Michael Schneider
One of the most commonly exploited weaknesses in untargeted attacks is the password. Oftentimes, passwords are easy to guess, and if they aren’t, they’re often re-used with only slight variations. That’s not that astounding, seeing as I’m a security expert myself and I didn’t follow my own advice for the longest time. It’s too much effort. Or so I thought.
The most difficult part for me is to remember a complex string of characters that does not make any sense. I am not even going to think about remembering many of them. Even if XKCD is funny, its passphrase method is not a practical solution. The average internet user has anywhere between 10 and 50 passwords. Try the XKCD method times fifty. However, the question should be rephrased: not «How can I remember ten to fifty random strings of characters?» but «Must I remember ten to fifty random strings of characters?»
We assume that we must know our passwords, but that’s wrong. There’s this thing, uhm, device that makes our lives easier – it’s called a computer. So get a program that remembers passwords for you. These programs are called password safes. While they don’t solve all the problems related to passwords, they do take care of remembering them.
One such solution is called KeePass. Installing is easy. On Windows, you download the installer of the professional version from the official KeePass website and follow the installation wizard.
In Debian-based Linux distributions such as Ubuntu, use the following line in a terminal:
$ sudo apt-get install keepassx
or use a graphical package manager.
For Mac OS X, the software is available here, and a double click starts the installation.
After the first start of KeePass, you will have to create a database in which the passwords are stored. This is done by clicking the database icon under File.
Next, KeePass asks you what the password for the database should be. This is the only password you need to remember, as it is required at every start. It should be a very secure password.
Confirm it:
Save the database now. Click on File —> Save Database.
Most of us have many passwords. There are two ways to go about changing them. Either you log into everything at least once, change the password and save it in the database. Or you change them one by one, every time you need a service. How you get from insecure passwords to secure ones in the database doesn’t matter, though. Start with your e-mail password, as it’s one of your most important ones. For our example here, we’ll use Facebook, though.
Click on Entries —> Add New Entry...
A dialog pops up where all the relevant data can be entered.
The button labeled Gen. opens the password generator.
There are various settings for the password that is being generated: length, complexity, character classes and so on. After entering the settings, click on Generate, and that fills out the password field as well as the confirmation.
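To make the generator settings concrete, here is an added example (not KeePass’s own code, and not from the author) of what a password generator with selectable length and character classes does under the hood, and why its output is stronger than a memorised phrase. The character classes and the symbol set are assumptions chosen for illustration; the entropy calculation is the standard length × log2(alphabet size) for a uniformly random string.

```python
import math
import secrets
import string

# Character classes a generator lets you toggle. Constructed to mirror the
# kind of settings a KeePass-style generator offers; the symbol set is an
# assumption for this illustration.
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!#$%&*+-/=?@^_",
}

DEFAULT_CLASSES = ("lower", "upper", "digits", "symbols")


def build_alphabet(classes):
    """Combine the selected character classes into one alphabet."""
    alphabet = "".join(CHARSETS[c] for c in classes)
    if not alphabet:
        raise ValueError("at least one character class is required")
    return alphabet


def password_meets(candidate, classes):
    """True if every selected class appears at least once in candidate."""
    return all(any(ch in CHARSETS[c] for ch in candidate) for c in classes)


def generate_password(length=20, classes=DEFAULT_CLASSES):
    """Draw a password with a CSPRNG (the secrets module, never random).

    Rejection sampling keeps the result uniform over all strings that
    contain every selected class, rather than forcing fixed positions.
    """
    if length < len(classes):
        raise ValueError("length must be at least the number of required classes")
    alphabet = build_alphabet(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if password_meets(candidate, classes):
            return candidate


def entropy_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random string of `length` symbols
    drawn from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def passphrase_entropy(words, wordlist_size=2048):
    """Entropy of an XKCD-style passphrase: `words` random words picked
    from a list of `wordlist_size` entries (2048 is an assumed list size)."""
    return entropy_bits(words, wordlist_size)


if __name__ == "__main__":
    alphabet = build_alphabet(DEFAULT_CLASSES)
    pw = generate_password(20, DEFAULT_CLASSES)
    print(f"generated password: {pw}")
    print(f"20 chars, all classes: {entropy_bits(20, len(alphabet)):.1f} bits")
    print(f"8 lowercase letters:   {entropy_bits(8, 26):.1f} bits")
    print(f"4-word passphrase:     {passphrase_entropy(4):.1f} bits")
```

The comparison printed at the end is the point of the exercise: a 20-character password over all four classes carries roughly 125 bits, a four-word passphrase about 44 bits, and an 8-letter lowercase word under 38 bits. Since the safe remembers the string for you, there is no reason to settle for the weaker end of that scale.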
After a final click on OK, you’re back to the main screen.
If you want to enter the password you generated into a website’s password field, simply double-click the asterisks in the list of passwords. Then you can just paste it into the password field. A nice side effect of this is that the password is never displayed on screen, and it is only held in the clipboard for a short period of time, which eliminates the clipboard as an attack vector.
If you would rather see the setting up of a KeePass password in a video:
If you’d rather have your passwords stored on a portable device such as a USB stick, you can use the portable version that can also be found on KeePass’ official website. There, you’ll also find a list of unofficial versions running on Android, Windows Phone and BlackBerry.