The problem with passwords ….
… is that we’ve got too many of them these days. Since we all use good passwords and never reuse the same password across different services and sites (hmm, ok, the other 31% of us anyway), we inevitably end up with lots of passwords that need to be stored somewhere. Speaking personally, I have trouble retaining much more than 10 passwords in my head (and I passed the 10 password mark quite some time ago; I think I’m currently running with over 60 current username/password combinations), so I’m left with a bit of a problem. I have a few options:
- I could start using biometrics such as my fingerprint rather than passwords (we’re getting closer to this being feasible too – my IBM Thinkpad T60 has a pretty decent fingerprint scanner built in).
- I could start using OpenID or something similar to reduce the number of unique usernames and passwords I need (although this isn’t really going to work until more of the big guys start supporting it).
- I could write ’em down (which, after years of being labelled a bad thing, is now being recommended by the experts).
I’ve decided to go with another option, which is a distant cousin of writing them down – with a little 21st century cryptography thrown in for good measure (hey, it even sounds more secure than writing them down as soon as we say that). The basic idea is to store your passwords in a file, which is then encrypted with a single master password. If you lose the file, provided it is encrypted with strong encryption such as AES, it should be extremely difficult for anyone to read the contents of the file and recover your passwords. I say extremely difficult rather than impossible because at some stage in the future, all current encryption algorithms will be found to have weaknesses or computers will become powerful enough to brute force the encryption. With currently recognised strong encryption algorithms, this point should hopefully come in decades though, so it’s not worth any sleepless nights just yet.
There are a number of open source tools out there for doing this. There may be commercial tools for doing this too – but personally, I’m inclined to have as much faith in the open source tools (although neither approach to software development necessarily makes for a more secure product, as discussed in the Secure Programming for Linux and Unix HOWTO). The first tool I used for doing this is PasswordSafe, which was designed by Bruce Schneier and has been around since 2002. I’ve been using this for about 3 years and it does exactly what it says on the tin. It’s still being actively maintained and is a good choice, especially if you’re working only on Windows.
For the last few months, I’ve been considering moving away from PasswordSafe to something else, because I spend half of my time working on a Linux desktop and PasswordSafe won’t run on Linux. There are some PasswordSafe clones which run on Linux – notably MyPasswordSafe and PasswordSafeSWT, which mostly work – but they don’t give quite the same user experience as you move between Windows and Linux. With this in mind, I went looking for an alternative solution and turned up KeePass, which runs on Windows, and KeePassX, a port of KeePass which runs on Linux and Mac OS X. What’s nice about KeePassX is that it comes bundled with Debian (and probably the other main Linux distributions).
The icing on the cake for me in migrating to KeePass is that it comes with a plugin for importing the encrypted PasswordSafe files, so it was pretty hassle-free to move to using it. I’ve been working with KeePass and KeePassX now for a few weeks and so far I haven’t hit any problems. In practice, I think that both PasswordSafe and KeePass/X are good tools and both are worth evaluating. Using either one is a huge improvement over writing the passwords down on a post-it stuck to your PC or in an unencrypted file stored on your PC.
On a closing note, if you are going to go to this effort to secure passwords, try to avoid giving your passwords away to random strangers for a chocolate bar; they’re surely worth at least an Easter egg! 🙂
2 Comments to The problem with passwords ….
Interesting writeup – I must check out KeePass/X. I currently use the Firefox plugin from http://passwordmaker.org/ to create a hash to use as a unique password for each site. The generated passwords are not susceptible to dictionary attacks. I only have to remember one password to recreate all the others on any machine I use. Worth a look.
March 25, 2008
Hi James,
Thanks for stopping by. PasswordMaker looks interesting, but I’d prefer to store my passwords in a separate sandbox from my browser if at all possible (for no sound reason other than that keeping them separate seems like a good idea; it may well be only giving me an illusion of increased security).
KeePass also includes a password generator – I’m not sure how strong the resulting passwords are though – more at http://keepass.info/help/base/pwgenerator.html
March 11, 2008