Every Thursday I answer a reader’s question. If you want to ask a question, you can contact me.
I had a question this week that I didn’t want to answer. Here is the question:
I’m still very reluctant to turn over passwords to all my private accounts to a software program where everything is together in one package. Any thoughts on that? Frankly, it just scares me.
In fact, when I first replied, I basically just avoided the issue. Here was my first response:
I’ll be honest (I usually try to be honest :)) I don’t really know much about online security issues. Here is my philosophy. The people who develop these programs know what they are doing and have made it secure, otherwise there is no way it could get past those who do know. I know that is just blind trust.
How’s that for useless advice?
Here’s my disclaimer on this answer. This is the first time I’ve ever done any research on the question, but I was intrigued by what I found …
Should I Store My Passwords on a Personal Finance Website or Software?
I read a dated (2002) report on some things with Quicken Security. What I found most interesting was this statement from the abstract:
I’ve found that the password protection used by Quicken is easily reversed with the purchase of a $30 password cracking application.
Granted, I’m sure that the application can no longer crack the newest Quicken, but as Quicken improves, wouldn’t password cracking tools also?
If I were currently using Quicken, that article would be enough to make me grow a brain and find out if my information is secure.
MoneyDance Password Security
Here’s what the folks at MoneyDance said about their security (via customer support email):
Because Moneydance is a standalone program rather than a web based application like mint.com, your online passwords only ever exist on your computer or in a direct encrypted connection to your bank. Your passwords are not stored on a Moneydance server. By default, Moneydance does not even store your passwords locally on your computer and you have to enter them every time you connect to your bank.
Moneydance does have an option to let you store your passwords locally on your computer such that you don’t have to enter them each time you connect to your bank. And we recognize that storing your passwords on your computer is a security risk. Because of this risk, Moneydance will only let you store your passwords in your data file if you encrypt your data file. If you go to File->Encryption there is an option to “Store online passwords in file.” Once your data file is encrypted, you will be prompted to enter a single password each time you run the program and open your file. This file password is yours and yours alone. It is never sent to Moneydance.
On the one hand, entering your passwords each time is extremely annoying. On the other hand, entering a PIN at the ATM is annoying, but the extra layer of security is kind of nice.
Lesson Learned: Research your own software and see what they have to say about the security of the product. If you are nervous about your password information, then choose not to have it stored on your program.
Mint Password Security
On the Mint forums, the Mint folks make a big deal about the fact that they don’t store your passwords. Here’s what they say:
Mint does not at any time store or retain your online credentials, whether in the form of Login IDs, account numbers, passwords or pins for this Account Information.
That’s all well and good, but as you continue to read, all they are saying is that they don’t store it themselves, so they send that information off for someone else to store.
Here is an article that asks, “Is Mint safe?”
The basic argument is much like my original one. If Mint.com were ever to have a security breach, that would be the end of their company with hundreds of thousands of workers. I’m sure they are working feverishly to protect users’ identities. This will not satisfy conspiracy theorists, but it makes sense to me.
Lesson Learned: You can’t fool all the people all the time. If it was high risk to store passwords with Mint, someone (who wouldn’t be able to understand their explanation) would blow the whistle. I’m sure there is a way a password could be stolen, but I prefer not to live in paranoia.
General Online Password Security
For around five years, I’ve been using a program called RoboForm. You’ve probably already heard of it as they have 10 million users.
I use RoboForm for two primary reasons. First, they have an automatic form fill that makes filling out webforms simple as pie. Second, they have a secure system for storing online passwords. You already know I don’t know what I’m talking about, but the geeks say RoboForm offers file encryption up to AES 256 bit – whatever that means. I’ve taken the Mint.com approach here. If the product (designed to store passwords) does not store passwords safely, then they are on the verge of bankruptcy.
Anyways, I used to have the exact same password for every financial account. Who can remember more? Now with RoboForm, it generates and saves unique passwords for me.
You can get a free 30 day trial download, and then you can purchase the product for about $30. Check out RoboForm here.
Lesson Learned: Having one password for everything is a bad idea. If that is what you are doing, all one person needs to learn is one of your passwords and you are going to be in a big mess. Change your passwords.
This post does contain affiliate links. Read more about my ad policy.
Anyone understand computer security geek issues? How do you determine if your passwords are safe? Do you ever do research or just blindly trust that things are secure?