Securely see stored passwords on your iPhone.
(Credit: Siber Systems)
We have long regarded the RoboForm browser toolbar for Windows as an uberconvenient freemium tool for storing and securing scores of passwords. In contrast, the new iPhone app, RoboForm for iPhone, is decidedly less accommodating.
The problem isn't so much that you have to have a free online account to use RoboForm for iPhone, or even that to have the online account you must first fill up the desktop version--either the free or premium software--with credentials. Part of the trouble is more that restrictions in Apple's SDK inhibit RoboForm's usefulness. Other flaws stem from the application itself.
It's helpful to understand how RoboForm works on your PC. RoboForm installs as a system tray icon and as a browser toolbar. It works with Internet Explorer, Firefox, and Chrome. When you enter your log-in credentials, RoboForm offers to save them, storing a file protected by 256-bit AES encryption on your computer. Selecting that credential later on from RoboForm's list fills in the log-in. In addition, you can keep credit card information and other sensitive data secured away in RoboForm, filling in online forms with a click when you go to buy an item online, for example. RoboForm secures passwords, includes a password generator, and uses one master password to manage the rest of your passwords.
The iPhone version of RoboForm is a cross between a data store and a unidirectional syncing app. It can give you access to the passwords you store via RoboForm for the desktop, which makes the iPhone version inconvenient for new users. First-timers would have to first set up an account, install RoboForm, input their passwords, automatically install the company's GoodSync syncing plug-in, and sync the secret data to an online account for which they would also have to register. In contrast, existing users only have to sign up for an online account, if they don't have one already, and sync data.
Once on RoboForm for iPhone, you sync to the online RoboForm account to transfer over your passwords and other credentials. Sounds reasonable so far, but here's the catch. Since Apple doesn't allow multiple third-party applications to run simultaneously, you can only fill in passwords from within RoboForm for iPhone--by clicking the Login button--and only then once you've entered your master password.
RoboForm on the desktop automatically installs a syncing plug-in.
(Credit: Screenshot by Jessica Dolcourt/CNET)
A rival app, 1Password for iPhone, encountered similar hurdles when it debuted in July 2008 (review). Both 1Password and RoboForm for iPhone solve the tangle to some extent by including an in-app browser. The key to successfully using either app is to retrain yourself to open the password app to browse, instead of the Safari browser.
Assuming you believe that the benefits of RoboForm for iPhone outweigh the drawbacks of surfing the Web through a password app, there are two other solutions that might make RoboForm on iPhone less handy in some users' eyes. The iPhone's Safari browser features autofill in the iPhone 3.0 operating system update. If you opt out of that, you can take advantage of certain Web sites, like Google's Web apps, that offer to remember log-in credentials for you. RoboForm VP of Marketing, Bill Carey, counters that the software, in production for a decade, is more accurate in determining when to fill in credentials, and in some cases is more secure than browsers' password managers.
In addition to the awkward workaround for using RoboForm's smarts are other downsides. First, there are the known limitations. You cannot currently update or edit log-in information from within RoboForm on iPhone, making data currently one-directional--it flows into the iPhone, not out of it. RoboForm for iPhone won't work if your master password is four characters long. Your free account at RoboForm.com can't contain special characters, like the + or - symbol. RoboForm's publisher says that the company is working on fixes.
RoboForm downloads passwords to the iPhone from your online account.
(Credit: Screenshot by Jessica Dolcourt/CNET)
We also encountered weak spots in testing RoboForm for iPhone. RoboForm for iPhone's practice of placing the Login button on the same screen as the exposed password pricks our nerves. Sure, you've already logged in with a master password at this point, so theft is not an issue, but potentially flashing that information in public is. In addition, we received a "page invalid" error message when attempting to log in to Gmail. The same action worked flawlessly on RoboForm for Windows.
RoboForm's Carey informed us this is a known issue in which long URLs like Gmail and Wachovia Bank break on mobile phone browsers. The fix is fast, but since you can't edit on the iPhone yet, you'll need to be in front of a computer. In RoboForm on the PC, click Tools, then Edit Passcards. Change Gmail's log-in URL to http://www.gmail.com, then sync online and sync the iPhone app.
Kludgy workarounds like this make the app workable while development continues, but the weak spots are many, and the alternative options to using RoboForm on the iPhone are at this stage more robust. Existing users will get the most from RoboForm for iPhone. New users may want to weigh other options for the time being.
One of the best ways to protect your online security is to have strong passwords that you change periodically. But that's easier said than done. Coming up with hard-to-guess passwords is hard enough, but it's even harder to have separate passwords for different sites and to remember new ones after you change them.
One way to create a password that's hard to guess but easy to remember is to make up a phrase. You could type in the entire phrase (some sites let you use spaces, others don't) or you can use the initials of each word in the phrase, for instance, "IgfLESi85" for "I graduated from Lincoln Elementary School in '85." An even better one would be "MbfihswE&S" for "My best friends in high school were Eric and Steve." You get the idea--uppercase and lowercase letters, numbers, and symbols that are seemingly meaningless to everyone but you. Microsoft has an excellent primer on passwords and a password strength checker.
But even if you do come up with a clever and hard-to-guess password, don't use it for every site. Since lots of people do that, there's the risk that a sleazy site operator--or a sleazy person who works for a legitimate site--could use it to break into your accounts on other sites.
Password managers
One solution is to use a password manager. There are several available programs and Web storage services, but the ones I'm most familiar with are RoboForm and Lastpass. These programs can generate passwords for you and remember them so you don't have to. Both programs are, themselves, password protected, though you have the option of running RoboForm without a password or having Lastpass remember its own password on your PC. That's OK as long as no one else has access to your machine. I recommend that you manually enter your master password on a laptop that could more easily fall into the wrong hands.
RoboForm has a free trial version that's limited to 10 passwords after the trial ends. Lastpass is free.
RoboForm has been around for a long time, but Lastpass is a relatively new offering. Company CEO Joe Siegrist describes the program as a hybrid because it stores your passwords and usernames both on your machine and on the Web. You can download the browser plug-in to a PC or a Mac to work directly with Firefox on either platform or Internet Explorer on Windows, but there are also ways to use it with Safari and Chrome. Because it has a Web interface, it can work with any Web-enabled device, but the plug-ins for IE and Firefox make it easier to use.
On Firefox and IE, Lastpass records your usernames and passwords when you first enter password-protected sites and then enters them for you automatically for subsequent visits. Passwords are stored in a "vault," which is actually a Web page stored on your PC, as well as the company's servers, so you can access it from any device, including a borrowed machine. The password vault on your machine is automatically synchronized with the server, so you don't have to worry about synchronizing or backing up your data.
Password data, according to Siegrist, is encrypted on the PC and on the servers. He said that no one--himself included--can decrypt them without the master password that only you know. Assuming the encryption is as good as he says it is, this should protect your security even if their servers are compromised. The company provides a lot of security information on its FAQ.
There are also versions for Blackberry, iPhone, Windows Mobile, and Android as well as a Web site for phones and browsers that aren't supported directly.
For a lot more on password management, see CNET News reporter Elinor Mills' post, "Facing the pain of passwords."
1Password lets you add and manage all sorts of Web log-ins in one place.
(Credit: CNET Networks)
iPhone and iPod Touch users have a fantastic new solution for keeping track of log-in credentials from site to site. It's called 1Password, and like the name suggests, you only need to remember one password to access and use your log-ins across hundreds and thousands of sites.
Like RoboForm (download) and other desktop password solutions, 1Password lets you save these log-ins under the protection of a single master password. Unfortunately, due to the limitations of Apple's SDK, you can't run 1Password while you're randomly browsing in Safari, meaning you won't be able to enjoy the ease of autofill. 1Password's workaround is to have you plug in your log-in information and the URL of where that log-in screen is located. From the application, you can simply click on the site you want to go to and it will plug all of that information into the correct fields when it opens in an in-app browser.
The application is already off to a great start, but there are some quirks that need fixing (and will be getting fixes soon). The most glaring omission is the lack of an on-screen keyboard, meaning if there's something like a captcha or another form to fill in later on, you're out of luck. You're also unable to delete saved log-ins, so any log-in you no longer need must be repurposed instead.
Otherwise, there's a lot of power for advanced users. Once you're browsing any site, if you have to log in again for something, you can simply hit the "lock" key, which will plug in your username and password yet again. The same can be done for forms if you're willing to make a preset for that--something just fantastic when you need to enter billing information without killing your thumbs.
Mac users who want to carry over passwords from their browser can also take advantage of cross-platform sync, which will port over log-ins from their desktop to their phone and vice versa with the $35 desktop version.
[via Macrumors]
PassPack is a password-saving service I first checked out back in January of last year. This past week it released a really cool and smart password-saving tool that exists separately from your browser and lets you manage your passwords while offline. It also syncs up with PassPack's cloud storage to let you access your shared passwords, then sync them to multiple, authorized computers.
The application's claim to fame is that you can access your passwords while offline and without the use of your browser. If you don't feel like installing a new, standalone app, you can get similar functionality by trying out the offline version of PassPack that takes advantage of Google Gears to let you do this while away from an Internet connection.
Since Adobe's AIR is cross-platform (download for Mac or Windows), PassPack's developers have chosen to spend more time developing it than the browser-based Gears iteration. Plus, if you're a user of multiple browsers, including some that fall outside the Gears love (like Opera (download for Windows or Mac)), the desktop application will work without issues.
One current weak point with the AIR app (that's due to be remedied soon) is that any locally created passwords will not sync back up with your central PassPack account, so if you're intending to add any new ones you should do that in the Web version instead. The tool also requires the use of an incredibly strong packing password that will roll up all your other passwords. Like I said when I first checked out the service, you're best to write it down somewhere as without it there's no way to recover notes and passwords stored in your account.
I'm a sucker for password tools. Since signing on with Webware late last year, I've since amassed a collection of site log-ins the size of a pulp romance novel, and despite my youthful brain, remembering all of them is clearly impossible. A solution I've been using for some months is Roboform, which is a small piece of software that will let you keep your user names and passwords safely tucked away, combined with a browser plug-in that will automatically log you in to each site. This morning I've been playing around with a new feature from PassPack (review), which does the same thing sans software.
It's called 1-Click Auto Login, and as the name suggests, it will log you in to any site using the passwords you've stored in PassPack's password manager. All you have to do is enable the feature on your PassPack account, and drag a simple bookmarklet up to your browser's toolbar, or favorites folder. From then on, if you're visiting a site that's been added to your list of passwords, clicking the "PassPack It!" bookmarklet will autofill your log-in credentials. If you've got the one-click option enabled (it's off by default), it will go the next step and log you in automatically.
If you've got your login information set up, clicking the bookmarklet will automatically log you in to a site.
(Credit: CNET Networks)
On the security side, since the bookmarklet pulls up your log-in credentials, and can be added to multiple browsers on multiple machines, you can deactivate it remotely and without having to go from machine to machine. Likewise, you can reactivate all instances at once if you feel like locking things up when away from your machine.
There is one big snag when comparing this feature to Roboform. PassPack doesn't handle multiple log-ins for the same site with grace. When visiting a site with multiple accounts, PassPack will defer to the newer log-in for that site. Roboform, on the other hand, pops up to give you a small list of log-ins you can pick and choose from. I find this feature especially helpful when accessing one of my Google accounts, as I've got three I use in heavy rotation.
Clipperz, a competing online password management system, has a similar feature called "Direct Login" that closely emulates this multi-log-in list functionality. You can pick your login credentials from a sidebar which is summoned using a bookmarklet, and you're good to go. The service offers nearly the same feature set you get from PassPack, although PassPack has a few I find particularly helpful such as tagging and an offline mode that lets you access your passwords and make changes without an internet connection. There's a really great comparison chart put together by PassPack's CEO, that showcases some of the differences and similarities. If you're on the fence about which service fits your needs, it's a good read.
Whichever tool you choose, I'd highly recommend using one of these services to save and access your casual site log-ins if you've got more than a dozen. They're extremely helpful when it comes to accessing sites you signed up for months ago. As for financial services (banks, credit cards, and so on) and e-mail accounts with sensitive information, you're better off using your noggin.