Safeguarding Your Passwords

It's tough to navigate the Web and do business online without having to remember dozens of passwords, yet in my experience, very few people give much thought to securing these precious credentials. Most folks simply take advantage of the simple password storage features built into Web browsers like Internet Explorer and Firefox. However, there are some alternatives that I'd like to spotlight, which can help Web users more safely generate, manage and store passwords.

I've never trusted the password store feature in Internet Explorer, perhaps because the methods for filching data stored in IE's "protected storage" area are well-documented, not to mention used in a ton of malicious software (plus, I also don't use IE for regular Web browsing). I do use Firefox's password storage feature, but only for sites that do not store my personal or financial data, such as the Web site of my local library, and certain online user forums.

One thing to note about password storage in Firefox: If you have not enabled and assigned a "master password" to manage your passwords in Firefox, anyone with physical access to that computer and user account can view the stored passwords in plain text, simply by clicking "Options," then "Show Passwords." To protect your passwords from local prying eyes, drop a check mark into the box next to "Use Master Password" at the main Options page, and choose a strong password that you can remember. You will then be prompted to enter the master password once per session when visiting a site that uses one of your stored passwords.

There are several third-party programs that can help users safeguard more sensitive passwords. My favorite -- Password Safe -- is a simple and free program for Microsoft Windows that also protects your passwords with a master password using the secure "twofish" encryption algorithm. (Take care to pick a strong master password, but one that you can remember: Just as with the Firefox master password option, if you forget the master password you are pretty much out of luck.)

Once you have protected Password Safe with a master password, you are ready to start adding passwords. A nice feature of this program is auto-fill. With the main Password Safe window open, right click on an entry, select "browse to URL" and it will load the requested site in your default browser. Then, right click on the Password Safe entry again and select "perform auto fill," and watch the program enter your stored username and password at the site and log you in automatically.

Password Safe includes a built-in password generator that can create strong passwords for you, and the program will give you feedback about whether any phrase you create is strong enough to avoid being guessed by automated password-cracking tools. By default, the program locks you out after five minutes of inactivity, requiring you to enter the master password again before using the program (you can change this and a myriad of other settings from the Password Safe "options" menu).
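To show what a generator and a strength meter of this kind do, here is an added sketch; it is not Password Safe's own code or algorithm. The character classes, the function names and the 60-bit threshold are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes used by this sketch (an assumption, not Password Safe's policy).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, "!@#$%^&*()-_=+[]{}")

def generate_password(length=16):
    """Random password with at least one character from every class."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(CLASSES)
    while True:
        # secrets draws from the OS CSPRNG; random.choice would be predictable.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling keeps the distribution uniform over valid passwords.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate

def estimated_bits(password):
    """Upper-bound entropy estimate: length * log2(size of classes in use).

    This assumes every character was chosen at random, so it overrates
    dictionary words and keyboard patterns.
    """
    pool = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    # Count anything outside the known classes (spaces, other symbols) once.
    if any(all(ch not in cls for cls in CLASSES) for ch in password):
        pool += 32
    return len(password) * math.log2(pool) if pool else 0.0

def feedback(password, minimum_bits=60):
    """Strength verdict against a threshold (60 bits is an assumed cut-off)."""
    bits = estimated_bits(password)
    return ("strong" if bits >= minimum_bits else "weak", round(bits, 1))

if __name__ == "__main__":
    # Constructed sample inputs, followed by one freshly generated password.
    for sample in ("letmein", "Tr0ub4dor&3", generate_password()):
        print(sample, feedback(sample))
```

The estimate is only a ceiling: a phrase built from common words scores far higher here than it would survive against a dictionary-based cracker, which is why a randomly generated password is the safer choice.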

KeePass is another robust, free password manager program that works similarly to Password Safe. You can install KeePass as a desktop application, or to a removable flash or USB drive to keep your passwords wherever you go in an encrypted format. KeePass also has been ported over to just about every platform, including Mac OS X and Linux, and even installs on hand-held devices, such as BlackBerry, Palm and Symbian-based mobile phones. It also plays nice with multiple browsers, including Firefox, IE, and Opera. In addition, there is a very active user forum at Sourceforge.net that users can turn to for help.

These two programs are hardly the only password safes available: I know a lot of people use and enjoy Roboform, a program that is free to try and $29.95 after the trial. A separate application, Roboform2Go, is designed to be installed to a USB or U3 stick. I tried out the latter program thanks to an evaluation copy sent by the vendor, and found it to be a feature-rich - if somewhat more bloated and less intuitive - program. It works only for Windows 2000/XP/Vista users, and appears to be designed to work primarily with IE, although I was able to get it working in Firefox after installing an add-on.

Some of these products claim that their "autofill" function is designed to defeat "keystroke loggers," or malicious programs that record everything the victim types on his or her keyboard. Because the user never has to manually type usernames and passwords, a keylogger would have no keystrokes to record, the theory goes. I have not independently tested any of these programs to verify those claims, but I'd argue that trusting these applications to secure your passwords on a machine that is already loaded with spyware or keylogging programs is unwise.

A feature that's been included for some time now in many of the more advanced keyloggers - such as the Gozi Trojan - rips the username and password right out of an active login page, even when the data is sent from the user's machine to the Web site using secure sockets layer (SSL) encryption (a site that begins with https://). Gozi simply captures usernames and passwords as they are posted to the site, before they get encrypted with SSL.

Readers sometimes ask my advice for protecting their passwords and other sensitive data when they transmit it over an unfamiliar machine, such as an Internet cafe, kiosk or hotel business unit. My standard take on this is that while tools like those described above may be able to add a layer of security to your data on an unfamiliar system, the reality is that if you can't vouch for the security of the machine, you really have no idea what's on it. Accordingly, you should weigh whether the e-mail you want to fire off or the stock sale you'd like to make is worth the risk, or whether you can wait until you're in front of a trusted computer.

By Brian Krebs  |  January 13, 2008; 9:20 AM ET
Categories:  Safety Tips  
© 2010 The Washington Post Company