Review: Password management eases with Net storage

Worse, we use the same ones for lots of Web sites. So if one site gets compromised, or an employee there is dishonest, someone could start trying out that password on other sites where you have accounts, like Amazon or PayPal, and you've got trouble.

Browsers help out a bit by offering to remember your passwords, but that does little good if you are on a different computer or want to try a different browser.

The rescue comes from password-management programs. A couple of them have recently taken a big step forward in ease of use, by storing your login information online so that you can access them from multiple computers. Online storage does raise some questions about security, but it also makes these little-known programs worth another look.

I've used one called Roboform for more than four years. Like a browser, it stores passwords on your computer, encrypting them so that they're revealed only when you type in a master password. It fills out the login forms on a Web page automatically. It also stores your address, credit card number and other personal data, so you don't have to type them in when you shop online. Because it's independent of the browser, you can access the same passwords as you switch between Firefox and Internet Explorer.

With Roboform, I have been able to take those passwords to another computer, but it's been a bit of a hassle. If I signed up for a new Web site on one computer, I had to manually copy the Roboform file that contained the username and password to the other two computers I use regularly.

A free update to Roboform, released last week, takes care of this problem by storing the passwords not only on the computer, but also in an online locker provided by the publisher, Siber Systems Inc. Every time you create a new password, Roboform stores it, in encrypted form, in your online locker. When you log in to another computer, the password is automatically copied over from the locker.

The system is still cumbersome. You have to install an extra piece of software called GoodSync on each computer you need to synchronize. If too many passwords have changed since the last synchronization, GoodSync pops up and asks you to manually approve the changes. The choices are difficult to understand.

In providing an online storage option, Roboform is catching up to a new password management program, LastPass, that's designed from the ground up to store passwords online. Trying that, I found it slightly easier to use - at least, it didn't confront me with cryptic dialog boxes. It also has the virtue of being free, while Roboform costs $30.

Both programs work in Internet Explorer and Firefox on Windows-based computers, but if you go beyond that, LastPass has the edge in compatibility.

Roboform doesn't work on Macs at all, though Siber says it is working on a plug-in for the Safari browser on the Mac. You can access your Roboform Online locker as a Web site on a Mac with any browser, but it won't help you create new passwords or fill existing ones into Web pages. This is at best a stopgap measure for occasional Mac use.

LastPass works with Firefox on the Mac, and the company says it is working on a Safari plug-in. LastPass also has a more effective stopgap measure for other browsers, both on Windows and Macs, in the shape of "bookmarklets" that will fill in passwords even if there's no compatible plug-in.

This may sound good, but one thing worries me about LastPass. By default, it stores your passwords only online. While I'm reasonably comfortable that they're safe from theft there, what if LastPass' Web site goes down because of a hacker attack, or worse, because the company goes out of business? Then you've lost the keys to your online life.

LastPass does provide a free application that can store your passwords on your computer's hard drive or a portable thumb drive. I strongly recommend using that application, LastPass Pocket, to make regular backups.

Neither Roboform nor LastPass is a complete answer to online security, of course. You could still be duped into entering a password on a fake "phishing" site set up to look like your bank's. And if someone gets hold of your master password, that person can get all your passwords in one swoop from your online locker. In that sense, online storage of the passwords is riskier than having them on your computer.

But even if there are risks to using these programs, they're better than using the same password for all sites. It's probably also safer than writing down all your passwords on paper and carrying them around with you.

If we accept online password storage as safe and reliable, then these password managers are probably just a stepping stone to a more comprehensive, Internet-wide identity management system. The long-frustrated idea there is that one "ID card" that you store online would be legible by all Web sites, and your password tells a site that that ID card belongs to you.

Microsoft Corp. has tried to get sites on board with this model for more than a decade and has accumulated criticism for security flaws along the way. Now, however, there's some momentum behind a system called OpenID that just might make programs like LastPass and Roboform unnecessary. Most of the big Web companies, including Microsoft and Google Inc., support OpenID.

I wouldn't hold my breath, though. In the meantime, Roboform Online and LastPass both do a good job.

If you're a new user, you may be drawn by LastPass' zero price tag, but be aware that you need to back up your data. I'm considering switching from Roboform because it's lagging in how many browsers it supports. It works well enough, though, that it's probably not worth the move.

---

On the Net:

http://www.roboform.com

http://www.lastpass.com

---

Peter Svensson can be reached at psvensson(at)ap.orgGot a technology question? Send an e-mail to gadgetgurus(at)ap.org.
©2009 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.