Risks of Password Management Tools
Banks, hospitals, and other businesses are requiring usernames and
passwords to gain access to their sites. Free e-mail sites,
newspapers and even game sites require usernames and passwords. Often
the requirement to use usernames and passwords is imposed to gain
marketing data, however Federal and State legislatures are tightening
laws (see HIPAA
) and increasing criminal and civil penalties governing
unauthorized access to personal information, making usernames and
passwords mandatory just about everywhere.
The average web user can visit dozens of sites per hour, many of which
are requiring authentication. The number of username/password pairs
the average surfer must remember is increasing dramatically.
Most users see the following as potential solutions:
- Use the same username/password identification (ID) for all sites.
- Use the site name as part of the ID.
- Write your site IDs down on a piece of paper.
- Use a Personal
- Use the built-in "Remember Password" features on your browsers.
- Use a password service, such as Microsoft's
Surprisingly enough, a number of computer security experts advise to
use the old fashioned method -- write your site IDs down on a piece of
paper, and keep it in your wallet. If someone finds the paper,
they're unlikely to know what it's about -- especially if you have
used your own shorthand for web site names, user-IDs, or passwords.
Not the Solution
Although all of the above listed potential solutions have their
drawbacks, some of the biggest names in computer research are advising
to steer clear of Microsoft's Passport
service. Passport is designed to allow Internet users to have a
single sign-on. A user signs up for the service, creates a username
and password, and that ID works all over the Internet. At least
that's Microsoft's hope.
The Federal Trade Commission settled
charges with Microsoft over complaints that Passport did not
deliver on its promises. The Gartner
Group, a computer research firm, is not only recommending
businesses stop accepting Passport connections, but that they notify
any existing customers of the security problems.
For today's technophobes, it's probably the paper and wallet. For the
techies, have a look at Personal
Password Managers. This isn't a problem that's going to get
easier anytime soon.