For a completely different approach to managing multiple accounts, take
a look at Password Scrambler at OnePassword.com. Depending upon your
actual requirements, PS is a very elegant solution.
* PS uses a different password for every site you visit.
* PS integrates with IE and Firefox.
* PS works for multiple people on the same system.
* PS works for one person on geographically dispersed systems.
* PS works for multiple people sharing one web site identity.
* PS does not store the passwords locally nor remotely. Forget
worrying about a password file being decrypted: how can you crack a
file that doesn't exist?
* PS can be used for any password by entering a value in both master
password and site. (NOTE - PS v1.1 requires tabbing several times
before the password is generated.)
* PS uses a secure hashing function for encryption.
Note that if you need multiple accounts on the same site, PS will use
the same password for all accounts if you use the same master password.
One easy remedy, if one is even needed, is to append or prepend the
account name to the master password. Just be absolutely consistent
however you choose to vary the master password.
I had a number of concerns when I first suggested this to ACF. Many of
those were addressed in v1.1, some far more elegantly than I expected.
* Drawbacks
* PS defines the site password. You cannot use your own.
* PS either does not record the web account ID or (option) stores the
ID in the registry in plain text.
* PS does not store any additional information about a site.
* PS must be installed.
does
* PS has no backup or alternative if you forget your password. You can
print a list of passwords (for a given master password and system) if
you store the account IDs (an option).
* PS does not work well if your site IDs vary unpredictably from site
to site nor if your usual ID is remotely common. "Bill" does not work.
* If you change the password for one site, you (logically) should
change the master password. That entails changing the site password
everywhere, but ....
* PS does not have an easy way to change passwords on multiple sites.
The process is more tedious than it needs to be.
* PS is still vulnerable to keystroke logging, memory scanning, and
perhaps clipboard exploits.
* PS v1.1 requires excessive tabbing when the site is changed manually
(e.g., to obtain a non-web site password).
Solutions?
Perhaps the developers will provide more enhancements. Given their
creativity so far, I can easily imagine an even better future.
* One quite straightforward implementation for changing master and
local passwords could be a special form that duplicates the master
password and password fields so that both the old and new passwords are
displayed.
* Rather than entering the site account ID each time (or storing it in
the registry), the form could have an account field that would be used
as the default for that session.
I thought about recommending that the site account ID be stored in
encrypted form in either the registry or another file. Unfortunately,
that would require a reversible function so that the program could
recover the unencrypted form.
The solution that I am currently in the process of adopting is to use
Password Scrambler where I can and record only the exceptions in a
standard password repository.
