Password Managers – Bleh or Yay?

How many of you remember the scene from WarGames when Matthew Broderick slides the desk drawer open to reveal a list of passwords?  Yeah, that movie is twenty-seven years old now.  But the message is still apt: don’t store passwords where people can find them.
And after twenty-seven years of computer development, we have single sign-on systems, strong passwords, multi-factor tokens, and all sorts of cryptographic wizardry.  But despite all of this, we have competing rules for password strength, differing password expiration durations, and even more different types of accounts that demand different strengths of security.  For example, most people are very concerned about password strength for their financial transactions.  But these same people are probably less concerned about the password for their PetCo account.
The result of all these new rules and password differences is the same: people either store their passwords somewhere, or they use the same password root with variations in prefixes/suffixes, or they periodically must go through the password change/challenge dance.
Amidst this reality, there are a plethora of solutions.  But two such solutions have captured my attention: Roboform and LastPass.
Roboform is an excellent tool that will store passwords in an encrypted, local password store.  It seamlessly integrates with most browsers – especially Firefox.  It is actively developed.  And most importantly, it is secure by design.  Specifically, passwords are stored in a private place under YOUR control.  Of course, this means that if you access online accounts, you will need to have access to your password store.  This usually means storing passwords on a portable USB key.  For these and other reasons, Roboform has a large and devoted following.
But there is a new gunslinger in town.  Over the past few months, LastPass has garnered a large and growing user base.  It has a very attractive UI.  But more importantly, it is flexible and very powerful.  Like Roboform, it has the ability to store and exploit multiple identities.  And it is tightly integrated with every browser – including Chrome.  Indeed, the Chrome plugin is one of the best features of LastPass.
But unlike Roboform, the LastPass team has chosen a different path for its success.  LastPass exploits cloud-based technologies for customer password storage.  This is excellent if you are mobile and cannot carry your identity with you.  Of course, this means that your critical password store is publicly available.  So if you want to use LastPass, you need to understand how they store your passwords and how they control access to your passwords.
What is Roo’s recommendation?  I have switched over to LastPass.  And I use a very complex and totally unique password for this store.  Do I trust the team at LastPass to protect my password store?  I must grudgingly say that I trust them – for now.  Do I know these people personally?  No, I do not.  But I do trust them enough by virtue of the people and organizations that have publicly endorsed their technology.
That said, I am reminded of something that President Ronald Reagan once said: trust – but verify.  So I am now keeping a mindful eye on the continuing performance of the LastPass team (including its financial supporters).
-Roo