Battling Password Chaos
Keeping track of my passwords has been a nagging problem for me for a long time, but I only recently got around to doing something about it.
I’m ashamed to admit it, but up until now I’ve relied on a few popular but extremely insecure strategies to manage my various online identities.
- Reusing passwords – The obvious danger here is that some script kiddie compromises a very insecure ‘mom and pop’ site that stores my password as plain text and then goes around to all the popular sites trying it out until he finds one that works. Even though I was foolish enough to take this risk for years, it never really worked anyway: most sites have different password complexity rules, so I still had to rely on several different username and password combinations, which made revisiting sites that I hadn’t been to in a while painful since I invariably had to try several times before hitting upon the right one.
- Forgot Password Email Feature – I don’t know about you, but I don’t normally access my Yahoo email over SSL, and many sites simply resend the password in plain text. This means that my password is visible to anyone with a strategically placed packet sniffer, like Wireshark. It’s also annoying to have to wait for the email to be sent each time.
- Firefox Password Manager – I let Firefox remember passwords for me all the time and I recently discovered that this is hugely insecure. If you’ve never used the SIW (System Information for Windows) tool from gtopala.com, take 30 seconds to download it and then click on the secrets node under software. You will be greeted with all of your passwords in plain text from any site that you’ve allowed Firefox to remember for you. That means if anyone ever gets even momentary access to your computer, all of your online identities will be compromised. Not cool.
- Password protected Excel worksheet – Let’s face it. Microsoft Office security is a joke. I’ve tried this tool with file based dictionaries from this site on Excel 2003 documents and it has cracked the passwords almost instantly. I’ve tried this other tool with Office 2007 documents, which use stronger encryption. It was pretty slow, but it eventually figured out the password as well.
Whether I’ve legitimately scared you or you’re just sick of jumping through the “Forgot Password” hoops, I highly recommend trying KeePass. It is an open-source password management tool that lets you store passwords securely and safely copy credentials into web forms.
KeePass lets you log on using a password/key-file combination for extra security and has several clipboard security measures built in to prevent clipboard-monitoring hacker tools from stealing the password while you’re pasting it into a website.
As far as encryption is concerned, the site boasts that even if you used all the computers in the world to attack one database, decrypting it would take longer than the age of the universe. That seems pretty secure to me…

If you’re still being lazy and insecure like I was, why not do something about it?
It only takes a few minutes to download, and you will dramatically decrease your security-related browsing frustrations as well as reduce your risk of identity theft.
Comments (14)


I’ve been using KeePass for more than 3 years, can only recommend it!
I wonder if there’s an online password storage system. Might sound like an accident waiting to happen, but I use more than one PC.
I’m also a big fan of KeePass. As a consultant it’s about the only way I can keep track of passwords for my various clients. There’s also a portable version of KeePass (http://portableapps.com/apps/u.....s_portable) that you can run off a thumb drive. I haven’t made that switch yet but I’m considering it.
Hey Now Coder,
e4, Nice Post, I’m going to try it. Sound good.
Thx 4 the info,
Catto
@izb – Yeah, I’ve wondered the same thing myself. I would try the thumb drive that Bill suggested. There is also a nice export feature in KeePass that allows you to transfer passwords to a file that can then be imported into a KeePass on another computer. You would still have synchronization issues, but it beats having to manually add them in multiple places.
I’ve been struggling with this very issue and was hoping that I’d see a good suggestion somewhere.
I would really like to see the password file sync happen automatically, so maybe I will setup a foldershare for my pw file.
Also, don’t forget to change the pw to all of your resources! If you still re-use passwords all over the place then this method won’t help you if 1 gets compromised. The real benefit is when you create a unique, highly secure password for each site you visit.
@Ben – Good idea about using foldershare to sync the pw file. I’ll give that a try as well.
I have already begun the process of changing existing passwords. It helps that KeePass comes up with a random password by default when you are adding an entry and that there is a Generate Random Password button as well that you can configure with different rules to match the requirements of the site.
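To show what a per-site password policy like the one mentioned above looks like when generated from a cryptographic random source, here is an added example (not KeePass’s own code; the class names, policy shape and symbol set are assumptions). It draws uniformly from the allowed alphabet and rejects candidates missing a required class, which keeps the result uniform over policy-compliant strings, and it reports the entropy upper bound so you can compare sites’ rules.

```python
import math
import secrets
import string

# Character classes a site policy may require (constructed for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}


def _alphabet(allowed):
    return "".join(CLASSES[c] for c in allowed)


def satisfies(pw, length, required, allowed=tuple(CLASSES)):
    """True if pw has the given length, uses only allowed classes and
    contains at least one character from every required class."""
    return (len(pw) == length and set(pw) <= set(_alphabet(allowed))
            and all(any(ch in CLASSES[c] for ch in pw) for c in required))


def generate_password(length=20, required=tuple(CLASSES), allowed=tuple(CLASSES)):
    """Pick `length` characters with the OS CSPRNG (secrets), retrying until
    every required class is present. Rejection sampling is uniform over the
    compliant strings, unlike 'one of each class then shuffle', which is biased."""
    if not set(required) <= set(allowed):
        raise ValueError("required classes must be a subset of allowed classes")
    if length < len(required):
        raise ValueError("length too short to contain every required class")
    alphabet = _alphabet(allowed)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies(pw, length, required, allowed):
            return pw


def entropy_bits(length, allowed=tuple(CLASSES)):
    """Upper bound log2(|alphabet|^length); the required-class constraint
    removes only a negligible fraction of the space at realistic lengths."""
    return length * math.log2(len(_alphabet(allowed)))


if __name__ == "__main__":
    # A site that forbids symbols but wants 12 chars with a capital and a digit.
    policy = dict(length=12, required=("upper", "digit"), allowed=("lower", "upper", "digit"))
    print(generate_password(**policy), f"{entropy_bits(12, policy['allowed']):.1f} bits")
```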
I’ve been using Keepass for a few years now, fantastic tool, especially when coupled with Truecrypt (5.0 just released) and Eraser.
On my USB stick I keep Keepass inside a Truecrypt partition for extra paranoia.
Re: Firefox, *always* use a master password, I also use SIW and it didn’t find any of my secrets. I also never store passwords in Firefox for sites which are finance related, I just keep these in Keepass and copy to clipboard (although I also use ClipX so this has a risk associated with it)
Also on a Firefox tip: Try the “Secure Login” and “Autofill Forms” extensions. Aside from making login easy (duh:), what this does is prevent a site from auto-completing a form post based on your saved passwords (e.g. from an XSS attack); you have to manually press Alt+N. Check it out, very cool extensions! I also run NoScript of course.
KeePass is simply excellent!
Combine that to the possibility to have a portable version of it, and a Pocket PC version of it, all of which are of course able to handle the same database, and you’ll only need to remember one password for the rest of your life!
I’ve been using Keith Brown’s open source Password Minder ( http://www.pluralsight.com/tools.aspx ) for years, and it is also written in .Net. But, I’ll have to check KeePass out and compare the two.
@si – I’m wondering if the two Firefox plugins you mentioned prevented SIW from recovering those passwords. I’ll install them and give it a try. I’m also going to try using TrueCrypt with my thumb drive.
Thanks for the excellent suggestions!
No, they’re only active inside Firefox. Kill Firefox and then run SIW to see for yourself.
More info on master password:
http://kb.mozillazine.org/Master_password
AFAIK once you set a master password, all passwords set after then are encrypted, most likely weakness is if someone brute forces the master password (tools exist). If you’re paranoid, encrypt your Firefox profiles too.
Also, I presume you’re using Truecrypt v5.0. I found the new filesystem noticeably faster than v4.3a. NTFS works well and if you’re worried about cross-platform issues, NTFS-3g on Linux works fine with Truecrypt partitions.
Finally, the other extension which I find useful is Google browser sync, great for syncing between work and home. All saved data can be encrypted.
The other way is portable Firefox:
http://portableapps.com/apps/i.....x_portable
@izb
If you are looking for a web-based password manager, please take a look at Clipperz.
http://www.clipperz.com
Clipperz lets you submit confidential information into your browser, but your data are locally encrypted by the browser itself before being uploaded. And the key for the encryption processes is a passphrase known only to you!
Clipperz source code is freely available for security reviews, the core crypto algorithms have been packed into the Clipperz Crypto Library and released under a BSD license.
Clipperz offers:
- one-click login
- offline version
- import from Keepass
- one-time passwords
- …
Thanks,
Marco
Clipperz co-founder
Needmypassword.com is a great way to store all of your usernames, passwords, and URLs. Imagine only having to remember one password to gain instant access to all of your log-in needs! Needmypassword.com is safe and secure so you don’t have to worry about anyone seeing your information except for you. It is also free and easy to use, so sign up now!