The recent news that someone using your computer can see all of your passwords stored in Chrome with a few clicks made me aware of something that I had known -- but ignored -- for a long time: I have five or six passwords for dozens of accounts.
I've heeded the warnings and tried to come up with secure passwords that combine letters, numbers, capital letters and symbols. But often, I'm unable to remember a password and find myself wasting time resetting it.
Enter “password management” tools. These services generate unique passwords for each site that requires one. Your codes are all stored in one central place, which can be unlocked with one master password. (So be sure you don’t forget it.)
We compared three password management tools: LastPass, MaskMe and PasswordBox. The services all use AES-256 bit encryption, which Charles Tendell, a Denver-based cyber security consultant and Certified Ethical Hacker, said “would take months to hundreds of years to crack.”
So if these services are all safe, what makes them unique? Read on to find out.
LastPass has been around for a bit over five years and is free for desktop use. LastPass Premium, which gives you mobile access, is only $1 per month.
The service works on Chrome, Firefox, Safari, Internet Explorer and Opera. LastPass generates usernames and passwords for you, and automatically fills them in when you visit a site where you've enabled the service.
Like MaskMe and PasswordBox, LastPass has limited functionality on mobile devices. Although it has apps for Android, iOS, Windows Phone and Blackberry, only the Android app can populate login information. Basically, on the other mobile devices, LastPass' mobile app is a place to store, edit and copy your passwords.
PROS: At $1 per month, the premium service is very affordable. The LastPass login has an optional extra level of security with two-factor authentication, which means you can set it up so you have to give the site a secondary form of proof (like a code sent to your mobile phone) to get into your account. It works on most browsers, and has apps for Android, iOS, Blackberry and Windows phones. You can also access your password vault from the web if for some reason you can't download the LastPass extension or don't have access to your phone.
CONS: LastPass has a dated look and feel, and navigating the settings is more complicated than it needs to be. According to the company, LastPass is working on a redesign. And in order to use the Android app, you have to toggle between different keyboards in your device's settings, which is cumbersome.
MaskMe is a new browser add-on from Abine, the online-privacy startup behind DoNotTrackMe and DeleteMe. MaskMe not only acts as a password vault by generating and storing passwords, but it will also create aliases for your email address that are simply forwarded to your inbox. This is great for two reasons: A password is useless without identifying information, so even if hackers were able to get access to your password, they would have no idea who it belonged to because of the masked email address. While that specific account could theoretically be jeopardized, other accounts with the same password wouldn't. The masked email feature also allows you to easily protect against unwanted mail.
MaskMe's premium version -- which is $5 per month and includes mobile access -- also gives you the ability to create a "masked" phone number and pay for things online without disclosing your actual credit card numbers.
MaskMe's browser extension is for now only available on Chrome and Firefox, but Sarah A. Downey, a privacy analyst at Abine, said the company is working on Safari and Internet Explorer functionality too.
When it comes to password management, MaskMe's Android and iOS apps are limited, and at this stage won't log you into apps. Like LastPass apps for anything other than Android, the MaskMe app basically serves as a secure repository where you can see and copy your login and password.
PROS: The free version masks email addresses, so you never have to give out your actual address ever again. It's very easy to set up and easy to manage your information. Big, clear icons give you access to your login information. It is accessible from the web, so if you're at a computer and can't download a browser extension and you don't have your mobile device, you can still get your passwords.
CONS: Limited login functionality on the mobile (premium) version, which is only available for Android and iOS, but Downey said Abine is working to improve the Android app. At $5, the premium version is more expensive than LastPass and PasswordBox, but you also get much more. There is no two-factor verification, but it's on the way, said Downey.
Unlike MaskMe and LastPass, PasswordBox gives free access to its mobile app. It allows you to store 25 passwords -- either generated by the app or your own -- for free. It costs $1 per month to store more than 25.
The PasswordBox extension, available on Chrome, Firefox, Safari and Internet Explorer, has a neat tiled interface that's also pre-loaded with popular sites, so you can quickly add all your passwords to sites like Facebook, Gmail and Twitter.
One thing that differentiates PasswordBox is its most morbid feature -- a "Legacy" function that lets you designate a trusted friend or family member to collect your passwords if you die. The person whom you designate can only have access to your PasswordBox account if he or she presents a death certificate.
PasswordBox also allows you to share passwords with other people who have PasswordBox accounts.
PasswordBox is available on iPhone, Android phones and iPad. But like the other password tools, the mobile app works best with Android. Like LastPass, only the Android version of PasswordBox will enter your stored login info in mobile apps.
PROS: Legacy and sharing features are unique to PasswordBox. The visual layout is simple, clean and appealing, and easily allows you to import your old passwords and login info. (This can also be considered a negative from a security standpoint because you're using your old passwords.) Available with Chrome, Firefox, Safari and IE. At $1 per month, it's a great deal.
CONS: There is no web access to your passwords, so if you can't download and install a browser extension or you don't have mobile access, you can't access your passwords. And like LastPass, you have to toggle between keyboards for the Android app to input your account info. There is no two-factor verification, but a company spokesperson said it's rolling it out this fall.
Having a good tool to manage your passwords is only part of the solution, Tendell, the security expert, said. LastPass, MaskMe and PasswordBox are only as good as your master password.
"You can't have a super secure vault with all your passwords stored in it and leave the door open all the time," Tendell said. "You can't have this password vault and have a really weak or easily guessable or non-complex password that you used anywhere else on the Internet."
So what's the best way to choose a truly complex -- but memorable -- password? Tendell said to choose a base word, like "computer," but when you're typing it in, offset each letter in the same direction. For example, "Computer" offset to the key to the above right would be "F0k-8645."
What do you use to avoid password fatigue? Let us know in the comments, or send me an email at firstname.lastname@example.org.