A very convenient means of storing and using userids and passwords

Subtitle: Weaning myself off the Microsoft Fingerprint Reader

I love using my Microsoft Fingerprint Reader.  I can use it to log into Windows.  I can click on a shortcut to a website, press the fingerprint reader and I’m logged into the website.  I love using it.  One of the best features is that you can use individual loooong passwords or pass phrases on each website.

But ….

It’s not supported by Microsoft in Internet Explorer 8 (although there is a Firefox Add-in which supports it), Windows 7 or 64-bit editions of Windows.  So I’ve been exploring open source options.  Turns out that KeePass Password Safe is an excellent alternative.  I like open source alternatives as I trust the open source community to review the code and ensure things are kept secure and confidential.

Side note:  After having a few discussions on this topic in years past with Microsoft personnel I do trust them to do a darned good job of keeping things secure and confidential.  

One of the very nice features in KeePass is the Auto-Type feature.  Took a bit of work to get the system-wide auto-type hot key working as the documentation wasn’t very clear.  But now I can be at a web page in Firefox or IE, hit Ctrl+Alt+A and it will fill in the user id and password for me.  So hitting three keys on the keyboard is just about as efficient as pressing on the fingerprint reader.  Which sometimes takes two or three tries.

One problem though is that a few websites won’t take a 20 character password.  Worse, some will take it when you initially set up your account and silently truncate the extra characters.  Then when you log in a second time the site doesn’t truncate what you type but still compares it against the truncated stored password, so your passwords now don’t match.
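The truncation mismatch described above, as an added example that is not part of the original post: a toy account store where signup silently truncates but login does not, next to consistent truncation (logins work, but only the first characters count) and explicit rejection at signup. The `Site` class, its flags, the 16-character limit and the sample password are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_LEN = 16                   # assumed site limit (hypothetical)
PW = "abcdefghijklmnopqrst"    # constructed 20-character password

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Site:
    """Toy account store; flags choose where over-long input is truncated."""
    def __init__(self, cut_signup=False, cut_login=False, reject_long=False):
        self.cut_signup, self.cut_login = cut_signup, cut_login
        self.reject_long, self.users = reject_long, {}

    def register(self, user, password):
        if self.reject_long and len(password) > MAX_LEN:
            raise ValueError(f"password exceeds {MAX_LEN} characters")
        if self.cut_signup:
            password = password[:MAX_LEN]      # silent truncation
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt))

    def login(self, user, password):
        if self.cut_login:
            password = password[:MAX_LEN]
        salt, stored = self.users[user]
        return hmac.compare_digest(stored, _hash(password, salt))

def demo():
    out = {}
    buggy = Site(cut_signup=True)              # the mismatch from the post
    buggy.register("u", PW)
    out["buggy_full"] = buggy.login("u", PW)               # full password fails
    out["buggy_prefix"] = buggy.login("u", PW[:MAX_LEN])   # only the prefix works
    both = Site(cut_signup=True, cut_login=True)           # consistent but weaker
    both.register("u", PW)
    out["both_full"] = both.login("u", PW)
    out["both_wrong_tail"] = both.login("u", PW[:MAX_LEN] + "ZZZZ")
    strict = Site(reject_long=True)            # user is told at signup
    try:
        strict.register("u", PW)
        out["strict_rejects"] = False
    except ValueError:
        out["strict_rejects"] = True
    return out
```

If a stored KeePass entry stops working on a site like the first one, trying progressively shorter prefixes of the entry at login reveals the length the site actually kept.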

The biggest inconvenience is going to be logging into Windows.  I’m going to be losing that functionality.  Well, I’m using a pass phrase that I can just about rattle off in my sleep so I guess that won’t be too bad.  Needless to say though I’m not going to be in any hurry to upgrade my current Windows XP laptop.

Do ensure that you write down your Windows password and your KeePass master password and give them, in a sealed envelope, to a few trusted relatives or friends who don’t live near you.  Actually I have these in a special KeePass entry in the notes section so it’s quite secure.  This way I can copy and paste into Notepad, print and distribute.

If you are going to switch passwords, ensure you’ve distributed the passwords before you actually start using them.  Why?  Well, what if you are disabled or dead before you get around to notifying your trusted friends and relatives?  Also we have the best of intentions but I know that I don’t always get around to doing some things on a timely basis.

Note that one of the most important things you can do is to use a different password for every site you visit and your computer.  There are many stories of crackers getting thousands of passwords from sites with bad security and using the same userid and password at other sites.  This is why products such as KeePass are so important as they enable you to conveniently store and use different passwords for each website.

4 thoughts on “A very convenient means of storing and using userids and passwords”

  1. I don’t really see how this is any safer than having your browser save your passwords. I mean, anybody who can get access to your logged in system can hit Ctrl-Alt-A just as easily as you can, no?

    And it’s bollocks to say you need a different password for every website. Not all websites are created equally. Your online banking and Facebook do not have the same security requirements.

    Now, all that said, I don’t use the same password for all websites. But I do use a method of generating a different password for each website that I can reconstruct from my recipe. I have a basic strong password that I use and then I combine it with data that’s specific to the website, and that I can easily reconstruct. Because of different restrictions, some websites won’t accept the password that my rules produce, so I have some secondary rules for controlling that.

    Anyway, the point is that nobody could crack one of my passwords and be able to crack all my others.

    Additionally, since more and more websites use email addresses as your username (a good thing), I now create an email alias on my domain for each website that I’m using, and use that email only for that website, both username and contact. That serves two purposes:

    1. I don’t have to remember the username (i.e., which email address I used for that site).

    2. If I get spam on that email address, I know exactly where it came from and can take appropriate action.

    So, I frankly don’t see the point of a fingerprint reader *or* the software you describe in this post. Since there are ways to do this without overtaxing your memory, there’s no reason to rely on a technological solution that’s not really safe.

  2. I use several browsers depending on my mood. That is IE for Microsoft sites, Chrome just for Facebook and Firefox for all the rest. I feel that the programmers working on KeePass are paying much more attention to security than the browser folks. I store more passwords such as email and network in there as well.

    We can argue a bit about different passwords for different websites but what if there was a malicious employee at one website? Now he has access to some of your data at other websites.

    This file that KeePass creates is in my equivalent of My Documents folder and thus is also backed up on a very frequent basis. Who the heck knows where the browser password file is and when, if ever, was it backed up?

    And what happens when you die or are disabled? Now my key passwords, including my non browser passwords, are in one place and organized so my executors can deal with things.

  3. I wasn’t even beginning to suggest that one save passwords in the browser — I never save any passwords for anything, ever, and find it annoying that browsers don’t allow me to set them to never prompt to save a password (and I also hate it that logon screens default to “Remember me”).

    I note that the form for posting this has a Remember Me checkbox that defaults to OFF, which is exactly right, but the opposite of what most sites do.

  4. If someone hacks one website, they get the password for that website, but they don’t know the recipe to convert that to the password for another website.

    And that’s the point.

    I know how to reconstruct the password, but just knowing one password doesn’t give away all the others.
