sarathmenon (sarathmenon) wrote,

The art of password management

If you're anything like me, once upon a time you've religiously kept using strong passwords. A different one for each email provider, mixing alphanumerics with symbols. Every password you've created was immune to dictionary attacks and virtually unguessable. Even if someone got hold of one of your passwords, the vulnerability was limited to just that account. The problem? I have 34 accounts (no kidding!) that I regularly use, and no frikking clue on how to manage them. It never used to be this way. I've tried password managers, from the Windows versions to KWallet, Java versions etc. KWallet stuck with me the longest, mainly because at that time, my only desktop was a Linux machine. Since then, I've been using a very mixed environment, regularly switching between a Mac, a Gentoo box, and the company's Windows laptop. Recently, I've thrown an N810 into the mix, and now I've got a huge problem with my lack of a good password manager.

My solution for this distributed system has been very crude. I've stored my password in a plain text file on my webserver, added an .htaccess to prevent anyone else from accessing it and download the file via FTP whenever I need an obscure password. Yeah, truly a hack job. But it worked because there were no good alternatives at that time. Now when I look back, that was the point where it started going downhill. Opening the password file became so complicated that I started using it less and less. To counteract it, I'd started keeping categories of passwords. One common password for all my bank accounts, another one for all my email accounts, another one for social networks etc... On most places my id has been sarathmenon, so it's still a simple enough strategy. It went on fine for a while, until I noticed more complications. Some places started adding complicated restrictions in the name of security. My classic example is They demand that the userid have numbers to prevent dictionary attacks. The number can't be at the beginning or the end and has to be in the middle somewhere. Great, now I have a new userid to remember. The problem doesn't stop there. They require me to avoid symbols in the password. For yet some explained reason, it improves security, or prevents babies from being murdered somewhere. That was a complication because now I have deviated from my self-imposed standard. Soon PayPal joined that list, along with a lot of other sites.

My password generation has been a very simple one. I take two series; say, one is a list of car manufacturers and the other would be the model numbers of motherboards I've owned. Now, I mix both and generate a password, e.g. ferrari82i810 or porscheM2NMX. Swap a few characters for their equivalents in symbols and there you go. Now I end up with a f3rr@ri82i810. That's good enough for those sites that demand that I change my password recurrently (hint: office), with a series that's good enough to go for an entire year. It's mostly invulnerable to brute force attacks (well, not as much as fully random passwords), and convenient enough for me. But I've noticed more and more that with more and more sites demanding that I sign up, I've had to start different series for each one. Nothing short of a full-blown password manager will cut it for me. I've been spending time searching for a good enough solution to this mess, something that's secure and still convenient.

My main criteria have been (in the order of my needs):
  • Open source only. If you don't trust me with your source, I am not going to trust you with my passwords. I don't mean to fully audit the source, but having the source available is always good if I want to check how they do security. Plus some bright mind somewhere would have written something good about their algorithms.
  • Actively developed. I am not clamouring for a new feature every week. Every program has some bugs, vulnerabilities get discovered every now and then. The program should have a good development team, that's receptive to constructive criticism and a competent enough team to fix bugs as soon as they appear.
  • Cross platform. This is absolutely a must. I use 3 different OSes. I also use 3 distros of Linux across three different processor types; it should work on every single one of them without much mucking around.
  • Popular. It should be widely used, so that there have been enough guinea pigs before me ;) I don't want to be the person who tries out their arcane features for the first time, and sees that it bombs out horribly.
  • Good track record of security. I don't want something laden with enough holes to let a Hummer pass through. It does only password management, and should do it well. The fewer security holes ever discovered in the program, the better.
  • Distributed Architecture. I could be out on shared computers, I could be on thin clients, I could be on the moon using an Eniac to check my mail. I want password management for my online accounts, so I want the manager to be available online also. Having the database available online also works for me, but whatever it is should be secure enough.
  • Easy to use. Yeah, ease of use. I am not looking for an experience similar to opening Konqueror's settings. There should be no monkeying around with thousands of checkboxes to save a password. If it can seamlessly integrate with my online life, more power to it.
That's a long list there, but having one ready made my search a lot easier. The list of good enough candidates quickly narrowed down to a few: KeePassX, Firefox's password manager with a master password and Google Browser Sync, PassPack, Clipperz, Password Gorilla. KWallet and Gnome's password managers like Revelation were struck out because they aren't cross platform. PassPack wasn't open source, Password Gorilla is clunky and made in Tcl/Tk (Why haven't you died yet?), Firefox's password management is, well, encrypted in a plain text algorithm... A wrapper around gpg isn't an option, nor is pwsafe.

That left me with KeePass variants, and Clipperz. I am very hesitant about storing something in the cloud when it comes to sensitive information. I don't want someone else's screwup to affect my life. KeePass, on the other hand, is easy to use, stores any amount of random data, and has clients available for all platforms (except Maemo). Reading up more on Clipperz, I got more hooked. They supply all their JavaScript in one file, which is checksum verified on the client. Every password that the client stores is hashed locally with the passphrase. They store data on the server with AES. They themselves don't have a way to reverse engineer someone's key, and the more I read their blog, the more I liked their thoughts on security. Clipperz can run on the Google cloud or my own servers. Their model is such that they don't trust the user and the user doesn't trust the server. Encryption happens on the client side, and the hashed password is sent out to the server. They have open sourced their JavaScript based crypto libraries. Their UI also can store form details for the username and password, so after I log in to their site, it's a one click login to all my online hangouts. All said, I am sold on Clipperz. The only drawback is that the JavaScript-heavy site is very taxing for Maemo. But when I look at KeePass, I won't have an N810 client anyway, so they are pretty much on the same page.
Tags: passwords, security
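
The client-side model described in the post, sketched in Node.js as an added example: this is not Clipperz's code or their actual protocol. The choice of scrypt, AES-256-GCM and SHA-256, every function name, and the sample data are assumptions made for illustration. It shows what a server in such a design ends up holding: a salt, a passphrase-derived login token, and ciphertext.

```javascript
const crypto = require('crypto');

// Check a downloaded script bundle against a checksum obtained out of band.
function bundleMatches(bundle, expectedSha256Hex) {
  const got = crypto.createHash('sha256').update(bundle).digest();
  const want = Buffer.from(expectedSha256Hex, 'hex');
  return want.length === got.length && crypto.timingSafeEqual(got, want);
}

// Stretch the passphrase once, then split the output: encKey never leaves the
// client, authToken is the only passphrase-derived value the server sees.
function deriveKeys(passphrase, salt) {
  const out = crypto.scryptSync(passphrase, salt, 64);
  return { encKey: out.subarray(0, 32), authToken: out.subarray(32).toString('hex') };
}

// Encrypt one card on the client; the returned blob is what gets uploaded.
function sealCard(encKey, card) {
  const iv = crypto.randomBytes(12); // fresh nonce for every record
  const c = crypto.createCipheriv('aes-256-gcm', encKey, iv);
  const ct = Buffer.concat([c.update(JSON.stringify(card), 'utf8'), c.final()]);
  return { iv: iv.toString('hex'), ct: ct.toString('hex'), tag: c.getAuthTag().toString('hex') };
}

// Decrypt on the client; throws if the key is wrong or the blob was altered.
function openCard(encKey, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', encKey, Buffer.from(blob.iv, 'hex'));
  d.setAuthTag(Buffer.from(blob.tag, 'hex'));
  const pt = Buffer.concat([d.update(Buffer.from(blob.ct, 'hex')), d.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Constructed sample data: a per-user salt (stored server-side, not secret) and one card.
const salt = Buffer.from('00112233445566778899aabbccddeeff', 'hex');
const card = { site: 'example.org', user: 'alice', password: 'constructed-sample' };

const client = deriveKeys('correct horse battery staple', salt);
// Everything the server ever holds for this user:
const serverRow = {
  salt: salt.toString('hex'),
  authToken: client.authToken,
  blob: sealCard(client.encKey, card),
};

console.log('plaintext visible to server:', JSON.stringify(serverRow).includes(card.password));
console.log('client round trip:', openCard(client.encKey, serverRow.blob).user);
```

The integrity check only helps if the expected checksum reaches the client by a path the server does not control; a server that can replace the bundle can replace a checksum it serves alongside it.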