To paraphrase Don Tapscott (Macrowikinomics), who was himself paraphrasing David Allen (Getting Things Done): the brain shouldn't be used to store static information, it should be used for figuring things out.

One aggravating mistake I see committed in a computer environment is organizational chaos. Do you have more than a few icons and/or files on your desktop? Do you have all your documents, spreadsheets, presentations, pictures, etc., in your face? Are any of them named 0001.jpg, 0002.jpg, etc.? This isn't organization, it's cognitive suicide.

Cleaning up one's computer habits is no more pleasant than organizing the garage, but eventually it should be done. Password management might be your first, easily accomplished cleanup, and once the obvious rewards are noticed, other habits of device organization might follow (like cleaning up the desktop, perhaps?).
Complex passwords are a pain in the a**. If it's impossible to remember a short shopping list, how or why should a human be expected to remember a complex password like x8xg&bze!YZSvt? Some people recognize the need for password complexity and invent uncommon passwords, but keep them on a post-it note or in a file called passwords.txt. Insufficient, dangerous and unnecessary. Instead, use a password manager. Elegant, simple, organized.
Password managers allow a user to remember one master password (fancy not required) and the manager will remember all the rest, any number, any complexity. Remember the example of acceptable passwords from the last blog? One of them was My cat has 2 fleas!

Again, every common character type is represented, that is, upper case, lower case, number and special character (., @, ! etc.), but what really makes it strong is its length. Nineteen characters put it hopelessly beyond a character-by-character brute-force search, and that stays true even against a quantum computer (Grover's algorithm at best halves the effective bit strength of such a search; perhaps the NSA has one already, but normal people don't). The one caveat is that cracking tools also guess whole words and well-known phrases, so make the phrase your own rather than a line everyone has heard. Very easy to remember and very safe.
A common first-use scenario for recording a password: browse to a web page that requires a password, like a bank. When you log in normally, the manager will memorize both the site and the password you type in, then lock the password away under strong encryption. Easier than dictating to a secretary, and all major browsers and mobile platforms, including some really odd ones, are supported. Because the saved login is tied to the site's address, the manager will not offer it up on a look-alike phishing site, a quiet benefit over typing passwords by hand.
On a subsequent visit you'll only need to choose the web address (URL) from the password manager's list, click/tap, and your secure site will be instantly available. You will need to enter the master password (like My cat has 2 fleas!) once per session, and each time you open a new site the manager will do its magic when required. Again, the brain is not a good memory manager, but almost any device can do these tedious chores effortlessly.
I'm guessing that there are several people reading this blog who re-use passwords and, if so, they may not be complex. Both managers described below will let you change the password for every site and will even generate secure ones on demand (you still change the password on the site itself; the manager generates the new one and records it). Both will examine your password repository and sniff out duplicates, allowing the alteration of one or many. So simple, re-used passwords and phrases can be turned into unique, complex alternatives easily, and those are then synchronized across all your devices. Both managers will require the master password to be re-entered after a set period of time, and/or every time you restart or sleep a device and/or close a browser. These settings can be personalized, so if your settings are conservative and your device is lost or compromised, the vault will already be locked and its contents out of reach.
Two Password Manager Examples
In the arena of password managers, RoboForm has two advantages that make it superior to LastPass: where your data lives, and a consistent interface.
RoboForm doesn't require that your password data be kept anywhere outside your computer; that part is an option. Every login you save becomes its own little encrypted file, and those files can be carried on a USB stick, left accidentally at the dentist's office (useless to the finder without the master password), kept in a file repository like Dropbox, or even stored in RoboForm's own cloud.
Several years ago, while working for a business with deep pockets, I lived on RoboForm. It worked well, and still does. It delivers a consistent user experience, so it's easy to use. That being said, I hate RoboForm! I bought into its ecosystem just after launch (it was about 30 bucks in 2004?) and was assured that my license was good for life and for all my devices. They lied.

Without notice the company rescinded the lifetime license and demanded extra fees, costly version upgrades and licensing of extra devices, even if an older one was retired. Weary of being nagged and fleeced, I switched to LastPass.
This manager differs from RoboForm in one very important way, and some would correctly theorize that it's more exposed: LastPass always keeps a copy of your vault on its own, off-computer servers. What sits there is the vault encrypted on your device with a key derived from the master password, plus a separately derived hash that is used only to log you in; the master password itself never leaves your computer. The trade-off is that an attacker who gets into those servers has something to attack at leisure.
In May 2011, LastPass's technical staff noticed unusual outbound traffic from a database server and concluded that someone had probably tried to pull part of the password database. Obviously this would have been a huge breach if the worst had actually occurred: what could have been copied were email addresses, the server salt and the salted hashes of master passwords, and anyone with a weak master password could have had it cracked offline from that hash and then used to fetch and open their vault.
Unlike most other companies, which will hide even the appearance of error or breach (sometimes for months), LastPass immediately acknowledged the suspicious activity even before it was confirmed, because they assume it's the customer's right to know. There ensued much inaccurate outcry and criticism of the service. In fact there was no error, no foul, and I commend the company for issuing a warning even before they had conducted full discovery.
However, acknowledging the possibility of future actions against their vault, LastPass went back to the drawing board and doubled down on the security model. I can think of few other companies that take their responsibility this seriously. Even Steve Gibson (GRC.com) uses LastPass, and that would be good enough for me, even if I didn't understand the technical detail.
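A sketch of the trust model behind a cloud vault of this kind, covering both the master-password workflow described earlier and the May 2011 scare: added here as an illustration, not code from LastPass, RoboForm or the original post. It assumes a layout that is common but not any vendor's documented one: the client stretches the master password with PBKDF2 into a vault key, derives a separate login hash from that, and sends the server only the login hash and the encrypted blob; the server re-hashes the login hash with its own salt before storing it. The names (derive_keys, VaultServer, offline_guess, demo), the iteration count, the constructed users, vault and wordlist, and the HMAC-based stream cipher standing in for AES-GCM (so the file runs on the standard library alone) are all assumptions. The last function shows what a theft of the server's tables buys an attacker: unlimited offline guesses against the stored verifier, so the weak master password falls to the constructed wordlist while the passphrase does not.

```python
"""Zero-knowledge vault model (added illustration, not any vendor's code)."""
import hashlib
import hmac
import json
import secrets
from typing import Optional

KDF_ITERATIONS = 100_000  # assumption for illustration; real products tune this higher


def derive_keys(master_password: str, username: str) -> tuple:
    """Client side. The vault key never leaves the device; the login hash is one
    more derivation step away from it, so a thief of the server's table learns
    nothing about the vault key from the login hash alone."""
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), username.lower().encode(), KDF_ITERATIONS, dklen=32)
    login_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)
    return vault_key, login_hash


def server_verifier(login_hash: bytes, server_salt: bytes) -> bytes:
    """Server side: the only credential the service stores."""
    return hashlib.pbkdf2_hmac("sha256", login_hash, server_salt, KDF_ITERATIONS, dklen=32)


def _subkey(vault_key: bytes, label: bytes) -> bytes:
    # Split the vault key into independent encryption and MAC keys.
    return hmac.new(vault_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a PRF stream: a stand-in for AES-GCM so the file
    # needs only the standard library. Use a real AEAD in production.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, entries: dict) -> dict:
    """Encrypt-then-MAC the JSON vault on the client; this opaque blob is all
    the server ever holds and syncs."""
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(vault_key: bytes, blob: dict) -> dict:
    """Check the tag before touching the ciphertext: a wrong master password
    derives a wrong key and fails here instead of yielding garbage."""
    nonce, ciphertext, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ciphertext", "tag"))
    expected = hmac.new(_subkey(vault_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


class VaultServer:
    """Everything the service ever sees: a salted verifier and the blob."""

    def __init__(self):
        self.server_salt = secrets.token_bytes(16)
        self.accounts = {}

    def register(self, username: str, login_hash: bytes, blob: dict) -> None:
        self.accounts[username] = {"verifier": server_verifier(login_hash, self.server_salt), "blob": blob}

    def login(self, username: str, login_hash: bytes) -> Optional[dict]:
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct["verifier"], server_verifier(login_hash, self.server_salt)):
            return None
        return acct["blob"]


def offline_guess(account: dict, server_salt: bytes, username: str, wordlist: list) -> Optional[str]:
    """What an attacker holding a copy of the server's table can do: test candidate
    master passwords with no rate limit. The KDF cost is the only brake, so the
    strength of the master password decides the outcome."""
    for guess in wordlist:
        _, login_hash = derive_keys(guess, username)
        if hmac.compare_digest(server_verifier(login_hash, server_salt), account["verifier"]):
            return guess
    return None


def demo() -> dict:
    """Constructed users, vault and wordlist; nothing here is real data."""
    server = VaultServer()
    entries = {"https://bank.example": {"user": "alice", "password": "x8xg&bze!YZSvt"}}
    users = {"alice@example.com": "password1", "bob@example.com": "My cat has 2 fleas!"}
    for username, master in users.items():
        vault_key, login_hash = derive_keys(master, username)
        server.register(username, login_hash, encrypt_vault(vault_key, entries))

    vault_key, login_hash = derive_keys("My cat has 2 fleas!", "bob@example.com")
    recovered = decrypt_vault(vault_key, server.login("bob@example.com", login_hash))
    _, wrong_hash = derive_keys("my cat has 2 fleas", "bob@example.com")
    wordlist = ["123456", "password", "password1", "letmein"]  # constructed
    return {
        "recovered": recovered,
        "wrong_password_rejected": server.login("bob@example.com", wrong_hash) is None,
        "weak_master_cracked": offline_guess(server.accounts["alice@example.com"], server.server_salt, "alice@example.com", wordlist),
        "strong_master_cracked": offline_guess(server.accounts["bob@example.com"], server.server_salt, "bob@example.com", wordlist),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file registers the two constructed users, logs Bob in and decrypts his vault, shows that a wrong master password is refused, and then plays attacker against a stolen copy of the table: Alice's "password1" is found on the third guess, Bob's passphrase is not. Raising KDF_ITERATIONS slows the attacker and the legitimate login by the same factor, which is why a strong master password, not the iteration count, is the real defence.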
One disadvantage of LastPass is an inconsistent experience across devices and browsers, so when one jumps from Firefox to Google Chrome to an iPad to an Android phone, the interface changes, if modestly. It's a mild aggravation while getting the hang of it, but an incredible brain aid nonetheless.
Because LastPass keeps its data both on your computer and in the cloud, any alteration propagates to every device. Way beyond handy!
Lastly, both managers will store all manner of sensitive information, like credit card numbers, social security numbers, addresses, etc., and autofill these fields when visiting an ecommerce site like Amazon. This is so cool.
I’m still inventing the next blog post, but please stay tuned...
Feel free to offer topic suggestions. Commenting on the blog would be great, let’s get some discussions going. Or, if you don’t want to comment and have a topic suggestion, please email: email@example.com