16Jun2014

A password manager is a must-have for both security and life

The number of web sites and services we use in our daily duties grows from year to year. Each service requires standard user authentication. For all of us, application security generally started with a login/password pair. It's not easy to remember even a dozen strong passwords, particularly if some service is used only once a month. Keep in mind that we have to use different passwords: using the same password for many web sites is the worst thing a user can do in terms of application security.

OpenID vs. login/password scheme

Modern web sites use third-party authentication based on OpenID technology [https://en.wikipedia.org/wiki/OpenID]. It's a bit harder to implement but makes the user's life much easier. The user needs to authenticate on a single web site (the OpenID provider), usually a well-known public service or social network. That authentication then authorizes the user on all other supported sites transparently. The advantage is obvious: the user avoids both remembering the password and entering it. On the other hand, the site gets personal data from the social network. That is helpful for the developers of the site, who learn more about their users, but it is not so good for the users' privacy. It's OK to share personal information or a friends list with a well-known social network, but it may be quite another story with a small third-party service managed by a no-name startup. Think twice the next time you approve privileges for a new application or site. As a software developer, you should give visitors to your site a choice of how to register and authenticate, and support both easy OpenID authentication via a social network and the good old scheme of registering and then logging in with a password.

Password manager

There is another way to keep application security in the browser under control, even when web sites don't support OpenID authentication. It's OK just to save the password right in the browser. Most modern web browsers support this feature and even offer to do so via a popup box when the user first enters his data. The passwords then live within that browser on that particular machine. This is not good for portability: the same password has to be entered again for each new system and browser. If the machine breaks down, the user loses all his passwords.

We recommend using a centralized password manager service, for example LastPass or 1Password. As you understand, the name means that the user has to remember only one (last) password. All other passwords in his/her life are kept under control by the password manager in a secure manner and are available from any browser or device associated with the user's account. E.g., to use it in the browser, the user needs to install a standard plugin or module and connect it to the password manager account.

Password manager features

LastPass is available for all major operating systems, web browsers and mobile platforms. The best feature of the service is the ability to log in automatically on specified web sites. On the one hand, this lets the user almost completely avoid the tedium of password authentication, and on the other hand application security is fully provided. LastPass can also be useful for generating strong passwords on the registration forms of new web sites the user signs up for. It's possible to keep several accounts (login/password pairs) for the same site, so the user can choose one of his/her logins on the authentication form and the appropriate password is used automatically.
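
The reuse problem from the introduction and the password generation described above can be shown together. The following is an added example, not code from LastPass or any other product: the site,login,password export layout, the sample entries and all function names are assumptions made for illustration.

```python
import csv
import io
import secrets
import string
from collections import defaultdict

# Constructed sample export. The site,login,password layout is an assumption,
# not the real export format of LastPass or any other product.
SAMPLE_EXPORT = """site,login,password
shop.example,alice,Summer2014!
forum.example,alice,Summer2014!
mail.example,alice,x9$Lq2#vTz8&Rk1p
mail.example,alice.work,Gd7!mWc4@Zn6%Yh3
"""

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"


def generate_password(length=20):
    """Draw from the OS CSPRNG until every character class is present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        classes = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
        if all(any(check(c) for c in pw) for check in classes):
            return pw


def find_reuse(export_text):
    """Return groups of (site, login) entries sharing one password across sites."""
    entries_by_pw = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        entries_by_pw[row["password"]].add((row["site"], row["login"]))
    # Several accounts on one site are legitimate; reuse means more than one site.
    return sorted(sorted(entries) for entries in entries_by_pw.values()
                  if len({site for site, _ in entries}) > 1)


def rotation_plan(export_text):
    """Give every entry involved in reuse its own freshly generated password."""
    return {entry: generate_password()
            for group in find_reuse(export_text) for entry in group}


if __name__ == "__main__":
    for (site, login), new_pw in sorted(rotation_plan(SAMPLE_EXPORT).items()):
        print(f"{site} ({login}): reused password, replace with {new_pw}")
```

The two mail.example accounts are not flagged, because each has its own password; only the password shared between shop.example and forum.example is reported.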

Alternatives

There are several alternative platforms, of course:
1Password is very similar to LastPass and has almost the same set of features.
KeePass is a free, lightweight, open-source password manager implemented as an application for Windows.
Roboform can also be used as a password manager, but the main purpose of this service is automatic filling of web forms.
