Tuesday, June 12, 2012

Password Security - Password Managers

Last time I talked about the need for better password security. Before you can develop a good password scheme, you first need to identify all the sites and passwords you need to protect. I know some people who write down all their usernames and passwords on a piece of paper which they keep near their computer. Others do it digitally, keeping a text file or a spreadsheet with all the usernames and passwords. Still others just rely on their memory.

Regardless of your system, the first step is to record all your usernames and passwords in a safe location. For this I highly recommend a program called KeePass. KeePass is an awesome (and totally free) utility for storing usernames and passwords. It stores all this information in a single database file which is strongly encrypted, so even if someone gets their hands on a KeePass database file, it's very unlikely they would ever be able to crack the contents. I personally recommend version 1.x over version 2.x. Version 1.x is simple, clean, and easy to use, whereas version 2.x is more complex and less user-friendly in my opinion. If you find you don't like KeePass for some reason, LastPass is another very common password manager (also free).

So basically what you need to do is visit every single web site you have an account for. For each site, add your username, password, and URL into KeePass. It's a good idea to create folders in KeePass to group similar items, e.g. Banking, Utilities, Forums, Email, etc.

There are other password managers out there. For example, most (if not all) web browsers have a built-in password manager. These password managers have one cool feature: when you visit a web site, it automatically fills in your username and password.

But here's my problem with these password managers. Regardless of which password manager you're using, you're in effect putting all your eggs into one basket. Every password is stored in a single location, so if that one location is compromised, all of your passwords are compromised. I know that KeePass and LastPass use very good security to encrypt your sensitive data, so again, even if the encrypted file is copied, the chance of someone ever cracking it open is very slim. But how secure are the password managers inside your web browser? To be honest, I had a hard time finding the answer to that. If the security is weak, the maker of the web browser sure isn't going to admit it.

As it turns out, I have reason to question how secure these password managers are. The programs IEPassView, PasswordFox, ChromePass, and OperaPassView are free software from NirSoft that decode the passwords stored in IE, Firefox, Chrome, and Opera. If these programs can decode the passwords in your web browser, who's to say a web site you're visiting or a plug-in installed in your browser can't decode your passwords as well? I'm not willing to risk that; I don't trust the built-in password managers to keep my passwords safe. But that doesn't mean we can't take advantage of their useful features. More on that next time.
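To make the "one strongly encrypted file" idea from the KeePass section concrete, and to show why the master password is the barrier that matters in the single-basket argument above, here is an added example. It is my own toy code, not KeePass's implementation or database format: it derives separate encryption and authentication keys from the master password with PBKDF2-HMAC-SHA256 (salted, with a deliberately high iteration count), encrypts the entries with an HMAC-based counter-mode keystream standing in for a real cipher such as AES, and appends an integrity tag so that a wrong master password is rejected outright instead of producing garbage. The sample entries, folder names and passwords are constructed for the demo.

```python
"""Toy password vault: one encrypted file protected by a master password.

Added example, not KeePass's code or file format.  It models the property the
post relies on: the vault file alone is useless, because the keys that unlock
it exist only when the master password is supplied, and every offline guess
has to pay the full KDF cost.
Assumptions: PBKDF2-HMAC-SHA256 for key derivation, an HMAC-SHA256 counter-mode
keystream in place of a real block cipher, and encrypt-then-MAC for integrity.
"""
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 200_000  # deliberately slow: each offline guess costs this much work
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS):
    """Stretch the master password into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=64)
    return material[:32], material[32:]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256(key, nonce || counter) blocks XORed with
    data.  XOR is symmetric, so the same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(entries: dict, master_password: str, iterations: int = KDF_ITERATIONS) -> bytes:
    """Serialize the entries, encrypt them, and append an integrity tag over the
    header and ciphertext.  The result is what you would write to the vault file."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    header = iterations.to_bytes(4, "big") + salt + nonce
    ciphertext = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_vault(blob: bytes, master_password: str) -> dict:
    """Re-derive the keys from the master password, verify the tag, then decrypt.
    A wrong master password (or a tampered file) fails the tag check, so no
    plaintext is ever produced from a bad key."""
    header_len = 4 + SALT_LEN + NONCE_LEN
    iterations = int.from_bytes(blob[:4], "big")
    salt = blob[4:4 + SALT_LEN]
    nonce = blob[4 + SALT_LEN:header_len]
    header, ciphertext, tag = blob[:header_len], blob[header_len:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    expected = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(keystream_xor(enc_key, nonce, ciphertext).decode("utf-8"))


def roundtrip_demo(iterations: int = KDF_ITERATIONS) -> dict:
    """Constructed sample entries, grouped folder/site the way the post suggests."""
    entries = {
        "Banking/example-bank": {"user": "alice", "password": "correct horse battery staple",
                                 "url": "https://bank.example"},
        "Forums/example-forum": {"user": "alice42", "password": "hunter2-but-longer",
                                 "url": "https://forum.example"},
    }
    blob = seal_vault(entries, "master-passphrase-demo", iterations)
    recovered = open_vault(blob, "master-passphrase-demo")
    try:
        open_vault(blob, "wrong-guess")
        wrong_rejected = False
    except ValueError:
        wrong_rejected = True
    return {"roundtrip_ok": recovered == entries,
            "wrong_rejected": wrong_rejected,
            "vault_bytes": len(blob)}


if __name__ == "__main__":
    print(roundtrip_demo())
```

The iteration count stored in the header is the knob that makes copying the file unprofitable: an attacker who steals the vault must spend that much work per master-password guess, which is why a long master passphrase plus a slow KDF is the whole defence. The contrast with the browser stores the post worries about is the question of where the key lives: here it exists only while the master password is being typed, whereas any store that can be opened by a program running as the logged-in user has no equivalent barrier.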
