Jun 20, 2014

    Password woes? These may help

    MORE than half a million websites that were supposedly secure turned out to be less than safe when the Heartbleed bug was discovered in April.

    This vulnerability affected the popular OpenSSL cryptographic software library used to encrypt Web traffic.

    More shocking was the revelation that the bug had been around for more than two years before it was found.

    Despite the widespread attention - a recent Pew Research Center survey found that 64 per cent of Internet users in the United States had heard about Heartbleed - only 39 per cent of online users changed passwords or took other steps to secure their accounts after learning about it.

    Users may be understandably blasé about such security breaches, as websites and online vendors seem to be hacked with alarming frequency.

    Or they may find it too much of a hassle to change their passwords when they have numerous online accounts.

    This is because you not only need to change the passwords, but must also ensure that the replacements are strong ones that cannot be easily guessed or cracked by brute force. But strong passwords can be fiendishly hard to remember.

    This is where password managers come in. These apps save your log-in IDs and passwords, so you need to remember only a single master password. Not having to remember scores of passwords means you can stop recycling a handful, and, instead, create unique and strong passwords for all your accounts.

    Password managers are not new - every modern browser has a basic version. Some can even sync your passwords in the cloud, so you can access the saved passwords when using the browser on another device.

    The downside is that anyone with access to your computer will be able to view the stored passwords.

    Only Firefox offers the option to enable a master password to encrypt the stored passwords.

    Dedicated password managers, however, offer much more. They can generate strong passwords for you and protect your saved passwords using the latest encryption standards. They can sync your passwords across computers and mobile devices.

    They can even fill in forms automatically for you.

    Some password managers can be stored in a USB flash drive and used at public computers. These usually support multi-factor authentication, which asks for something in addition to the password, so your account stays protected even if a password is leaked.

    Here are five password managers you should check out.


    Free for use on computers; for mobile devices, a yearly subscription of US$12 (S$15) is required.

    For Android, BlackBerry, iOS, Linux, Mac, Windows, Windows Phone

    LastPass is one of the most popular password managers around, and it is easy to see why. Even the free version has plenty of features, such as the ability to fill forms and create notes within the app to store bank account and passport numbers.

    But you will have to upgrade if you wish to use LastPass with mobile devices, or run it off a USB drive.

    Multi-factor authentication is another reason to upgrade. LastPass offers a free paper-based solution called grid multi-factor authentication.

    You print out a square grid of random numbers and letters, and carry it with you. When you access LastPass, the app will ask, in addition to the master password, for certain values found on the printed grid.
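How a grid challenge of this kind can work, as an added illustrative sketch (not LastPass's code and not part of the original article). The 10 x 10 size, the lowercase-plus-digits cell alphabet, the four-cell challenge and all function names are assumptions.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # assumed cell alphabet
SIZE = 10                                          # assumed 10 x 10 grid


def new_grid(size=SIZE):
    """Generate the printable grid with a CSPRNG; the service keeps a copy."""
    return [[secrets.choice(ALPHABET) for _ in range(size)] for _ in range(size)]


def new_challenge(size=SIZE, cells=4):
    """Pick distinct random coordinates to ask for at this log-in."""
    picked = set()
    while len(picked) < cells:
        picked.add((secrets.randbelow(size), secrets.randbelow(size)))
    return sorted(picked)


def label(cell):
    """Render (row, col) the way a printed grid is read, e.g. (2, 0) -> 'A3'."""
    row, col = cell
    return f"{string.ascii_uppercase[col]}{row + 1}"


def expected(grid, challenge):
    """Concatenate the grid values at the challenged coordinates."""
    return "".join(grid[r][c] for r, c in challenge)


def verify(grid, challenge, answer):
    """Second-factor check; run it only after the master password is accepted."""
    want = expected(grid, challenge)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(want.encode(), answer.strip().lower().encode())


if __name__ == "__main__":
    grid = new_grid()
    challenge = new_challenge()
    print("Enter the values at:", " ".join(label(c) for c in challenge))
    print("Correct answer accepted:", verify(grid, challenge, expected(grid, challenge)))
```

Because the printed grid is static, every answer an observer captures reveals those cells for good, so the grid should be regenerated if it may have been copied or photographed.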

    A less common feature is its ability to disable log-ins from a list of countries. So if you will not be doing any travelling in the near future, you can allow log-ins only from Singapore.


    Free version offers limited functionality; US$9.95 for first year and US$19.95 subsequently

    For Android, iOS, Linux, Mac, Windows

    The free version offers up to 10 saved log-in IDs, which is great if you have only a few online accounts. There are no ads.

    This works on computers and mobile devices. Saved data is backed up to the cloud, for syncing with other devices.

    It comes with a built-in password generator. As its name suggests, RoboForm remembers the details the first time you fill in an online form, and will automatically do it for you.

    There is no export feature in RoboForm. So if you are sampling various password managers, try RoboForm last as it can take some work to transfer saved data from it to a rival password manager.


    Free version has limited functionality; US$29.99 per year for premium version

    For Android, iOS, Mac, Windows

    The free version will not let you save your data to the cloud and sync across devices.

    But its key features - password management, auto-fill forms and a digital wallet - work on all its supported platforms.

    If you have only one device, you get full functionality without upgrading.

    Two-factor authentication is available, but limited to the Google Authenticator app on the phone.

    The app will tell you which of your saved passwords are weak, via a user-friendly dashboard interface. It will also send you security alerts when your online accounts may be compromised, so that you can change your passwords immediately.

    Upgrading to the full version is relatively expensive. But its slick and polished interface may be worth the premium.



    For Windows; unofficial ports for Android, iOS, Linux, Mac and Windows Phone

    This open-source password manager is spartan compared with the other apps featured here. Going by its old-school user interface, it is obviously not designed for mainstream users.

    The learning curve can be quite steep, so expect to tinker with the settings to get it set up properly.

    But it is powerful and highly customisable. Its password generator, for instance, has many more options than that of the typical password manager.

    KeePass comes with two-factor authentication built in. A portable version lets you run it off an external storage device without installing the app.

    You can import saved passwords and data from other apps and password managers.

    Written originally for Windows, KeePass has been ported to multiple platforms. Its greatest strength lies in the numerous optional plug-ins that add extra functionality to the app.


    US$49.99 for single-user licence (no subscription)

    For Android, iOS, Mac, Windows

    Unlike most of its competitors, AgileBits' 1Password does not use a yearly subscription model.

    Instead, you pay US$49.99 for a single-user licence, which lets you install the app on as many machines as you like, but for only one user.

    You are also entitled to software updates until the next major release.

    The app works on both Windows and Mac, but its interface is clearly influenced by Cupertino.

    It has the typical features, such as integration with popular browsers and secure text notes to store sensitive information like passport numbers.

    But you have to install a file-based syncing app such as Dropbox to use 1Password over multiple devices, as the password manager does not have its own cloud-based sync feature.

    The company recently released a new Android version with an improved, modern user interface. This mobile version is free till August.