This adds onto my recent series of posts on personal security on the Internet, with some suggestions on software that can help you secure yourself more completely. OK, so even if you’re following my suggestions in my last post (here) for a simple password scheme, it can get a little confusing, so here are a few software products that can help out. We’ll start out discussing password databases, and then a file-encryption vault in the next post.
Storing passwords.
The problem here is that if you get some malware on your machine, it will snoop around looking for the file you made called “passwords” and send a copy of that file off to its master somewhere. Even if you called this file “Uncle Otis’ Birthday,” most malware is smart enough to just look inside your files and find the neatly-arranged ID / password pairs and presto: you are penetrated. The way you avoid this is by having this data in an encrypted data store, where only you know the key. Don’t even think about using Excel and having Excel “encrypt” the data; this is baby-step encryption and it can be broken in less than 3 seconds by several password crackers on the market.
So what to use? My most basic suggestion is called PasswordSafe, a free program invented by security maestro Bruce Schneier. I have used PasswordSafe for several years and it’s a fine product and is supported by bombproof, government-grade encryption. What it does is keep an encrypted database of IDs/passwords (and other stuff, like the idiot “secret questions” and so on that some sites demand). You open the database with one password, and double-click the appropriate site’s entry. The password is copied to the clipboard, from whence you paste it into the password field on the website. PasswordSafe then erases the clipboard. It has lots of other features including the ability to generate completely random passwords for you if you wish.
PasswordSafe served me well for several years until I started using LastPass, which I’ll discuss below. It’s very straightforward to use, free, and available here.
I have now started using a different password repository called LastPass, available here. LastPass does everything PasswordSafe does, but with a whole bunch of added features. Mainly, it interacts through a plug-in with your browser(s), so that when it is open and active and you arrive at a site where you have an account, it fills the ID and password fields, and can even hit “enter” for you if you want it to. You don’t have to pull up PasswordSafe’s panel, find the site, double-click it, and paste it in. LastPass does all that for you, slick as anything. You can set it to auto-log you in to familiar sites, ask you to review its form fields for some more sensitive sites, and even demand another login to LastPass for some sites, as for instance your bank.
LastPass is cross-platform (Windows, Linux, and Mac) and has plug-ins for essentially all the browsers in common use — IE, FireFox, Safari, and Chrome. So you are totally covered. And it has a host of very cool capabilities, for example generating and managing some one-time passwords for use if you’re on public machines, and the ability to use an on-screen, mouse-driven keyboard for entering your LastPass id and password (to foil keyboard-logging software on a public machine), and the ability to work off of a USB drive. It’s an extremely well thought-out and comprehensive platform and I recommend it highly.
One of its other key features is its ability to transfer and sync your encrypted database across all the machines you use, so you never have to do this yourself. And it can do this without the company having access to your passwords at all: they store the encrypted database, but they don’t have the master password; only you do. If you’re interested in the detailed security features built into all this, I recommend Steve Gibson’s Security Now podcast, specifically this one.
The password to your passwords
Both of these make the assumption that you have one password that is the master, that unlocks the vault for you. With both products, you need to remember this password at all costs, since if you forget it, they can’t help you — the company doesn’t have it either. So, write it down in a couple of places (NOT in a file on your computer!) such as in your wallet, or even a copy in your safe-deposit box, or whatever. Make sure this password 1) is not a word, or a series of words, 2) is not something obvious like your phone number or social-security number, and 3) that you can easily remember. If you’re stuck about this, you could use the first letter of a phrase that means something to you — but mix in some numbers and capitalize one or two of the letters.
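As an added example (not code from this post or from either product), here is a small Python checker for the three master-password rules above, together with the phrase-initials trick. The mini word list and the phone/SSN patterns are constructed for illustration only; a real check would load a full dictionary.

```python
"""Added example, not part of the original post: check a candidate master password
against the post's three rules and build the suggested phrase-initials starting point."""
import re

# Constructed mini dictionary for illustration; a real checker loads a full word list.
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon", "sunshine",
                "correct", "horse", "battery", "staple", "summer", "winter"}

PHONE_RE = re.compile(r"^\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}$")  # e.g. 555-123-4567
SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")                   # e.g. 123-45-6789


def is_words_only(candidate: str) -> bool:
    """Rule 1: a single word or a run of words (letters plus separators only),
    or anything assembled purely from dictionary words, is rejected."""
    if re.fullmatch(r"[A-Za-z]+(?:[ \-_]+[A-Za-z]+)*", candidate):
        return True
    parts = [p for p in re.split(r"[^A-Za-z]+", candidate.lower()) if p]
    return bool(parts) and all(p in COMMON_WORDS for p in parts)


def is_obvious_number(candidate: str) -> bool:
    """Rule 2: phone numbers, social-security numbers and digit-only strings are rejected."""
    stripped = candidate.strip()
    return (stripped.isdigit() or bool(PHONE_RE.match(stripped))
            or bool(SSN_RE.match(stripped)))


def has_mixed_classes(candidate: str) -> bool:
    """The post's hint: mix in some numbers and capitalise one or two letters."""
    return (any(c.isdigit() for c in candidate) and any(c.isupper() for c in candidate)
            and any(c.islower() for c in candidate))


def check_master_password(candidate: str) -> list[str]:
    """Return the list of rule violations; an empty list means the candidate passes."""
    problems = []
    if is_words_only(candidate):
        problems.append("is a word or a series of words")
    if is_obvious_number(candidate):
        problems.append("looks like a phone number, SSN, or other plain number")
    if not has_mixed_classes(candidate):
        problems.append("lacks a mix of digits, upper- and lower-case letters")
    return problems


def phrase_initials(phrase: str) -> str:
    """Build the post's suggested starting point: the first character of each word in a
    phrase you will remember. Numbers and capitals in the phrase carry through."""
    return "".join(word[0] for word in phrase.split())


if __name__ == "__main__":
    for cand in ("correcthorsebatterystaple", "555-123-4567",
                 phrase_initials("My 2 dogs Rex and Fido were born in 1999")):
        print(cand, "->", check_master_password(cand) or "OK")
```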
Hope this helps you out!