
Safeguarding Your Passwords

It's tough to navigate the Web and do business online without having to remember dozens of passwords, yet in my experience, very few people give much thought to securing these precious credentials. Most folks simply take advantage of the simple password storage features built into Web browsers like Internet Explorer and Firefox. However, there are some alternatives that I'd like to spotlight, which can help Web users more safely generate, manage and store passwords.

I've never trusted the password store feature in Internet Explorer, perhaps because the methods for filching data stored in IE's "protected storage" area are well-documented, not to mention used in a ton of malicious software (plus, I also don't use IE for regular Web browsing). I do use Firefox's password storage feature, but only for sites that do not store my personal or financial data, such as the Web site of my local library, and certain online user forums.

One thing to note about password storage in Firefox: If you have not enabled and assigned a "master password" to manage your passwords in Firefox, anyone with physical access to that computer and user account can view the stored passwords in plain text, simply by clicking "Options," then "Show Passwords." To protect your passwords from local prying eyes, drop a check mark into the box next to "Use Master Password" at the main Options page, and choose a strong password that you can remember. You will then be prompted to enter the master password once per session when visiting a site that uses one of your stored passwords.

There are several third-party programs that can help users safeguard more sensitive passwords. My favorite -- Password Safe -- is a simple and free program for Microsoft Windows that also protects your passwords with a master password, using the secure Twofish encryption algorithm. (Take care to pick a strong master password, but one that you can remember: Just as with the Firefox master password option, if you forget the master password you are pretty much out of luck.)

Once you have protected Password Safe with a master password, you are ready to start adding passwords. A nice feature of this program is auto-fill. With the main Password Safe window open, right click on an entry, select "browse to URL" and it will load the requested site in your default browser. Then, right click on the Password Safe entry again and select "perform auto fill," and watch the program enter your stored username and password at the site and log you in automatically.

Password Safe includes a built-in password generator that can create strong passwords for you, and the program will give you feedback about whether any phrase you create is strong enough to avoid being guessed by automated password-cracking tools. By default, the program locks you out after five minutes of inactivity, requiring you to enter the master password again before using the program (you can change this and a myriad of other settings from the Password Safe "Options" menu).
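The three mechanisms the two preceding paragraphs describe (a master password that unlocks an encrypted store, a generator that reports password strength, and an automatic lock after a period of inactivity) are small enough to show end to end. The following is an added example written for this page; it is not Password Safe's own code, and the class and function names (`PasswordSafe`, `seal`, `open_safe`, `strength_bits`) are invented for the illustration. Twofish is not in Python's standard library, so the encryption stands in an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag purely to keep the example self-contained; the 300-second default is the one the article quotes, and the clock is injectable so the lock can be exercised without waiting five minutes.

```python
import hashlib
import hmac
import math
import os
import secrets
import string
import time

# Constructed example, not Password Safe's own code: a master-password-protected
# store with a generator that reports strength and an inactivity lock.
# Twofish is not in Python's standard library, so encryption here is an
# HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, used only to
# keep the example self-contained; a real safe should use a vetted cipher.

PBKDF2_ROUNDS = 100_000   # work factor that slows down guessing of the master password
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CHAR_CLASSES = ((string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
                (string.digits, 10), (string.punctuation, len(string.punctuation)))

def derive_keys(master, salt):
    """Stretch the master password into a 32-byte cipher key and a 32-byte MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]

def _keystream(key, nonce, n):
    """Derive n bytes of keystream by HMAC-ing the nonce with a running counter."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(master, plaintext):
    """Encrypt and authenticate plaintext; output layout is salt | nonce | tag | ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct

def open_safe(master, blob):
    """Check the tag before decrypting, so a wrong master password is an error, not garbage."""
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or corrupted safe")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def generate_password(length=16):
    """Random password from the OS CSPRNG (the random module is not suitable for this)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def strength_bits(pw):
    """Entropy estimate of the kind a generator shows as feedback: length * log2(pool size)."""
    pool = sum(size for chars, size in CHAR_CLASSES if any(c in chars for c in pw))
    return len(pw) * math.log2(pool) if pool else 0.0

class PasswordSafe:
    """Store that re-locks itself after lock_after idle seconds (the article's default is 300)."""

    def __init__(self, master, lock_after=300, clock=time.monotonic):
        self._clock, self._lock_after = clock, lock_after
        self._blob = seal(master, b"")     # a new safe starts out empty
        self._master = self._entries = self._last_use = None   # None means locked

    def is_locked(self):
        return self._entries is None

    def lock(self):
        self._master = self._entries = None   # real safes also zeroize the key material

    def unlock(self, master):
        raw = open_safe(master, self._blob)   # raises ValueError on a wrong master password
        self._entries = dict(line.split("\t", 1) for line in raw.decode().splitlines())
        self._master, self._last_use = master, self._clock()

    def _touch(self):
        """Every use resets the idle timer; exceeding it locks the safe before serving the request."""
        if self.is_locked():
            raise PermissionError("safe is locked")
        now = self._clock()
        if now - self._last_use > self._lock_after:
            self.lock()
            raise PermissionError("safe locked after inactivity; enter the master password again")
        self._last_use = now

    def add(self, site, password):
        self._touch()
        self._entries[site] = password
        raw = "\n".join(f"{s}\t{p}" for s, p in self._entries.items()).encode()
        self._blob = seal(self._master, raw)   # re-encrypt on every change

    def get(self, site):
        self._touch()
        return self._entries[site]
```

Two design points carry over to any real safe: the tag is verified before anything is decrypted, which is what turns a mistyped master password into a clean error rather than silently garbled entries, and the idle check runs on every access, so a safe left open on an unattended desk re-locks itself rather than relying on the user to remember.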

Keepass is another robust, free password manager program that works similarly to Password Safe. You can install Keepass as a desktop application, or to a removable flash or USB drive to keep your passwords wherever you go in an encrypted format. Keepass also has been ported over to just about every platform, including Mac OS X and Linux, and even installs on hand-held devices, such as Blackberry, Palm and Symbian-based mobile phones. It also plays nice with multiple browsers, including Firefox, IE, and Opera. In addition, there is a very active user forum at Sourceforge.net that users can turn to for help.

These two programs are hardly the only password safes available: I know a lot of people use and enjoy Roboform, a program that is free to try and $29.95 after the trial. A separate application, Roboform2Go, is designed to be installed to a USB or U3 stick. I tried out the latter program thanks to an evaluation copy sent by the vendor, and found it to be a feature-rich - if somewhat more bloated and less intuitive - program. It works only for Windows 2000/XP/Vista users, and appears to be designed to work primarily with IE, although I was able to get it working in Firefox after installing an add-on.

Some of these products claim that their "autofill" function is designed to defeat "keystroke loggers," or malicious programs that record everything the victim types on his or her keyboard. The theory goes that because the program spares the user from manually typing their usernames and passwords, a keylogger has no keystrokes to record. I have not independently tested any of these programs to verify those claims, but I'd argue that trusting these applications to secure your passwords on a machine that is already loaded with spyware or keylogging programs is unwise.

A feature that's been included for some time now in many of the more advanced keyloggers - such as the Gozi Trojan - rips the username and password right out of an active login page, even when the data is sent from the user's machine to the Web site using secure sockets layer (SSL) encryption (a site whose address begins with https://). Gozi simply captures usernames and passwords as they are posted to the site, before they get encrypted with SSL.

Readers sometimes ask my advice for protecting their passwords and other sensitive data when they transmit it over an unfamiliar machine, such as an Internet cafe, kiosk or hotel business unit. My standard take on this is that while tools like those described above may be able to add a layer of security to your data on an unfamiliar system, the reality is that if you can't vouch for the security of the machine, you really have no idea what's on it. Accordingly, you should weigh whether the e-mail you want to fire off or the stock sale you'd like to make is worth the risk, or whether you can wait until you're in front of a trusted computer.

By Brian Krebs | January 13, 2008; 9:20 AM ET | Misc., Safety Tips

Comments

I have tried many keylogger programs, such as the key logger from http://www.paqtool.com.
However, many anti-virus programs can find it. It seems http://www.paqtool.com can develop a special version for me that other software cannot find, but it is too expensive.

Posted by: Kris | January 14, 2008 10:38 AM

Anyone using Mac OS X can use the built-in Keychain application with Safari or Camino browsers (as well as many other applications). Lots of articles about password storage fail to mention this, and when they do highlight a 3rd-party product for Mac, there is no rationale given about why it may (or may not) be better than simply using the supplied Keychain feature. A cross-platform 3rd-party solution may be useful IF a common database can be used by different binaries (i.e., taking your password database from platform to platform).

Posted by: Logical Extremes | January 14, 2008 11:03 AM

Another simple fix is to just type your username/password details into the IE/Firefox bookmark link...

Posted by: dj | January 14, 2008 11:05 AM

The most secure password storage is between your two ears!!

Also, best practice dictates turning OFF any "AutoComplete" functionality!

@dj

Not a good idea. Doesn't give you a chance to review the status of the website and its site certificate before presenting your credentials. Not to mention how those credentials are easily accessed (in the bookmark) for anyone with physical access to the system.

Better security means less convenience!

Posted by: TJ | January 14, 2008 12:09 PM

To be honest, any online password storage could be hacked and your security compromised. A sheet of paper on your desk that you lock in a safe when you leave the house is the only way; either that, or memorise all the little blighters.

db

Posted by: David Bradley | January 14, 2008 2:23 PM

PassPack is a free online password manager. It supports antiphishing, disposable-logins (anti-keylogger) and a great 1 click autologin. It is a good alternative to installed software. Have a look at http://www.youtube.com/watch?v=Zjc7syolpOE for a quick introduction.

Posted by: Francesco | January 14, 2008 3:02 PM

I like having a Word document on my thumb drive. It reads like a short story. However, in the story are parts to my passwords and logins, such that I open it and cut-and-paste the pieces into the proper spaces on the websites. There's no typing, so keystroke loggers are useless.

Posted by: | January 14, 2008 3:22 PM

If someone has access to my machine then it's not my machine anymore. So that's where I worry about securing it.

Passwords are kept in a text file. There's a standard password I use, and the file just lists the variations for each site. "Usual pass, 1 for i, 0 for o, double the suffix, no prefix." I just have to know the standard password.

Posted by: wiredog | January 14, 2008 3:41 PM

There is KeePass, http://keepass.info/, which encrypts your passwords, and you can configure it with favorite URLs to call up and fill out your userid/password for you. Couple this with a USB drive with a fingerprint biometric and you can feel pretty safe from any keylogger app.

Posted by: SpecTP | January 14, 2008 4:30 PM

I use a handwritten cheat sheet for my passwords, except I don't write the actual password--only a cryptic clue to the password. It saves me from the frustration of getting mixed up about which password matches up with which site, and if someone comes across it, they still won't know what the actual password is.

I'm curious, though, about what is more risky--entering financial data every time I make a transaction online, such as my credit card number, or having that credit card info stored on the retailer's server, such as when Amazon.com saves credit info to make purchasing faster?

Should I opt out of retail websites "remembering" my financial information and enter it from scratch every time?

Posted by: Sean | January 14, 2008 7:40 PM

@Logical Extremes: OS X and its keychain have a number of security holes relating to its use of bundle identifiers. Some of these vulns are fixed in Leopard.

Posted by: Rick | January 15, 2008 1:02 AM

There are a lot of security people who endorse writing down passwords and putting them in your wallet. I prefer using a system like Keepass, with a strong password or two-factor, but as long as the passwords aren't clearly linked to specific sites, I guess writing them in a secured location would be better than the all-too-common alternatives (writing IT down in an unsecured location and using IT for every site and application). Here's the write-down-your-passwords URL I most often receive as support for that argument:

http://www.schneier.com/blog/archives/2005/06/write_down_your.html

Posted by: MarvinK | January 15, 2008 1:21 PM

I've used RoboForm for years. Works even with Vista!
Great article.

Posted by: Doug Woodall | January 15, 2008 7:43 PM

MarvinK> There are a lot of security people who endorse writing down passwords and putting them in your wallet.

Well, really, there's one: Bruce Schneier. Others may quote him, but he is the historical promulgator of this strategy, which is why the link you receive goes to his blog.

Despite being endorsed by Mr Schneier, the strategy is based on fallacious logic. The argument is that since one is already accustomed to protecting one's wallet, it's therefore a good place to keep passwords as well because they will benefit from the protection already invested in the wallet. There are two problems with this:

1. We actually accept that our wallets might be lost or stolen. That's why we don't keep *all* our money in them, or even thousands of dollars. Just what we need, and only a few credit cards.

2. How many people can, off the top of their heads, enumerate all the passwords they would write down in this scheme? Once the wallet is lost, all those passwords have to be changed, but how do we know which ones? Obviously a copy of this list has to exist somewhere else and be kept up to date, which nullifies the argument for putting the list in the wallet in the first place.

Mr. Schneier is an extremely intelligent and interesting person, but he is not infallible.

Posted by: antibozo | January 15, 2008 10:29 PM

If you wish to rely on Firefox's password storage, with or without a master password, be very cautious about what extensions (Add-ons) you install. Extensions execute in "chrome" context, like the rest of the browser GUI, which means they can do anything the browser can do: read/write local files, execute programs, and access *all* of the password information in the password storage, i.e. every URL, username, and password.

This results in two threats:

1. An extension that has a bit of malicious code in it can send your password data anywhere it pleases.

2. An extension that has a cross-site scripting (XSS) vulnerability (a bit of a misnomer in this case, but it will do) can compromise your password storage when it processes malicious content. For example, an extension might display web content in a chrome window (chrome windows are the various windows and panes outside the main browser windows in Firefox, such as toolbars and sidebars). If not written correctly, such an extension may execute malicious Javascript supplied by an attacker, in chrome context.

Really, one should be choosy about extensions even if one is not using password storage: again, they can run arbitrary code. Unfortunately, the extensions infrastructure is not well vetted security-wise, and few extensions use code-signing or even SSL to secure upgrades.

Posted by: antibozo | January 16, 2008 12:32 AM

What are some people's thoughts about the sxipper Firefox extension for password management?

Posted by: N Barber | January 18, 2008 12:41 AM

N Barber> What are some people's thoughts about the sxipper Firefox extension

I haven't used it, but I just downloaded the .xpi to take a look. Nearly 36000 lines of Javascript in 69 separate files. Would be a pain in the butt to do a security audit, which may mean no one ever has. Personally, I wouldn't trust it.

Curious: what does this do for you that the built-in password manager does not?

Posted by: antibozo | January 18, 2008 2:54 AM

Great topic. Does anyone trust or use the Norton Internet Security 2008 "Identity Safe" to store and automatically fill in user names and passwords (and rate password strength) for the sites you choose via IE or FireFox? I keep my passwords locked in my Palm T|X, though the important ones are firmly committed to memory. The user names are stored in their complete form or stored only as a clue, depending on the site it's for. But the passwords I leave incomplete...perhaps with only the first and last characters as a reminder or some other form of a clue...unless it's for something w/o security issues, such as a discussion group or a news site. The data on my Palm is backed up to my computer. The data on the Palm itself can be encrypted using one of several algorithm choices in addition to being password protected. When it comes to using public access, I don't use public computers or wireless public access to reach sensitive sites to log onto, such as my bank...I wait until I use my own computer wired...or, if in public and wireless, I'm using a VPN.

Posted by: Marcus | January 19, 2008 4:16 AM

(As an arbitrary rule I don't use the FireFox password storage...and definitely not with IE.) BTW, I've not used NIS 2008 Identity Safe to store credit card numbers...only certain passwords and usernames. The question by Sean about whether to have one's financial data stored on a company's server is a good one. Any thoughts? Any rules of thumb? It's convenient but seemingly risky, given the unknown IT security practices of various companies and the intermittent stories in the news of data loss/theft involving companies.

Posted by: Marcus | January 19, 2008 4:46 AM

Though I use FF password storage, I encrypt and password protect the feature, and use an additional add-in which forces a "disconnect" after (user-configurable) 5 minutes of inactivity, thereby forcing me to properly access the storage again, even in the same session. Thus, even if I hit a rogue web site while access is denied, my information is safe. (Q: What is a good, safe time-out setting?)

As for saving my credit card information on a retailer's site - forget it. Don't rely on a third party to protect your personal information. You leave it somewhere else, it is no longer yours to control. It really does belong to the key-keeper(s).

Now to check out some of the other apps mentioned in the article and following comments...

Posted by: Gryphon | January 20, 2008 2:10 PM

Passwords are a cheap lock! Implementing some kind of two-factor authentication is a much more sure fire way of protecting access, plus it can help mitigate the need to change passwords as frequently. Here's a helpful link: https://secure.entrust.com/contact/index.cfm?action=wpdownload2&tpl=resources&resource=WP_Enterprise_Auth_Final_July07.pdf&id=22741

Posted by: AM | January 28, 2008 11:11 AM

To protect my passwords, I normally refrain from having them remembered by web browsers like IE and Firefox.

I also frequently remove history files and files which can be used by hackers from my computer. An easy way to accomplish this is covered in my blog:
http://evidenceeraserreview.blogspot.com/

Posted by: Dami | January 29, 2008 2:12 PM

I don't understand at all why you recommend Keepass -- it's pathetic -- on windows xp anyway. No way a basic user can install and use that piece of overly complexified crap.

I use 1Password on OSX and it's so superior to KeePass I'm shocked you would recommend it -- doesn't do what it says, on windows xp anyway. horrible. Avoid unless maybe you're a programmer.


Posted by: KeePass SUCKS! | February 9, 2008 10:36 PM

© The Washington Post Company