Do Not Use Browsers to Store and Deliver Passwords

Since their inception in the 1990s, web browsers have been packed full of useful features like bookmarks, tabs, granular cookie control, and so much more. It’s no surprise, then, that most browsers now include the ability to store your passwords and to manually or automatically insert them into website login pages. Talk about convenience.

Don’t do it.

The browser makers mean well. However, when a single program accepts untrusted input from the Internet and that same program has access to sensitive login credentials, one can imagine that it would be possible to craft malware that can reach across and pluck out those credentials at will, possibly without the user’s knowledge.

A browser that stores passwords is vulnerable to attack. First, passwords are often stored in plaintext (see this article and also this article, and here is a useful article from the University of Minnesota that instructs users on how to retrieve stored passwords). Malware that has access to your computer’s file system may be designed to look for, and retrieve, these stored passwords.

Also, you should be aware of autofill attacks that trick browsers into pasting in sensitive information on hidden variables in otherwise-innocent looking forms. One day, such an attack may be able to trick a browser into auto-filling login credentials into hidden fields without your awareness or consent.

As long as we use login-and-password to log in to websites, you need to be the air gap between your stored credentials and your browser.

New Christmas computer, part 1: password security

There it is – a shiny new laptop, desktop, or tablet running Windows. You can’t wait to go to your favorite sites: Netflix, Hulu, Pandora, Flickr, Pinterest, Facebook, and see how fast things download, how crisp and bright the new screen, how precise the touchpad and keys.

But if this new PC does not have anti-virus, a firewall, and other precautions, the glitter will soon be gone, and you’ll soon wonder why the problems you’re having in 2013 are related to that new PC.

New machines are a good time to develop new habits. Sure, there’s a little trouble now, but you’ll save hours of grief later.  Think of this as the moments required to fasten the seat belt in your car and perhaps a bit of discomfort – but compare that to the pain and expense of injuries incurred in even a minor crash if you weren’t wearing it. Minor decisions now can have major consequences later.

Habit #1: Use unique passwords on every site

Many people pick what they feel is a “good” password (long and complex, not easily guessed), but they use that password on many or all of their favorite Internet sites. There is a serious problem with this: if any of those Internet sites suffers the type of security breach like we saw many times in 2012, your password may become known to an adversary. Since most peoples’ userids are their email addresses, and because many people use the same password everywhere, an adversary who has discovered your password on one site will try your email address and password on all popular Internet sites and see which of those sites they can also log in to.

How to use unique passwords

It can be difficult remembering a lot of different passwords, especially good passwords. I strongly suggest you begin using a password vault. The best ones are Password Safe and KeePass, both of which run on Windows and Mac. The password generator feature creates strong, random passwords. The best feature of these password vaults is that they make it easier to use passwords: select the site you wish to log in to, push a button to copy your password, and paste the password into the password field.

The reason that unique passwords are powerful is this: if one site’s password database is compromised, none of the other sites you log in to are at risk, since the one site’s password is not used for any other site you use.

Let’s consider an example: you use Facebook, e-mail, and on your online banking site. Your Facebook password is compromised – the attacker uses your e-mail address (in your Facebook profile) and your password, and tries to log in to your e-mail. Since your passwords were the same, your e-mail account is now compromised. Next, the attacker tries to log in to several online banking sites, and finds yours – again, because you used the same password.

E-Mail Password Importance

The password to your e-mail account is especially important, because your e-mail is the key to establishing / recovering the ability to log in to many of your other sites. When you click “forgot password” or “forgot userid” on many sites, getting into those sites is often as easy as clicking Forgot Password or Forgot Userid, and then reading your e-mail to get your password or a link to reset it. An attacker who controls your e-mail controls nearly everything.

If you are not sure how to use Password Safe or KeePass, the sites (links above) have installation and user instructions. If you are still not sure how to proceed, write down good, unique passwords on paper and find a computer expert friend who can help you install Password Safe or KeePass, after which you can transfer your passwords into those programs.

Part 2: anti-virus

Include safe computing in your list of New Years Resolutions

The New Year is a time of reflection, and traditionally a time to consider changing one’s habits.

Our reliance upon computers and networks has exceeded our means to safely use and control them. Every computer user has some responsibility to make sure that their computer and use of the Internet does not introduce unknown and unwanted risks. By following these recommendations you will greatly reduce your risk to fraud, identity theft, and other risks related to Internet usage.

1. Change your passwords. Use strong passwords, which cannot be easily guessed by others, even those who know you. Do not share your password with any other person. If needed, store your passwords in a protected vault such as Password Safe or KeePass. I recommend you not use an online vault for password storage: if their security is compromised, so are your passwords.

2. Scan for Viruses and other malware. Configure your anti-virus software to scan your entire computer at least weekly. Make sure that your anti-virus software is checking for updates at least once per day. Also scan your computer with one of several online virus scanners at least once per month.

Panda: http://www.pandasoftware.com (look for the ActiveScan link on the home page)

Symantec: http://security.symantec.com/default.asp?productid=symhome&langid=ie&venid=sym

Trend Micro: http://housecall.trendmicro.com/

Kaspersky: http://www.kaspersky.com/virusscanner

CA: http://www3.ca.com/securityadvisor/virusinfo/scan.aspx

3. Block spam, and don’t open spam messages. The majority of spam (unwanted junk email) is related to fraud. Spam messages advertise fraudulent or misleading products, or lure you to websites that contain malware that will attempt to take over your computer (without your knowing it) and steal valuable information from you.

4. Get a firewall. If you use Windows, turn on the Windows Firewall. Ask your broadband service provider to upgrade your modem/router to one that contains a firewall (most newer modems / routers do have firewalls or other similar protection).

5. Remove spyware. Obtain a good anti-spyware program and use it to find and remove spyware from your computer.

6. Update your software. Obtain up-to-date copies of browsers and tools on your computer, as many older versions are no longer secure. This includes Firefox, Internet Explorer, Opera, Microsoft Office, OpenOffice, Java, and other programs.

7. Install security patches. If you are using Windows, turn on Automatic Updates, and configure it to automatically download and install security patches and updates.

8. Use separate accounts on shared computers. If more than one person uses your computer, set up separate accounts for each user. Make each user an ordinary user or power user, but never an administrator. Making each user an administrator makes the entire computer more vulnerable to malware (viruses, etc.).

9. Browse Safely. Change to Firefox and use the NoScript add-on. This is the only combination designed to block the new “clickjacking” vulnerability present in all other browsers. Also consider using Flashblock (works only with Firefox) if you want to control the use of Flash content in your browser.

10. Protect your wireless WiFi network. The old an still-common “WEP” protocol designed to encrypt your wireless traffic has been broken, and is no longer safe. Upgrade to WPA, even if it means buying a new wireless access point.

11. Back up your data. All kinds of bad things can happen, from mistakes to hardware failures. If you cannot afford to lose your data, then you need to copy it to a separate storage device. External hard drives and high capacity USB thumb drives cost well below US$100. You’ll be glad you did, sooner or later.

12. Encrypt your hard drive. Mostly important for laptop computers, but also important for desktop computers. The TrueCrypt tool is by far the most popular one available, and it’s free. If you don’t encrypt your data, then anyone who steals your computer can (and will) read all of your private data.

13. Check your credit reports. Fraud and identity theft can result in thieves opening new credit card and loan accounts in your name. They run up a balance and then never pay the bill, making that your problem instead. Consider a credit reporting service as well, which will alert you to inquiries and changes to your credit accounts, limits, and balances.

Annualcreditreport.com

Federal Trade Commission information on free credit reports

Equifax

Experian

Transunion

Recommended Tools:

Secunia Personal Software Inspector – free tool that examines your computer and alerts you to all of the unpatched and older versions of programs that need to be upgraded.

Password Safe – safe and secure storage of all of your Internet passwords. Also remembers userids and URLs.

NoScript – the only way to control third-party javascript and clickjacking. Works only with Firefox.

TrueCrypt – safe and free encryption of your PC’s hard drive.

WordPress improves password security

Submit:

I’m a big WordPress fan – it’s no secret. This week they implemented a great feature: a password strength meter for WordPress blog users.

Here’s how it works: when a WordPress.com blog owner sets or changes their password, WordPress shows a meter that indicates how strong the password is. Here’s what it looks like:

Another reason to avoid default passwords

Submit:

Avoid using a “standard” password for your web sites and applications.

Yes, I admit it. I’ve used a few ‘easy’ (still complex but easily remembered) passwords for many of my non-financial web site logons.

Today, I went to a photo sharing site to view a friend’s wedding photos. It’s one of those sites that requires that you register before viewing anyone’s photos. I clicked the ‘create new account’ link and put in my e-mail address; the site told me that I already had an account. I clicked the ‘forget your password?’ link, since I didn’t have a record of this site in my password vault.

A few minutes later, the web site e-mailed my password to me. I saw that they e-mailed my password to me in the clear, but more disturbing was that the password they e-mailed to me was the password that I use for several web sites.

See these other tips about password management:

Use Password Safe to manage passwords

Store passwords in your browser? I don’t think so

Passwords: size really does matter

Store passwords in your browser? I don’t think so

IE and Firefox both permit you to store web site credentials for automatic re-use. Such a feature makes it more convenient for users to sign on to frequently-used web sites without having to type in a password every time.

I recommend you NOT do this.

In my opinion, use of a browser for storing and managing web site credentials is risky business. A browser is a virtual terminal that is used to access web applications, some of which contain malicious code. Such malicious code has little distance to travel between a browser and its stash of stored passwords.

In fact, already such exploits have been written in what are called “Reverse Cross Site Request” attacks, in which a fake login site fools the browser’s password manager into automatically providing login credentials.

And here is an article that explains these vulnerabilities further:

http://www.technewsworld.com/story/54413.html

Instead of using browser-based password managers, I suggest you use a separate encrypted password vault such as Password Safe.

Passwords: size really does matter

Submit:

I’ve found a good article that rationalizes (and, in my opinion, proves) that long passwords are stronger than complex passwords. Here is an excerpt:

The conventional thinking is that the additional complexity presents such an increased workload for the hacker that complexity is the holy grail of password hacking prevention. After all, conventional wisdom says that all the good Web sites require complexity. Heck, a Microsoft Windows log-on password requires complexity. Every new password policy I read requires complexity — but gives scant consideration to the equal (or better) importance of longer password length.

They’re all wrong! Character-for-character, password length is more important for security than complexity. Requiring complexity but allowing passwords to remain short makes passwords more vulnerable to attack than simply requiring easier-to-remember, longer passwords.

Link to article here:

http://www.infoworld.com/article/06/07/21/30OPsecadvise_1.html

Use Password Safe to manage passwords

If you have several online services accounts (e-mail, banking, etc.), then you are probably challenged with the task of remembering all of your different userids and passwords.

• Surely you are NOT using the SAME password on all of these sites, God forbid!)
• I hope that you are NOT storing them in an Excel worksheet (even if it’s password protected)
• Maybe you have them written down, but NOT somewhere that is easily found by others

I recommend you use the Password Safe tool to store and manage your passwords. Password Safe, originally developed at Counterpane, is now open source at Sourceforge.

Some of the features and advantages of Password Safe are:

• Password vault encrypted with AES, making it impervious to attack, even by determined individuals.
• Comes with a good password generator that you can use when starting a new account or changing a password on an existing one.
• Once in place, you need not ever see your password, which is handy if you are logging in when others are watching (“shoulder surfing” will no longer be a useful attack).
• Password safe also remembers your URL, so you can also go to the site with a single click.
• It copies your userid and password into your clipboard for easy pasting into your login screen (whether for a web browser or client application). You can also clear your clipboard easily if you’re concerned about that.
• Permits you to arrange your accounts by category, making them easier to find if you have a lot of them (like me).

Here are some screen shots (click to enlarge):

…..

Download Password Safe here:

http://sourceforge.net/projects/passwordsafe