
Battling Password Chaos

Keeping track of my passwords has been a nagging problem for me for a long time, but I only recently got around to doing something about it.

I’m ashamed to admit it, but up until now I’ve relied on a few popular but extremely insecure strategies to manage my various online identities.

  1. Reusing passwords - The obvious danger here is that some script kiddie compromises a very insecure ‘mom and pop’ site that stores my password as plain text and then goes around to all the popular sites trying it out until he finds one that works. Even though I was foolish enough to take this risk for years, most sites have different password complexity rules. That meant that I still had to rely on several different username and password combinations, which made revisiting sites that I hadn’t been to in a while painful, since I invariably had to try several times before hitting upon the right one.
  2. Forgot Password Email Feature - I don’t know about you, but I don’t normally access my Yahoo email over SSL, and many sites simply resend the password in plain text. This means that my password is visible to anyone with a strategically placed packet sniffer, like Wireshark. It’s also annoying to have to wait for the email to be sent each time.
  3. Firefox Password Manager - I let Firefox remember passwords for me all the time and I recently discovered that this is hugely insecure. If you’ve never used the SIW (System Information for Windows) tool from gtopala.com, take 30 seconds to download it and then click on the secrets node under software. You will be greeted with all of your passwords in plain text from any site that you’ve allowed Firefox to remember for you. That means if anyone ever gets even momentary access to your computer, all of your online identities will be compromised. Not cool.
  4. Password-protected Excel worksheet - Let’s face it. Microsoft Office security is a joke. I’ve tried this tool with file-based dictionaries from this site on Excel 2003 documents and it has cracked the passwords almost instantly. I’ve tried this other tool with Office 2007 documents, which use stronger encryption. It was pretty slow, but it eventually figured out the password as well.
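To see how much reuse item 1 has left behind, the following added example (not code from the original post) groups a credential list by exact password and by trivial variants of the same base password, the kind produced when differing complexity rules force small changes. The entries, the `find_reuse` and `_normalize` names, and the normalization rule are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample entries (site, username, password); not real credentials.
SAMPLE_ENTRIES = [
    ("shop.example", "alice", "Summer2009"),
    ("forum.example", "alice", "Summer2009"),
    ("mail.example", "alice@mail.example", "k3!Vq9#tLw2z"),
    ("bank.example", "alice01", "Summer2009!"),
    ("news.example", "alice", "summer2009"),
]

SUFFIX_CHARS = "0123456789!@#$%^&*?."


def _normalize(password):
    """Collapse case and trailing digits/symbols added to satisfy complexity rules."""
    base = password.lower().rstrip(SUFFIX_CHARS)
    # If almost nothing is left (e.g. an all-digit password), compare it as-is
    # so unrelated short passwords are not lumped together.
    return base if len(base) >= 4 else password


def find_reuse(entries):
    """Return (exact_groups, near_groups) as sorted lists of site names.

    Passwords are compared through HMAC tags under a per-run random key, so
    the grouping structures and the returned report never hold a password.
    """
    key = secrets.token_bytes(32)

    def tag(value):
        return hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()

    exact, near = defaultdict(list), defaultdict(list)
    for site, _user, password in entries:
        exact[tag(password)].append(site)
        near[tag(_normalize(password))].append(site)

    exact_groups = sorted(sorted(s) for s in exact.values() if len(s) > 1)
    near_groups = sorted(sorted(s) for s in near.values() if len(s) > 1)
    # Report a variant group only when it adds sites beyond an exact match.
    return exact_groups, [g for g in near_groups if g not in exact_groups]


if __name__ == "__main__":
    exact_groups, near_groups = find_reuse(SAMPLE_ENTRIES)
    print("Same password:", exact_groups)
    print("Variants of one base password:", near_groups)
```

Every site in a reported group should get its own randomly generated password, since a leak at any one of them exposes the rest.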

Whether I’ve legitimately scared you or else you’re just sick of jumping through the “Forgot Password” hoops, I highly recommend trying KeePass. It is an open-source password management tool that lets you store passwords securely and safely copy credentials into web forms.

KeePass lets you log on using a password/file combination for extra security and has several clipboard security measures built in to prevent clipboard-monitoring hacker tools from stealing the password while you’re pasting it into a website.

As far as encryption is concerned, the site boasts that even if you would use all computers in the world to attack one database, decrypting it would take longer than the age of the universe. That seems pretty secure to me…

If you’re still being lazy and insecure like I was, why not do something about it?

It only takes a few minutes to download and you will dramatically decrease your security-related browsing frustrations as well as reduce your risk of identity theft.