For the longest time (i.e. since I first used a password) I’ve always kept passwords in my head. In the early days it was easy since systems were isolated and pesky password policies hadn’t yet become the norm. It was usually easy to remember, because the number of unique passwords I had was, um, just one.
Then over time those password policies started to appear and I had to start thinking of new passwords for more places that wanted more security, typically by varying my single core password. Then they introduced password history, and dictionary checks and all sorts of things which now meant I had to remember what all the various incarnations were. My capacity for password rememberising was fast reaching full.
What made it harder is that with more and more things being on the internet I was also getting an account explosion and starting to forgetting what login id I was using, especially when it was for a site I hardly used, so I’d often find myself doing the ol’ “forgotten password” thing. Side note: It’s a scary experience when the forgotten password thing results in you being emailed your current password. Yikes!
Anyway, I knew this wasn’t best practice,and there were plenty of people saying “use a password manager” but the conceived hassle for me of trying to keep passwords in sync between different machines was a massive turn off.
Anyway, after reading Jeff Atwood’s little cautionary tale and his follow up about how his own password got hax0red I decide enough was enough, time to man up and get over my anti-password-manager mentality.
So first things first, I did some poking around the googleweb and found KeePass and decided to give it a try.
Why this one and not others? Well, first – it’s free! :-) But mainly it’s because
it’s portable and because it has a really cool AutoType feature where with a single key combo (ctrl_alt_a) I can get my passwords autotyped into whatever app I happen to be using. So it’s now not only is it remembering my passwords for me, but it’s also saving me keystrokes. Heaven! There’s a slew of other things it does as well which I really like, but you can go check those out for yourself.
Anyways, I used it for a while to see if it worked for me and got to enjoy and appreciate what it did. But it still didn’t solve my problem of wanting to maintain my passwords only once but have them available on any of the machines I have, even when I don’t have an internet connection. This is where the portability factor becomes valuable. You can take the app, copy it to a USB stick and just plug it into whatever computer you happen to be using and it’ll work. However the idea of chewing up a USB slot just for the password manager didn’t appeal to me. It’s too clumsy to keep plugging the thing in all the time and there’s a good chance I’d do something stupid and lose the USB drive.
Enter Live Mesh. To get the “on every machine” thing working I just created a live mesh folder and synchronised the KeePass folder with my mesh. Now whenever I update my passwords all I have to do on the other machines is make sure Mesh had synced and do a quick restart of KeePass to pick up my new changes and I’m all set. Everything just works beautifully
I’ve been doing this now for about 3 months and I’m loving it! I’m gradually replacing all my crappy passwords with stringer ones generated by the tool and feeling a lot more secure about my online identity.
As a note, I probably won’t change my twitter password as I use twitter from web kiosks, my windows mobile phone (though there is an unofficial KeePass port for the mobile) and other places where I don’t have access to my mesh folder.
If you’re in the same situation i was in before, then maybe it’s time you started looking at how you too can get to love a password manager :-)