    Sunday
    17Feb2008

    How do you keep track of your passwords?

    We all live in the same world (well, most of us anyway) and we all have 20 different passwords at any given time. Some sites and services don't allow more than 8 characters, others require at least 9, some allow special characters and others don't. It's a nightmare trying to come up with a password scheme that works everywhere and still lets you use the same one across the board... And then there is the ever-present problem that using the same password everywhere means that if one is compromised, they all are. What to do? A password manager might be the answer.

    There have historically been three main options for managing passwords with a computer. First there was memory (not the RAM kind). That worked well for 1-3 passwords. Then there was pencil and paper. This was a fail-safe method, but it had no security: the paper could get lost or thrown out, and eventually it got dirty if you erased it too many times. Finally there was the computer. Using programs like KeePass and RoboForm, users could record their passwords in a secure, recoverable environment that never got dirty from too many eraser marks. It seemed like all the issues were solved, but then the internet came and blew it all up.

    How many times are you at one of your 15 computers and that one doesn't have your KeePass database? You either have to guess or reset your password for that specific service (and then remember to update it later in your password manager), or you have to get to the computer the password is on. On top of that, you might not even have your computer available. Maybe it was stolen, lost or MIA (in transit with that pesky airline luggage). What can you do then? Recently a couple of new services have popped up that allow secure password management online, accessible from almost any computer. PassPack and Clipperz are both startups trying to fix the need to remember too many passwords and other pertinent information. While you can check out PassPack's "unbiased" comparison chart and blog entry to compare the two services, I'm just writing about PassPack today.

    PassPack uses client-side (JavaScript) encryption to protect your information. You set up an account on their servers that stores your encrypted data; a passphrase called your "packing key" is used to encrypt your information (with AES) in the browser before it is sent, so the server only ever holds ciphertext and never sees the packing key. There are still trust issues to overcome when storing your information almost anywhere: in this model you are trusting the JavaScript they serve you, since code from their servers is what does the encrypting, and a compromised or malicious page could capture the packing key. To their credit, the guys (and girls) at PassPack have been open and honest about what they're doing and how they're doing it.

    In addition to offering its users an online storage area (currently limited to 32k) for their information, PassPack has also unveiled some pretty neat features.  Their "1 Click" login lets a user add a bookmarklet to their browser, go to a page they have saved credentials for, and log into the site with a single click (get it?).  It uses JavaScript laid over the actual site and doesn't use the clipboard to log the user in, so the password never sits in a buffer that other programs on the machine can read.  Pretty neat, huh?

    Some of the new features that they're coming out with are even more impressive.  The ability to share certain passwords securely with other users will be a big help if they want to break into the commercial/small business area.  Having the ability to share a password with a colleague on a temporary basis without emailing it to them or sending it to them via mail or the dreaded fax machine would greatly increase productivity as well as security (if they build it right, the end user would never even have to see the password with 1 Click logon).

    While PassPack has a long way to go before they are accepted by most users, or better yet the corporate environment, they're on the right track.  The possibilities are endless with the configuration they have so far.  Maybe encrypted document storage, better offline support or secure transmission of information (like encrypted email) that can't be broken by anyone (I know, a far-off wish).  What do you think?  Would you store your passwords online?  If they were encrypted?  What would a company have to do to prove to you that they were honest and could do what they said they could do?

    Reader Comments (21)

    I found your site on google blog search and read a few of your other posts. Keep up the good work. Just added your RSS feed to my feed reader. Look forward to reading more from you.

    - Sue.

    February 17, 2008 | Unregistered CommenterSue Massey

    [viddler_video=efb95b58]

    February 18, 2008 | Unregistered CommenterRachel

    Some other password managers worth mentioning are Password Safe and Password Gorilla. These are fat client based but are nice because they can be installed on multiple OS's. I guess I am a bit security paranoid and would rather store my password database on my own machine or a USB key vs. a third party. But that's just me! :)

    February 18, 2008 | Unregistered Commenteragent0x0

    @agent0x0,
    I've used Password Safe before and I was happy with it. To each their own is my motto (well, today it is). I find it too much work to keep a USB key with me all the time to keep my passwords on. I'm generally very lazy when it comes to this kind of thing or too forgetful to remember to bring them around with me all the time.

    February 18, 2008 | Unregistered CommenterJesse Middleton

    Recently discovered your blog through the Geekadelphia link. Really interesting posts and quite an impressive resume as well! It's refreshing to find others interested in IT security in the Philadelphia area. I'm fairly new to the field so perhaps you could point me in the right direction. Look forward to reading more and hearing from you.

    February 18, 2008 | Unregistered CommenterPatrick

    I have an idea for remembering your username, password and the site corresponding to them. I'm using Sandy (personal assistant) with my Twitter mobile application for storing all usernames, passwords and sites. It is a fast way to store/retrieve all your important notes.

    thank you
    buts101

    February 19, 2008 | Unregistered Commenterashish batajoo

    @Patrick,
    Thanks a lot. Go ahead and add me on Twitter or shoot me an email and I'd be happy to give you a bit of insight on how I got where I am. Although I've only been doing it for a few years I've learned quite a bit about all different types of security, from network to application/server to physical security boundaries as well.

    Look forward to hearing from you.

    February 19, 2008 | Unregistered CommenterJesse Middleton

    @ashish,
    That's an interesting idea. The one thing that would scare me about something like storing passwords in Sandy is that it's unencrypted. Possibly if you stored something like a password hint it might make more sense, but from what I've seen in the small interaction I've had with Sandy, there is no encryption or even a relative guarantee that your information stays private.

    February 19, 2008 | Unregistered CommenterJesse Middleton

    @Rachel,
    For some reason the video isn't playing. Hopefully I'll figure out if it's my blog or the Viddler site that's causing the issue.

    February 19, 2008 | Unregistered CommenterJesse Middleton

    Ahhh! Password management. I've been down that road a few times myself. I finally settled on KeePass Portable. It's a portable version of KeePass that installs on a USB drive using PortableApps. I have had no problems with it and always carry my USB drive with me. The online options sound like a nice option, but I am still a bit cautious about trusting that sort of info to an online 3rd party. Maybe some day..

    February 20, 2008 | Unregistered CommenterEd Stafford

    @Ed,
    All great points. The only issue I've found is that there are many times when I do not have a USB drive with me or when I might be using it for something else at the minute. I guess I could get a separate smaller one and put it on my key chain but then I wouldn't have this blog post to talk about it. :)

    February 21, 2008 | Unregistered CommenterJesse Middleton
