Organizing Your Passwords
We use a lot of usernames and passwords today. Some are easy to remember, since you use them almost every day – logging in to your computer or your email account. Some are hard to remember, like logging in to your Con Edison account once a month to pay an electric bill online.
Creating unique, hard-to-guess passwords is vital to keeping yourself safe online. Storing these passwords in a secure location is just as vital. I am amazed at how often these two rules are broken by everyday computer users.
If you just want the solution to this problem, jump to the bottom of this section. Otherwise, let’s first explore the stupid things people do to deal with an overload of passwords.
Stupid Ways to Store Passwords
- Writing passwords down insecurely. If you can easily read your password off a piece of paper, so can a thief who views that piece of paper (whether it’s in your now-stolen wallet, or sitting on the desk in your now-broken-in-to home).
- Storing passwords in your email. Lots of people like to email themselves a copy of their passwords, and then store these emails in a folder. Obviously, this is a problem – if the thief can read your email, he can access all your passwords. Saving passwords in emails, or writing them in a file saved on your computer, is the electronic equivalent of the first item above (writing them down insecurely).
Stupid Ways to Create Passwords
In addition to storing passwords stupidly, people also create poor passwords to begin with, typically by displaying any number of the following bad habits:
- Using obvious passwords. Don’t make your alarm code your home’s address number. Don’t use your anniversary date in your email password. Don’t use your children’s names in your bank account password. If it’s something obvious, a thief who is determined to steal from you will eventually figure it out!
- Using the same password for everything. Think of the ramifications of a thief (who can sometimes be a person you know) guessing your one password. They can now log in to your bank account, your Facebook page, your email…you get the point.
- Using the same method to create unique passwords. A lot of people will simply make their passwords unique by using a “theme” of sorts. For example, your Amazon.com password might be “Amazon123”, your Citibank password might be “Citibank123” and your Facebook password might be “Facebook123”. This is the functional equivalent of using the same password for everything, even though each site technically has a different password. If I figured out just one of these passwords, it wouldn’t be hard for me to guess all the rest.
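As an added illustration (not from the original post), here is a small audit routine that flags exactly the two habits above when run over your own list of accounts: a password reused on several sites, and "themed" passwords that differ only by the site name. The account list is a constructed sample; the function names are my own.

```python
import re

# Constructed sample: site -> password, in the style the post warns about.
SAMPLE_ACCOUNTS = {
    "amazon.com": "Amazon123",
    "citibank.com": "Citibank123",
    "facebook.com": "Facebook123",
    "gmail.com": "Tq7!v9#kLm2p",
    "netflix.com": "Tq7!v9#kLm2p",
}

def site_token(site):
    """'citibank.com' -> 'citibank': the part a themed password tends to embed."""
    return site.lower().split(".")[0]

def template(site, password):
    """Replace the site name inside the password with a placeholder, so that
    'Amazon123' and 'Citibank123' both become '<site>123' and can be compared."""
    return re.sub(re.escape(site_token(site)), "<site>", password, flags=re.IGNORECASE)

def audit(accounts):
    """Return {site: [problems]} for every account whose password is reused
    verbatim or follows the same theme as another account's password."""
    problems = {site: [] for site in accounts}
    by_password = {}   # literal password -> sites using it
    by_template = {}   # themed template   -> sites using it
    for site, pw in accounts.items():
        by_password.setdefault(pw, []).append(site)
        tpl = template(site, pw)
        if tpl != pw:  # the site name was found inside the password
            problems[site].append("contains site name")
            by_template.setdefault(tpl, []).append(site)
    for pw, sites in by_password.items():
        if len(sites) > 1:
            for s in sites:
                others = ", ".join(x for x in sites if x != s)
                problems[s].append("reused on " + others)
    for tpl, sites in by_template.items():
        if len(sites) > 1:
            for s in sites:
                others = ", ".join(x for x in sites if x != s)
                problems[s].append("shares theme %r with %s" % (tpl, others))
    return {s: p for s, p in problems.items() if p}
```

Running `audit(SAMPLE_ACCOUNTS)` reports the three "...123" accounts as sharing one theme and the Gmail/Netflix pair as a verbatim reuse.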
Why Your Email Password is Critical
Of all the passwords you create, your email password is of utmost importance. First and foremost, if someone has your email password they can pretend to be you – this is a key element in identity theft. Second – your email can act as the gateway to breaking many of your other passwords. As a natural part of requiring usernames and passwords, websites need to give you the ability to help yourself if you forgot your username and/or password.
When you click “I forgot my password” – a staple on most websites – a well-designed website will send you an email with instructions on how to first authenticate yourself (usually via a bunch of personal questions that hopefully only you would know) and then allow you to choose a new password. In this scenario, having access to your email does not automatically give the thief access to the website. Note: If the thief knows a lot about you (typically when it’s someone you know), he may be able to answer the personal questions fairly easily. So even a well-designed website can’t protect you 100% – all the more reason to have a secure email password so the thief can’t access the “I forgot my password” email in the first place!
A poorly-designed website will simply email your password to you. This is horrible because if a thief has your email password, he can now read the email message that contains the website’s password.
If I were a thief who just stole your laptop, the first thing I would do is access your email and look for passwords. If I didn’t find any, I would next go to sites like Citibank, Bank of America, Fidelity, Amazon.com, Netflix, and any other popular website I could think of and click “I forgot my password” after putting in your email address. I would then monitor your email inbox to see which sites were stupid enough to give me easy access to your account, and disaster would ensue.
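To make the "well-designed" reset flow concrete, here is an added example (my own code, not from any website mentioned above) of how a site should handle "I forgot my password": it stores only a hash of each password, so it cannot email the password back, and the reset email carries a random, short-lived, single-use token instead. The in-memory dictionaries stand in for a database and the extra personal-question step is left out; all names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

USERS = {}          # constructed in-memory store: user -> {"salt", "pw_hash"}
RESET_TOKENS = {}   # sha256(token) -> {"user", "expires", "used"}
TOKEN_TTL_SECONDS = 15 * 60   # a reset link should die quickly

def hash_password(password, salt=None):
    """Salted PBKDF2 so the site never holds the password itself."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def set_password(user, password):
    salt, digest = hash_password(password)
    USERS[user] = {"salt": salt, "pw_hash": digest}

def check_password(user, password):
    rec = USERS.get(user)
    if rec is None:
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["pw_hash"])

def issue_reset_token(user, now=None):
    """What the reset email should contain: a random token that is useless
    after TOKEN_TTL_SECONDS or after one use. Only its hash is stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = {
        "user": user, "expires": now + TOKEN_TTL_SECONDS, "used": False}
    return token

def redeem_reset_token(token, new_password, now=None):
    """Return True and set the new password if the token is valid, unused and
    unexpired; otherwise return False and change nothing."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    rec["used"] = True          # burn the token before doing anything else
    set_password(rec["user"], new_password)
    return True
```

Someone who merely reads the reset email still has to act within the token's lifetime, and a token that has already been used or has expired changes nothing.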
The Solution
I use a pretty easy method to create long, unique, hard-to-guess passwords that I don’t have to worry about remembering. I store all my passwords in a program called KeePass Password Safe. Just as the name implies, it’s a safe for your passwords.
KeePass Password Safe is free, and available at: http://www.keepass.info
KeePass creates a file where all your passwords get stored, and you access this password file (called your “password database”) by using one master password.
Here’s a screenshot showing the contents of a sample password database I created:
As you can see, KeePass gives me instant access to all my passwords. I can view the password and manually type it in to the website I’m trying to access, or I can just click on a password and have KeePass automatically type it in to the website – very useful for long passwords.
Since I’m no longer worried about remembering my passwords, I am not likely to pick poor passwords or to write them down in an insecure location (such as taped to my computer monitor).
The KeePass password database file is highly encrypted. Even the CIA would not be able to break in and access your passwords. Only the master password will do the trick – so obviously the one strong password you will need to remember is your KeePass password! I keep a copy of this password written down and stored in my safety deposit box, just in case I ever forget it. Note: There is nothing wrong with writing down a password, so long as you keep it physically secure. A safety deposit box is plenty adequate for most of us, but not as convenient as something like KeePass for the bulk of your passwords.
Even Better: Accessing Your Passwords Everywhere
So you’ve set up a KeePass database and stored all your passwords in it. You have the database file (a file with the .kdbx extension) located in a folder on your computer, and it looks like this:
Your next question is: how can you access this file when you’re not at home? Saving all your passwords on your home computer is fine, but when you go to work and want to log in to a website (shame on you!) how are you supposed to access your password? What if you’re just at a friend’s house? What if you’re simply using another computer in your home which doesn’t have the password database saved on it?
The solution to this problem is actually quite easy – you need to save your KeePass database on a shared network folder you can access everywhere, and if you have no idea what I just said, then you need to read my discussion of Cloud Storage!