Mad, Beautiful Ideas
Password Management

I think it’s worth talking about Passwords. Most of them suck. Most people use the same password (or small set of passwords) for everything from their banking to the membership of discussions forums, to signing up for free iPod giveaways. Most people’s passwords are based on dictionary words, personal information, and simple transfomations of letters to numbers or symbols (a = 4 = @, etc).

It’s hard to blame anyone for this, passwords are asked for everywhere on the internet, we can’t possibly remember a unique password for everything. The trick is simple. Password management. A good password manager only requires you to remember one password, and then you’ll be able to use unique passwords on every new site, and easily access them. While I have yet to find what I would consider to be a “perfect” password manager, there are some decent products out there.

There are a small handful requirements I have for Password Management software. First, the software must have tools to generate strong passwords, with customizable rules. Second, the password files must be stored on the disk in an encrypted fashion, and have controls to prevent unencrypted versions of the content from ever being written to disk. The software must be able to store a wide array of passwords. Finally, the software must be easy to use.

First, there are several built-in password managers in different pieces of software, Firefox and Internet Explorer being the popular two. While convenient, these typically have very poor security. In Firefox, the passwords are merely saved in Base-64 Encoding and can be easily translated if anyone can get access to your files. While Master Passwords will make this harder, they too can be easily recovered if an attacker has phsyical access to your system. Even IE7 suffers from a similar plight, which makes the passwords trivial to recover. These solutions both fail because the passwords are not stored using strong encryption, they can’t generate strong passwords on their own, and they can only store passwords for FTP and Web sites. Very useful, but could be a wider range.

First, there are the software password managers. On Windows, Password Safe is a popular choice, having originally been written by Bruce Schneier, and since Open-Sourced, this is a solid bit of software that has an heirarchical method of organizing passwords, can generate passwords for you, and keeps your passwords secure using TwoFish encryption. This is really handy, and the fact that Password Safe (or it’s Python-cousin for GTK Revelation), can run from a flash drive without full installation make the software that much more useful. Carry your encrypted passwords with you on a flash drive, and the software to access them with. These two programs, individually, fulfill the needs I list above, and do a fine job. Each of them can be set up to launch access to the accounts listed, even to a wide variety of different types of accounts. The problems I have is that the password manager has to do the unlocking, and it’s far, far from seamless. Also, the passwords aren’t always available. If you don’t have a computer available, or a computer that can run your password manager, you’re unable to access them.

The next great platform are portable password managers. In this arena, we have the Mandylion Passwrod Manager, a excellent little keychain fob which will store and generate passwords for you, and is likely to always be on your person. Even if someone steals it, the passwords are protected by a configurable passphrase using the buttons on the front, and the device can be configured to ‘self destruct’ and eliminate all of it’s data if someone appears to be trying to break into the device. It’s weaknesses are that it can only store a handful of passwords (50), and for most people it’s just one more, unwelcome thing to carry around. The next generation smartphones seem like a good candidate for password management software, as most people wouldn’t dream of going anywhere without their phones. Of course, this arena would require several different versions of the software, as there are just too many target platforms (Palm, WinCE, iPhone, Android, J2ME, etc). As great as these tools would be, they suffer from the fact that good passwords don’t usually flow when typed, and they lack the ability to copy and paste. This seems like a minor tradeoff for the benefits of ubiquitous access, but these solutions do lose points for a lower level of user-friendliness.

Becoming more common, we have user keyrings being built into computing environments. Mac OS X Keychain was the first strong example of this idea, where a user has an encrypted password safe, which authorized applications can query to get passwords out of (and save passwords in), which allow the system to take over the role of managing passwords in a secure fashion. The Keychain is an excellent example of how this sort of technology is supposed to work, offering tight integration with Safari, Mail, Finder, and most other Apple-provided applications. GNOME is working on their own keyring, and Mozilla is to extending Firefox and Thunderbird to support Operating Environment Keyrings like Apple and Gnome’s. While these solutions are great, and offer wonderful integration with a computing experience, neither can create their own passwords, and neither can be easily carried with you.

Currently, I tend to favor Password Safe and Revelation. They’re great programs, that offer great security. Mac users will probably be happy with Keyring, and as GNOME Keyring improves, I suspect my reliance on Revelation will fade. Ultimately, though, I want to be able to carry my passwords with me. I like the Mandylion device, and I’ve planned to buy one for quite some time, but as Smartphones become more cost effective, I think they might be the answer, espeically if they can be easily synced with a computer’s keyring.

The most important point, however, is that there are other options out there, and excercising them will help your own security tremendously. Stop using the same password for everything, stop using passwords based on the dictionary or personal information. Come up with one strong password or passphrase that you can remember, and use a good tool to manage the rest. It will take a tiny bit more effort up front, but the peace of mind and protection of your personal data should be worth it.