Saturday, May 7, 2011

Getting Aware Of Password Security


A few days back, when Sony's PSN got hacked, everybody should have already thought about how securely their own passwords and data are stored on the net.

Unfortunately I didn't...

A week after this hack became official, I got an interesting call from my bank telling me that there were some suspicious transactions on my credit card. They were right: it wasn't me, so I had to block the card. I still can't tell whether it really has something to do with the PSN, but what I can tell is that it raised my awareness of (my private) security, and I thought about what I could change.

I won't talk here about privacy and common sense regarding the internet: what I wanted to change was my passwords. Both of them.

Handling dozens of logins, I did what I guess lots of people out there are doing: I had a "standard password". At least I had quite a secure one, so nothing like "password123" or others from the book "Most Common Passwords". But still: one site gets hacked, and if the hacker is interested enough to see what I post on Facebook, he could. Unfortunately, he could also buy himself something from Amazon on my account or send himself some money via PayPal.

So I knew what to do: I need a different, highly secure password for every single site, server or other thing I need a password for. And I won't remember them: somebody else has to. This is where a handy application comes in: a password manager.

There are a lot of password managers out there. They usually work in such a way that you only have to remember one password to get access to a database with all your other passwords stored in it. This "master password" can also be strengthened with a key file, which is basically a file you have to provide to get access, or with your logon credentials for the computer itself. The first thing you need to think about when you go this way is whether you want your passwords saved online or offline.

Of course, having them online seems to be an advantage: you always have access to them. On the other hand, they are stored with some provider you have to trust.

Given the newest security breach at LastPass, where the master passwords were compromised, I decided to leave the storage and maintenance to myself.

Leaving out the online password managers, the choice was narrowed down to a few. The first tool I wanted to try was KeePass. It's a free, open-source tool which works on all the platforms I use (Linux, Windows and Android).

Storing a password actually sounds like an easy task, and it basically is, but regarding the usability of this tool, there are some things really worth mentioning.

First of all, KeePass is able to retrieve all your stored passwords from the most common browsers (like Internet Explorer, Firefox and Chrome) and store them in its own database. With the help of some plugins, it's also able to integrate completely into the browser and act as the browser's password manager. But I found out that with KeePass that's actually not even necessary. Why? Because of another cool feature:

Auto-typing: KeePass offers a system-wide shortcut for auto-typing. What's that? It searches the currently open windows for known titles, which you can define in KeePass, and then enters your username and password there. Of course you can customize that so that it fits every common interface (e.g. PuTTY, Remote Desktop, Mercurial ...).

Password generator: KeePass provides you with a built-in password generator. This tool is fully customizable and can get you anything from a 3-character spellable password up to a 30000-character, full-ANSI password.

Synchronization and triggers: KeePass is also aware that you might need to take your passwords with you, and offers the ability to synchronize with other files on your disk, on USB sticks or even at FTP locations. There are also plugins available that let you use other storage providers and synchronize files there. But for lazy guys like me it's always a pleasure to find a way to automate something, and for that you can use triggers. A trigger is an event which is fired when a defined action happens in KeePass (like saving). On this trigger you can then use the synchronization function: when you save the file, it's automatically synchronized and you're good to go.

The last feature I want to point out is that KeePass is also available in a portable version, so no installation is necessary.
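To make the password-generator feature and the "different password for every site" goal concrete, here is an added example (not KeePass's code and not part of the original post) that draws one independent password per site from the operating system's CSPRNG and estimates the entropy of short versus long passwords. The character classes, symbol set and site names are assumptions made for the example.

```python
import math
import secrets
import string

# Character classes the generator draws from (assumed for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}
ALL = ("lower", "upper", "digit", "symbol")

def generate_password(length=20, classes=ALL):
    """Return a random password with at least one character from each class."""
    if length < len(classes):
        raise ValueError("length is too short to cover every character class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        # secrets.choice uses the OS CSPRNG and has no modulo bias.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejecting and redrawing keeps the result uniform over valid passwords.
        if all(any(ch in CLASSES[c] for ch in candidate) for c in classes):
            return candidate

def entropy_bits(length, classes=ALL):
    """Upper bound on entropy in bits: length * log2(alphabet size)."""
    size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(size)

def passwords_for_sites(sites, length=20):
    """Generate one independent password per site and never reuse one."""
    vault = {}
    for site in sites:
        pw = generate_password(length)
        while pw in vault.values():  # practically impossible, but cheap to rule out
            pw = generate_password(length)
        vault[site] = pw
    return vault

if __name__ == "__main__":
    # Constructed sample sites, not taken from the post.
    sites = ["shop.example", "pay.example", "social.example"]
    for site, pw in passwords_for_sites(sites).items():
        print(f"{site:15} {pw}")
    print(f"3 lowercase letters: {entropy_bits(3, ('lower',)):.1f} bits")
    print(f"20 mixed characters: {entropy_bits(20):.1f} bits")
```

Because every site gets its own random password, a breach at one site reveals nothing about the credentials used at any other.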

The rest of the features can be seen here.

At the beginning of my research, I wanted to evaluate several products and pick the best of them, but I asked myself, "What could be better?", and used this tool to change all my passwords to a reasonable security level.

Obviously, I'm not able to remember them anymore, and I really hope KeePass and my synchronizations won't let me down. If they do, I'm screwed, but secure :)
