Options for Secure Personal Password Management

Options for Secure Personal Password Management (PDF, 2.26MB)
Published: 14 Dec, 2003
Created by: Hugh Ranalli

Most consumers will, against the advice of security experts, use weak passwords, reuse one or two passwords for everything, write their passwords down, or all of the above, simply in an attempt to retain their sanity. This situation is even worse for a system administrator, information security officer or IT consultant. People in these positions not only have to deal with many more systems, but typically choose strong (i.e. hard to remember) passwords and select different ones for each system. Because of the difficulties associated with remembering passwords, a group of software applications, called password keepers or password managers, has emerged. These applications deal with everything from the simple storage of user IDs and passwords to the management of password access across many users. In this paper I have used my personal needs for password management as a starting point, trying to determine a solution which would work for IT personnel and which would also be suitable for use by the average computer user. I examine the arguments for and against password storage, define the requirements of a secure password management application, develop evaluation criteria, and evaluate a number of password management applications.