Sunday, January 21, 2007

Password Management

With hundreds and thousands of potential sites that you may register on during your lifetime, managing all those usernames and passwords can become a real mess. Most people use a single username and password combo for all the web sites they use. It maybe easy to remember but from a security viewpoint, this is absolutely the worst practice. The recommendation is to use a different username and password for each site. As this maybe practically impossible to remember, you should at least have unique passwords for each site or use a password manager. Plus, you need to make sure your password is not easily crackable. A strong password will be a alpha-numeric mix of upper and lower case letters and/or symbols with a length of at least eight characters. Example: “sitKri247” is a strong password. “letmein” is a weak, easily guessable password.

Your web browser has a built-in password manager. When you logon to a site, the password manager will prompt you to confirm whether you want to save the login information. Once you save, it becomes easy on your return visit to the website. The browser will automatically fill in the login details relieving you from having to remember the exact username and password combo for that site.

Many websites support saving your login details (the Remember Me / Automatically Sign In checkbox). This is done by placing a small text file known as a cookie on your computer, which uniquely identifies you. This also saves you the time and hassle of having to manually log on each visit to that website. If, however, you clear the cookies from your computer you will need to re-login. Also, leaving your cookies on the computer can be security risk if your computer is used by many people, especially strangers.

Both the two most popular browsers – Firefox and Internet Explorer – have password managers. But, even with the release of Internet Explorer 7, Firefox 2.0’s password manager is still the better of the two in the key areas of security and usability (see
here and here).

The importance of protecting your logon credentials cannot be overstressed. An attacker who gains access to your logon information can wreak havoc. He or she can compromise your reputation and also cause financial loss if the logon information provides access to your bank or credit card information.

Addtionally, in Firefox you can set a Master Password, (Tools Options Security, check ‘Use a master password’, click on the ‘Change Master Password…’ button and set the password) and increase the encryption protection (Tools Options Advanced Encryption Security Devices, click on ‘Enable FIPS’). Once the Master Password is set, your will need to enter the Master Password once every time you open Firefox and login to a site.

However, both Internet Explorer and Firefox password managers are not totally secure. A vulnerability with Firefox’s password manager goes by the rather exotic name: Reverse Cross Script Request (RCSR) attack. As of this writing a security patch is still not available. So be careful when viewing content on sites where user’s can insert HTML code, like on social networking and blogging sites like My Space, MSN Spaces, Blogger, WordPress and so on. Visitors can be conned into clicking on a link, invisible form, or image that will send the users login details for that site to a totally different site! While this is not a very widespread exploit Firefox users need to exercise caution till a security update fixing the RCSR problem is released. With Internet Explorer, anyone who gains access to the user’s Windows account (physically or using any spyware type software) can gain access to the passwords. While on Firefox, enabling the master password will protect your login information from being stolen, you will not be able to access the login data stored in Firefox if you forget the master password.

Another option is to use 3rd party password managers. Both free and commercial products are available. The main drawback with most of these password managers is that they are cumbersome to use. While the user names and passwords are stored in a highly secure database (and can take a few thousand years to crack with even the most sophisticated computers today!) you need to manually enter (or copy-paste) the login details for each of your sites into the program and likewise copy the password back when logging in. This can quickly become a very frustrating experience. Two exceptions to this are the open source and free software KeePass (http://keepass.info) and Roboform (http://roboform.com). Both support some good usability features that makes the users life much easier.