Healthy Paranoia - Goodbye, Passwords!

Healthy Paranoia

Goodbye, Passwords!

Veit Hailperin
by Veit Hailperin
time to read: 7 minutes

One of the most exploited vulnerabilities that happen in an untargeted manner are passwords. Oftentimes, they’re easy to guess and if they aren’t, they’re often re-used with only slight variations. That’s not that astounding, seeing as I’m a security expert myself and I didn’t follow my own advice for the longest time. It’s too much effort. Or so I thought.

Funny, but useless. Source: xkcd.com

The most difficult part for me is to remember a complex string of characters that does not make any sense. I am not even going to think about remembering many of them. Even if XKCD is funny, it’s not a practical solution. The average internet user has anywhere between 10 and 50 passwords. Try the XKCD method times fifty. However, rephrasing the question makes «How can I remember ten to fifty random strings of characters?» into «Must I remember ten to fifty random strings of characters?»

We assume that we must know our passwords, but that’s wrong. There’s this thing, uhm, device that makes our lives easier – it’s called computer. So get a program that remembers passwords for you. These programs are called Password Safes. While they don’t solve all the problems related to passwords, they do take care of the remembering of passwords.

A comprehensive guide to picking the right password

Installation of Password Safes KeePass

One such solution is called KeePass. Installing is easy. In Windows, you download the installer of the professional version from the official KeePass Website and you follow the installation menu.

In Debian based Linux distributions such as Ubuntu, use the following line in Terminal.

$ sudo apt-get install keepassx

or go with a graphic installation tool.

For Mac OS X, the software is available here and a double click starts installation.

The First Start

First Start

After the first start of KeePass, you will have to create a database in which the passwords are being stored. This happen by clicking the image under file.

Neue Datenbank

Next, KeePass asks you what the password for the database should be. This is the only password that’s relevant to remember as it will be required at every start. It should be a very secure password.

Master Password

Confirm it:

Confirmation

Save the database now. Click on File —> Save Database

Save Password

Usage

Most of us have many passwords. There are two different ways how to go about changing these. Either you log into everything at least once and change the password and then save that in the database. Or you change it one by one, every time you need a service. The way you go from insecure passwords to secure ones in the database doesn’t matter, though. Start with your e-mail password, as it’s one of your most important ones. For our example here, we’ll use Facebook, though.

Click on Entries —> Add New Entry...

New Entry

A dialog pops up where all the relevant data can be entered.

Fill in Information

The button labeled Gen. opens the password generator.

Password Generator

There are various settings for the password that’s being generated. Length, complexity, characters and so on. After entering the settings, click on generate and that fills out the password field as well as the confirmation.

Password Settings

After a final click on OK you’re back to the main screen.

List of Passwords

If you want to enter the password you generated into a website’s password field, simply doubleclick the asterisks in the list of passwords. Then you can just paste them into the password field. A nice side effect of this is that the password is never displayed on screen and the password is only stored in the clipboard for a short period of time, which eliminates attacking the clipboard as a vector.

In case you want to see the setting up of a KeePass password in a video:

YouTube Video

Addendum

If you’d rather have you passwords stored on a portable device such as a USB stick, you can use the portable version that can also be found on KeePass’ official website. There, you’ll also find a list of unofficial versions running on Android, Windows Phone and Blackberry.

About the Author

Veit Hailperin

Veit Hailperin has been working in information security since 2010. His research focuses on network and application layer security and the protection of privacy. He presents his findings at conferences.

Links

Are you interested in a Penetration Test?

Our experts will get in contact with you!

×
I want a "Red Teaming"

I want a "Red Teaming"

Michael Schneider

Human and AI

Human and AI

Marisa Tschopp

Vehicle forensics

Vehicle forensics

Michèle Trebo

Isn’t business continuity part of security?

Isn’t business continuity part of security?

Andrea Covello

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here