Web Based Password Manager
I would love a web based password manager that’s completely accessible on all of my devices. I know that there are a lot of tools out there already, and I know there are some inherent security risks with this approach, but here is what I’m thinking:
- It simply stores Title, URL, Username, Password, and maybe a notes section
- It’s web-based
- It’s secure
- It’s responsive so you can easily add information for any device you own*
I’m wondering if there is something out there already, if it’s a good idea, and if people think it’s worthwhile. What do you think?
*This one is important. I have 3 computers, 2 tablets, and between 2-3 phones depending on what I need to test. I don’t want to buy or download an app every time.
Does this mean you’re making one?
Thinking about it- it’s an idea I’ve been kicking around for a while.
Go for it!
I think Kevin Behr made a mobile app to manage passwords? He might be able to chime in
Indeed- I know his was all stored locally. I’m definitely looking for input on the best way to store this info securely on a server. I don’t want a LinkedIn situation on my hands!
Yup – his stores the info locally, but I remember chatting with him when he was designing it. I’m sure he thought through the pros and cons of your idea.
That’s going to be tricky. Normally you’re just comparing hashes for passwords, but since in your case you have to give the user the actual password, I think you need to either store that plain-text (BAD!) or use 2-way encryption to get the plain-text back (also bad, but slightly less so).
Joe, here’s an idea that I had wanted to spin up a while ago, I just never had the time. For my work, I can only access my e-mail by providing a password containing the first four digits of a PIN code that only I know PLUS a generated 8 digit code from an ACTIVIDENTITY keychain device that I carry around – very secure. I thought, “Wow, I wish I could do this for all of my accounts, with my phone being the physical code generator”. Well, if you’re familiar with Google Authenticator to manage and generate codes for two-step authentication, it’s open source (http://code.google.com/p/google-authenticator/). So, what if you had a web service that stores all of your accounts and credentials, and then you can access the web service by providing the code generated on your phone + a PIN code (all as one password).
To take it a step further, you could develop browser extensions to interface with when you reach a website log-in page, which would access the web service and inject your credentials.
To take it ANOTHER step further, it would be really cool to then modify the browser extensions with Bluetooth capabilities, so that you can only login to an account if your device is physically near the computer. See Ford’s password manager for more details on this (http://gizmodo.com/5920197/did-a-car-company-really-just-make-the-best-password-manager-weve-seen).
I’m not sure if you are looking to go into any of those directions, but perhaps it can give you some ideas on security. Hit me back if you have any questions.
Check out LastPass. It looks like what they do is use 2-way encryption where the key is your master password…
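The approach raised in the comments above (reversible encryption where the key comes from the master password, so the server only ever holds ciphertext) looks like this in Node.js. This is an added example, not part of the original thread and not LastPass's code; the function names, the scrypt parameters and the sample entry are assumptions made for illustration.

```javascript
// Added example: encrypt a vault entry on the client with a key derived from
// the master password. Names and parameters are hypothetical.
const nodeCrypto = require("node:crypto");

// Assumed scrypt work factor; raise N as far as your slowest device tolerates.
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Constructed sample entry using the fields listed in the post.
const SAMPLE_ENTRY = {
  title: "Example Bank", url: "https://bank.example/login",
  username: "joe", password: "constructed-Passw0rd!", notes: "sample only",
};

// The master password never leaves the client; only the salt is stored.
function deriveKey(masterPassword, salt) {
  return nodeCrypto.scryptSync(masterPassword, salt, 32, KDF);
}

// Returns the record a server would store: salt, IV, auth tag and ciphertext.
function sealEntry(masterPassword, entry) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12); // fresh IV per record, never reused
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(masterPassword, salt), iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(entry), "utf8"), cipher.final()]);
  return {
    salt: salt.toString("base64"),
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ciphertext: body.toString("base64"),
  };
}

// Throws if the master password is wrong or the record was modified,
// because the GCM authentication tag no longer verifies.
function openEntry(masterPassword, record) {
  const key = deriveKey(masterPassword, Buffer.from(record.salt, "base64"));
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, Buffer.from(record.iv, "base64"));
  decipher.setAuthTag(Buffer.from(record.tag, "base64"));
  const body = Buffer.concat([
    decipher.update(Buffer.from(record.ciphertext, "base64")),
    decipher.final(),
  ]);
  return JSON.parse(body.toString("utf8"));
}
```

With this layout a dump of the server's database yields only salts, IVs and ciphertext, so its exposure is bounded by the strength of each user's master password and the cost of the key derivation.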
All, check out my comment on Joe’s blog. What do you think?
Dave Redding will also have some good input here.
I use LastPass for this, and I recommend it. The web version and browser extensions are free, and include Google Authenticator security (if you want it) and a “Secure Notes” feature.
For $12/year you can get apps for Android, iPhone, Blackberry, and Windows Phone, plus plugins for Firefox Mobile and Dolphin. I held off buying this for a while, but I’ve been using it since August. The app isn’t perfect, but $1/month isn’t exactly breaking the bank.
I suggest giving the free version a go for a while to see if it’s the kind of thing you’re after.
I use 1Password sync’d via Dropbox. It’s encrypted, easy to manage, and has browser extensions for all the major browsers.