Thursday, July 24, 2008

Roboform -- Very Cool Tool



Here's a cool tool that I can't live without. It's called Roboform, and it's a "must have" tool if you maintain many subscriptions on the web. Every time you subscribe to a new website or service on the internet, you're usually asked to provide a user name and password. Most people use the same usernames and passwords on the many different websites that they visit, which is just asking for trouble. If they only knew how vulnerable those passwords really were. Trust me on this, I know.

I used to maintain a PHP-based message board. It was subscription-based, meaning users had to provide a username and password to log in. The passwords were supposedly stored in a secure SQL database, but it wasn't terribly difficult to hack open. In fact, I did it quite by accident. One of my users had complained that they had forgotten their password, the "Forget your password?" links weren't working for them, and they really didn't want to create a 2nd account -- was there any way I could look up their old password?

It took about 25 minutes to figure out where the passwords were stored, how they were encrypted, and what his current password was. He was very thankful, while I suddenly realized that I now had everyone's password -- over 500 members of my community message board. And you could just tell that these were accounts and passwords that were reused on their other subscriptions, like online banks (there were a ton of 4-digit, all-numeric passwords), social networking websites (Facebook, Myspace, etc), other community message boards, etc.
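The anecdote above turns on passwords that could be read back out of the database. As an added example (not the message board's code, and not the fix the author submitted), this Python code stores a salted one-way PBKDF2 hash instead and handles a forgotten password with a one-time reset token rather than a lookup; the iteration count, minimum length and function names are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware
MIN_LENGTH = 12        # assumed site policy, not a value from the post


def check_policy(password):
    """Refuse passwords with a tiny search space, such as 4-digit PINs."""
    if len(password) < MIN_LENGTH:
        raise ValueError("password is too short")
    if password.isdigit():
        raise ValueError("password is all digits")


def hash_password(password):
    """Return the string to store in the users table instead of the password."""
    check_policy(password)
    salt = secrets.token_bytes(16)  # fresh salt per user: equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash at login; the stored value is never decrypted."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison


def issue_reset_token():
    """Forgotten password: mail a one-time token, keep only its hash server-side."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode()).hexdigest()


if __name__ == "__main__":
    record = hash_password("constructed-sample-passphrase")  # constructed sample input
    print(record)
    print(verify_password("constructed-sample-passphrase", record))
```

With this layout an administrator helping a locked-out user can only trigger a reset; the stored record cannot be turned back into the password.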

Of course, I'm far too scrupulous to have done anything with that account / password info. In fact, I ended up submitting a bug report to the platform developer, telling them how I had cracked their password database, and suggesting a fix. But it really opened my eyes to how vulnerable all these passwords are that we willfully enter into websites. It made me think of all the online subscriptions I maintain:
  1. Gmail.com
  2. Ebay.com
  3. Amazon.com
  4. Myspace.com
  5. Facebook.com
  6. Salesforce.com (for work)
  7. Salesforce.com (for my NH User Group)
  8. Salesforce.com (Developer Account #1)
  9. Salesforce.com (Developer Account #2)
  10. Salesforce.com (Developer Account #3)
  11. PayPal account
  12. Corporate browser based email login
  13. Corporate web-based documentation control system
  14. Corporate web-based software bug tracking system
  15. Gaming Accounts (EQ, WoW, SWG, LotR, Tabula Rasa)
  16. Wikipedia accounts (dozens of 'em)
  17. Web-based community message boards (dozens of them), most PHP, just like the one I easily hacked open once upon a when
  18. Online News sites I frequent (dozens of 'em)
  19. This blogger account

The list goes on and on and on, and it grows every single day. I spend a lot of time on the web, frequent a lot of new sites, and many are subscription based. They're free, but they still prompt you for a username and password.


Security pros tell you that it's just good practice to have a unique / different password for every system that you access, but who can remember hundreds of unique passwords?


Roboform.


Download the application (www.roboform.com) and install it. Roboform installs a new toolbar on your browser. As you visit websites, and are prompted for username and password, Roboform interrupts and asks if this should be a site that Roboform must remember. If you click yes, it records the website information, the user name entered, and the password entered. From that point on, you can visit the website and automatically log in to it ... at the click of a mouse!


You can even create multiple aliases. That's very handy for the schizophrenic (or perhaps for couples / family members who share the same computer, but maintain their own accounts to different websites).


The "free" version of the application will remember up to 10 sites/accounts/passwords and two different aliases, but you can upgrade to the full "Roboform Pro" version for $29.95 and get unlimited in both categories.

Roboform can also auto-generate highly secure passwords (random alpha-numeric strings) so you can be assured that every password you enter on every site is unique, difficult to crack, and not similar to any of your other passwords.


There are a ton of other features (form filler) and security reasons (phishing security, keylogger prevention) to use this tool. Best of all, there is no spyware, no adware. Ultimately, I just like it for its ease of use and simplicity. I bought both Roboform Pro and Roboform2Go.


Roboform2Go runs on your USB device, which is very handy for me, since I log in to a lot of different computers at different locations. No matter where I am, no matter what system I'm using, I can securely log on to my favorite websites -- without having to recall their long, goofy URLs, or what my unique user account and password is to that specific site.


Roboform -- it's the Force Monkey's Top Pick of cool tools.

1 comment:

  1. +1 on Robo Form. But I've recently switched to a Mac so I must also give a shout out to 1Passwd.
