I have been looking for a system to manage passwords for a long time now and I have tried a number of methods and products, but they have all fallen short one way or another. The biggest challenges I have with passwords are:
- How do I safely manage them across all of my computers?
- How do I safely share some of them with my wife?
- Can this be simple to use?
Most solutions on the market today fall short by not meeting the first two requirements. They assume the user only needs to manage passwords on one computer. A few solutions meet the first two requirements but are still too complicated and, at a minimum, require cutting and pasting text between windows (if you have a product that requires cutting and pasting, well then go back to the drawing board).
To make a long story short, I am now using a solution that is working quite well. It is based on RoboForm (which, by itself, is very good at managing passwords) and Windows Live FolderShare (a free file synchronization service). Here is how it works:
- RoboForm detects when a password is entered through a web browser. Its browser integration is very good at detecting web forms asking for login information and even works with Basic Auth (this is when the browser prompts you for a username and password rather than being a form on a web page). However, login forms on some sites that make heavy use of JavaScript are not detected by RoboForm.
- After I submit the login information, RoboForm intercepts it, encrypts it, and stores it in a "Passcard" file. This is a critical point. RoboForm does not store login information in a database record. A separate file is used for each Passcard.
- I synchronize Passcards between computers with FolderShare. It does this by synchronizing the folders storing Passcard files. Add, modify, or delete a Passcard on one computer, and that change gets reflected on all the other computers. If RoboForm used a database, this type of simple synchronization would not be possible.
- Later, when I return to the site (on any of the synchronized computers), RoboForm detects this as a place it can enter login information and lights up a button on its browser toolbar. Clicking this button tells RoboForm to fill in the login information.
- A password is used as part of the encrypting and decrypting processes for the stored Passcard. RoboForm uses a single "Master Password" for all Passcards. However, you can set up different profiles, each managing a different set of Passcards and using a different master password. These profiles are stored in separate folders.
- Anytime you access a Passcard (like when creating a new Passcard or entering login information on a form), RoboForm will need the Master Password. However, RoboForm can cache the Master Password for a short period of time. I encrypt Passcards with AES encryption, but RC6 and Blowfish are also options. Of course, it's a good practice to use a long passphrase to make it more difficult to decrypt should the Passcard fall into the wrong hands.
Because RoboForm uses the filesystem to store login information, it is much easier to move this information around. For example, each Passcard is a file and each RoboForm profile is a folder. Also, by encrypting login information with a high-strength algorithm, there is less concern about completely securing access to the Passcard. Although I wouldn't make them available in a public location, it could take years for someone to brute-force decrypt a Passcard encrypted with a long passphrase.
FolderShare does a good job synchronizing files and folders between computers. Combined with RoboForm's browser integration, this setup works quite well.
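The point about one file per Passcard versus a single database can be seen in a small model. This is an added example, not RoboForm or FolderShare code: it assumes a simplified "newest timestamp wins" sync rule, and the file names, timestamps and ciphertext bytes are constructed.

```python
"""Model of file-level sync: one encrypted file per entry vs. one database file.

A replica maps file name -> (timestamp, content). Content None is a tombstone
that records a deletion. The sync rule (newest timestamp wins per file name)
is an assumption for illustration, not FolderShare's documented algorithm.
The sync step only copies opaque bytes; it never needs the master password.
"""


def sync(a, b):
    """Merge two replicas file by file, keeping the newer version of each name."""
    merged = {}
    for name in a.keys() | b.keys():
        versions = [replica[name] for replica in (a, b) if name in replica]
        merged[name] = max(versions, key=lambda entry: entry[0])
    return merged


def live_files(replica):
    """Names that still exist after sync (tombstones filtered out)."""
    return sorted(n for n, (_, data) in replica.items() if data is not None)


def demo_per_file():
    """Each login is its own encrypted file; both machines edit while offline."""
    base = {"bank.passcard": (1, b"enc-bank-v1"),
            "mail.passcard": (1, b"enc-mail-v1"),
            "old.passcard": (1, b"enc-old-v1")}
    laptop, desktop = dict(base), dict(base)
    laptop["bank.passcard"] = (2, b"enc-bank-v2")    # modified on laptop
    laptop["shop.passcard"] = (3, b"enc-shop-v1")    # added on laptop
    desktop["old.passcard"] = (4, None)              # deleted on desktop
    desktop["mail.passcard"] = (5, b"enc-mail-v2")   # modified on desktop
    return sync(laptop, desktop)


def demo_single_database():
    """Same edits, but every login lives inside one file the sync tool cannot split."""
    laptop_db = {"bank": "v2", "mail": "v1", "old": "v1", "shop": "v1"}
    desktop_db = {"bank": "v1", "mail": "v2"}
    laptop = {"passwords.db": (3, laptop_db)}
    desktop = {"passwords.db": (5, desktop_db)}
    return sync(laptop, desktop)["passwords.db"][1]


if __name__ == "__main__":
    print("per-file result:", live_files(demo_per_file()))
    print("single-db result:", demo_single_database())
```

With one file per entry, all four edits survive the merge. With a single database file, the newer copy replaces the older one whole, so the laptop's changed bank password and new shop entry are lost.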
Have you heard of LastPass?
The RoboForm Report!