Keeping your passwords in one place

When I read that the owner of My Money Blog keeps his passwords aggregated on one website, I was shocked. That’s putting all your eggs in one basket, I thought. If a hacker breaks into Yodlee, the service he uses to keep all his financial passwords, he’s toast!

But then I read his rationalization. He uses an analogy: let’s say each bank is a safe box. If someone cracks one, the rest are safe. But if it’s a safe he doesn’t check very often, he might not know about it until his statement comes. By then, a lot of damage may have been done.


With Yodlee, it’s like having those safes in one big vault. If the hacker broke into that vault, they’d get access to everything. But since he checks Yodlee every day, he can “sound the alarm” and work against the damage immediately.

Now here’s the real key, and I haven’t yet verified this so I need your input on how true this is. He says this speed can save him money, because the law under “Regulation E” caps consumer liability at $50 for those who notify banks within 2 business days. And charges on credit cards are always protected. All the companies he’s worked with work fast to fix the bad charges. I have to agree there: credit card companies, if notified quickly, will definitely protect the consumer.

So that’s why he uses Yodlee, and it makes sense to me. What do you think?

3 Responses to “Keeping your passwords in one place”

  1. Sam says:

    Any suggestions on the best Yodlee version to use? I’m finding it difficult to register or even to know if I can register at all at the various websites that offer the service. I managed to register on Comerica, but the interface is plain and boring. The others are a mystery as to whether or not they are free or if I can register online.

  2. AntonEgo says:

    Your thinking is out of the box but basically sound. Reg E is a set of rules issued by the Federal Reserve governing electronic transactions that include online banking, ATM withdrawals and debit card payments. The bottom line is that consumers who act quickly are protected and will only be liable up to $50. Consumers must notify their bank of the fraud within 2 business days. Wait 3 days and the liability goes up to $500. And if a consumer waits more than 60 days the liability is unlimited — but only for transactions after the 60 days has expired. Reg E rules are designed to encourage consumers to feel safe about electronic transactions. Even if a consumer has acted negligently and succumbed to a phishing attack and given away personal identification information that led to the fraud they will be protected.

    So yeah — use a service like Yodlee to stay on top of all your accounts, anytime, anywhere. Apart from the benefits of knowing where you spend your money each month, you’ll know instantly if someone else is adding to your bills! And good luck to anyone trying to hack into Yodlee – check out their security section on their site.

    As for the best Yodlee version to use – 2 words:


  3. Trevor Johns says:

    First off, there’s more at stake from having credentials stolen then just fraudulent purchases. A malicious user could publish libelous material in your name, access confidential documents, or use your source control privileges to introduce a backdoor into a software project. The damage from any of these things would be immeasurable, and all the federal regulations in the world won’t help.

    That being said, just about everybody online already “keeps all of their eggs in one basket”, they just don’t realize it. Because most services online allow users to retrieve or reset their password via email, once somebody’s email account has been compromised, every other account online that is linked to that address should also be considered compromised.

    To give credit where it’s due, this was pointed out to me in a tech talk by Simon Wilson, who was using a similar argument to illustrate out why OpenID isn’t any more dangerous than current sign-on systems. If you’re curious, here’s the video:

Leave a Reply