We all have them – passwords for our email, Facebook, Twitter and bank accounts.
Some people use the same password for all accounts – something which is inherently insecure because if one system is compromised an intruder will have access to everything.
Choosing different passwords for each account can, however, make them difficult to remember, so often you might rely on your web browser’s “Save Password For Next Time” type of feature. But have you ever considered what might happen if your computer or laptop was stolen? If you run a business online, the consequences of a thief being able to fire up your computer and access your entire empire doesn’t bear thinking about.
The solution
There are a number of ways to tackle this problem, and if you must allow your browser to store your account passwords then Firefox’s Master Password feature is a good solution. This stores all of your web-based account passwords in an encrypted format which can only be unlocked using a Master Password. This means you can have a different password for each web-based account which is remembered by your browser and automatically filled out when required, providing you enter the correct Master Password at the start of your session.
When a Master Password is in use, all of your regular passwords are encrypted using 3DES. If you choose a good, strong password, then this level of encryption is pretty secure and will definitely protect you from the casual thief.
To enable a Master Password in Firefox see this knowledge base article.
Other options
At the time of writing, Internet Explorer doesn’t have a “Master Password” facility like Firefox, so if you use IE you might want to consider alternatives.
One such option is to store all passwords in a text file or Word Processing document ready to cut and paste when required. The implications of this should be fairly obvious. If an unauthorised person steals or opens the file, they will have every single password at their disposal.
You could password protect the document itself, but keep in mind that this level of protection is incredibly insecure when using the Microsoft Office suite (i.e. Word or Excel documents). Applications exist to crack or bypass Microsoft Office passwords within seconds.
OpenOffice is a free, open-source equivalent to Microsoft Office and features more secure password protection of its documents, so might be a better choice. However, an even better option would be to store your password file inside an encrypted file container. An application that makes this very straight-forward is TrueCrypt.
FTP accounts
If you transfer files via FTP using multiple accounts, you’ll possibly face the same issues as those discussed above. Saving the passwords in your FTP client is tempting but open to the same risks as before. In fact, hosting companies are reporting a rise in the number of customers who get infected with viruses or malware and have their account passwords “stolen” from within the saved area of their FTP software. Many of the most common FTP applications such as CuteFTP and Filezilla are known to store passwords in an insecure manner.
WinSCP on the other hand has a similar “Master Password” feature as Firefox and uses a strong AES cipher to to store your account passwords. Again, choosing a secure master passwords is critical to the strength and reliability of this feature.
Choosing a secure password
- Use at least eight characters or more. The longer the password the better.
- Use a random mixture of characters including upper and lower case, numbers, punctuation, spaces and symbols.
- Never use a word found in a dictionary, English or otherwise.
Things to avoid
- Don’t simply add a number or symbol before or after a word. I.e. “goose61”
- Don’t use combinations of dictionary words, I.e. “goosechicken”
- Don’t simply reverse a word, I.e. “esoog”
- Don’t use common key sequences that can easily be repeated. e.g. “qwerty” or “zxcvbnm”.
- Don’t simply garble letters, e.g. converting e to 3, L or i to 1, o to 0. A brute-force attack can substitute such characters.
A reasonably powerful computer can run through every word in the dictionary in a matter of seconds. A brute-force intruder can therefore run an automated process which tries every word in the dictionary against your password, along with combinations of other words, numbers and characters. The longer the process runs for, the more chance that your password will eventually be guessed if it’s based on a dictionary or common word.
Long, totally random passwords are best, and these can be stored securely using the methods outlined at the start of this article.
Keeping your passwords secure
Keeping your computer clean and virus free is also critical to security. Keyloggers, phishing emails and other threats can all impact security.
Don’t assume that your Windows login password will be capable of securing your entire computer.
Try and keep passwords stored in a secure manner (as described above) and delete emails that may contain sensitive information. Run up-to-date virus and spyware software across your network.
Remember, no approach can guarantee 100% security, but a little extra thought and effort can make it easier to sleep at night.
Good luck!