Keep track of all of your passwords with KeePass, a free password manager
How many passwords do you rely on every day
to live and function online? Think hard about all the accounts you have to log
into - we're sure it reaches a dozen, including news sites, forums and others.
Do you leave them all logged in or do they generally all have the same
password? It's an uncomfortable question, because password management skills
are something to which most of us would rather not draw attention. People in
offices, for example, often write passwords on whiteboards.
Opt to run KeePass normally, otherwise the database won't be saved.
The need for passwords is a problem that
won't go away, but as we've seen recently, some cross-site scripting
vulnerabilities rely on you leaving yourself logged into online accounts to do
their fiendish work. Luckily, there are ways of securely and portably managing
all of your essential passwords.
Project Goal: Protect your passwords
Don’t dumb down your passwords because you can't
remember them all. Instead use a password management program to keep your PC
and accounts safe without worrying about forgetting their account details.
Requires: KeePass
This software is an open source solution for online
password management. You can download it from www.keepass.info.
Why passwords?
Passwords have been around since antiquity.
Guards would challenge people trying to enter restricted areas and only let
them pass if they knew that day's word - hence the term. Used correctly,
they're still an excellent method of securing access to resources. The problem
is that the need to remember so many of them means vulnerabilities quickly
creep in.
Today we have so many passwords and there
are so many people trying to gain access to them that using some form of
password management tool is becoming essential. The results of not doing so can
be embarrassing to say the least. How many times have you seen Facebook friends
post shocking status updates, only to discover that a friend or family member
had taken advantage of the logged-in account for a laugh?
Beyond the embarrassment, reputations and
even whole identities can be taken, and the rightful owner locked out, simply
by changing the password on an account that's been left logged in.
Top tips: sandboxes
Some AV products try to make KeePass open
in a sandbox - a controlled environment. Override your antivirus by asking it
to open KeePass normally, or you'll lose your data when you close it.
Management tools
There are several excellent password
management tools that will help you keep track of all the passwords you need
for life online. They fall into four basic categories. First, there are those
that store your passwords securely on a local storage device and let you
access them via a secret master key. Next, there are those designed to run on
mobile devices, such as smartphones. With the rise of cloud computing, there
are now several password managers designed to follow you anywhere, which are
accessed through a web interface. Finally, there are hardware password
management devices integrated into services, such as those used by banks which
generate complex sequences of challenge and response codes to authenticate you.
What all these password managers have in
common is the simple requirement to remember a single, master password that
grants access to all the credentials they store. Many password managers will
even fill in web forms for you, making login procedures more convenient.
Set up a master password to keep all your others safe
Cracking passwords
Cracking passwords is a complex business
for a PC. The two basic approaches are brute force and dictionary attacks.
In a brute force attack, the software
might begin with 'aaaaaaaa' and work through to 'zzzzzzzz'. This can be very
time-consuming - for an eight-letter, lowercase password consisting of the
letters a-z, there are 26^8, or 208,827,064,576 possibilities. Remotely
trying 1,000 options a second would take roughly 6.6 years.
Analysis of cracked passwords has
revealed that some are more popular than others. Believe it or not, ‘123456'
is the world's most popular password, followed by 'password' and the
username. In July 2011, Hotmail actually banned the password ‘123456'. Other
sites such as Twitter have also banned easily guessed passwords.
Dictionary attacks were developed to
speed up password cracking. Common passwords are tried first, including
simple variations. This technique can substantially reduce the time needed to
crack passwords.
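The arithmetic behind the brute force figures above, and the defensive mirror of a dictionary attack (reject a password that would fall in the attacker's first few tries), as an added example that is not code from the article or from KeePass. The keyspace and time functions generalise the article's single 26^8 case to any character set, length and guess rate; COMMON_PASSWORDS is a constructed sample list, not any site's real deny-list, and all function names are this example's own.

```python
"""Keyspace arithmetic and an 'easily guessed' check.

Added example for this article; it is not code from the article or from
KeePass, and COMMON_PASSWORDS is a constructed sample, not any site's real
deny-list.
"""
import math
import string

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Constructed sample in the spirit of the entries the article names.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou"}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from the charset."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of guessing work for a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Years to try every password in the keyspace at a fixed guess rate."""
    return keyspace(charset_size, length) / guesses_per_second / SECONDS_PER_YEAR


def charset_size_of(password: str) -> int:
    """Size of the union of standard character classes the password draws from."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(c in cls for c in password))


def is_easily_guessed(password: str, username: str = "") -> bool:
    """Mirror the first moves of a dictionary attack on the defensive side.

    A dictionary attack tries common words first, then simple variations such
    as capitalisation and trailing digits or punctuation.  Normalising the
    candidate the same way tells us whether it would fall in those first tries.
    """
    lowered = password.lower()
    base = lowered.rstrip(string.digits + string.punctuation)
    for form in (lowered, base):
        if form in COMMON_PASSWORDS:
            return True
        if username and form == username.lower():
            return True
    return False


if __name__ == "__main__":
    print(f"26^8 = {keyspace(26, 8):,} candidates")
    print(f"at 1,000 guesses/s: {years_to_exhaust(26, 8, 1_000):.1f} years")
    print(f"at 1,000,000 guesses/s: {years_to_exhaust(26, 8, 1_000_000):.2f} years")
    for pw in ("123456", "Password1!", "Tr0ub4dor&3"):
        print(pw, "easily guessed" if is_easily_guessed(pw) else "not in the first tries")
```

Running it reproduces the article's 6.6 years at 1,000 guesses a second and shows the same keyspace falling to a couple of days at a million guesses a second, which is why a password manager's long, random passwords matter more than any clever variation of a dictionary word.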
Things should be easier if an attacker
can obtain a password file and work on it locally and a desktop computer can
try millions of passwords per second. The problem is that passwords are
stored encrypted. The only way the attacker has of telling if he has found
the correct password is to encrypt it and test this against the stored,
encrypted version.
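The check the article describes, seen from the side of the system storing the password, as an added example that is neither KeePass code nor the scheme any particular site uses. It keeps a salted PBKDF2-HMAC-SHA256 digest (Python standard library only) and verifies a candidate exactly as described: run it through the same one-way function and compare. The per-user salt means two users with the same password get different stored values, and the iteration count sets how much work each offline guess costs; the function names and the 600,000 default are this example's own choices.

```python
"""How a stored password is checked, and why the check is deliberately slow.

Added example for this article; not KeePass code and not any site's real
scheme.  The plaintext password is never stored, only a salted digest.
"""
import hashlib
import hmac
import os

HASH_NAME = "sha256"
SALT_BYTES = 16


def store_password(password: str, iterations: int = 600_000, salt: bytes = b"") -> dict:
    """Return the record a server keeps for one user."""
    if not salt:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest for `candidate` with the stored salt and iteration count.

    This is the only test available to anyone, legitimate or not: there is no
    way to reverse the digest, only to recompute it from a guess and compare.
    """
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME, candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(digest.hex(), record["hash"])


def guesses_per_second_at(iterations: int, raw_hashes_per_second: float) -> float:
    """Each candidate costs `iterations` underlying hashes, so the guess rate drops by that factor."""
    return raw_hashes_per_second / iterations


if __name__ == "__main__":
    alice = store_password("correct horse")
    bob = store_password("correct horse")
    print("same password, different records:", alice["hash"] != bob["hash"])
    print("right guess:", verify_password(alice, "correct horse"))
    print("wrong guess:", verify_password(alice, "Correct horse"))
    # Constructed figure: a desktop doing 600 million raw SHA-256 per second
    print("guesses/s against this record:", guesses_per_second_at(alice["iterations"], 6e8))
```

With a single plain hash the "millions of passwords per second" the article mentions is realistic; with 600,000 iterations the same hardware is down to about a thousand guesses a second, which is the whole point of a slow password hash. The salt does not slow anything down, but it stops an attacker from precomputing one table and reusing it against every account in the file.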