I've been using a password management tool for the last 5 years that meets all of my needs flawlessly. Password Agent from Moon Software is perfect software in my book - small, simple, cheap, to the point, and does exactly what it's supposed to do - and nothing else.
I'm surprised how many people don't use password management tools - a password-protected Excel spreadsheet doesn't count! Everyone should have some kind of password management tool in my opinion. There are a lot of them out there - Password Agent is one of the best.
Here's what it does:
- Password Agent is a GUI tool that manages .pwa files.
- .pwa files are Password Agent's custom file format that sports 256-bit key AES/Rijndael encryption.
- Using Password Agent to manage one or more .pwa files, you're able to securely store all of your passwords in one place using a single strong password to unlock them all.
- Password Agent has the ability to generate strong passwords for you.
- Password Agent has many keyboard shortcut niceties and usability features that make it easy to fit into your normal desktop maneuvering.
- Launch Password Agent (perhaps using a SlickRun shortcut)
- Start typing - Password Agent will start scrolling
- Select the entry you want
- Hit Enter to view
- Hit Ctrl+K to open any link you might have stored in the entry
- Hit Ctrl+A to auto fill your credentials - this feature is handy for websites, but fragile depending on the site's layout and use of JavaScript.
Here's a demo of me using SlickRun, Alt+Tab and Password Agent to launch PayPal.com and log into their system. My hands don't leave the keyboard and I never physically view my credentials:
Pretty cool...
Most PC users have a short list of passwords they use for everything. Most people try to use the same password for all systems. This is inherently insecure, error prone, and a hassle - how often does some new web site or system reject your trusty password and throw your world for a loop?
I have Password Agent on all my machines and I use FolderShare to keep my .pwa files synchronized across all my machines (including Virtual Machines). Important note: Password Agent can be run directly off of a USB memory stick - no installation required. You can literally carry it around on your key chain if you'd like.
What I love about password management tools in general is that I no longer have to have one password. In fact, I don't even have to know my password to 99% of my accounts. I can use Password Agent to generate a strong password for me, save it in my .pwa file, and use Password Agent to feed those credentials to that system when I need it - I don't even need to see the password.
Between work and pleasure, I have accounts on scores of machines, web sites, and systems - waaay too many to remember. Some of these systems are very sensitive - waaay too sensitive to have one weak password that I use for everything else.
On certain projects at work, I got into the habit of putting Password Agent at C:\ root for all systems. Each team member knew the magic password to the .pwa, and each machine has a .pwa file that houses the passwords for each of that system's subsystems (SQL Server, IIS, Windows, etc.). That worked well, and for bigger, more complex teams, you could have a .pwa per team role (i.e. C:\SysAdmins.pwa, C:\Developers.pwa, etc.), have multiple magic passwords, and only hand them out to those who should have them. This approach neutralizes the temptation for someone to leave SQL Server's sa password blank. Similarly, people can change the password frequently without worry or the hassle of updating the team - just be careful about changing the password on the .pwa :)
On the personal side, I use Password Agent to generate the strongest password each system will accept and forget about it. If that system has some ridiculous password refresh and strength rules - no problem. Password Agent does all the dirty work for me, and again - FolderShare keeps the .pwa's copied everywhere I want them.
Having said that... I do need to have a logon to my Windows machine so that I can run Password Agent, and I do need the strong password to access my .pwa file, so I can't escape password hell entirely :)