
Managing multiple login passwords “securely”

This year marks twenty years of computer and internet usage for me. In a two-part series, I discuss my experience and learnings on managing multiple passwords (part 1) and computer security (part 2).  From spending the whole day in the IIT, Madras library in the mid-90s to rarely entering it in the 2010s, it has been a sea change in the way I (and all of us) seek and process information.

The need for a password manager: necessity is the mother of clutter.

Initially, one could access all parts of a website (including sub-directories!). Soon site owners wanted users to "log in" to use all or parts of the site. Where once we only had to log in to use e-mail, now more passwords were required. Unfortunately, each website had its own password rules. Some wanted one capital letter, some a character like $, %, ... and so on. When online banking took off, some banks wanted the passwords changed every few months and even insisted that the new password should not resemble the last three passwords! Some AMCs also insist on this.

So the need for a password manager became natural. The most secure password manager is this one:

Photo by Jesse Radonski (Flickr)

Of course, that holds only as long as the notebook stays at home (in one place), and so does the computer used to make financial transactions. Sure, your dog can eat your notebook or it can be burnt, but when it comes to security (and insurance) we can only consider probability and not possibility. Those who can distinguish probability from possibility can also distinguish paranoia from prudence.

Security is the cost of Convenience

There is no free lunch. If we want a "convenient" way to "securely" store passwords and login, then it will have to come at the cost of security. Any piece of code, be it human generated or machine generated, can be cracked/hacked by anyone with enough determination. So none of the password managers that we have today are hacker-proof. It is merely sheer dumb luck that I have not been hacked as yet.

For the last 15 years or so, I have been using Roboform to manage my passwords and in the last 9-10 years or so, I have been making online transactions with passwords stored in it. I make no claims that it is the best or even good enough. There are many other options which are probably better, but I have no intention to shift as I am used to it.

Initially, Roboform was free to use for storing ten logins with a paid version for unlimited logins. Thanks to competition and emergence of browser based password managers, Roboform is now completely free for personal use with a paid business version. There is a cloud based version which can be used to sync passwords across devices and this costs a small fee.

Roboform (so should others) comes with a so-called "master password". This can be used to unlock access to select logins. This master password is not stored anywhere in the Roboform software. So losing this would mean trouble. I have used my wife's favorite password as the master password so that she can access the logins in my absence. Any login involving money exchange can be further secured by this master password. This was the first double authentication I had used prior to the emergence of the mobile.
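How a master password can unlock a vault without being stored in it, as an added example that is not part of the original post and not Roboform's actual design: the key is re-derived from the typed password each time, so a lost password leaves nothing to recover. The function names and the work factor are assumptions, and HMAC-SHA256 in counter mode stands in for a real AEAD cipher such as AES-GCM so that only the Python standard library is needed.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 200_000  # assumed work factor for this sketch


def derive_keys(master: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a MAC key."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=64)
    return raw[:32], raw[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real AEAD such as AES-GCM."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(master: str, logins: dict) -> dict:
    """Encrypt the logins; the result holds no password and no key."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master, salt)
    plain = json.dumps(logins).encode()
    cipher = bytes(a ^ b for a, b in zip(plain, keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, nonce + cipher, hashlib.sha256).hexdigest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "data": cipher.hex(), "tag": tag}


def unseal(master: str, vault: dict) -> dict:
    """Re-derive the keys from the typed password; a wrong one fails the MAC check."""
    salt, nonce = bytes.fromhex(vault["salt"]), bytes.fromhex(vault["nonce"])
    cipher = bytes.fromhex(vault["data"])
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, nonce + cipher, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, vault["tag"]):
        raise ValueError("wrong master password or corrupted vault")
    plain = bytes(a ^ b for a, b in zip(cipher, keystream(enc_key, nonce, len(cipher))))
    return json.loads(plain)


if __name__ == "__main__":
    vault = seal("constructed master phrase", {"bank.example": "constructed-login-pw"})
    print(sorted(vault))  # the stored fields: data, nonce, salt, tag
```
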

Now with mobile based authentication at the final stage of the money transfer, I believe such master passwords are not of much use.

In my opinion, double authentication is meaningful only when two separate devices are involved. This is the reason I will never use my mobile for online transactions. Losing a mobile is not just a possibility!

Why not browser-based password managers?

I am of course referring to Chrome and Firefox (most popular choices?). As of now, all my financial transaction logins are in Roboform with a master password. All the rest (Facebook, Gmail, EB bill, Telephone, property tax etc.) are on Chrome.

However, I do feel that there is no harm in using browsers to store say, AMC passwords. Suppose the browser is hacked and the password is out in the open (with the login), what is the worst that can happen? I may have to pay tax if the hacker makes a redemption. The money will go to my bank account in T+1 or T+3 days (I can get this canceled in the meantime as I will get an SMS and email alert). The hacker would then need my bank credentials and mobile phone to access my money. That is just too much of a long shot.

I repeat

Paranoia ----> possibility

Prudence ----> probability

Oh yeah, by the way, I am pro-Aadhaar and supposedly the CIA knows my A-number. How flattering!

The problem with browser-based password managers is the updates. Chrome suddenly changed its settings interface a couple of weeks ago. When I managed to get to the passwords, wanted to change one and clicked on the "eye", it wanted a Windows password! Users who did not set a Windows login password suddenly could not access their own passwords.

Thanks to an outcry in the forums, this was quickly removed in the next update. I have never faced such nonsense with Roboform. Even if the latest version looks completely different from the first version I used, the core settings are the same.

Even though all sites have a "forgot password" link, some do not have a "forgot login id" link. So at least for this, a cloud-based service is necessary. I will be getting the Roboform Everywhere service (20 USD per year or 50 USD for 3Y or 75 USD for 5Y).

Chrome has this too (free) and it is quite convenient.

By the way, you can have some fun trying to find out how secure your password is with many online tools. Here is a screenshot:

Source: https://password.kaspersky.com/in/

Disclosure: I am NOT affiliated with any of the brands mentioned in this or any post here.


9 thoughts on “Managing multiple login passwords “securely”

  1. Shashank

    I don't know what makes you feel a notebook is the most secure password manager; in fact, it is the most insecure thing to do today when it comes to passwords. As to browser-based passwords, try using password add-ons that store passwords in cloud encrypted. I've been using Lastpass for years now without any issues whatsoever. It's cross-platform, supports all browsers, excellent support, almost all features are free and encryption/decryption of data takes place on your device. It really is for the most paranoid of nerds!

    1. freefincal

      A notebook (the one made of paper) is something that I can store at home and always at home (along with the computer I transact on). That is secure enough for me if "most secure" troubles you. I am happy with Roboform. Will explore Lastpass. Thanks.

  2. Ajay

    I would suggest KeePass / KeePassXC / KeePassX depending upon which operating system is used.

    Also comes with OTP tool.

    Software is open source so is much more secure and also privacy concerns are much better addressed.

    There's a browser plugin for the Google Chrome browser called ChromeIPass, which fetches the id and password safely and puts them in the input fields.

    I have tried them all. Use KeePassXC on my Linux machine with ChromeIPass in Chrome. It works well on Windows and Apple Mac as well.

    Highly recommended!

    Also, I use the Dropbox client and keep the encrypted database in it. KeePassXC uses that file directly, so when changes are saved they get backed up and can be accessed from other machines if and when needed.

  3. Akshay Kini

    This is the best suggestion. I've also been using KeePass for nearly a decade. In addition to your suggestions, I use the Keepass2Android Android app to help fill in the passwords into Android apps. It has an option to use a "different keyboard" to fill in the password directly from the DB, bypassing the clipboard and thus preventing other apps from potentially seeing the password.

  4. Sreekanth

    Lastpass is free on multiple devices for personal use and safest too. Roboform etc. are too complex to use for me. Saving passwords on browsers is the worst form of security. A simple script can retrieve passwords stored in browsers. Lastpass is a browser plugin and also available for mobiles. I suggest to use this. Have been using this for more than 7 years.

  5. Gautam

    In this case, you are trusting Roboform and their technology to safeguard your secrets. Is that safe to do or not is something that only you can answer. I did a quick check since I haven't heard about Roboform and there are many claims from a few years old about their insecurity. But not sure what is the truth and where. But since they are a proprietary and closed-source system, it does impact the trust factor. Personally, I am not comfortable with this kind of solution.

    I use Keepass on cloud storage which allows it to be synchronised and access it across my different devices. There are similar alternatives like Passwordsafe. A bit of web-research can yield safer options.

    1. freefincal

      I agree it is based on trust, but open source does not imply "secure". Both can and have been hacked. And personally, I trust Roboform.

