Passwords Security | How To Safely Store Passwords

Every Thursday I answer a reader’s question. If you want to ask a question, you can contact me.

I had a question this week that I didn’t want to answer.  Here is the question:

I’m still very reluctant to turn over passwords to all my private accounts to a software program where everything is together in one package.  Any thoughts on that?  Frankly, it just scares me. 

I should note that in the question the reader did at one point specifically ask about MoneyDance security.  The question came up because of my post on the best personal finance software of 2010.

In fact, when I first replied, I basically just avoided the issue.  Here was my first response:

I’ll be honest (I usually try to be honest :)) I don’t really know much about online security issues. Here is my philosophy. The people who develop these programs know what they are doing and have made it secure, otherwise there is no way it could get past those who do know. I know that is just blind trust.

How’s that for useless advice?

Here’s my disclaimer on this answer.  This is the first time I’ve ever done any research on the question, but I was intrigued by what I found …

Should I Store My Passwords on a Personal Finance Website or Software?

I read a dated (2002) report on some things with Quicken Security.  What I found most interesting was this statement from the abstract:

I’ve found that the password protection used by Quicken is easily reversed with the purchase of a $30 password cracking application.

Granted, I’m sure that the application can no longer crack the newest Quicken, but as Quicken improves, wouldn’t password cracking tools also?

If I were currently using Quicken, that article would be enough to make me grow a brain and find out if my information is secure.

MoneyDance Password Security

Here’s what the folks at MoneyDance said about their security (via customer support email):

Because Moneydance is a standalone program rather than a web based application like mint.com, your online passwords only ever exist on your computer or in a direct encrypted connection to your bank. Your passwords are not stored on a Moneydance server. By default, Moneydance does not even store your passwords locally on your computer and you have to enter them every time you connect to your bank.

Moneydance does have an option to let you store your passwords locally on your computer such that you don’t have to enter them each time you connect to your bank. And we recognize that storing your passwords on your computer is a security risk. Because of this risk, Moneydance will only let you store your passwords in your data file if you encrypt your data file. If you go to  File->Encryption there is an option to “Store online passwords in file.” Once your data file is encrypted, you will be prompted to enter a single password each time you run the program and open your file. This file password is yours and yours alone. It is never sent to Moneydance.

On the one hand, entering your passwords each time is extremely annoying.  On the other hand, entering a PIN at the ATM is annoying, but the extra layer of security is kind of nice. 

Lesson Learned: Research your own software and see what they have to say about the security of the product.  If you are nervous about your password information, then choose not to have it stored on your program.

Mint Password Security

On the Mint forums, the Mint folks make a big deal about the fact that they don’t store your passwords.  Here’s what they say:

Mint does not at any time store or retain your online credentials, whether in the form of Login IDs, account numbers, passwords or pins for this Account Information.

That’s all well and good, but as you continue to read, all they are saying is they don’t store it so they send that information off for someone else to store. 

Here is an article that asks: is Mint safe?

The basic argument is much like my original one. If Mint.com were ever to have a security breach, that would be the end of their company with hundreds of thousands of workers. I’m sure they are working feverishly to protect users’ identities. This will not satisfy conspiracy theorists, but it makes sense to me.

Lesson Learned: You can’t fool all the people all the time.  If it was high risk to store passwords with Mint, someone (who wouldn’t be able to understand their explanation) would blow the whistle.  I’m sure there is a way a password could be stolen, but I prefer not to live in paranoia. 

General Online Password Security

For around five years, I’ve been using a program called RoboForm.  You’ve probably already heard of it as they have 10 million users.

I use RoboForm for two primary reasons. First, they have an automatic form fill that makes filling out webforms simple as pie. Second, they have a secure system for storing online passwords. You already know I don’t know what I’m talking about, but the geeks say RoboForm offers file encryption up to AES 256 bit – whatever that means. I’ve taken the Mint.com approach here. If the product (designed to store passwords) does not store passwords safely, then they are on the verge of bankruptcy.

Anyways, I used to have the exact same password for every financial account.  Who can remember more?  Now with RoboForm, it generates and saves unique passwords for me.

You can get a free 30-day trial download, and then you can purchase the product for about $30. Check out RoboForm here.

Lesson Learned: Having one password for everything is a bad idea.  If that is what you are doing, all one person needs to learn is one of your passwords and you are going to be in a big mess.  Change your passwords.

This post does contain affiliate links.  Read more about my ad policy.

Anyone understand computer security geek issues?  How do you determine if your passwords are safe?  Do you ever do research or just blindly trust that things are secure?

Comments

  1. Art Ford says

    Security is a major issue. Several sites talk about generating strong passwords. http://www.microsoft.com/protect/fraud/passwords/create.aspx. Another is http://vimeo.com/3546084

    Another issue is that you need a good firewall and a program that will stop malware like keylogger software that you might download inadvertently.

    That is not a good area in which to skimp, and may be even more important than the password, since it’s your first line of defense.

  2. says

    Great article! I’m really impressed by the research that went into it. As a self proclaimed geek, I know what I should be doing to keep everything safe but your article serves as a great reminder.

    We live in an age where ANYTHING online can be stolen. We can make everything as secure as we can, but someone who wants it bad enough and is smart enough can get at it. All we can do is protect ourselves the best we can, and keep records of everything in case identity theft happens.

    • says

      @Jamie
      I agree that we all need to find a balance. Too much worry is not a good thing nor is too much ignorance. Thanks for your comment.

  3. Arthur @ FinancialBondage.org says

    forgot to mention… general rule.. password tips…

    if your password is so easy you can remember it, there is a good chance someone can guess it. Good passwords would include:

    - 7 characters at least. More are even better.
    - UPPER and lower case
    - Letters and numbers
    - And a few special characters like: !@#$%^&

  4. says

    In regards to passwords security, to play it safest I don’t store any passwords using software, nor do I store them on a computer. I use what I’ll refer to as an archaic method, but it’s what I feel the safest using. In addition to that, the passwords for any financially related websites are stored in yet a different place altogether. Paranoid? Perhaps, but I would rather not have to question the potential security of storing them within software or in a computer that accesses the internet.

  5. says

    I didn’t see any mention of KeyPass password safe :)

    This is a program that I use to store my own passwords on my desktop; the program creates encrypted standalone database. To open that database, I have one “super password” which is about 30 or 40 characters long, but I only have to remember that one instead of 100+ passwords, and now I can set different passwords for each site.

    The problem, of course, is that I have to go to the program now cause each of my passwords is a funny encrypted string instead of something I can actually remember, and if the database ever got wiped out, well that would be a headache…

  6. says

    KeePass appears to have the same features as RoboForm, except it is free as in free beer (and yeah, it’s actually KeePass not KeyPass). RoboForm’s website also seems kind of spammy to me.

    I definitely would recommend KeePass since it is open source software (so more eyes looking at the robustness and security of the code) and because the website is not spammy and trying to sell you something :)

    I’ve been using KeePass for a while and I’m pretty happy with it. You can organize passwords into folders and auto-generate passwords, and you can even store entire documents in its encrypted database. It also supports an “auto-type” feature for automatically filling out forms, but I’ve personally never used it myself.

    Maybe one area where RoboForm has an advantage is “Fight Phishing and Defeat Keyloggers.”, but then again, you should really be using an anti-malware and anti-virus tool for that anyways. :)

    • says

      @Kevin
      Thanks. Sounds like a good product. I’ve had RoboForm for a few years and I’m completely satisfied with it. Someone just looking into a product could look into KeePass. Thanks for the info.

  7. says

    Got to agree that RoboForm is a great product, as is KeePass. In the end the important thing is that you are protecting your passwords. So try both and see which one you find the simplest to use.

    If you like the way one particular product works you are more likely to actually use it, so your passwords will be more secure.

    Great article by the way.

  8. says

    Good Post, I have been using Roboform for the past year, you start off with a free version and then upgrade to the full version after a trial period. I needed to store login details as I used to fill in surveys and it’s impossible to remember all and wastes time too.

  9. says

    Woah! I’m really digging the template/theme of this site.

    It’s simple, yet effective. A lot of times it’s challenging to get that “perfect balance” between superb usability and
    appearance. I must say you have done a very good job with this.
    Also, the blog loads very quick for me on Chrome.
    Excellent Blog!
