The problem with passwords ….
… is that we’ve got too many of them these days. Since we all use good passwords and never reuse the same password across different services and sites (hmm, ok, the other 31% of us anyway), we inevitably end up with lots of passwords that need to be stored somewhere. Speaking personally, I have trouble retaining much more than 10 passwords in my head (and I passed the 10-password mark quite some time ago; I think I’m currently running with over 60 current username/password combinations), so I’m left with a bit of a problem. I have a few options:
- I could start using biometrics such as my fingerprint rather than passwords (we’re getting closer to this being feasible too; my IBM ThinkPad T60 has a pretty decent fingerprint scanner built in).
- I could start using OpenID or something similar to reduce the number of unique usernames and passwords I need (although this isn’t really going to work until more of the big guys start supporting it).
- I could write ’em down (which, after years of being labelled a bad thing, is now being recommended by the experts).
I’ve decided to go with another option, which is a distant cousin of writing them down, with a little 21st century cryptography thrown in for good measure (hey, it even sounds more secure than writing them down as soon as we say that). The basic idea is to store your passwords in a file, which is then encrypted with a single master password. If you lose the file, provided it is encrypted with strong encryption such as AES, it should be extremely difficult for anyone to read the contents of the file and recover your passwords. I say extremely difficult rather than impossible because at some stage in the future, all current encryption algorithms will be found to have weaknesses or computers will become powerful enough to brute force the encryption. With currently recognised strong encryption algorithms, this point should hopefully come in decades though, so it’s not worth any sleepless nights just yet. In practice the weak link is the master password itself rather than the cipher: anyone holding the file can try guesses offline at their leisure, which is why these tools stretch the master password through a deliberately slow key-derivation step, and why a short or dictionary master password undoes all the strength of AES.
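To make the idea concrete, here is a minimal encrypted password store of my own, added here as an illustration; it is not code from Password Safe or KeePass and its file layout is not either tool’s format. It assumes AES-256-GCM for the encryption, PBKDF2-HMAC-SHA256 to stretch the master password into a key (written out by hand so only the Go standard library is needed), and the hypothetical `Seal`/`Open` names and `Entry` type are mine. A wrong master password and a tampered file both fail the GCM tag check, so nothing is decrypted in either case.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Toy vault layout (my own, NOT the Password Safe or KeePass file format):
//   salt (16 bytes) || nonce (12 bytes) || AES-256-GCM ciphertext+tag
const (
	saltLen    = 16
	nonceLen   = 12
	keyLen     = 32      // AES-256
	iterations = 200_000 // PBKDF2 work factor: slows offline guessing of the master password
)

// Entry is one stored credential; the map key is the site or service name.
type Entry struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018 section 5.2).
func pbkdf2SHA256(password, salt []byte, iter, dkLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	var dk []byte
	ctr := make([]byte, 4)
	for block := 1; len(dk) < dkLen; block++ {
		binary.BigEndian.PutUint32(ctr, uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(ctr)
		u := prf.Sum(nil) // U_1 = PRF(P, S || INT(i))
		t := make([]byte, hLen)
		copy(t, u)
		for i := 1; i < iter; i++ { // U_j = PRF(P, U_{j-1}); T_i = U_1 xor ... xor U_c
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:dkLen]
}

// newAEAD stretches the master password into an AES-256 key for the given salt.
func newAEAD(master string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(master), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal serialises the entries and encrypts them under the master password.
// A fresh random salt and nonce are drawn on every save.
func Seal(master string, entries map[string]Entry) ([]byte, error) {
	plaintext, err := json.Marshal(entries)
	if err != nil {
		return nil, err
	}
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	aead, err := newAEAD(master, header[:saltLen])
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(header)+len(plaintext)+aead.Overhead())
	out = append(out, header...)
	// The header is bound as additional data so it cannot be swapped undetected.
	return aead.Seal(out, header[saltLen:], plaintext, header), nil
}

// Open decrypts a vault blob; it fails closed on a wrong password or any modification.
func Open(master string, blob []byte) (map[string]Entry, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("vault too short to contain salt and nonce")
	}
	header := blob[:saltLen+nonceLen]
	aead, err := newAEAD(master, header[:saltLen])
	if err != nil {
		return nil, err
	}
	plaintext, err := aead.Open(nil, header[saltLen:], blob[saltLen+nonceLen:], header)
	if err != nil {
		// Wrong master password and a modified file look identical here: the GCM tag
		// check fails and no plaintext is released. Don't tell the caller which it was.
		return nil, errors.New("cannot open vault: wrong master password or file altered")
	}
	var entries map[string]Entry
	if err := json.Unmarshal(plaintext, &entries); err != nil {
		return nil, err
	}
	return entries, nil
}

func main() {
	// Constructed sample entries for the demo, not real credentials.
	entries := map[string]Entry{"mail.example.com": {Username: "alice", Password: "Tr0ub4dor&3"}}
	blob, err := Seal("my one master password", entries)
	if err != nil {
		panic(err)
	}
	fmt.Printf("vault is %d bytes of ciphertext\n", len(blob))
	if _, err := Open("guess1", blob); err != nil {
		fmt.Println("wrong master password:", err)
	}
	got, err := Open("my one master password", blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", got["mail.example.com"].Username)
}
```

The iteration count is the knob that matters most against someone who has stolen the file: each guess at the master password costs them 200,000 HMAC computations, so raise it as hardware gets faster. The salt per save means two vaults protected by the same master password still derive different keys.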
There are a number of open source tools out there for doing this. There may be commercial tools for doing this too, but personally, I’m inclined to have as much faith in the open source tools (although neither approach to software development necessarily makes for a more secure product, as discussed in the Secure Programming for Linux and Unix HOWTO). The first tool I used for doing this is PasswordSafe, which was designed by Bruce Schneier and has been around since 2002. I’ve been using this for about 3 years and it does exactly what it says on the tin. It’s still being actively maintained and is a good choice, especially if you’re working only on Windows.
For the last few months, I’ve been considering moving away from PasswordSafe to something else, because I spend half of my time working on a Linux desktop and PasswordSafe won’t run on Linux. There are some PasswordSafe clones which run on Linux (notably MyPasswordSafe and PasswordSafeSWT) which mostly work, but which don’t give quite the same user experience as you move between Windows and Linux. With this in mind, I went looking for an alternative solution and turned up KeePass, which runs on Windows, and KeePassX, a port of KeePass which runs on Linux and Mac OS X. What’s nice about KeePassX is that it comes bundled with Debian (and probably the other main Linux distributions).
The icing on the cake for me in migrating to KeePass is that it comes with a plugin for importing the encrypted PasswordSafe files so it was pretty hassle free to move to using it. I’ve been working with KeePass and KeePassX now for a few weeks and so far I haven’t hit any problems. In practice, I think that both PasswordSafe and KeePass/X are good tools and both are worth evaluating. Using either one is a huge improvement over writing the passwords down on a post-it stuck to your PC or in an unencrypted file stored on your PC.
On a closing note, if you are going to go to this effort to secure passwords, try to avoid giving your passwords away to random strangers for a chocolate bar, it’s surely worth at least an Easter Egg! 🙂
AVG Anti-Virus 8.0
Updated 10-Mar-2008: An old college friend noted that the plural of virus is viruses, not virii! Thanks for that Mike 🙂
Updated 07-Mar-2008: MessageLabs new advertising campaign includes digital images of viruses created from their actual code.
Wow — where did the first 2 months of 2008 disappear to? I figured I better get back blogging before tomorrow or I might be accused of only blogging every 4 years 🙂
I don’t usually talk about commercial products here and I certainly haven’t spoken about Windows software in the past, but where I find a useful Windows tool (commercial, open source or indeed free software) that does its job and offers value for money (either in terms of the cost of licensing it or the cost in time to install and use it) I’m inclined to sing its praises, if only to give it a bit of extra publicity. Before anyone asks, I’m not getting any freebies from Grisoft for blogging about their product.
I initially started using AVG when I came across the free version which has been available for a number of years for home and non-commercial use. It’s an interesting marketing trick: when it came to choosing an anti-virus solution for the office, AVG was on my list of contenders. We have about 10 desktops and laptops in use around the office, only some of which are running Windows (we tend to use a mixture of Windows and Linux on the desktop depending on our developers’ personal preferences and the needs of the customer projects they are working on), so initially the small business version of AVG met our requirements. My experience of using AVG is that:
- It’s lightweight – unlike some of its competitors (M****e and S******c) it doesn’t hog all of your system resources while it sits in the background.
- It’s easy to install and uninstall – again, unlike some of its competitors who require you to deinstall about 4 different packages in the correct order before you can rid your PC of them.
- Licensing is straightforward and uncomplicated – Grisoft (the makers of AVG) allow you to buy bundles of licenses in units of 5 and have hassle-free upgrades when moving to larger numbers of licenses or indeed to their more advanced products such as the Network edition. They don’t force you to jump through hoops to upgrade or require you to buy a whole new suite halfway through your current licenses.
- The price is right.
- It works (I thought this was a given but just in case anyone was wondering, we did opt for an anti-virus solution that actually catches viruses, not just the cheapest one).
The lightweight thing is a big selling point for me. I recognise that I need anti-virus software on all of our Windows systems, but I don’t want to have to buy a second CPU just for the privilege of running it, and AVG seem to get that. Sure, running a virus scan will slow down the system a little, but it largely sits in the background without impacting system performance.
I suspect once we have more than 5 Windows systems in use I’ll probably move to the network edition of AVG but for now, we’re just sitting on the tipping point where it’s as easy for our guys to maintain their own systems and run their own updates when it suits them (especially since we trust our guys to do the right thing and run regular updates — right lads? 🙂 )
So why am I only talking about AVG now when we’ve been using it for about 3 years? Well, AVG just released v8.0 of their product today. For the moment at least, it doesn’t look like v8.0 of the product is available as a freebie; hopefully this will change over time. Not only have they upgraded the interface in v8.0, they’ve also introduced a bunch of new features, some of which were previously distributed as separate products or freebies. As well as the existing anti-virus and email scanner, AVG 8.0 introduces the following:
- Anti-Spyware – I’ve previously used Spybot-S&D as an anti-spyware solution – it has a good reputation and works well, but we’ve never deployed any anti-spyware tools on our company network because of the extra effort involved in managing multiple tools. It’s nice to see AVG including this in their core product now (it was previously available as a separate tool).
- Anti-Rootkit – again, this was previously available as a separate component but we didn’t have it deployed on our network. It’s nice to know that AVG now includes support for rootkit scanning also.
- Web Shield and Link Scanner – AVG 8.0 also introduces some new tools for scanning both web pages as you browse them and instant message traffic (currently only supporting MSN and ICQ it seems) for malicious content. I’ve no idea how useful these will be in practice but it’s good to see Grisoft continuing to add value to their core product without gouging the customer for these additional features.
I’m just running my first full scan with the new version now — I’d be surprised if it turns up anything since I regularly ran AVG 7 on the system but I’ll be sure to report if it does. To steal a line from Hill Street Blues –
All right, let’s roll… Hey… Let’s be careful out there.
(am I showing my age with that one?)
Atlantic Linux launches new website
Atlantic Linux, the Linux® business of Applepie Solutions, has just launched its new website. Atlantic Linux will focus on delivering Linux consulting, design and support services to small, medium and large organisations. We look forward to your feedback and comments on our website.