The Case for Using a Password Management Application
Here at the IT Security blog, it is easy for us to say things such as, “…you need to make strong passwords! You know, with numbers, and letters, and symbols, lots of characters! Things like “Kd03E#L0(@.” Yes, that’s a good password.”
As a reader, it is easy to sit in your chair, roll your eyes, and think, “…but that’s so impractical! How could I remember that? How could I ever use that?” I know, I know. I was you, rolling my eyes, not that long ago.
After we cracked a few weak passwords on our penetration tests, it became obvious that there is a huge difference between strong passwords and weak passwords. When sensitive information is protected with a password, it is vital to create and use strong passwords.
If you don’t feel up to the challenge of loading your brain full of random strings of numbers, letters, and characters, then I recommend you consider a good password manager application. These applications are designed to relieve the very conundrum that technology users frequently find themselves in. A password manager acts as a go-between for all of your password-protected accounts. You remember one strong password, and it remembers all the others and manages everything through your web browser. Here are a few to consider:
- KeePass is a great application, available on a variety of platforms, that stores your passwords locally on your computer. If you have more than one system, it allows syncing through Dropbox.com. There are some guides to assist you with getting it set up here and here.
- LastPass is similar, but all of the passwords are stored securely on the local computer and automatically synchronized (again, securely) to LastPass’s server. If you have multiple systems and don’t want to involve a third party, as the KeePass/Dropbox setup does, it is one to consider. There’s a great guide to assist you with it here.
- A third alternative is 1Password. Though more expensive, 1Password has a much better user interface, and I have found it to be more intuitive and easier to set up. For something that is simple to use and understand, I would recommend 1Password.
I encourage you to try out one of these solutions today. The peace of mind will be well worth it!
By: Scott Crews, CPA, GWAPT

Even better than having
I keep all my passwords in an
Ha! Great question. As long