Thursday, November 3, 2016

Password Managers

In my last post on password managers I detailed how to use KeePass to manage your passwords. In this post I will explain the differing types of password managers and their relative benefits and issues.

First a few words on security.  Systems such as web sites, documents and computer systems for example may be protected in several ways. The oldest and simplest are username and password. Even today most systems are as simple as this. It has been recognised for decades now that this is in and of itself woefully inadequate. If the credentials are sent over the network unencrypted then anyone with a network sniffer (yes, this is a thing) can see your credentials. So if you are connecting to a site make sure that the URL starts with HTTPS (not the S at the end). The "S" means that the connection is secure. This is not a guarantee of security but it is a good start. Browsers have a small padlock icon, usually next to teh URL bar to indicate a secure or insecure connection (locked or unlocked).

Many systems use a key to provide access. This is a long number with special properties that you need to unlock the system, whether it be a file, web site, computer system et al. Sometimes the keys are in pairs (usually a public and private key, one for the user (public) and another for the system (private) and can be used with a pass code to unlock the key. This key can be stored on a USB key which itself is protected or it may be on your computer rom which you access the system.

It is now quite common that systems can use biometrics. Simply put this is part of you which uniquely identifies you, say fingerprint, retina scan, facial characteristics.  For instance to use Apple Pay on my iPhone I simply hold the phone over the POS reader and hold my finger over the fingerprint reader.

Finally and old system but highly effective are tokens. This may be in the form of a small device with a display with a 6 digit number that changes every 60 seconds. This number is called a one time code and it is synchronised with the verifying system and when your code is verified it unlocks the system being accessed. Ther are also apps that will generate these codes for you such as Authy and Authenticator. You system (Dropbox for instance) gives you a unique number, the Authenticator app reads this number and sets up your one time code generator. When prompted to login to Dropbox and you enter your user name and password you then have to provide the current code from Authenticator. In the case of Facebook there is a menyu option in Facebook which can generate a unique code for you. So if you login using a new device you get asked for a Facebook code. You then go to another device using Facebook and get a code which you then put into the new device to confirm your login. The token may also be generated by the system itself and sent to your SMS. Banks are very fond of this technique but again, this SMS may be intercepted. True, not easy but not impossible if someone has cloned your phone. Yes, this is a thing and not just on CSI.

So to summarise the security systems the best security is something you have, something you know and something you are. Any system should use two of these three, hence two factor authentication. Something you know is your passord or pin, something you have could be a token generator or mobile phone for SMS. Something you are may be your fingerprint. The idea being that if they get your password then they cannot login without that second factor.

Next a word on password recovery systems. It is common to use "secret" questions for password recovery. This is the single worst idea since the invention of the computer. Every way you look at it it is wrong. There is nothing secret in secret questions. Anybody good at social engineering can get the answers. Your first pet, your mother's maiden name, give me a break. What I do if I have to use secret questions is provide random answers and store these in my password manager.

The various password manages may have one or more of the following features.
  • Encryption. This is essential and the level of encryption is one determination of the level of security.
  • Cloud storage. This makes the solution more feature rich and flexible but will reduce the security of the solution.
  • Integration with your web browser. This makes the solution much more convenient in that you can login to web sites automatically but there are trade offs. Tou can use more complex passwords since you do not need to type them but it does reduce the security.
  • Integration with apps. 
  • Integration with mobile devices. (Mobile app typically.)
  • Free, add supported, one off coast or subscription. 
  • Two Factor Authentication
There are basically two general types of password manager. Off line and online.

Off line is where the password database is stored on your local computer. This is by far the more secure password manager. Of these the go-to application is the open source project KeePass which I mentioned in my previous post. For the full detail of how to use KeePass and to integrate with iOS see my previous post linked at the top of this blog entry. You can use very secure encryption for KeePass with multi factor encryption. Obviously the higher the encryption the harder it is to get to your file and the more likely that you can lock yourself out. Swings and roundabouts. So if you are a security freak and you are paranoid about your security the offline is for you. The other advantage is that you do not need to be connected to open your password database. Some give you the option such as 1Passowrd which will allow you to store the database off line but if you pay for a 1Passowrd account you can store the database online.

Online is where the password database is stored on a site of the application owner's choosing. LastPass for instance stores your password database online so whenever you retrieve a password it comes over the internet to your computer or device. Now any good password manager such as 1Password or LastPass will use secure encryption so that your passwords or details for that matter cannot be sniffed. You are however trusting that the company is using the security that they claim.

For any password manager, but more so for online managers there is a huge question of trust. We know from recent revelations that many companies, particularly US based companies, have build into their encryption algorithms back doors to allow such TLAs such as the NSA to spy on your activity at will and some of the spying has been done (take Yahoo for instance) without due process. This leads us to the next topic, how secure is secure?

Any encryption method which is proprietary has inherent risks because it cannot be scrutinised. An open source program such as KeePass can be scrutinised and analysed to see if there are any flaws. This makes it potentially more secure since it can be subject to review by security and code experts. On the other hand proprietary systems such as 1Password and LastPass which are closed requires a level of trust that the coders know their stuff and have not been compromised with back doors.

To be honest this level of paranoia is maybe overkill for most of us. However there are situations where you need to be overly cautious. For instance if you are living under an oppressive government and you are a dissident. If you are a whistle-blower. If you deal with highly secure information. All of these are situations where you can never be too cautious. On the other hand most of us would be perfectly fine using any of these managers so long as we take proper precautions.

All of these password managers use two factor authentication of some type.

Finally let me give you some pointers to keeping  your information secure.
  • Do not use the browser's inbuilt password manager, always use a separate third party manager.
  • Use a complex but easy to remember password as your password manager's master password.
  • Use multi factor authentication where possible.
  • Use complex auto-generated passwords from your password manager. Ie. let the password manager generate passwords for you.
  • Never never never use the secret questions, they are never secret. If you have to, provide random nonsense answers and store the answers in your password manager
  • Make sure that the password manager is reputable, if necessary google them to make sure there are no known issues.
  • Share your master password with a trusted friend or family member just in case.
  • Never run a program install unless you are sure that it is safe and from a safe source.
  • Never open an email unless you know who it is from and who sent it.
  • Never tell anyone who rings you your password or give out a caller any identifying information.
  • If an email wants you to follow a link from that email to their web site - never do it. Always get to the web site some other way by using a stored bookmark, typing in the site manually or googling the company, bank etc.
  • Never use apps on a social network site.
  • Never use a social network site to automatically login to another account, for instance using Facebook to login to Spotify.
  • Regularly check your social network app permissions to verify that no unwanted apps are using your social network account.
  • And finally educate your children on the safe use of social networks before they are allowed to get a login and monitor their usage. A chain is only as strong as the weakest link.
Online security is now more important than ever considering how much of our life is online. There are reports of security breaches almost weekly and most, if not all of us have been compromised or know someone who has. Sometimes it is just annoying and sometimes it is dramatic. A pinch of prevention is worth a pound of cure and no more than for your online security.