Password management

I recently received an occasionally recurring question regarding password management. I thought it was a good opportunity to write up my current thoughts.

At this time, I recommend LastPass. It’s cross platform, so iOS, Android, OS X, Windows and Linux all have versions. You can use all but the mobile versions for free; full access involves a $12 per year fee. The advantage of paying $1 per month is that you become a paying customer, like a bank customer renting a space in the vault: they are obligated to provide you the service. Your LastPass password content is encrypted and decrypted on your devices, so if you lose access to your account, LastPass can’t really help you recover it; at the same time, you are syncing to their cloud, which can be a security concern for some. You can also secure your account with two factor authentication using Google Authenticator. This means that in order to access your account on a new system, or on the systems you designate, you’ll enter your password and then the security code shown in your Authenticator app. This way, your phone becomes the second key to your account, and it’s in your pocket.

Second, 1Password is excellent. It’s like Things for OS X and iOS, beautiful and just works, but more Apple oriented; there is a Windows version too, though I haven’t tested it. The OS X and Windows apps have an upfront price of $49.99 at last check but no recurring expense. Worth another look for me, if I’m honest. I’m told you can use it with either a local (for the security conscious) or synced account, but again, I haven’t tested fully. It appears that the sync is used with a Dropbox account so definitely some testing required to recommend saving a set of passwords to the Dropbox servers.

Third, if you only have OS X and iOS devices and can wait a few more months, your Keychain can sync with iCloud in iOS 7 and OS X Mavericks coming later this year. I’m testing that feature in the beta of iOS 7 now.

Fourth, for the more security conscious, permitting your passwords to sync anywhere is a concern, however well encrypted the service. At NOC we use an offline local machine, with a camera trained on it, that runs only KeePass as a password database. For locked down local management, KeePass has become a standard. And then never go online. Nor permit anyone physical access to your system. Nor go out your door. 🙂 Please let me know your thoughts, questions or updates you recommend. Cheers!
