Passwords are, without a doubt, the perferred method of online security by online blogs, portals, e-commerce sites and just about anything else. For the most part, this is a good system. But, like all security systems, there is a point of possible disclosure, and it lies with you, the password creator, manager and holder. There are tricks to managing passwords, and free software programs to make managing passwords simple and I’ll show you some of them, right now...
You are expected to make a secure password for each site you visit, that’s a lot of responsibility for one person to manage, and because of that many people choose easy passwords or use the same passwords over and over, almost begging for trouble.
This week we are giving away a copy of Linux Made Easy: the Official Guide to Xandros 3 for Everyday Users by Rickford Grant.
All you need to do to enter is check out the latest book competition announcement on our blogs page.
Thanks go to No Starch Press for providing this fantastic prize.
Many people choose easy passwords or use the same passwords over and over, almost begging for trouble
The fact is, if you don’t choose the best possible password, the security provided by it slowly decreases to none. In an ideal world, you would have a completely unique and random password for each site. Unfortunately, remembering such a large number of passwords would be nearly impossible, and that’s where some unique tricks and tools come in to help you keep your data private, and keep the bad guys out.
Site zoning is where you decide what sites require what type of security depending on what type of content the password accesses. You’d have “low” for logging on to blogs (other than your own) and most portals; “medium” for things like IRC nickserv; “high” for things like your own blog, web hosting, site administration and online auction sites; and lastly, you’d have an “extreme” level for online banking, credit cards, ebay and your primary email account.
Why place such protection on your email account you ask? Well, many sites will email you your password back, or allow you to recover your password by sending it, or a new password back to your email. So, once someone gains access to your email account, they can pose as you on almost any website your email is connected to.
Site zoning lets you use simpler passwords for the “low” level and increasingly complex passwords up to the “extreme” level. Many people do this without really thinking about it, although if you’re not and you don’t want to use a more secure password database with random passwords (both explained below), you should consider using a system like this to give yourself at least a good security foundation.
Password hashing allows you to use one master password and then modify that password for each site you visit. A password hash can be, in simplest cases, just pieces of the site’s URL mixed in with a password at certain points. For example, you can place one letter of the URL in place of every other letter in your password.
Other more complex uses of password hashing such as the ones employed by PasswordMaker (described in more detail below) allow you to use complex mathematical equations to make sure that each password is completely unique and that the site’s owner can’t find your master password by seeing one or more of your created passwords.
Password hashing is probably the easiest way to create a large number of secure passwords without having to remember each password yourself. Of course, you have to remember what settings you use with your password hash program, or if you do it by hand make sure you remember the sequence, otherwise you’ll lose access to all sites you made a password hash for (something you’ll definitely want to avoid).
It’s also worth noting that when you do use password hashing by hand you should try to obscure the master password so somebody with access to two or more of your end result passwords can’t reverse engineer them back to your master password, that’s where programs such as PasswordMaker come in handy.
Passwordmaker.org allows you to create unique hashes easily, making it easy to create unguessable, and very secure passwords for all the sites you visit
The Firefox and IE extensions allow you to enter you master password and have the system automatically fill forms based on the sites URL and your master password (and, if you set them, the advanced options selected).
As an extra plus, PasswordMaker is free software released under the LGPL.
Password database applications allow you to keep an encrypted list of all your passwords. Because the passwords are stored (and in most cases easy to insert directly into forms), you can choose more difficult (and ideally) randomly generated passwords for the sites you visit.
With any password manager it’s important to remember to keep backups of your passwords and/or your settings, so you can restore your passwords if, for example, your hard drive crashes. If your backups are stored unencrypted, be sure to store them in an extra-safe place so no one can gain your entire identity by getting access to your backups.
fpwdman allows you to store a list of webpages, and the passwords for them, and then encrypt the entire list with one master password. It has been designed simplisticly, and is just a basic database for your passwords. fpwdman is available for both MS Windows and GNU/Linux, and has the option to import or export in various formats. It’s also released under the GPL.
Password Safe (released under the Artistic Licence) is a very advanced password database, allowing you to store and sort your passwords into groups. It also has a handy feature that will autofill forms as well as a tray application. Password Safe uses a format reconized by a number of programs, and Password itself also has forks for GNU/Linux, PocketPC, Tcl/TK for Windows/Linux/Mac and as a UNIX command-line utility.
KisKis is a password manager much like Password Safe, but is unique in that it also stores PIN numbers for bank accounts, network accounts, etc. It is written in Java which lets it run on any Java-supporting operating system. KisKis also has a built-in password generator and is released under the GPL.
I hope you have been encouraged to keep safe password security habits. Now that more and more services are moving online, more and more importance needs to be placed on password security. Keep safe!