You should be using a password manager

Posted at 9:37 pm in Privacy, Technology

The latest internet security threat, called Heartbleed, has caused some people to reconsider their use of passwords and net security generally. Latest threat or not, that’s never a bad idea.

If you’re a typical internet user, you re-use the same user name and password, or some slight variation of it, on every website and service you visit. This is a very natural, human solution to the problem of having to remember multiple user names and passwords. It’s also several steps removed from never locking the door to your house. It’s more like leaving your door unlocked, putting up a neon sign reading “FREE LOOT,” and then posting the address of your home and your daily itinerary on Craigslist.

Heartbleed exploited a flaw in a piece of software used by millions of websites. It allowed an intruder to retrieve information held in volatile server memory, which changes from one microsecond to the next. Make enough queries, and you’ll eventually get someone’s user name and password information, and maybe even their credit card or bank data. Invaders write “bots” to do this again and again, and then search the plunder for the information they want.

Once that’s in their hands, they start trying some of the larger commercial websites with the same user name and password data. If you were using the same login information on, say, Twitter, that you were using at Amazon.com or BestBuy.com, they will be able to order merchandise under your account and even change your password and email address of record to make it more difficult for you to notify the merchant of the intrusion. Your credit card company will most likely eat the fraudulent charges sooner or later, but in the meantime you’re trying to buy gas or check into a hotel, and your card is declined because it’s over the credit limit.

Much of this grief can be remedied by using a password manager. Password managers track your user name and password information, as well as a lot of other data if you choose to trust it, all locked down with a single password.

The obvious first questions are, “So what if I lose that password?” and “What happens if the password manager is compromised?” If you lose the master password and don’t have the data backed up anywhere, you’re pretty much screwed. Sorry about that. Nothing is completely foolproof. However, that problem is solved fairly easily.

As for having the password manager compromised, well, never say never, but it hasn’t happened yet. Because of the importance and the volume of information these services protect, they have multiple layers of encryption and are about as secure as anything you’re going to find. In any event, they’re better than writing down your passwords on a Post-It attached to your monitor (someone just glanced at that Post-It).

Creating a password that you can remember, but is difficult to crack, is not as difficult as you might think. Stringing together three apparently unrelated dictionary words works pretty well, even more so if you separate them with random punctuation or substitute numbers.

For example, say that your high school mascot was the Warriors, your favorite pet’s name was Fluffy, and you lost your virginity in a Camaro. Let’s also assume you haven’t used any of these as the answers to security questions on any website (if you have, pick some other random words or events). From these, we get

WarriorsFluffyCamaro

Preface, separate and follow up the passphrase with some punctuation, and we have

*Warriors%Fluffy&Camaro+

Now, change the letter i to numeral ones (1) and the letter o to zeroes (0), and we get

*Warr10rs%Fluffy&Camar0+

Using the calculator at How Secure Is My Password?, I get the following estimates of how long it would take a typical desktop PC to crack each one of these:

WarriorsFluffyCamaro: 165 quadrillion years

*Warriors%Fluffy&Camaro+: 530 septillion years

*Warr10rs%Fluffy&Camar0+: 14 octillion years

Personally, I think the calculator on that website is a little pessimistic, as people are constantly devising better methods to crack passwords. However, I want to make it as difficult as possible, on the theory that if I make it hard enough to crack my password, the intruder will go on to someone who is easier pickings.
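To show where estimates like the ones above come from, here is an added example (not from the original post or the calculator it cites) that scores the three passwords two ways: as a blind brute-force search over every character class present, which is roughly what such calculators assume, and as a search by an attacker who knows the three-words-plus-punctuation-plus-substitution recipe. The guess rate and the 50,000-word dictionary size are constructed assumptions.

```python
import math
import string

# Guess rate is a constructed assumption; the calculator on the page does not
# publish its rate, so only the relative sizes of the estimates matter here.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600
PUNCT = string.punctuation  # the 32 ASCII punctuation characters
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, PUNCT)


def charset_size(password):
    """Alphabet a blind brute-force search must cover: the sum of every
    character class that appears anywhere in the password."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def brute_force_bits(password):
    """log2 of the keyspace for a blind search over the detected alphabet."""
    return len(password) * math.log2(charset_size(password))


def recipe_bits(base_words, dictionary_size, n_punct, substitutions="io"):
    """Keyspace when the attacker knows the recipe from the post: words drawn
    from a dictionary, n_punct separators drawn from PUNCT, and each letter in
    `substitutions` either swapped for a digit or left alone (one bit each)."""
    n_subst = sum(c.lower() in substitutions for w in base_words for c in w)
    return (len(base_words) * math.log2(dictionary_size)
            + n_punct * math.log2(len(PUNCT))
            + n_subst)


def years_to_exhaust(bits):
    """Years for one machine at GUESSES_PER_SECOND to try the whole keyspace."""
    return 2 ** bits / GUESSES_PER_SECOND / SECONDS_PER_YEAR


if __name__ == "__main__":
    words = ("Warriors", "Fluffy", "Camaro")
    # (password from the post, punctuation marks added, letters substituted)
    for pw, n_punct, subst in (("WarriorsFluffyCamaro", 0, ""),
                               ("*Warriors%Fluffy&Camaro+", 4, ""),
                               ("*Warr10rs%Fluffy&Camar0+", 4, "io")):
        blind = brute_force_bits(pw)
        known = recipe_bits(words, 50_000, n_punct, subst)  # 50k-word dictionary assumed
        print(f"{pw:26} blind: {blind:6.1f} bits, {years_to_exhaust(blind):.1e} years;"
              f"  recipe known: {known:5.1f} bits, {years_to_exhaust(known):.1e} years")
```

The gap between the two columns is the point: substitutions and separators add a great deal against a blind search and only a few bits against an attacker who guesses words and applies the same rules.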

Most password managers have an option to use an onscreen keyboard to enter the master password. This is a feature designed to thwart keyloggers. Keyloggers can be hardware or software add-ins (the hardware varieties are usually innocuous-looking devices that plug in between your keyboard cable and the computer) that record every keystroke you enter. A keylogger can obviously steal any password information you type on the keyboard. You circumvent the keylogger by bringing up a graphical keyboard with keys you click on with the mouse to enter your password. This is an important feature to use any time you’re using a computer you do not control 100% of the time.

Password managers can also store information you key into onscreen forms, such as your home and shipping address, phone numbers, credit card numbers, etc. They save time, all but eliminate errors, and also circumvent keyloggers.

You can also create random, all-but-unbreakable passwords with all these password managers. You set some parameters of length, whether the password should contain uppercase or lowercase letters (or a mix of the two), and numbers and/or punctuation. Click the button, and a new, random password will appear. If you’re using a password manager, there’s no reason not to use long, complex passwords, as you’ll never have to enter them manually.
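The generator behind that button, as an added example (not code from any of the password managers discussed): the parameters are the ones the paragraph lists, characters are drawn with the operating system's CSPRNG rather than a general-purpose random number generator, and the result is resampled until every selected class actually appears, so a short password cannot quietly omit digits or punctuation. Function names are my own.

```python
import math
import secrets
import string


def generate_password(length=20, lower=True, upper=True, digits=True, punct=True):
    """Draw each character uniformly from the union of the selected classes,
    using `secrets` (OS CSPRNG) rather than `random`, and resample until every
    selected class is present."""
    classes = [chars for enabled, chars in (
        (lower, string.ascii_lowercase), (upper, string.ascii_uppercase),
        (digits, string.digits), (punct, string.punctuation)) if enabled]
    if not classes:
        raise ValueError("select at least one character class")
    if length < len(classes):
        raise ValueError("length must be at least the number of selected classes")
    alphabet = "".join(classes)
    while True:
        password = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in password) for cls in classes):
            return password


def entropy_bits(length, lower=True, upper=True, digits=True, punct=True):
    """Entropy of a uniformly drawn password of this length over the selected
    alphabet; the presence check above discards a negligible slice of it."""
    size = 26 * lower + 26 * upper + 10 * digits + 32 * punct
    return length * math.log2(size)


if __name__ == "__main__":
    # A manager-generated password is long and never typed, so use the full alphabet.
    for length in (12, 20, 32):
        print(f"{generate_password(length)}  ({entropy_bits(length):.0f} bits)")
    # Letters and digits only, for sites that reject punctuation.
    print(generate_password(16, punct=False), f"({entropy_bits(16, punct=False):.0f} bits)")
```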

Here are three password managers I know to be reliable. Each one works in a slightly different way. One is free, no matter what; one is free for basic use and has an annual fee for more advanced features, and one is a subscription service.

KeePass Password Safe

KeePass is an open-source, completely free, standalone password manager. By “standalone,” I mean that it does not reside on the internet. You store the program and its data files on your computer, or on a flash drive you move between the computers you use. Open source software is created by volunteers who make the source code available to anyone who wants it. The idea is that anyone who is interested can improve it and submit the improved code for new versions. There are lots of very reliable and well-thought-of open source packages.

As with other password managers, when you set up the program, you establish a single master password. This password should be something completely unique, not a word found in any dictionary, and certainly not something you use or have ever used anywhere else. If everything goes right, there is no need for you to remember any other password, ever again, so make this one a good one.

KeePass is activated when you bring it up manually, as with any other program. You enter websites, user names and passwords into forms, which are then encrypted and saved by the software. The next time you want to log into a website you have already saved, you just bring up KeePass, find the entry for the website you want, click on it, and it will open a new browser window, enter your login credentials, and log you in. It does this much faster than you would be able to.

You can install KeePass on any computer you use, but data files residing on more than one machine won’t be synchronized automatically. You can avoid that problem by installing the software on a flash drive, and inserting the flash drive into whatever machine you’re using at the moment. If you lose the flash drive and the data isn’t backed up (easy to do), you’re in a world of hurt, but anyone who finds the flash drive won’t be able to get into your password file without the master password.

LastPass

LastPass is a web-based password manager that is free for the most commonly used features. There is a premium version for $12 per year that allows you to use the service on smartphones and other devices.

You start by going to the LastPass website and setting up an account. You then download and install the LastPass plug-in for any web browsers (Internet Explorer, Firefox, Chrome, etc.) you use. Each time you open that browser, LastPass will ask you for your master password.

When the plug-in is active and you’re logged in, LastPass will ask you if you want it to remember each website you log into. If you answer in the affirmative, the login information will be stored along with the site’s URL. For future logins, all you need to do is find that website in LastPass’s list, click on it, and the service will open a new browser window, go to the appropriate site, and log you in.

LastPass can be run from any computer, even if the browser doesn’t have the plug-in installed. You just go to LastPass.com, log in with your email address and master password, and you’ll see a list of your stored sites. Click on any one of them, and the service will behave as if you had the plug-in installed, opening a new window and entering your login details.

LastPass can also store routine form information, credit card info, and random text information. For example, if you needed to keep a list of your prescription medications, you could open a new “Secure Note,” enter the information, and save it. It is as secure as your passwords.

RoboForm

This is the password manager I use, more out of habit and preference than anything else. RoboForm is free to download and install, but the unlicensed version will store a limited number of passwords. The premium RoboForm Everywhere package is $9.95 for the first year and $19.95 each year thereafter, and works across multiple computers and smartphones.

Installing RoboForm automatically installs a plug-in into any browsers installed on the computer. Periodically during the day, the software will “phone home” and check for any changes between the local database and the one residing on the RoboForm servers. Synchronization is automatic and almost instantaneous. The advantage is that I have the same password and other data files on every computer and smartphone I use. The RoboForm software starts automatically every time I log in to my computer, but it asks for the master password every time, and after an interval I set if I haven’t used it for a while.

As I log into a new website, RoboForm asks me if I want to save that login data. If I answer “yes,” the URL and login data are saved automatically. You can set up multiple nesting folders for logins, what RoboForm calls “SafeNotes,” and other information, so that you see only the lists you want to see. For example, I keep the logins and notes for my employer in a separate folder from my own. If I have multiple logins for the same website stored (as with different accounts for Google, Facebook, etc.), when I go to that site’s login page, RoboForm gives me a list of the stored logins and asks me which I want to use.

I can store multiple credit cards, shipping addresses, and even personal data like driver’s license and passport number, and keep separate sets of these under different “identities,” if desired. I just counted, and saw I have 920 website logins stored in RoboForm, so obviously keeping all of this straight is kind of important for me.

RoboForm is updated constantly—as often as every week. When a new update is available (usually to deter a new intrusion scheme), I get a notice that I’m using an outdated version. Downloading and installing the latest version seldom takes more than a minute.

Written by Tim Dees on May 18th, 2014