Protect Your Passwords -- Part 1
December 14, 2004
By Brian Livingston

Quick! Can you remember all the user names and passwords that you've used at every Web site where you've ever registered?

I'll bet you can't. But it's no shame not to remember all these things off the top of your head. No one can.

That's why people write their passwords on Post-It notes and stick them on their monitors. And it's why Web browsers such as Internet Explorer and Firefox offer to "help you" remember your passwords, which means that anyone who borrows or steals your computer can log on and impersonate you at any of the "memorized" sites.

Fortunately, the plunging cost of memory has given rise to a possible solution to the password-recall problem: store your user names and passwords on a removable USB Flash drive. You protect the device with a single, "master" password. All you have to do is remember that one code to access all the passwords you've stored.

Is this solution good enough for serious use? Let's look at the problem and see.

Your Oh-So-Helpful Browsers

The rise of the Internet and corporate intranets was the impetus behind the "browser paternalism" of passwords:

• Internet Explorer. Microsoft's browser, known affectionately as IE, years ago began offering an "AutoComplete" function. This feature offers to remember IDs and passwords that you type on your keyboard. IE stores them in encrypted form in the Windows Protected Storage. In theory, those passwords are made available only when the person who stored them is logged on to Windows under his or her own account name (such as Brian123 or whatever).

The problem with this is not just that anyone can walk up to your PC in your absence, look through IE's history, and then log on as you at any password-protected site. Much worse is the fact that the "encryption" keeps out, at best, other Windows accounts: any program that runs under your account, including a Trojan horse you picked up along the way, can decrypt the store, and that is exactly what a whole class of simple password-revealing utilities does.

One of the best-known makers of password-reading software is ElcomSoft Co. Ltd. This programming firm, located in Moscow, Russia, was acquitted of criminal charges in a U.S. federal court in December 2002 for cracking the password protection of Adobe PDF files.

The company's Advanced Internet Explorer Password Recovery utility, according to Computer Associates' Spyware Information Center, coughs up the passwords saved by every version of IE from 3.0 to 6.0 (the current level). The software sells for around $30 USD.

Oh, so you think, "We'll just ban this utility"? Good luck. The info center says there are some 720 different versions of password-revealing utilities currently available.

I don't mean to pick on IE. Crackers are also widely available to divulge the passwords stored by Microsoft Outlook, VBA (Visual Basic for Applications), Intuit Quicken, and many other apps.

• Mozilla Firefox. The new, free Firefox browser, developed by the not-for-profit Mozilla Foundation, also offers to store user names and passwords that you enter at Web sites you visit. To its credit, Firefox 1.0 can store this sensitive data in an encrypted form that I don't believe has been compromised.

Unfortunately, that protection is off by default. Firefox keeps the saved passwords encrypted, but the key that unlocks them is itself protected by an empty master password until you set one, so anyone who can copy your profile folder can read every entry. (To set a master password in Firefox 1.0, click Tools, Options, Privacy, Set Master Password.) From then on, Firefox will not hand your passwords to a Web site or anyone else until the master password has been entered.
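The following is an added example, not Firefox's code or any vendor's: it mirrors the design just described (a random key that encrypts the saved entries, wrapped under a key stretched from the master password, which defaults to the empty string) using only Python's standard library. The HMAC-SHA256 keystream cipher, the iteration count and the site/password values are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example; a real product chooses its own.
KDF_ITERATIONS = 50_000
KEY_LEN = 32


def _xor_stream(key, nonce, data):
    """Toy stream cipher standing in for the browser's real one: XOR the data
    with successive HMAC-SHA256(key, nonce || counter) blocks."""
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        keystream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def _derive(master_password, salt):
    """Stretch the master password into a wrapping key and a separate check key."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                                   KDF_ITERATIONS, dklen=2 * KEY_LEN)
    return material[:KEY_LEN], material[KEY_LEN:]


def _wrap(store, store_key, master_password):
    """(Re)wrap the random store key under the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    wrap_key, check_key = _derive(master_password, salt)
    store["salt"], store["nonce"] = salt, nonce
    store["wrapped_key"] = _xor_stream(wrap_key, nonce, store_key)
    store["check"] = hmac.new(check_key, b"master-password-check", hashlib.sha256).digest()


def create_store(master_password=""):
    """Browser default: no master password, so the wrapping key is derived from ''."""
    store = {"entries": {}}
    _wrap(store, os.urandom(KEY_LEN), master_password)
    return store


def unlock(store, master_password):
    """Return the store key, or None if the master password is wrong."""
    wrap_key, check_key = _derive(master_password, store["salt"])
    expected = hmac.new(check_key, b"master-password-check", hashlib.sha256).digest()
    if not hmac.compare_digest(expected, store["check"]):
        return None
    return _xor_stream(wrap_key, store["nonce"], store["wrapped_key"])


def save_password(store, master_password, site, password):
    store_key = unlock(store, master_password)
    if store_key is None:
        raise ValueError("wrong master password")
    nonce = os.urandom(16)
    store["entries"][site] = (nonce, _xor_stream(store_key, nonce, password.encode()))


def read_password(store, master_password, site):
    """What the browser does when a site asks, and also what an attacker with a
    copy of the profile does: with the empty default master password both succeed."""
    store_key = unlock(store, master_password)
    if store_key is None:
        return None
    nonce, ciphertext = store["entries"][site]
    return _xor_stream(store_key, nonce, ciphertext).decode()


def set_master_password(store, old_password, new_password):
    """Setting a master password re-wraps only the store key; the saved entries
    are untouched, which is why a browser can do it instantly."""
    store_key = unlock(store, old_password)
    if store_key is None:
        raise ValueError("wrong master password")
    _wrap(store, store_key, new_password)


def demo():
    """Constructed walk-through: default store, attacker reads it, master password set."""
    store = create_store()                                   # as shipped: master password ""
    save_password(store, "", "example.invalid", "hunter2")   # constructed entry
    stolen = read_password(store, "", "example.invalid")     # attacker with a copied profile
    set_master_password(store, "", "correct horse battery")
    blocked = read_password(store, "", "example.invalid")    # same attacker, now None
    owner = read_password(store, "correct horse battery", "example.invalid")
    return stolen, blocked, owner
```

`demo()` returns `("hunter2", None, "hunter2")`: until a master password is set, the encryption is a formality for anyone who has the files, and once it is set, the only thing standing between a thief and the entries is the strength of that one password against offline guessing.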

If you use a USB drive to store your passwords in a secure manner, as described below, you can make your browser stop storing passwords on your hard disk. To do this in Firefox, click Tools, Options, Privacy and turn off "Remember Passwords." In IE, it's Tools, Internet Options, Content, AutoComplete and turn off "Use AutoComplete for user names and passwords on forms."

In a corporate environment, you can use Group Policy to prevent browsers from storing login passwords. For IE, enable the Internet Explorer policies "Disable AutoComplete for forms" and "Do not allow AutoComplete to save passwords" in the Group Policy Object applied to your users.
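Checking that the settings above actually took is easier from a script than by clicking through every profile. The following is an added example, not part of the original column: it parses a Firefox prefs.js and a regedit .reg export and reports whether either browser still saves passwords. The pref name `signon.rememberSignons` and the IE value `"FormSuggest Passwords"` (user setting under `...\Internet Explorer\Main`, policy DWORD under `...\Policies\...\Control Panel`) are the names I know the two browsers use; treat them as assumptions to verify against your own prefs.js and inetres.adm. The sample inputs are constructed.

```python
import re

# Names assumed from the browsers' own templates; verify before relying on them.
FIREFOX_PREF = "signon.rememberSignons"   # true (default) = offer to save passwords
IE_MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
IE_POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel"
IE_VALUE = "FormSuggest Passwords"        # user setting "yes"/"no"; policy dword 1 = blocked

_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')
_REG_SECTION_RE = re.compile(r'^\[(.+)\]\s*$')
_REG_VALUE_RE = re.compile(r'^"([^"]+)"=(.+?)\s*$')


def parse_prefs(text):
    """Return {pref_name: value} from prefs.js/user.js; booleans and ints are typed."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:
            continue                      # comments and blank lines
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def parse_reg(text):
    """Return {key_path: {value_name: value}} from a regedit .reg export."""
    reg, current = {}, None
    for line in text.splitlines():
        m = _REG_SECTION_RE.match(line)
        if m:
            current = reg.setdefault(m.group(1), {})
            continue
        m = _REG_VALUE_RE.match(line)
        if not m or current is None:
            continue                      # header line or value outside a key
        name, raw = m.groups()
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            current[name] = raw[1:-1]
        else:
            current[name] = raw           # hex:/expand-string data left untouched
    return reg


def firefox_saves_passwords(prefs):
    """Firefox offers to remember passwords unless the pref is explicitly false."""
    return bool(prefs.get(FIREFOX_PREF, True))


def ie_saves_passwords(reg):
    """The policy overrides the user's checkbox; IE's default is to offer to save."""
    if reg.get(IE_POLICY_KEY, {}).get(IE_VALUE) == 1:
        return False
    return reg.get(IE_MAIN_KEY, {}).get(IE_VALUE, "yes").lower() != "no"


def audit(prefs_text, reg_text):
    """True in the result means that browser is still storing passwords."""
    return {"firefox": firefox_saves_passwords(parse_prefs(prefs_text)),
            "ie": ie_saves_passwords(parse_reg(reg_text))}


# Constructed sample inputs: a locked-down profile on both browsers.
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://example.invalid/");
user_pref("signon.rememberSignons", false);
'''

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"FormSuggest Passwords"="yes"

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"FormSuggest Passwords"=dword:00000001
'''

if __name__ == "__main__":
    print(audit(SAMPLE_PREFS, SAMPLE_REG))   # {'firefox': False, 'ie': False}
```

Note that the sample IE user setting still says "yes"; the policy DWORD is what turns the result to `False`, which is the behaviour you want from a Group Policy setting. Real .reg exports are UTF-16 text, so read them with `open(path, encoding="utf-16")` before passing them to `parse_reg`.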

The USB Flash Drive Alternative

Siber Systems Inc. released last month a software program designed to eliminate the need (and the temptation) to store your user names and passwords via your browser.

The company, which has published RoboForm password-management software for desktop PCs for many years, is now shipping Pass2Go. The new program is a "portable RoboForm" that can execute within a USB Flash drive or any other removable medium, such as Iomega Zip drives and even rewritable CDs.

The new product has the following interesting features:

• Lack of Tracks. If you store user names and passwords via Pass2Go on a USB Flash drive, the computer you were using at the time loses access to those passwords completely when you remove the Flash drive from its USB port.

• Transportability. You can then insert the same Flash drive into the USB port of a different PC. As long as you remember the master password you set, you can automatically log in to your favorite Web sites on the second PC. Removing the drive, as before, deprives the second PC of the passwords as well.

• Flexibility. In addition to user names and passwords, you can use the Flash drive to store e-mail contact information from Microsoft Outlook, bookmarks from your browser, and other data that's handy when you're traveling.

Pass2Go can be licensed for $39.95 for a quantity of one, or $9.95 for users who already own a $29.95 license for the desktop product, RoboForm. Pass2Go, however, can be used for 30 days for free, after which (if you don't pay for it) it can still securely hold 10 passwords for up to two different users.

At this writing, Pass2Go works only with Internet Explorer. That's a problem for users of Firefox and other alternate browsers, such as Opera, that are free from IE's well-known security problems. Integration with those applications is expected to be available in future versions of the password utility, according to Andy Finkle, Siber Systems' vice president of marketing.

The Real Deal For Login Security

Is software on a USB Flash drive really secure enough to use to access your sensitive passwords on a computer at, say, an Internet café?

A Siber Systems press release says, "Pass2Go can confidently be used at Internet cafés, libraries, convention halls, airports, universities, or even at work, anywhere people on-the-go have a computer with a USB port."

In reality, just because your passwords are stored on a USB drive doesn't make it any safer for you to access a Web site from an Internet café or other public location. Once you type the USB drive's "master password" on a machine you don't control, a Trojan horse program running on that PC can capture those keystrokes, every password the utility fills in, and every screen that appears while you're using a supposedly "secure site."

"I would never recommend any product, even two-factor authentication, to be used in an Internet café," Siber Systems' Finkle said in a telephone interview.

Two-factor authentication is a stronger form of identification than a mere password. The first factor is something you have: a physical device, such as a USB Flash drive. This is combined with a second factor, something you know: typically a PIN (personal identification number) or some other code that's easy for a user to remember.

This dual approach may, in fact, be the key to using insecure PCs (such as the ones at Internet cafés) to communicate securely with distant servers.

A Meeting Of The Minds

USB Flash drives are now available with a riot of identification methods.

There are tiny "stick" drives with fingerprint readers that are meant to grant access to authorized users only.

Other Flash drives display a number computed from a secret seed stored in the device and an internal clock. A server that holds the same seed and is synchronized to the same time accepts each number only during a short window, and only once. If an eavesdropper snatches the number, it can't be replayed, and it reveals nothing about the rest of the session, which is encrypted separately.
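To make the two-factor idea and the time-synchronized token concrete, here is an added example of both sides of such a login; it is not any vendor's algorithm or code. The token and the server share a seed; the displayed number is a truncated HMAC of the current 30-second time step (the construction later standardized as TOTP), the server checks the PIN as the second factor, tolerates one step of clock drift, and remembers the last step it accepted so that a captured number cannot be replayed. The seed, PIN, timestamps and user name are constructed for the example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30    # how often the displayed number changes
DIGITS = 6
DRIFT_STEPS = 1      # server tolerates one step of clock drift either way


def one_time_code(secret, step):
    """Code for one time step: dynamically truncated HMAC-SHA1 of the step counter."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % 10 ** DIGITS:0{DIGITS}d}"


class Token:
    """The Flash drive: holds the seed, reads its own clock, shows a number."""

    def __init__(self, secret):
        self.secret = secret

    def display(self, now):
        return one_time_code(self.secret, now // STEP_SECONDS)


class Server:
    """Holds each user's seed and PIN and remembers the last step it accepted."""

    def __init__(self):
        self.users = {}

    def enroll(self, user, secret, pin):
        # PIN hashed without salt or stretching purely for brevity in this example.
        self.users[user] = {"secret": secret,
                            "pin": hashlib.sha256(pin.encode()).digest(),
                            "last_step": -1}

    def login(self, user, pin, code, now):
        record = self.users.get(user)
        if record is None:
            return False
        # Factor 2, something you know: the PIN.
        if not hmac.compare_digest(hashlib.sha256(pin.encode()).digest(), record["pin"]):
            return False
        # Factor 1, something you have: the code must come from the seed, for a
        # step near the server's own clock, and must not have been accepted before.
        step = now // STEP_SECONDS
        for candidate in range(step - DRIFT_STEPS, step + DRIFT_STEPS + 1):
            if candidate <= record["last_step"]:
                continue                  # replay of a used (or older) step: rejected
            if hmac.compare_digest(one_time_code(record["secret"], candidate), code):
                record["last_step"] = candidate
                return True
        return False


def demo():
    """Constructed exchange: a good login, an eavesdropper's replay, a bad PIN, a later login."""
    secret = b"constructed-seed-for-example-only"
    server = Server()
    server.enroll("brian", secret, "4711")
    token = Token(secret)
    now = 1_103_000_000                    # constructed clock; both sides are in sync
    code = token.display(now)
    first = server.login("brian", "4711", code, now)                 # True
    replay = server.login("brian", "4711", code, now + 5)            # False: snatched number reused
    bad_pin = server.login("brian", "0000", token.display(now + STEP_SECONDS),
                           now + STEP_SECONDS)                       # False: device alone is not enough
    later = server.login("brian", "4711", token.display(now + 2 * STEP_SECONDS),
                         now + 2 * STEP_SECONDS)                     # True: fresh step, correct PIN
    return first, replay, bad_pin, later
```

`demo()` returns `(True, False, False, True)`. The replay fails not because the code is wrong but because the server has already consumed that step; this is the "only once" property, and it is what makes a number captured by a keylogger or a shoulder surfer worthless a few seconds later. Encrypting the session that follows is a separate job for the transport, not for the token.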

I'll examine ways that specialized Flash drives can be combined with helpful password-storage software in this space next week.
