The prompt for this post came from an unlikely source: Taking passwords to the grave (via Bruce Schneier), which talks about the problem of accessing a person’s assets after they are gone. We will come to that at the end.
My problem was an ageing memory and dozens if not hundreds of passwords to remember together with other important information. This had to be kept securely but readily accessible, even when away from my desk. The solution I came up with is as follows.
- Store all of the passwords and related information in a database. I chose one that is designed for the purpose and has a good encryption scheme. This is PINS. It is a freeware product which seems to have minimal support, but it works well so no matter. The encryption is Blowfish and it comes with a useful random password generator.
- Put the database and the software on a USB flash drive. To some extent this steers the selection of the software above because it has to be capable of running without being installed on the PC. It does however limit it to the Windows platform.
- Take regular backup copies of the database. To do this I use “Pen Drive Manager.” This is not free but very low cost. Every time you plug in your flash drive, it synchronises the drive with a copy on the PC hard drive. I run a copy on my home machine and my office machine, so I have two backup copies of the database at all times.
To run this successfully you must make sure that the database that you update is always the one on the flash drive so that it is the master copy. I install a copy of PINS on each machine for convenience but you don’t have to. Also you must have a good password for the encryption of the database. Once you have got it running, all you need to remember to do is update the database copy of the passwords when you change them in real life. Of course the password you cannot store on there is the password to the database itself. You don’t even have to remember the passwords to get into your own PCs because, if pushed, you can borrow someone else’s, plug in your flash drive and run the copy of PINS loaded on there.
If I forget my flash drive, firstly, PINS locks down after a few minutes so no one can access the database. Also I can still access the passwords on the other machine by pointing at the backup database. All I have to remember to do is not update anything and also switch it back to the portable copy as soon as possible. If I lose the flash drive completely then not only is it secure but I have all the information I need to recreate it.
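The one rule that makes this arrangement safe is that the flash-drive copy is always the master and the PC copies are only ever written from it. The following is an added example (not part of the original post, and not Pen Drive Manager’s or PINS’s own code) of a one-way mirror that enforces that rule: it copies master to backup, but if the backup has been modified more recently than the master it reports a conflict instead of overwriting anything, which is exactly the “I updated the wrong copy” mistake described above. File names and contents are constructed for the demo.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash the whole file; an encrypted database changes completely when edited."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sync_master_to_backup(master: Path, backup: Path) -> str:
    """Mirror the flash-drive master onto a PC backup copy, never the other way.

    Returns "created", "unchanged", "updated" or "conflict". A conflict means
    the backup was modified after the master (the wrong copy was edited);
    neither file is touched so that change is not silently lost.
    """
    if not backup.exists():
        shutil.copy2(master, backup)          # copy2 preserves the mtime
        return "created"
    if sha256_of(master) == sha256_of(backup):
        return "unchanged"
    if backup.stat().st_mtime > master.stat().st_mtime:
        return "conflict"
    shutil.copy2(master, backup)
    return "updated"


def demo() -> list:
    """Walk through the four outcomes with constructed files in a temp dir."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        master = Path(d) / "usb" / "pins.db"     # hypothetical master copy
        backup = Path(d) / "pc" / "pins.db"      # hypothetical PC backup
        master.parent.mkdir()
        backup.parent.mkdir()
        master.write_bytes(b"constructed encrypted blob v1")
        t = master.stat().st_mtime
        results.append(sync_master_to_backup(master, backup))   # created
        results.append(sync_master_to_backup(master, backup))   # unchanged
        master.write_bytes(b"constructed encrypted blob v2")
        os.utime(master, (t + 60, t + 60))       # master edited later
        results.append(sync_master_to_backup(master, backup))   # updated
        backup.write_bytes(b"constructed encrypted blob v3")
        os.utime(backup, (t + 120, t + 120))     # wrong copy edited
        results.append(sync_master_to_backup(master, backup))   # conflict
    return results
```

Run `demo()` to see the sequence; a real deployment would run `sync_master_to_backup` on drive insertion and alert on "conflict".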
You don’t have to keep just passwords in the database. I have network configuration details, software activation keys, credit card numbers and PINs, web upload addresses, and any other information that I mustn’t forget. There are a couple of minor bugs in the software, but nothing that stops me using it, which I have done for over two years now.
And back to the problem that prompted the post. Give your executors a copy of the database password, perhaps in a sealed envelope (and some instructions). This will give them access to all your other passwords and the further instructions and information on the database. That way, if you are lucky, your web site will be kept online containing your life’s work, they will be able to access your email and online banking accounts and anything else they need to manage your estate. Of course if you want to take anything to the grave with you, then keep the password somewhere else.
Another thing I suspect many administrators of password-based systems tend to rather skim over is the question of how well you look after those “Forgotten Your Password?” questions.
I quite agree. My credit card company always asks for my “memorable number” when I ring them about anything and I always forget what I gave them. One occasion was farcical – they gave me so many prompts that anyone who knew me could have guessed what it was. The internal company one has a list of 6 different questions they could ask you, which admittedly are fairly explicit, and they always ask two. But when it comes down to it, it is the judgement of the telephone agent to decide if you really are the person you say you are. This brings us on to the subject of identity, which is a whole different can of worms.
I have gone through this site; it lets you manage your passwords by applying the 10 tips given there.
http://www.zdnet.com.au/insight/security/soa/Ten_tips_for_managing_passwords/0,139023764,139256952,00.htm
Hi “arthur” **, this is an interesting article but on some points I disagree; particularly point 1. Passwords must not be written down. As I have said elsewhere, it is impractical to expect users to remember the number of passwords that they need for business and home use these days, especially if we are to make any progress in educating them to create good ones. So I say, yes, let them write them down, but to manage the note in the same way that they would anything else valuable. That is not on a sticker on the screen or under the keyboard or the little black book in an unlocked desk but in their wallet, key-safe or other secure location.
It is worth noting that the article is a guide for the system designer rather than the user and from that point of view I largely agree. They need to take back some of the responsibility and not load it all on the “luser” who can’t be trusted to do things properly.
** I know that arthur doesn’t exist, this message was in my spam box; but clearly the spam machine had intelligence (maybe human) and had come up with an interesting link which was worth preserving so I mangled the URL and promoted the comment.