Tuesday, January 23, 2007

Password Tools

Passwords are the bane of security. Users hate them. Technical support spends too much time on password problems. Other options cost too much up front: imagine spending thousands of dollars to set up a solution that then costs an additional $100 or more for each user.

Different systems have different requirements for user IDs and passwords. Passwords expire at different times.

Some sites use pre-defined questions and answers for password "recovery." Others require you to use your e-mail address to verify your identity.

Many people use a standard ID and password for multiple sites. Then there are those sites that won't work with the "standard." So a variant is used, but how many variants can be remembered?

What to do... write down IDs and passwords? Then you have to remember to update your paperwork when a password changes... and how well does that work for most people? Then there is the lost paper syndrome. There is no known recovery method for a lost password list.

Now let's look at standard IDs and passwords. With all the sites being hacked and compromised, it only takes one compromised site to give the "keys to your kingdom" away. Imagine some minor site gets hacked and now your keys (standard ID, password, and e-mail address) are public. It is a small step from there to access your e-mail, and monitoring e-mail reveals things like where you bank...

What most people need is a secure password repository. A password repository needs to have a long, complex master password. The master password is used to decrypt the stored passwords and IDs. The repository should generate random passwords for use on sites. The repository has to allow automated use of the ID and password (it should not force a user to read and retype the password).

Password Safe

One option is Password Safe (http://passwordsafe.sourceforge.net). Password Safe is an open source Windows application originally developed by Bruce Schneier's Counterpane Labs (http://www.counterpane.com/).

On the technical side, Password Safe has used Twofish and SHA-256 for encryption since version 2.0. The original database format used Blowfish and SHA-1. Since it is open source there are versions for other operating systems, but be careful about the database encryption for compatibility. Password Gorilla (http://www.fpx.de/fp/Software/Gorilla/) is a Tcl/Tk version that works with Windows, Mac and Linux, and uses the newer encryption (Twofish and SHA-256).

On the usability side, the installer can put it on a thumb drive, saving the settings to an ini file, or on a hard drive, using the registry. Password Safe can run at login, either prompting for the master password or minimizing to an icon in the taskbar. A tree structure can be used for organization. Right clicking on an item provides several options including:

  • Open the website

  • Autotype the ID and password

  • Edit the entry

  • And more...
When editing an entry there are a number of options, including generating a password. Options for this include the number of characters and the character sets (a-z, A-Z, 0-9, punctuation symbols, etc.).
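The two repository properties discussed above (a key derived from a long master password, and random passwords built from selectable character sets with a chosen length) can be shown in a few lines of code. The following is an added example written for this post, not Password Safe's own code or its actual database format: the key derivation uses generic PBKDF2-HMAC-SHA256 from the Python standard library rather than Password Safe's key-stretching scheme, and the character-set names, the `derive_vault_key` and `generate_password` functions, the salt, and the sample master password are all assumptions made for the illustration.

```python
import hashlib
import secrets
import string

# Character sets the generator can draw from; the caller picks which ones
# to enable, mirroring the per-set options described above. (Names assumed.)
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}


def generate_password(length, sets=("lower", "upper", "digits", "symbols")):
    """Return a random password of `length` chars drawn from the chosen sets.

    Every enabled set contributes at least one character, so a request for
    digits+symbols cannot come back all-digits. `secrets` is used instead of
    `random` because password material must come from a CSPRNG.
    """
    if not sets:
        raise ValueError("at least one character set must be enabled")
    unknown = set(sets) - CHARSETS.keys()
    if unknown:
        raise ValueError(f"unknown character set(s): {sorted(unknown)}")
    if length < len(sets):
        raise ValueError("length must be at least the number of enabled sets")
    alphabet = "".join(CHARSETS[s] for s in sets)
    # One guaranteed character per enabled set, then fill the remainder.
    chars = [secrets.choice(CHARSETS[s]) for s in sets]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with the CSPRNG-backed generator so the guaranteed characters
    # are not always at the front of the password.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def meets_policy(password, sets):
    """True if the password contains at least one character from each set."""
    return all(any(c in CHARSETS[s] for c in password) for s in sets)


def derive_vault_key(master_password, salt, iterations=200_000):
    """Derive a 256-bit vault key from the master password.

    PBKDF2-HMAC-SHA256 is a generic choice for the illustration, not the
    scheme Password Safe uses. The salt is stored unencrypted beside the
    vault; the iteration count slows down offline guessing of the master
    password, which is the only secret protecting every stored entry.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


if __name__ == "__main__":
    pw = generate_password(16, ("lower", "upper", "digits", "symbols"))
    print("generated:", pw)
    salt = secrets.token_bytes(16)  # constructed per-vault salt
    key = derive_vault_key("a long and complex master password", salt)
    print("vault key:", key.hex())
```

The guaranteed-one-per-set step matters in practice: a site that demands a digit would otherwise reject a generated password now and then, which is exactly the kind of friction that pushes users back to reusing a "standard" password.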

UPDATE 3/8/2007: U3

There is now a U3 version of Password Safe available.

RoboForm

RoboForm (http://www.roboform.com/) is a commercial password repository product. It includes a toolbar for your browser that simplifies its use. It will monitor your browser and save IDs and passwords with the "autosave" feature. With AES encryption, the length of your master password determines the key length, and therefore the strength, of the algorithm.

AES key length depends on Master Password (MP) length*:
  • 128 bit for MP less than 32 chars,
  • 192 bit for MP from 32 to 47 chars,
  • 256 bit for MP 48 chars or longer.

RoboForm has two variants designed for use with USB drives: RoboForm2Go (http://www.roboform.com/pass2go.html) for standard USB drives and RoboForm2Go for U3 (http://www.roboform.com/pass2go-u3.html), which is designed for U3 (http://www.u3.com/) thumb drives. [Note:] U3 is designed to make U3 versions of programs portable by storing registry information on the U3 USB drive. I have one and have mixed feelings about the technology.

Feature list*:
  • AutoSave passwords in browser.
  • AutoFill passwords to login form.
  • Click Login button for you.
  • Fill personal info into online forms.
  • Save offline passwords & notes.
  • Generate Secure Random Passwords.
  • Encrypt passwords and personal data using AES, Blowfish, RC6, 3-DES or 1-DES algorithms.
  • All personal info is stored on your computer only.
  • Take RoboForm with you on USB disk for ultimate portability.
  • Sync your passwords and notes to Palm or Pocket PC.
  • Backup & Restore, Print your passwords.
  • More features: drill down for more.
  • It is well-behaved: NO ADWARE, NO SPYWARE.
  • Works under Windows as an add-on to IE-based browsers.
  • Works with Netscape, Mozilla, Firefox under Windows.
* Taken from http://www.roboform.com/features.htm
