Channel: Terry Zink: Security Talk

I am finally experimenting with a password manager. Here are the results so far.

I’ve been aware of password managers for years but I never used one – I was skeptical. While I understand their benefits, I always thought they would be too inconvenient to use.

I’m going to assume that you’re aware of what these things are – little pieces of software that keep track of all the passwords you use to login to various websites, and the only way to get at them is to enter in your one master password. So, instead of memorizing a ton of random passwords (which no one does), you only need to remember one. The password manager can even generate passwords for you if you want, and then you just need to reset your password on whatever website you log into with the one that was randomly generated.


I broke down this past week and decided to stop relying upon my brain to do my password management and instead use software. I did this for two reasons:

  1. For security

    I have quasi-uniqueness for many of my passwords, but I do reuse some of them for web sites I don’t care about that much.

  2. Because my $WORK is making me

    At work, I have to login to a bunch of different environments and it’s pretty much impossible to keep track of them. Furthermore, they rolled out a change this past month where you can’t pick your own password to login to these environments (excluding my PC logon), they generate them for you. Either I write them down or I use a password manager. The password manager won.

We had a security presentation a few weeks ago and the one thing I remember is that the recommended piece of software to use internally at the company is called… well, I’m not sure if I am supposed to advertise it so I will refer to it as ComboPass. I hope that doesn’t actually exist, I don’t look things up while I am blog-writing. This is a 3rd party tool and the reason the company recommends it is because it integrates with certain other tools we use like Windows Phone (I can’t recall if this is the real reason but I’m on a roll and can’t be bothered to stop typing).

First impressions

Anyhow, I downloaded the tool, installed it, and… nothing happened. Did it work properly? I started digging through the help guides and figured out that a little icon shows up in my Windows SysTray.

Oh. Right.

I double-clicked the icon and created a new master password to unlock it. Now what? I looked at the screen and I couldn’t figure out what to do. This may seem obvious to all of you but I didn’t know what my next steps were. Weren’t these things supposed to be easy to use? In my mind, I envisioned that every website I used could easily integrate with this stuff.

Eventually, I figured out that I had to right-click and add a new entry. I guess that makes sense, looking at it in retrospect.

Well, first things first. The main reason I have resisted using a password manager is this – won’t I have to sync this across all my devices?

I have a Windows 8 PC, a Windows 7 PC, a Windows Phone, an Android tablet (which I got for free), an iPad 3, and an older iPad which I also got for free. My wife also has a Mac. I don’t use all of these devices at the same rate. But I do use them all once in a while. Was I going to have to install ComboPass on every single one of these?


I decided to start small. To begin with, I decided to save only my work environment passwords on my primary Windows 8 machine, but I made the mistake of saving the password file to the local hard drive. I generated some new passwords and stored them in ComboPass.

Now how do I use them?

Oh, I have to copy/paste them when I want to login. But first I have to unlock ComboPass every time using that new master password I generated for it and I don’t have it memorized yet.

Ugh. What an inconvenience. But at least those crazy work passwords are stored so I don’t have to remember them anymore.

Syncing to another device

Okay, well, since I have two main PCs – Windows 8 and Windows 7, I figured I better get ComboPass set up on Windows 7. I downloaded and installed it and then pointed the password file at SkyDrive Pro (Microsoft’s enterprise cloud storage solution). I copied my Windows 8 password file from the hard drive on that PC onto SkyDrive Pro where my Windows 7 machine could pick it up. So, now they’re sync’ed!

That was not going to end well, as we’ll see later.

Aside: I got my Windows 8 PC back in May and I do most of my work on it, but I retain my old Windows 7 PC for a couple of reasons:

  1. I like the hardware better. The keyboard “clicks” better, and the mouse trackpad is more responsive.

  2. I can’t figure out how to get certain connectivity to the corp network working in Windows 8 the way it works for me in Windows 7. This is clearly user error. But this user’s workaround is to use Windows 7 instead of calling the IT department to fix it.

My website logins

Next up – my website logins. I am not thrilled about the possibility of having to copy/paste my password from ComboPass into Amazon, Mint, Netflix, my banks, etc. every time I want to login to them (I don’t save them in my browser, I retype them each time I login). So, I decided to experiment with a website I don’t care about as much – FutureAdvisor. This is a website that analyzes your stock portfolio and makes recommendations on the best way to balance them. Pretty cool, if I could get it to work. I reset my password for it and stored it in ComboPass.

At this point, I only have a few things stored in ComboPass. But then I realized something – my Windows 7 device pulls the password file from SkyDrive Pro, but my Windows 8 device pulls it from the local hard drive. That shouldn’t be; I copied it from the hard drive to SkyDrive Pro.

That was a mistake.

For you see, I wasn’t keeping things in sync (I know, it’s my fault), I overwrote the password file and I locked myself out of FutureAdvisor along with a couple of other websites.

Ugh!

And I can’t reset my password because FutureAdvisor’s password reset currently doesn’t work. Every time I click the “reset my password” which sends me an email, it tells me the link has expired. It is physically impossible to click it any faster than what I am doing.

I know it’s always possible to lock yourself out of your own accounts even using conventional password management. But this only happened because of me using a password manager and trying to sync it between only two devices.

My impressions so far

So far, my initial reactions are mixed. While I like the ability to not have to remember my passwords:

  1. Remembering the new master password is inconvenient. I had to write it down and physically carry it with me on a piece of paper.

  2. Copy/pasting from the password manager is inconvenient. I liked being able to logon to Amazon by typing in my username and password (I had it memorized and it is unique). It is now an extra step. Or at least it would be if I hooked it up to Amazon. I thought these things were supposed to auto-fill in web logins? Right?

  3. Even though I know that locking myself out of FutureAdvisor was my fault, and it’s their fault the password reset doesn’t work, it feeds my paranoia that using a password manager adds too much complexity. I don’t mind adding accounts that I only access on two devices that sync with SkyDrive Pro. But am I going to have to type in those super-long passwords on each of my Windows Phone, iPad 3, old iPad and Android?

    So for now, I still memorize the passwords on websites that are important which I may log onto on multiple devices (which defeats the purpose of a password manager).

  4. What happens if I ever cannot connect to SkyDrive Pro (e.g., I ever leave the company I work for)? Then I can’t log onto anything! I’d have to go and reset the password on every service and then update it on every device.

    I prize convenience, and this adds a lot of risk.

I am probably whining about a lot of things that have already been solved. I readily admit that I have not climbed the learning curve that exists for changes in anything. While I find the password management useful in some cases, I’m not ready to make the full leap.

