Password Managers
God Help Us All

Now more than ever, we are extraordinarily vulnerable to cyber-attacks. See Hacker Disaster for a brief history of why we are where we are.

At present, there’s no one simple solution to secure our devices and login credentials. Contrary to all the hype from password manager providers such as YubiKey, LastPass, OnePass, Google, etc., securing our logins and keeping track of them is going to be rather difficult for the average user. Because of the ever-evolving hacking threats as well as the ever-changing security enhancements coupled with hundreds of different operating platforms and devices, our task of securing our precious data is and will be rather complicated.

Even though I as a retired computer programmer, I have more experience with computers than the average user, I am finding that securing my stuff is difficult.

In the past, I tried a whole bunch of methodologies at saving and securing logins including a password list on my smartphone as well as various services including the above key. This key thing did work – sort-of – while the company was in business. However, they went bust and the device was soon no longer valid.

How it worked: The MyKey device relied upon an application that ran as a browser plug-in. It kept track of all my web login URLs in a file on my PC. It stored the user and passwords on the sim card that was inserted in the USB device. The application would occasionally go to the MyKey server to update the DOMs for the login URLs so the app would know where on the webpage to enter the user and password. However, the company soon disappeared. So, I decided to write my own application to fill in login credentials.

It took a while … and included some bootleg APIs. It had a function that enabled me to teach it where on the page the user and password fields were . Then thereafter it would automatically fill in the credentials.

Several years later, Google Chrome had this feature added. So, I decided to have the Chrome browser store the credentials. When Google Password Manager came along, I use that. Then… Password Manager hot hacked.

Now here I am trying to figure out a way of storing our passwords for the various devices my wife and I have. Imagine, Google got hacked.

I bought the highly rated YubiKey and found it to be very difficult to actually set it up. There’s no real description on how the thing works much less any real documentation on how to set it up. Also, it’s limited to certain popular websites.

I then tried several password managers like LastPass. This software is fraught with difficulties. Though LastPass can automatically setup passwords, it has problems with a lot of the less popular websites. And, talk about bug filled software.

If I were going to use one of these password managers, it would be a good idea for me to go through introducing the manager to each web site using the existing credentials making sure it works with each site. Then, later on, change each site’s password and verifying the change on all devices.

Easy To Use

There really is no all-in-one solution that is easy to use. The problem is, once again, there are no real standards. Providers like DashLane, LastPass NordPass and the others is they all rely upon somewhat static webpages and links. Most website’s login can appear on different master pages which may inherit the login dialog.

The only way of getting around all this mess is for providers to have rooms full of data clerks scanning every website for any changes.

On my original software I wrote, I included a function that if a login page changed, it would indicate that it couldn’t find the user and password fields. I would then reteach it what fields to look for.

The problem is, the APIs I used were from a hideously expensive software package (Segue's SilkPerformer) that was used by large companies to test their websites.

But for the average person – most people are going to be hard pressed to setup a reasonably secure password manager. Everyone of these are going to byte (bite) the user in the butt.

This is may be where government might have to come into play. Either providers are going to standardize login credentials and methodologies or government is going to … lay down the law.