The magazine of the Melbourne PC User Group

How Secure Are Your Passwords?
Gordon Woolf

Do you have to write them down or do you just use your dog's name for them all? Gordon Woolf says there's a better way than the sticky note on your monitor.

When I went to install some Internet access software on a new computer, I realised I had lost the password. On the old computer, I could log on, but the password was displayed as a set of asterisks.

Anything was worth a try, so I searched the registry for the service name and found several references, one of which was a sequence that looked as if it might be the encrypted password. I copied that to a text file, transferred it to the new computer and pasted it into the corresponding place in the new registry.

It worked, and I was able to log in from the new computer, although I never did find out what my unencrypted password was. At that point, a few years ago, I was disillusioned with what passes for security on the average PC.

Of course, it takes nothing like a loose security system within a program to get round most people's idea of security.

Some people are not aware of what computer security entails. Take for example the thief mentioned in a recent edition of the Email Essentials newsletter (see http://office-watch.com/email/latest/). Obviously relaxed about his crimes, he made a coffee, took some food from the fridge and checked his email on the computer. Then he made the mistake of leaving the Yahoo Webmail connection open, which meant police could access his mail, including the cookie that would have been deleted had he logged off. Even though he may have used a false name to sign up with Yahoo in the first place, his email would give some major clues to his identity.

Most browsers, when they see you entering username and password details, will put up a dialog box asking whether you want the browser to remember the password; presented with the same dialog later, the browser will quickly fill in the username and the password, though it thoughtfully shows the latter as that set of asterisks.

The sidebar below tells you how to stop this in IE and Firefox.

The result of this will be that you have lots of usernames and passwords to remember — or you'll make the mistake of using the same combination on all sites.

In reality, it will not matter a great deal if you do use the same combination on sites which do not store confidential information and where you are not making any commitments. Some usernames, such as on that favourite news media site, are just for convenience, maybe so you can set up some common searches on your interests, or just so the site managers know you are visiting regularly and can use you as an extra digit to add to the statistics they use to sell ads on the site.

However, you should not be using the same username or password for internet banking or on those sites which you trust enough to record your credit card number for future purchases.

And while you may want words you can remember, it is dangerous to make them easy for others to guess. How many of you use the name of your dog, your offspring, a favourite aunt, part of your address, or the same short word twice in a row to meet minimum length requirements? Fortunately, many sites refuse to accept passwords which are in a dictionary.

It is recorded in most books on hacking that the major break-ins to some of the biggest computer systems became possible because someone had a password of "password" or kept the default that came with the program or equipment (lists of default passwords are published on several internet sites, in theory to help techs find their way around a reinstallation). And many "security breaches" turn out to be not the work of skilled school-age hackers who'll one day be programmers, but rather of ordinary people who walk into major company offices looking like that truly invisible man — a cleaner or repair man — who can watch people at work or read the sticky notes on their monitors.

There is some good advice on creating passwords at http://www.comptechdoc.org/docs/ctdp/howtopass/.

One answer is the password safe: a program which keeps your passwords in a highly encrypted form and lets you either click or drag the details into your browser or any other program which needs this protection. This means that you have only one password (or perhaps better, a pass-phrase) to type in at those times when you are going to need to enter passwords.

One such program is KeePass, open source software from http://keepass.sourceforge.net/.

The program can be set to open and request the overall password on startup, or it can start locked and only request the main password when you open it from the tray. You can even set it to lock automatically after a set time of inactivity, so you need not fear leaving your computer. As you enter a password for a new site you will be given a progress-bar-style indication of how secure it is, or you can let the program create a truly obscure password for you — after all, you won't have to remember it.

To use a username/password combination, you can double-click on a web address to open it and then drag the username and password into the dialog box, or you can set up an auto-type entry with the name of the dialog box it is to enter them in, and then use a keyboard shortcut (Ctrl-Alt-A by default).
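The article mentions three checks a good site or a password safe makes on a new password: rejecting dictionary words and defaults, catching a short word doubled to meet a length rule, and showing a strength bar. As an added example (not code from the article or from KeePass), here is a small checker that does those things, undoes the common letter-for-digit substitutions that checkers look through, and generates the kind of random password a safe can create for you. The word lists and sample passwords are constructed for the demo; a real checker loads full dictionaries and default-password lists.

```python
# Added example, not code from the article or from KeePass. The word lists and
# the sample passwords below are constructed for the demo.
import math
import re
import secrets
import string

# Constructed, deliberately tiny lists; real checkers load full dictionaries.
DICTIONARY = {"password", "rover", "fido", "melbourne", "letmein", "welcome", "sunshine"}
DEFAULT_PASSWORDS = {"password", "admin", "1234", "12345", "default", "changeme"}

# Common symbol-for-letter substitutions that checkers undo before a dictionary lookup.
LEET = str.maketrans("0134@$", "oleaas")
GENERATOR_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def dictionary_hit(pw):
    """True if pw is a dictionary word, possibly with digits or punctuation
    tacked on either end or with substitutions such as 0 for o."""
    lower = pw.lower()
    candidates = {lower, lower.translate(LEET)}
    for c in list(candidates):
        candidates.add(re.sub(r"^[^a-z]+|[^a-z]+$", "", c))  # strip non-letter ends
    return any(c in DICTIONARY for c in candidates)


def doubled_word(pw):
    """True if pw is one short string written twice, e.g. 'fidofido'."""
    n = len(pw)
    return n > 0 and n % 2 == 0 and pw[: n // 2] == pw[n // 2:]


def entropy_bits(pw):
    """Brute-force search space in bits, assuming a uniform choice from the
    character classes used. This over-estimates guessable passwords, which is
    why assess() runs the pattern checks first."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable punctuation plus space
    return len(pw) * math.log2(size) if size else 0.0


def assess(pw):
    """Return (score 0-4, reasons). 0 means reject; 1-4 mirrors a strength bar."""
    reasons = []
    if pw.lower() in DEFAULT_PASSWORDS:
        reasons.append("default password")
    if dictionary_hit(pw):
        reasons.append("based on a dictionary word")
    if doubled_word(pw):
        reasons.append("short string repeated to pad length")
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if reasons:
        return 0, reasons
    bits = entropy_bits(pw)
    note = [f"search space about {bits:.0f} bits"]
    if bits < 36:
        return 1, note
    if bits < 60:
        return 2, note
    if bits < 80:
        return 3, note
    return 4, note


def generate_password(length=16):
    """A random password from the OS CSPRNG, as a password safe offers."""
    return "".join(secrets.choice(GENERATOR_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    samples = ["password", "fidofido", "Rover1", "Melb0urne!", "xK9#pQ2$vL7m",
               generate_password(20)]
    for sample in samples:
        print(f"{sample!r:28} -> {assess(sample)}")
```

The pattern checks come before the entropy estimate on purpose: "Melb0urne!" uses four character classes and would score well on length alone, but it is still a dictionary word once the 0 is read as an o, so it is rejected outright.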

In other words it offers many different methods of use.

And if you are afraid the computer will crash and you will lose all the details, you can save the password file in its encrypted form to another drive or to a removable disk. As long as you can remember the one overall password or pass-phrase, you can reinstall on that computer or any other.

And if you are really paranoid, you can print out the details in open form and put them in your bank's safe deposit box. But do delete that text file from your disk (and from the Recycle Bin!).
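The three paragraphs above describe what a password safe has to deliver: one pass-phrase unlocks everything, the saved file can be copied to another drive and is useless to anyone without the pass-phrase, and the open-form text is the only thing that ever needs deleting. As an added example (not KeePass's code), here is the shape of such a safe using only Python's standard library. It stands in for the AES that real safes use with PBKDF2 to stretch the pass-phrase into keys, HMAC-SHA256 in counter mode as the keystream, and a separate HMAC tag that is checked before anything is decrypted, so a wrong pass-phrase or an altered file is rejected instead of being decrypted into garbage. The entries and the pass-phrase are constructed for the demo.

```python
# Added example, not KeePass's code: a standard-library stand-in for a password
# safe's file format. Entries and pass-phrase below are constructed for the demo.
import hashlib
import hmac
import json
import secrets

KDF_ITERATIONS = 100_000  # PBKDF2 work factor; raise it for real use


def derive_keys(passphrase, salt):
    """Stretch the pass-phrase into separate encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                 KDF_ITERATIONS, dklen=64)
    return master[:32], master[32:]


def keystream(key, nonce, length):
    """HMAC-SHA256 used as a PRF in counter mode; a (key, nonce) pair is never reused
    because seal() draws a fresh salt and nonce every time."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest())
        counter += 1
    return b"".join(blocks)[:length]


def xor(data, pad):
    return bytes(a ^ b for a, b in zip(data, pad))


def seal(passphrase, entries):
    """Encrypt the entries dict; returns salt || nonce || tag || ciphertext."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = xor(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return salt + nonce + tag + ciphertext


def open_safe(passphrase, blob):
    """Verify the tag first, then decrypt. Raises ValueError on a wrong pass-phrase
    or any change to the file, so a bad unlock never yields plausible-looking data."""
    if len(blob) < 64:
        raise ValueError("file too short to be a safe")
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong pass-phrase or the file has been altered")
    return json.loads(xor(ciphertext, keystream(enc_key, nonce, len(ciphertext))))


def demo():
    """Seal constructed entries, reopen them, and check that the file is opaque
    and that a wrong pass-phrase or a flipped byte is rejected."""
    entries = {"bank": {"user": "gw", "password": "s3cret-Bank-9!"},      # constructed
               "news": {"user": "gordon", "password": "just-for-convenience"}}
    passphrase = "the one pass-phrase I remember"                          # constructed
    blob = seal(passphrase, entries)
    results = {"roundtrip": open_safe(passphrase, blob) == entries,
               "opaque": b"s3cret" not in blob}
    try:
        open_safe("wrong pass-phrase", blob)
        results["wrong_passphrase_rejected"] = False
    except ValueError:
        results["wrong_passphrase_rejected"] = True
    tampered = bytearray(blob)
    tampered[-1] ^= 0x01
    try:
        open_safe(passphrase, bytes(tampered))
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The bytes that seal() returns are what you would copy to another drive or removable disk; restoring on a new machine is just reading them back and calling open_safe() with the pass-phrase. Everything that matters rides on that one pass-phrase, which is why the salt and the PBKDF2 work factor are there: they make each guess at it cost real time.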


Some other similar programs

Password Safe http://passwordsafe.sourceforge.net/
Password Gorilla http://www.fpx.de/fp/Software/Gorilla/

Stopping browsers from storing passwords

Internet Explorer:
  1. Select Tools > Internet Options > Content.

  2. Under Personal information, click on AutoComplete.

  3. To stop password saving, uncheck "User names and passwords on forms".

  4. To clear all existing saved usernames and passwords, click on Clear Passwords, then click OK in the warning dialog box.
If you have web sites for which you wish to save the username and password, but do not want IE to prompt for future sites, leave "User names and passwords on forms" checked, but uncheck "Prompt me to save passwords".

Firefox:
  1. Select Tools > Options.

  2. Under Privacy, select Passwords.

  3. To stop Firefox saving passwords, uncheck "Remember passwords". (You can also set a "Master password" at this point — such a password has to be entered once per session to access saved passwords)

  4. The same dialog has a button to access "Settings..." where you can opt to "Clear passwords" on a one-time basis or to select to clear all private data on exit.

About the Author
Gordon Woolf is a longtime Melb PC member who previously operated on the security-by-obscurity system: his passwords were in a notebook but no one else could read his writing.


Reprinted from the August 2006 issue of PC Update, the magazine of Melbourne PC User Group, Australia
