New software, services help manage passwords, protect online identity
All those different sign-ons are hard to keep straight and, even with password-manager software to help, they can be hard to keep secure.
SAN JOSE, Calif. - Your dog's name. Random nouns. And who could forget blm457yfp?
Most people who use the Internet know the difficulty of remembering all the passwords they need to check e-mail, chat online, download music and transfer funds. Experts advise against using the same password for multiple accounts, in case it falls into the wrong hands. But all those different sign-ons are hard to keep straight and, even with password-manager software to help, they can be hard to keep secure.
Software makers have come up with several alternatives that you're likely to hear more about in coming months. Already, you can sign on to several sites with a single "OpenID" that you've registered with one provider. You can use your mobile phone to generate a digital "key" that you don't need to remember. You can even click on an encrypted "information card" that might one day replace your passwords altogether.
The technology behind these alternatives has been around for a while. But security experts, programmers and industry groups have struggled to make them both convenient for consumers and secure enough to win acceptance from major banks, retailers and other Internet services.
"There's just a big problem with passwords. I can't remember my own. I have too many of them," said analyst Linda Monahan, who studies online banking and identity fraud for Javelin Strategy and Research.
Some basic solutions have been around for years. Most Internet browsers, including Microsoft Explorer, Apple's Safari and Firefox, have "password managers" that offer to remember user names and passwords when the user first signs on to a Web site, and then fill in the blanks automatically on subsequent visits.
The downside, of course, is that the browser will fill in those blanks for anyone else who sits down at that computer. And over the years, critics have identified flaws they say make browser-based managers vulnerable to hacking.
Several companies offer stronger password managers as stand-alone products, such as RoboForm, LastPass and ID Vault, or include them as features in broader security programs, like the "Identity Safe" that now comes with Symantec's Norton Internet Security products. These can be protected by passwords themselves: Once you sign in, the software will remember the passwords you need for all your online services and accounts. Some let you store the information online, while others encrypt it on a USB memory stick, so you can access your passwords from any PC.
There are even programs, like one from DigitalPersona, that come with a piece of biometric hardware - a fingerprint reader that promises the software will cough up your passwords for you and no one else.
Still, do you really need all those different passwords? Some advocates of a more open Internet have embraced a concept known as OpenID, which allows a user to create an identity at any one of several Web sites and then have that identity recognized at other participating sites.
When you visit any site that accepts OpenID credentials, you either type in a URL or click a link that connects you to your original OpenID "provider." Once you enter your OpenID password, the provider sends you back to the site you wanted to access, and you are automatically logged on.
OpenID has been slow to catch on, although it received a big boost when Facebook announced plans in May to let people sign in to their accounts with OpenID credentials from other providers. Other big companies like Yahoo and VeriSign have begun issuing OpenID credentials, but most have been reluctant to accept other issuers' credentials on their own sites.
Critics say that's because anyone can become an OpenID provider, so the site that relies on your OpenID credentials doesn't always know who it is trusting.
For users, there's another weakness: Because you must go to a Web site and type in your OpenID password, a malicious person could use "phishing" or other techniques to learn your password, and then access other sites in your name.
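The redirect-and-verify exchange described above, together with the trust question critics raise, modelled as an added Python example (not code from OpenID, Facebook, Yahoo, VeriSign or any other party named in the article). It follows the OpenID 2.0 "association" design, in which the relying party and the provider share a secret and the provider signs its response with an HMAC over the signed fields, but it leaves out discovery, the Diffie-Hellman association exchange and the user's actual password login at the provider. The endpoint URLs, identifiers and the simulated provider and relying-party classes are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Fields a relying party must see covered by the provider's signature.
SIGNED_FIELDS = ["op_endpoint", "claimed_id", "identity", "return_to",
                 "response_nonce", "assoc_handle"]


def kv_form(fields: dict, signed: list) -> bytes:
    """Key-value encoding ("key:value\\n" per field) that the HMAC is computed over."""
    return "".join(f"{k}:{fields[k]}\n" for k in signed).encode()


class Provider:
    """Simulated OpenID provider (OP). A real OP authenticates the user first;
    that step (the password page the phishing caveat is about) is omitted here."""

    def __init__(self, endpoint: str):
        self.endpoint = endpoint
        self.assocs = {}            # assoc_handle -> shared secret

    def associate(self):
        """Establish a shared secret with a relying party (normally via DH or over TLS)."""
        handle, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self.assocs[handle] = secret
        return handle, secret

    def positive_assertion(self, request: dict, user_id: str) -> dict:
        """Build the signed 'you are logged in' response the OP redirects back with."""
        fields = {
            "ns": "http://specs.openid.net/auth/2.0",
            "mode": "id_res",
            "op_endpoint": self.endpoint,
            "claimed_id": user_id,
            "identity": user_id,
            "return_to": request["return_to"],
            # nonce: UTC timestamp plus random suffix, so each response is unique
            "response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
                              + secrets.token_hex(4),
            "assoc_handle": request["assoc_handle"],
            "signed": ",".join(SIGNED_FIELDS),
        }
        secret = self.assocs[fields["assoc_handle"]]
        mac = hmac.new(secret, kv_form(fields, SIGNED_FIELDS), hashlib.sha256).digest()
        fields["sig"] = base64.b64encode(mac).decode()
        return {"openid." + k: v for k, v in fields.items()}   # query parameters on the redirect


class RelyingParty:
    """Simulated site that accepts OpenID logins."""

    def __init__(self, return_to: str, trusted_ops=None):
        self.return_to = return_to
        self.trusted_ops = trusted_ops   # None = accept any provider (the open model critics object to)
        self.assocs = {}
        self.seen_nonces = set()

    def begin(self, op: Provider) -> dict:
        """Step 1: associate with the user's provider and send the user there."""
        handle, secret = op.associate()
        self.assocs[handle] = secret
        return {"mode": "checkid_setup", "return_to": self.return_to, "assoc_handle": handle}

    def complete(self, response: dict):
        """Step 2: verify the redirected response. Returns the identity or None."""
        f = {k[len("openid."):]: v for k, v in response.items() if k.startswith("openid.")}
        if f.get("mode") != "id_res":
            return None
        if self.trusted_ops is not None and f.get("op_endpoint") not in self.trusted_ops:
            return None                                   # provider not on our allowlist
        secret = self.assocs.get(f.get("assoc_handle"))
        if secret is None:
            return None                                   # unknown association: cannot verify
        signed = f.get("signed", "").split(",")
        if not set(SIGNED_FIELDS) <= set(signed):
            return None                                   # a critical field was left unsigned
        expected = base64.b64encode(
            hmac.new(secret, kv_form(f, signed), hashlib.sha256).digest()).decode()
        if not hmac.compare_digest(expected, f.get("sig", "")):
            return None                                   # forged or tampered response
        if f["return_to"] != self.return_to:
            return None                                   # response meant for a different site
        if f["response_nonce"] in self.seen_nonces:
            return None                                   # replayed response
        self.seen_nonces.add(f["response_nonce"])
        return f["claimed_id"]
```

The signature and nonce checks are what stop a forged or replayed "logged in" message, and the `trusted_ops` allowlist is the relying party's answer to not knowing who it is trusting. None of this protects the password the user types at the provider, which is why the phishing caveat above still applies.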
Security expert Bob Blakley favors another approach, using a technology known as "information cards." The "cards" are files of encrypted data that allow your PC to have a conversation with a Web site in a process that eliminates typing in names and passwords.
"It's a little early to tell whether it's going to take off, but it does have some interesting advantages," like the ability to securely transmit other sensitive information - a credit card number, for example - in addition to a password, Blakley said. He's a researcher for the Burton Group, a consulting firm working with the industry-backed Information Card Foundation.
When you visit a Web site that accepts information cards, you click on a link that initiates an encrypted conversation with a special program, known as a "selector," that helps you manage your information cards.
The selector, which can reside either on your computer or online, pulls up the appropriate card and provides the site with a digital signature to verify your identity. You could also use the selector to make online purchases more secure. In that case, the selector may contact a third party - such as a bank - to exchange encrypted data that authorizes a transaction.
Microsoft has already built a selector program, called CardSpace, into its Vista operating system. Stand-alone selectors are available from two other companies, Novell and Azigo. Google, Oracle and PayPal have joined the industry foundation and there are a few working sample cards available, but no major retailer or financial institution has implemented the system yet.
For those who want to stick with passwords, the Internet company VeriSign has signed up eBay and PayPal, as well as some small banks and credit unions, for a service that promises added security by letting users combine an existing password with a second, digital "key" that they don't need to remember.
The process, known as "two-factor authentication," is frequently used by government agencies and corporations for controlling access to sensitive information. They often give employees a small "dongle" or token that fits on a key chain and generates an encrypted code, for use in conjunction with a traditional password.
Hoping to expand adoption in the consumer market, VeriSign has been offering downloadable software since April that lets iPhones, BlackBerrys and other mobile phones perform the same function. Once you download the application, you can use your phone to generate a six-digit code.
If you've enrolled at a participating Web site, bad guys can't access your account unless they have both your password and the code. Each code is valid for only 30 seconds, so no one can re-use it. The program is synchronized with VeriSign's servers; your phone generates a new code each time you need one.
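The six-digit, 30-second code described above, as an added Python example (not VeriSign's software or any code from the article). The article does not say how the code is derived; this example assumes the open OATH time-based algorithm (RFC 6238, built on the HMAC-based HOTP of RFC 4226), in which phone and server compute the same code from a shared secret and the current 30-second time slot. The server-side verifier also shows the two properties the article mentions: tolerance for a little clock drift, and refusal to accept a code twice. The secret used in the usage note is the published RFC test-vector key, not a real credential.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # each code is valid for one 30-second window
DIGITS = 6          # six-digit code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = STEP_SECONDS) -> str:
    """Time-based code (RFC 6238): the counter is the number of 30-second steps since the Unix epoch."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at // step))


class TotpVerifier:
    """Server side: checks a submitted code against the shared secret and refuses re-use."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew            # tolerate +/- one window of drift between phone and server clocks
        self.last_counter = -1      # highest window already consumed; anything at or below is a replay

    def verify(self, code: str, at=None) -> bool:
        if at is None:
            at = time.time()
        now = int(at // self.step)
        for counter in range(now - self.skew, now + self.skew + 1):
            if counter <= self.last_counter:
                continue                                  # already used (or older): reject replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter               # burn this window
                return True
        return False


if __name__ == "__main__":
    # RFC 4226/6238 test-vector key (constructed for the standards, not a real secret)
    demo_secret = b"12345678901234567890"
    print("phone shows:", totp(demo_secret))
    print("server accepts:", TotpVerifier(demo_secret).verify(totp(demo_secret)))
```

Because both sides derive the code from the shared secret and the clock, the phone never needs network access to produce one; what the article calls synchronization with the provider's servers is the shared secret and a common notion of time. Recording the last accepted window is what makes a captured code useless after its 30 seconds, even if an attacker submits it quickly.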
VeriSign hopes the extra security will ease consumer worries about online financial accounts. But IDC analyst Sean Ryan said the convenience of a mobile phone may help the service catch on. Until recently, he added, two-factor authentication was "too much work for most people, except for those who are really paranoid."
Use at least seven or eight characters, with numbers and symbols as well as letters. Random arrangements are stronger than words you can find in the dictionary.
Think of a phrase or sentence that you'll remember but others won't know, then take the first letter of each word and substitute numbers or symbols for some of them. "My favorite jacket is at the cleaners" becomes MFJIATC, or MFJ1@TC.
If you really want to use your dog's name, save it for news sites or accounts that don't contain sensitive information. Use a stronger password for more critical accounts or financial services.
If you store your passwords, use an encrypted file or password manager. Don't leave them on your hard drive in an open file labeled: "passwords.doc."
(c) 2009, San Jose Mercury News (San Jose, Calif.).
Distributed by McClatchy-Tribune Information Services.