Taken from my blog here:

Nowadays web users have registered themselves on many websites. Each website asks you for a new password that should be hard to guess and easy to remember. However, it turns out to be a pretty difficult task. Not to mention that you'd probably store them in a spreadsheet file in your home folder.

Well, let's discuss how to securely deal with passwords by comparing the following approaches:

- paper or digital notes;
- your email provider;
- an online password manager (LastPass);
- an offline password manager (KeePass).

## Security Principles for Managing Passwords

First of all, to securely handle passwords I've listed 5 ideal and main principles that we should keep in mind no matter which option you choose:

1. The process of managing passwords must be easy to use, otherwise it won't stick.
2. Passwords must be complex, i.e., hard to guess.
3. Passwords must be unique for every account you have.
4. Passwords must be transmitted securely.
5. Never forget another password.

## Paper or Digital Notes

This approach includes managing your passwords using either paper or digital formats. The more you know about attacks and encryption, the more you start loving paper.

1. The process of managing passwords must be easy to use: in general it's just switching tabs and copying/pasting passwords.
2. Passwords must be complex: generating strong passwords without a password manager is a challenging task because we're biased in our generation pattern, but it still should not be hard to generate a strong password that you won't need to remember. In this topic you can just randomly press the keys of your keyboard, using SHIFT on some keys and not on others, plus adding numbers, until you reach a desirable size, e.g., 20 characters.
3. Passwords must be unique for every account you have: just repeat the generation process for each account, thus you'll have a different complex password for every account.
4. Passwords must be transmitted securely: you don't need to remember your passwords, but you have to move them from your vault (be it encrypted or not) to the login page. It turns out that you'll probably copy and paste them, but beware that other programs may access your clipboard. You need to make sure to empty your clipboard after pasting the password, ideally even before submitting the login form. Or a malware infection may dump your memory or log your keystrokes, thus defeating this whole password management process. You can't log in to any service while sharing your screen or when someone is behind you, otherwise they'd be able to see your passwords.

If you're using paper there is the risk of being robbed or of someone sneaking into your room and photographing all your passwords, just like a credit card. If you're using a digital method you can choose to store them in a file like a spreadsheet, but chances are that you don't have full disk encryption, thus a backup of your notebook will be enough to dump all your passwords. The problem will be to access it, but keep reading :)

## Your Email Provider

A better option is to store all your passwords in your email provider. For example, if you use Gmail, storing them in a draft is better. Why? Because when you forget a password, if you still have access to your email you can reset it, thus your passwords are as strong as your email provider account access. Your email provider will have access to all your passwords, but seriously, Google has much more valuable data than your passwords to begin with. Make sure to enable 2-step verification on your provider for enhanced security.

But what's the problem with this approach? Drafts may be cached in your browser, so a backup of your HD is again enough; or, if you have synchronized your mobile phone to access your email (99% of people do this, I bet), you'll have another copy of your passwords cached on your mobile phone. It also requires you to have continuous access to your email account, which is really a problem when logging in from an untrusted machine.

## Online Password Manager

An online password manager is actually a mix of an offline password manager with online capabilities to share passwords and synchronize across multiple devices. I'm using LastPass, a free service, for this category of online password managers. It's been made for laymen after all.

To sign up, I went to the LastPass website and was prompted to install their browser extension:

(screenshot)

Then every action afterwards happens within this extension. The URL starts with chrome-extension:// where I'm asked to sign up. As it was my first account on LastPass and, at least at first, I don't want to use it, I put a ridiculous master password hehe.

2. Passwords must be complex: doing it automated is better than manually. We tend to stick to keyboard patterns instead of truly randomizing characters, let alone using special characters. Whenever you try to sign up, LastPass can generate a new password using default rules:

(screenshot)

Or let you customize them by clicking on "More options":

(screenshot)

3. Passwords must be unique for every account you have: after signing up to a website, you can manage every stored credential:

(screenshot)

And then launch the website to authenticate directly:

(screenshot)

They even offer a feature named "Security Challenge" that tests all your passwords against 'already leaked passwords', 'weak passwords' and much more:

(screenshot)

4. Passwords must be transmitted securely: in LastPass's case, by default the username and the password are auto-filled thanks to the browser extension. In my case I have only one, thus the "1" value near those icons. If you click on it you'll be offered the option "Log in as another user", in case you have more users for that website. In this case there is no need to copy/paste, unless you disable autofill, thus preventing attacks on the clipboard. But is it a safe password transmission from the vault to the website? On the other hand, if the autofill extension is not secure, an attacker could craft a malicious URL to spoof a valid website and make the extension toss all credentials. It has actually occurred recently and in the past, using an XSS on any page in a domain and iframing the login page to leverage the Same Origin Policy (SOP) to access the value of the password field. I didn't research it, but I have doubts about their implementation given the information presented in the previously linked article.

5. Never forget another password: users may forget their master password, and losing the master password means losing all other passwords as well. That said, instead of relying on the user's master password to decrypt the vault, wouldn't it be better to store the decryption password on LastPass's servers and send it back to the device only when the user's email/password matches? Yes, it's better. Actually they don't need to store the whole key, but part of it. This concept is called dual custody. That's not necessarily how LastPass is designed. But there is one worrisome thing: vault synchronization across devices. It can only be done if the vault is stored on the server. Ok, now in this scenario the security of your vault lies on LastPass's servers. It means that hacking LastPass would leak your vault and your vault key. Is that a good thing? It depends! At least until November 17th it wasn't.

## Offline Password Manager

For this topic I'll use KeePass, a free and open source password manager. Let's start by installing KeePass. I tried to install the latest version (2.x), but only the classic version (1.x) worked using Wine. What saddens me is that it uses Wine instead of having a version designed specifically for Ubuntu, which makes the interface look like Windows 95. Here's the first thing you'll see:

(screenshot)

Let's proceed to create our vault. Note that it's possible to use a KEY to unlock our vault instead of a master password. Actually they call the combination of factors used to unlock your vault a "composite master key".
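As an added example (not code from the original post, nor from LastPass or KeePass), the Python sketch below ties together three points made above: principles 2 and 3 from the Security Principles section (complex, unique passwords drawn from the OS random generator rather than from a keyboard-mashing pattern), and the composite master key idea from the KeePass section (a master password plus an optional key file, so that the password alone cannot open the vault). It also shows concretely why, without something like the dual custody discussed in the LastPass section, forgetting the master password means losing every password in the vault: nothing but the right factors yields the key. The vault layout, the PBKDF2 round count and the SHAKE-256 keystream authenticated with HMAC are my own simplifications standing in for a real authenticated cipher such as AES-GCM (the standard library ships none); they are not KeePass's or LastPass's actual format, and the key file bytes and account names are constructed sample data.

```python
import hashlib
import hmac
import json
import math
import os
import secrets
import string
from typing import Optional

# Principles 2 and 3: complex, unique passwords
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw every character from the OS CSPRNG, so no keyboard pattern leaks in."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def passwords_for(accounts) -> dict:
    """One fresh random password per account; repeating the draw is what makes them unique."""
    return {account: generate_password() for account in accounts}


# Composite master key: master password plus optional key file (simplified, not KeePass's format)
PBKDF2_ROUNDS = 100_000  # illustrative; real managers tune this much higher


def composite_key(master_password: str, key_file: Optional[bytes], salt: bytes) -> bytes:
    # Hash each factor, concatenate, then stretch the combination with PBKDF2:
    # a password guess is slow to test and worthless without the key file bytes.
    material = hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file is not None:
        material += hashlib.sha256(key_file).digest()
    return hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ROUNDS, dklen=64)


def lock_vault(entries: dict, master_password: str, key_file: Optional[bytes] = None) -> dict:
    """Encrypt-then-MAC the entries under the composite key; only the blob is stored."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = composite_key(master_password, key_file, salt)
    enc_key, mac_key = key[:32], key[32:]
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    keystream = hashlib.shake_256(enc_key + nonce).digest(len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def unlock_vault(vault: dict, master_password: str, key_file: Optional[bytes] = None):
    """Return the entries, or None on a wrong password, missing key file, or tampered blob."""
    key = composite_key(master_password, key_file, vault["salt"])
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, vault["salt"] + vault["nonce"] + vault["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None  # never release a keystream for unauthenticated data
    keystream = hashlib.shake_256(enc_key + vault["nonce"]).digest(len(vault["ciphertext"]))
    plaintext = bytes(c ^ k for c, k in zip(vault["ciphertext"], keystream))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: three accounts, a master password and a fake key file.
    entries = passwords_for(["mail.example", "bank.example", "forum.example"])
    key_file = b"constructed key file bytes, normally random and kept off the server"
    blob = lock_vault(entries, "correct horse battery staple", key_file)
    print("entropy of a 20-char password: %.1f bits" % entropy_bits(20))
    print("unlock with both factors:", unlock_vault(blob, "correct horse battery staple", key_file) == entries)
    print("unlock with password only:", unlock_vault(blob, "correct horse battery staple"))
    print("unlock with wrong password:", unlock_vault(blob, "forgotten", key_file))
```

The last two calls print `None`: the vault gives nothing back when either factor is missing, which is the whole point of a composite master key and, at the same time, the reason a forgotten master password is unrecoverable unless part of the key is held elsewhere.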
Author: Lingeswaran