According to statistical data and surveys, the majority of Internet users reuse the same password over and over when registering on various web portals. It is somewhat acceptable if a given user/password combination is reused for commenting across forums or blogs, including questionable ones; using it for email or online banking, however, is a completely different story. Often it is a bitter one, because an intruder who gained access to a harmless social network would think to try the same credentials to log on to your email (listed on any social network), PayPal, eBay, or even online banking. Even if the user/password combination is not the same, the thief can easily reset it with full access to your email. This happens so quickly that more often than not the victim doesn't even notice that he or she received an email with a password-reset link. Meanwhile, the cyber-criminal is already making online purchases, transferring funds, and so on.

There's no doubt that the safest approach is to use different passwords for the wide variety of online resources, preferably sophisticated user/password combos. However, the sheer number of complicated logins is very hard for a regular human to remember. One could adopt the old-school approach of writing the credentials down in a notepad. This puts too much trust in fragile sheets of paper prone to loss, theft or accidental destruction. Besides, if it is stolen by a lucky thief, the catch might be worth more than a wallet.

Frequently, Internet users trust browsers to remember their login information, since the browser is the principal tool for getting online work done. Google Chrome and Firefox offer synchronization of memorized logins across multiple computers (via a cloud), which seemingly simplifies matters. While it's convenient, two problems remain:

a) an intruder with physical or remote access to the computer can easily take advantage of any stored logins;

b) in case of a browser problem or an overly thorough clean-up, there's a risk of losing the stored user/password combinations.

Now is a good moment to introduce the concept of password managers, which keep credentials in a safe place protected by a single master password. We will focus on free password managers.

KeePass

The first password manager that comes to mind is KeePass. This software is completely free, it is not demanding at all when it comes to computer resources, and most importantly it is open source, which means that anyone can potentially verify that there are no hidden back-doors (unlike technologies by Microsoft collaborating with the NSA and Co). Of course we don't suggest that an end user would bother with such checks; however, a wide variety of programmers from all over the world have looked into it and confirmed that it is trustworthy, in other words the program doesn't send or expose your passwords to third parties. It's also important that there are plugins and extensions that allow using KeePass with other applications.

Currently, there are two lines of program development: 1.xx and 2.xx. The first one is the "classic" version, which lacks a few functions available in 2.xx, such as cross-platform availability. In addition, there is no backward compatibility; that is, they are two different programs using different password-storage formats. This might complicate things, but the problem can be resolved by using the Export function on the old version's password database.
Naturally, all information within a KeePass database is encrypted, and the encryption mechanisms are the most trustworthy ones. One can access data encrypted by KeePass via a master password or a special key file generated by KeePass. Such key files should be treated with great caution, because losing one would effectively destroy the data, and letting the file fall into the wrong hands would compromise the security of the data. There is also an option to require both a master password and a key file (carried on a physical medium such as a memory stick, mini-CD, etc.). It's important to understand that all data is kept on a given computer in a single database file; if there is a need to access KeePass data on a different computer, then the KeePass database file must be carried over (potentially along with the key file), or it could be stored in a cloud service like Dropbox.
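The following is an added illustration of the "master password plus key file" idea described above; it is example code written for this page, not KeePass's own implementation (KeePass's real KDBX key schedule differs in detail). It assumes a PBKDF2-based composite key, a 64-byte key file, and an HMAC tag over a constructed database header, and shows that losing the key file, or holding the key file without the password, leaves the database unopenable.

```python
"""Composite-key derivation from a master password and a key file.

Added example (not KeePass's own code): KeePass's real KDBX key schedule
differs in detail, but the principle is the same. Every factor the database
was created with must be presented again, so a lost key file makes the data
unrecoverable and a leaked one removes half of the protection.
"""
import hashlib
import hmac
import secrets
from typing import Optional

ROUNDS = 200_000  # assumed PBKDF2 iteration count for this example


def new_keyfile() -> bytes:
    """Generate key-file contents: 64 random bytes (assumed size)."""
    return secrets.token_bytes(64)


def composite_key(master_password: Optional[str], keyfile_bytes: Optional[bytes],
                  salt: bytes) -> bytes:
    """Combine whichever factors are present into one 32-byte key.

    Each factor is hashed separately, the hashes are concatenated, and the
    result is stretched with PBKDF2-HMAC-SHA256 so offline guessing is slow.
    """
    if master_password is None and keyfile_bytes is None:
        raise ValueError("a master password or a key file (or both) is required")
    material = b""
    if master_password is not None:
        material += hashlib.sha256(master_password.encode("utf-8")).digest()
    if keyfile_bytes is not None:
        material += hashlib.sha256(keyfile_bytes).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, ROUNDS, dklen=32)


def seal_header(key: bytes, header: bytes) -> bytes:
    """Authentication tag (HMAC-SHA256) stored next to the database header."""
    return hmac.new(key, header, hashlib.sha256).digest()


def open_database(master_password: Optional[str], keyfile_bytes: Optional[bytes],
                  salt: bytes, header: bytes, tag: bytes) -> bool:
    """Return True only if the supplied factors reproduce the stored tag."""
    try:
        key = composite_key(master_password, keyfile_bytes, salt)
    except ValueError:
        return False
    return hmac.compare_digest(seal_header(key, header), tag)


# Constructed sample database: fixed values so the demo is reproducible.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_KEYFILE = bytes(range(64))   # constructed stand-in for new_keyfile()
SAMPLE_SALT = b"\x00" * 16          # constructed; use secrets.token_bytes(16) in practice
SAMPLE_HEADER = b"example-db-header-v1"
SAMPLE_TAG = seal_header(composite_key(SAMPLE_PASSWORD, SAMPLE_KEYFILE, SAMPLE_SALT),
                         SAMPLE_HEADER)


def demo() -> dict:
    """Which combinations of factors open the constructed database."""
    attempts = {
        "both_correct": (SAMPLE_PASSWORD, SAMPLE_KEYFILE),
        "password_only": (SAMPLE_PASSWORD, None),   # key file lost
        "keyfile_only": (None, SAMPLE_KEYFILE),     # key file taken, password unknown
        "wrong_keyfile": (SAMPLE_PASSWORD, b"not the original key file"),
        "wrong_password": ("wrong password", SAMPLE_KEYFILE),
    }
    return {name: open_database(pw, kf, SAMPLE_SALT, SAMPLE_HEADER, SAMPLE_TAG)
            for name, (pw, kf) in attempts.items()}


if __name__ == "__main__":
    for name, opened in demo().items():
        print(f"{name:15s} -> {'opened' if opened else 'refused'}")
```

Only the `both_correct` attempt opens the sample database; a correct password with a missing or wrong key file is refused just as firmly as a wrong password, which is why the article advises keeping the key file on a medium you control and backed up.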

Lastly, we'd mention that there are mobile apps for all popular platforms like Windows Mobile, iOS and Android. That's when cloud storage like Dropbox comes in very handy. There's also a very useful feature of intercepting the browser's requests for passwords and automatically filling out the fields from the KeePass encrypted data storage.

LastPass

Another popular password manager is LastPass. LastPass is also available on all operating systems, including mobile platforms; however, mobile versions are only available through a commercial subscription. The most important characteristic of LastPass is that it is a web service (cloud software) that works via a browser extension rather than an installed application. The advantage here is that there is no need to carry around a data store with encrypted passwords; it is all in the cloud, within reach of any browser. Interestingly, this also draws the biggest criticism of LastPass, because:
  1. the LastPass database might be vulnerable to hacker attacks;
  2. the service might be disrupted by denial-of-service attacks;
  3. highly sensitive data could potentially be passed to a third party (like the NSA ;) ).

There have been no successful hacker attacks thus far, and the service can more or less be trusted for everyday needs.

Lastly, we'd mention a few useful features: LastPass automatically checks the strength of passwords when importing them from a browser; it allows removing the potentially vulnerable password databases created by browsers; and it automatically fills out forms on websites. There's also an option for creating data sets that fill out additional custom fields when registering for e-commerce or service websites.
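As an added example of the kind of check a password manager runs over logins imported from a browser, the script below rates each password and also flags the reuse problem the article opens with. It is illustration code written for this page, not LastPass's implementation; the entropy formula, the weak/fair/strong thresholds, the short common-password list and the sample entries are all assumptions constructed here.

```python
"""Password-strength check and reuse detection over a set of imported logins.

Added example, not LastPass's code: the scoring thresholds and the short
common-password list are assumptions chosen for illustration.
"""
import math
import string
from collections import defaultdict

# Constructed stand-in for a dictionary of commonly leaked passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "admin"}


def charset_size(password: str) -> int:
    """Size of the smallest character pool that could have produced the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    if any(c not in string.printable for c in password):
        size += 100  # assumed allowance for non-ASCII characters
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy: length * log2(pool size)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def rate(password: str) -> dict:
    """Label a single password weak / fair / strong, with reasons."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if password and len(set(password)) <= 2:
        reasons.append("almost no distinct characters")
    bits = entropy_bits(password)
    if reasons or bits < 40:
        label = "weak"
    elif bits < 60:
        label = "fair"
    else:
        label = "strong"
    return {"bits": round(bits, 1), "label": label, "reasons": reasons}


def audit(entries: list) -> list:
    """Rate each (site, username, password) entry and flag reuse across sites.

    Reuse is the problem described at the top of this article: one leaked
    login unlocks every other site where the same password was used, so a
    reused password is downgraded to weak regardless of its entropy.
    """
    sites_by_password = defaultdict(set)
    for site, _user, pw in entries:
        sites_by_password[pw].add(site)
    report = []
    for site, user, pw in entries:
        result = rate(pw)
        others = sorted(sites_by_password[pw] - {site})
        if others:
            result["label"] = "weak"
            result["reasons"].append("reused on: " + ", ".join(others))
        report.append({"site": site, "username": user, **result})
    return report


# Constructed sample import, as a browser might hand it over.
SAMPLE_ENTRIES = [
    ("forum.example", "alice", "letmein"),
    ("mail.example", "alice", "abc12345"),
    ("bank.example", "alice", "abc12345"),
    ("shop.example", "alice", "Tr0ub4dor&3"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_ENTRIES):
        print(f"{row['site']:15s} {row['label']:6s} {row['bits']:5.1f} bits  "
              + "; ".join(row["reasons"]))
```

In the constructed sample, the forum password is weak on its own, the mail and bank passwords would pass as "fair" in isolation but are downgraded because they are the same, and only the shop password comes out strong. The pool-size entropy is an upper bound: a manager's real check would also look at dictionary words and keyboard patterns, which this example does not model.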

© 2017 - Allora Consulting