It seems to me that it would be better to control the malicious software angle at the endpoint. If users can’t install or run unapproved software, it would be far more effective than trying to identify and block the sources of such software. If you attempt to block social media sites, you’re putting yourself in a position of having to identify which sites are “good” and which ones are “bad”, while simultaneously putting your users in a position where they will actively try to circumvent your policies. People are getting better at using proxies and the like to bypass controls. If you want to prevent them from accessing social media, you have to effectively prevent them from accessing the Internet… and there can be significant business costs to doing that (especially if your competitor’s employees are unfettered).

The core issue here, is that I do not believe that social networking can be effectively controlled… so I say don’t bother. Spend the money and time on controls that work. Manage the software, sure. Let audit/marketing audit the social networks, so they can monitor the brand impact. Let the managers manage the people. Let the business owners decide the acceptable level of risk.

Since I had just established service to the internet that day, it was pretty easy to figure out where the problem started. This may not be the fault of Plaxo, but the risk is too high for me.

I expect that I’ll be looking a lot come this time next year when it’s time to pick out a shiny new phone. :)

I was considering 1Password as well, but they have completely ignored an Android version for a long time, continually saying they’ll get to it eventually – plus, they don’t support any OS other than OSX.

Generally speaking, I distrust the “store it in the browser” option. I know that it’s more convenient and that modern browsers use decent encryption on their password stores… but in order to function, they must be able to read the store. This means that it is theoretically possible for a flaw in the browser to expose the store to an attacker via web page.

That’s not to say that my solution is perfect. In particular, it is vulnerable to password sniffing by keylogger and accidental account lockouts due to mis-entered passwords. However, when I compare those risks to those of native browser storage, the native browser solution seems riskier. (This is just a feeling… I’ve not researched it… yet ;)

Basically, my philosophy is similar to the Unix philosophy. Most systems do one thing well. Browsers, be they IE, Firefox, Opera or Chrome are really good at browsing. They’re getting better at security, but it’s still not their core focus. There is a lot of security in simplicity, so a simple password wallet with good market history (and that is being actively maintained) is probably better then security in a browser.

I use Gnu Keyring on my Palm and am considering 1Password should I move to the iPhone. I don’t know what’s available in the Blackberry and Android spaces, but I’m sure that they exist there too.

I was curious, and was hoping you could elaborate as to how you manage your passwords securely.