Tuesday, July 12, 2005

Password Managers, finally

I have finally focused on tools for managing passwords, in answer to one question I raised in a previous post, and I have found several that seem comfortable to me. The first comes from Windows security guru Keith Brown, now at Pluralsight. He described his very impressive tool in two of his MSDN Magazine 'Security Brief' columns in 2004. The first column describes the issues involved in password management, including cryptographic considerations, and provides an overview of the design of his password multiplexer. It has these headings:

  • Internet Explorer and Passwords
  • Writing Down Passwords
  • A Better Solution: The Password Multiplexer
  • Password Minder
  • From Master Password to Master Key
  • Picking a Good Master Password
  • Defense in Depth - discusses storage of the password file
  • More on Stretching
The second column describes in more detail some of the cryptographic techniques and additional features, along with plans for potential enhancements. It has these headings:

  • Stretching and Salting the Master Password
  • Derived Keys
  • Password Reminders
  • Secret Management
  • Creating Good Passwords
  • Other Features and Future Direction
Keith says he has this on his laptop, so he is always working on the same machine (and it must be a pretty fast one; see below). So he stores the password file in his user profile. But I work on different machines, and so want to store this on a USB flash drive. He briefly discusses this, pointing out the lack of ACL security, since such drives use the FAT file system. I wonder whether it is better to keep the program itself off the flash drive? And is there any way to add some extra security to the file for this configuration? Maybe the USB drive should only be used to transfer and sync the password file?

As to using it, Keith puts in minimum requirements for the master password and provides different levels of stretching for it. I guess this machine is pretty out of date now, because the PKCS#5 speed test takes 20 seconds at the default level where he starts. Well, he said the lowest level on his laptop takes 1 second, so two or three seconds on mine is not as bad as I thought.
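The two ideas behind that speed test, stretching and salting the master password under PKCS#5 (PBKDF2) and deriving purpose-specific keys from the result, can be shown in a few lines. The following is an added example written for this post; it is not Keith Brown's Password Minder code and does not reproduce his file format. It uses Python's standard-library PBKDF2-HMAC-SHA256, picks an iteration count by timing a probe run (the "level" idea), and wraps a constructed password-file body with its salt, iteration count and an HMAC tag so that an edit to the file on an unprotected FAT flash drive, including a lowered iteration count, is detected when the file is opened. The byte layout, the `file-mac` purpose label and the `MIN_ITERATIONS` floor are assumptions of this example, not values from the columns.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

KEY_LEN = 32            # 256-bit master key (example choice)
MIN_ITERATIONS = 1_000  # floor so a fast machine never picks a trivial count (assumed)
SALT_LEN = 16
TAG_LEN = 32            # HMAC-SHA256 output


def stretch_master_password(master_password: str, salt: bytes, iterations: int) -> bytes:
    """PKCS#5 PBKDF2-HMAC-SHA256: master password + salt -> master key.

    Iterations make each guess cost the attacker as much as it costs the user;
    the salt stops one precomputed table from serving many users or files.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def calibrate_iterations(target_seconds: float, probe_iterations: int = 20_000) -> int:
    """Choose an iteration count that takes about target_seconds on this machine.

    This is the 'speed test' idea: the level comes from measured time rather
    than a constant, so the count rises as hardware gets faster.
    """
    start = time.perf_counter()
    stretch_master_password("calibration-only", b"\x00" * SALT_LEN, probe_iterations)
    elapsed = time.perf_counter() - start
    if elapsed <= 0:
        return MIN_ITERATIONS
    return max(MIN_ITERATIONS, int(probe_iterations * target_seconds / elapsed))


def derive_subkey(master_key: bytes, purpose: bytes) -> bytes:
    """Derive a purpose-specific key from the master key (HMAC used as a KDF)."""
    return hmac.new(master_key, purpose, hashlib.sha256).digest()


def seal(master_password: str, body: bytes, iterations: int) -> bytes:
    """Wrap a password-file body with its KDF parameters and an integrity tag.

    Layout (assumed for this example): salt(16) || iterations(4, big-endian) || tag(32) || body.
    The tag covers salt, iterations and body, so a change to any of them is caught on open.
    """
    salt = os.urandom(SALT_LEN)
    header = salt + struct.pack(">I", iterations)
    mac_key = derive_subkey(stretch_master_password(master_password, salt, iterations), b"file-mac")
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + tag + body


def open_sealed(master_password: str, blob: bytes) -> Optional[bytes]:
    """Return the body if the tag verifies under master_password, otherwise None."""
    if len(blob) < SALT_LEN + 4 + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    (iterations,) = struct.unpack(">I", blob[SALT_LEN:SALT_LEN + 4])
    header = blob[:SALT_LEN + 4]
    tag = blob[SALT_LEN + 4:SALT_LEN + 4 + TAG_LEN]
    body = blob[SALT_LEN + 4 + TAG_LEN:]
    if iterations < MIN_ITERATIONS:
        return None  # refuse parameters that have been weakened below the floor
    mac_key = derive_subkey(stretch_master_password(master_password, salt, iterations), b"file-mac")
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return body


def demo() -> dict:
    """Seal a constructed body, then try a good open, a wrong password and a tampered file."""
    body = b"<passwords><entry site='example.test' user='alice'/></passwords>"  # constructed sample
    iterations = 5_000  # fixed for a repeatable demo; use calibrate_iterations() in practice
    password = "correct horse battery staple"
    blob = seal(password, body, iterations)
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])  # flip one bit of the body
    return {
        "good": open_sealed(password, blob) == body,
        "wrong_password": open_sealed("wrong", blob) is None,
        "tampered": open_sealed(password, tampered) is None,
    }


if __name__ == "__main__":
    print(demo())
    print("iterations for about 0.2 s on this machine:", calibrate_iterations(0.2))
```

The tag only proves integrity; the body itself would still be encrypted by the password tool, so this wrapper is the "extra security" layer for a file that sits on a drive without ACLs. Storing the iteration count in the file is what lets the level be raised later without breaking older files, and covering it with the tag is what stops someone from quietly lowering it.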

The advanced complex passwords he generates are an option, not a requirement. So you can use different levels of passwords for different sites. For secure financial sites I am willing to wait considerably longer than I am for some user group SharePoint portal or even some webmail sites, since I know they aren't inherently secure.

There are some neat features which I like, such as the way he injects the password right into the keystroke input queue so that you usually do not need to do a copy and paste.

Also, Keith's statement that "... I benefit by using a password management tool that is not built into the operating system. Not everyone who owns Windows has this tool, which makes it a less likely target for attackers" was part of my thinking in choosing his tool. It seems quite unlikely to be attacked, and in addition I can modify it, so no one has exactly the version I use, though I haven't figured out how I want to do that yet.

For folks without the .NET runtime installed, Keith says "consider using Bruce Schneier's Password Safe program, which you can find via http://www.schneier.com/passsafe.html. What really matters is that you pick a password management tool that you trust and that you use it consistently." In a comment on my post referenced above, Guy also mentioned that program and the Blowfish encryption that Schneier uses. Thanks Guy. I haven't tried it yet.

Keith also makes a few references to cryptographic techniques that I tried to follow up on. I found that the Beginners' Guide to Cryptography is a good set of pages on the subject; I was pointed to it from some excellent articles at Wikipedia.

2 Comments:

Blogger Allan Wolff said...

Keith's PWM is quite a tool. There is some very interesting code in there.
I have a couple of suggestions for the future, which I might implement.

First, I was looking for backup. But I guess you can use the export functionality for that. I suggest that there be backup functionality which prompts you with a reminder, just like you can set for certain passwords.
Second, I think there should also be a timer which shuts down the program after a specified time, after showing a popup dialog which allows you to keep it open.

Another thought is that one might go in the direction of defense in depth, which KB encourages. To me, this means choosing obscure names for the program and data files, just as he does for his admin login. And perhaps storing the current XML data in some binary form, just to make it less obvious.

One curious legacy I noticed is that the PWM.XML file is still stored in a 'developmentor' directory under AppData!

4:12 PM  
Blogger Allan Wolff said...

Keith recently blogged about the famous L0phtCrack password cracking tool. At some point its authors came above ground as the atstake company, and Symantec recently bought them. They changed the availability of the download so he suggests googling to get an older version. Sure enough I found lc5setup.exe under Password Crackers at SecWatch.org.

3:07 PM  
