Secure password storage. How to create strong passwords and store them wisely

The two most important practices, neglected by many users who keep their passwords in their heads or on paper, are using a separate password for each service and giving up simple, easy-to-remember passwords. Software that makes this practical exists in considerable quantity and of varying quality:

KeePass, eWallet, LastPass, 1Password, RoboForm.

KeePass Password Safe

The first contender is the open-source password manager KeePass. It is free and distributed under the GPL v2 license. It exists in two main versions: the “old” 1.x, which works only under Windows, and the “new” 2.x, written for .NET, which also runs under Mono on OS X and Linux. Both versions are also available as portable builds. There are also third-party programs that work with KeePass databases, for example KeePassX for Linux and Mac OS X.

The password database is encrypted with AES-256 and stored in a single file that can be synchronized in any convenient way: Dropbox, a flash drive, or anything else. The key derived from the master password can be put through a configurable number of transformation rounds, which increases the time needed to decrypt the database and therefore its resistance to brute-force attacks. Some clients on other platforms can open databases in Dropbox directly (for example, KyPass on iOS). Version 2.x databases are not backwards compatible with 1.x, which causes problems with the many third-party programs that only understand the old format (although the new version can export a database in the old format).

KeePass has a built-in AutoType feature that automatically enters passwords into browsers and other programs. KeePass also has many plugins which, among other things, provide tighter integration with all major browsers (IE, Firefox, Chrome) and add many other functions.

As mentioned above, thanks to the openness of KeePass, a lot of software has been written for various platforms. On mobile devices there are KeePass clients for the following platforms: iOS, Android, WM Classic, Windows Phone 7, BlackBerry, and J2ME. More detailed lists of plugins and third-party software are available on the KeePass website.

eWallet

eWallet is a paid password and personal information manager from Ilium Software. It comes in versions for Windows and Mac OS X ($9.99) and also has clients for iOS, Android (viewer only), BlackBerry and Windows Mobile Classic.

As with KeePass, the database file is encrypted with AES-256. Data is stored locally; eWallet does not provide cloud storage.

Database synchronization between desktop computers is only possible through manual transfer. Synchronization of the Windows version with mobile clients on WM Classic and Blackberry occurs using built-in platform synchronization (ActiveSync and BlackBerry Desktop, respectively). Synchronization of the Mac version with the iOS version is possible via iTunes and Wi-Fi.

The Windows version of eWallet integrates with Internet Explorer, Firefox and Chrome browsers. The OS X version only offers Safari integration.

1Password

1Password is a popular Mac OS X solution from AgileBits for storing passwords, software licenses and other personal information. A version for Windows was recently released, and a native client for iOS is also offered. The program is quite expensive: the Windows and Mac OS X versions cost $39.99 each, or $59.99 for both together; the iOS version is available in the App Store for $14.99. A read-only application for Android is distributed free of charge.

All versions of 1Password have a built-in database synchronization function using the Dropbox service. This functionality is optional; the default database is stored locally. The database is encrypted with AES-128. Built-in integration with browsers and operating systems prevents passwords from being leaked through keyloggers.

1Password for Mac integrates with Safari, Firefox, Chrome, and Camino out of the box. The Windows version integrates with Firefox, Chrome and IE. Also, both versions of 1Password offer a convenient interface for using stored information in any other applications (including the AutoType function, similar to KeePass).

In addition to integration with different platforms, 1Password provides another unusual way to access its database. The password store (the Agile Keychain) is a set of files, one of which is an HTML file with a full-fledged interface for working with the database that can be opened in any browser on almost any device.

RoboForm

RoboForm is one of the oldest programs on this market and the only one that still has a working version for Palm OS and Windows Mobile 2003. The free version, RoboForm Free, is available for Windows and Mac OS X but is quite limited. The paid RoboForm Desktop ($29.95) removes many of the restrictions. The most interesting option is the RoboForm Everywhere package ($19.95 per year), which offers full use of the desktop versions for Windows and Mac OS X, plugins for full integration with Firefox and Chrome, and automatic cloud synchronization of databases between all versions.

The RoboForm database is encrypted using the AES-256 standard, and in all versions of the program it is stored on the local computer. When using RoboForm Everywhere, the database is also located on RoboForm servers.

In addition to the main versions, RoboForm offers applications for a variety of mobile platforms. These include iOS, Android, BlackBerry, Windows Mobile (6.x, 5, 2003, and even Pocket PC 2000 and 2002), Palm OS and Symbian. Versions for iOS and Android support cloud synchronization and require a subscription to RoboForm Everywhere. All other mobile versions are synchronized with desktop versions using additional software.

RoboForm is also one of only two programs in this review with a separate plugin (two of them, in fact) for the Opera browser on Windows, Mac OS X and Linux.

LastPass

LastPass is a fairly well-known cloud password storage service. The basic version of LastPass is free; the premium package costs $1 per month.

LastPass has perhaps the widest range of features in this review. The service is available on Windows, OS X and Linux on all major browsers (IE, Firefox, Chrome, Opera, Safari). A version of LastPass for Apps is also available on Windows, allowing you to automatically store passwords for any application. Password database management is also possible through the web interface on the LastPass website. For Windows there is a Portable client with the ability to download the database for backup storage and offline use.

Since LastPass is a cloud service, the database is always stored on LastPass servers, so synchronization as such is not required. Along with convenience, storing the database on servers also carries a risk: LastPass was reportedly hacked recently, and the service's owners suggested that many customers change their master passwords. The LastPass database, like most other programs in this review, is encrypted with AES-256.

LastPass offers a wide range of clients for mobile devices: iOS, Android (with additional applications for Dolphin HD and Firefox Mobile browsers), WM Classic, Windows Phone 7, BlackBerry and HP/Palm WebOS. All mobile versions of LastPass (except iPad) require a LastPass Premium subscription.

Today we will talk about passwords. More precisely, we will consider where to store passwords for their maximum security and how to store passwords so that they do not fall into the hands of fraudsters.

Losing passwords, or worse, having them stolen, is a huge loss. If certain rules are not followed, this can happen not only to those connected to the Internet; it can even affect people who are not online at all. To avoid having passwords stolen, you need to store them correctly and not enter them just anywhere. Let's look at a few rules for storing passwords successfully.

1. Delete e-mails that contain any personal data: logins, passwords, etc. Naturally, before doing this you need to write them down somewhere. You can create a special notebook for this purpose and write down all your logins and passwords for various sites there.

2. Delete SMS messages from your phone, which also contain passwords, activation codes, and various keys from the sites where you registered. Of course, this data also needs to be written down in some safe place first.

3. Change all your passwords. This is good protection against hackers. It is best to use different passwords everywhere: one password for mail, another for a social network page, and so on. Use both letters and numbers in passwords; a password like pass777my91102 will be almost impossible for an attacker to guess. Do not use numbers taken from your life as a password: phone number, car number, date of birth, and so on. Time has shown such passwords to be very unreliable.

4. After you leave any site where you were logged in, click the “Exit” button.

5. It is not recommended to tick boxes such as "remember password" or "stay signed in" when logging in. By leaving a checkmark there, we are telling the browser to remember the password. And if our passwords are stored in the browser, there is no guarantee that someone else won't learn them tomorrow; there is a virus for every program. To avoid this, it is better to go into your browser settings right away and disable the function that remembers passwords and stores them in its database.

6. Don't use special programs that store passwords. There is no guarantee that one day they will not be handed over to third parties.

7. Now a little about where to store passwords: on the computer, or is it better to keep a notebook for this purpose? Of course, the second option is much better, or rather more reliable. We get a special notebook or notepad and write everything down there.

For example, you can write this in the notebook:

Website: vkontakte.ru
Login: sergey2012
Password: pro999pass911

Another option is to print out passwords. Save them in Word and print them onto sheets. And to store these sheets, create a special folder.

If you still want to store passwords on your computer for some reason, for example because you constantly need quick access to them, then the file where you keep them must be properly disguised and hidden. You can create a text file in Notepad and paste all your passwords into it. This file needs to be given some uninteresting name so that it does not attract attention, and tucked away somewhere on the computer. But the best option is still to store personal data offline.

I hope the above tips will definitely be useful to you, and you will now store your passwords as correctly as possible and they will never run away from you! Happy password saving!

The Internet has firmly entered our lives. All of us, even people who are not at all close to IT, use a large number of different services, from mail to social networks. Almost all services require registration. And to stay secure, you need to use different passwords consisting of many characters. Most people who use the Internet are aware of the requirements for secure passwords. But here one small problem arises: how to remember all these many passwords?

Recently I asked myself this question. Losing, for example, an email account would be very tragic for me. Write the passwords to a file? There is a risk of giving away all your accounts at once. Write them down on paper? There is a risk of losing the piece of paper and, as a result, all the passwords at once. Plus, I thought about having my passwords available anywhere in the world. And then I remembered my favorite editor, Emacs, and in particular Org-mode and EasyPG. I won't describe how to work in Org-mode; that has been done before me (links: ; Org-mode Guide).

So what's the trick? It is all elementary. Instead of a filename.org file, create a filename.org.gpg file. Emacs will automatically open the file in Org-mode. Then write the password into this file; it is better to use a password generator (for example, I use a one-liner in bash: $ LC_ALL=C tr -dc 'a-zA-Z0-9!@#$%^&*()' < /dev/urandom | fold -w 25 | head -n 1), and, of course, do not forget to note what the password and login are for. Then just save the file. Emacs will offer you a choice: select a key for asymmetric encryption, or click OK for symmetric encryption with a password. Here it's up to the user, but I prefer symmetric, because one of my requirements was access to the file not only from my home computer, and I don't really like carrying a private key around with me.

But here a new problem appears: you need to remember the password for the encrypted file. And again, we simply cannot afford to use a simple password for this file: there is too high a chance of losing it, especially if you constantly carry a copy of the file with you on a flash drive. So we are back to the problem of remembering this password. But there is a way out. If we cannot remember the password, we need to make sure that we can recover it. And this is done simply: we take an excerpt from any book, for example one paragraph, place it in a text file, file.txt, and calculate the MD5 or SHA1 of that file:

    $ echo "any passage of text from any book" > file.txt
    $ md5sum file.txt | fold -w 10 | head -n 1
    95584f1920
    $ rm file.txt

As a result, we get a securely encrypted text file with strong passwords. You can copy this file to a flash drive and carry it with you, or copy it to a remote machine reachable over the network, which makes the passwords available anywhere in the world. And if we forget the password for this file, we can always recover it with little effort. Another plus is that Emacs is cross-platform. And even without it, .org files are plain text, so we can decrypt the file with the gpg utilities and open it in any text editor. And finally, in this way you can store any private information.
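The two shell steps above, as an added example that is not from the original post: the password generator made length-safe (the post's `head -1` before `tr` stops at the first newline byte of /dev/urandom and can return fewer characters than asked), and the passage-hash recovery with whitespace normalised so that retyping the passage with different line breaks gives the same passphrase. sha256sum stands in for the post's md5sum; the character set is the post's.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumptions: GNU coreutils
# (tr, head -c, sha256sum, cut) and a readable /dev/urandom.

# gen_password LENGTH: print LENGTH random characters from the post's set.
# `head -c` takes exactly LENGTH filtered bytes, so the output length never
# depends on where the first newline byte happens to fall in /dev/urandom.
gen_password() {
    LC_ALL=C tr -dc 'a-zA-Z0-9!@#$%^&*()' < /dev/urandom | head -c "$1"
    echo
}

# passage_passphrase TEXT [HEXLEN]: first HEXLEN hex digits (default 10, as
# in the post) of the hash of TEXT. Whitespace runs are collapsed to a single
# space and trimmed, so a passage retyped with different line wrapping, extra
# spaces or a missing trailing newline still reproduces the same passphrase.
passage_passphrase() {
    printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//' |
        sha256sum | cut -c1-"${2:-10}"
}

# Demonstration on a constructed passage: both calls print the same value.
passage_passphrase 'It was the best of times, it was the worst of times.'
passage_passphrase 'It was the best of times,
    it was the worst of times.  '
gen_password 25
```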

Of course, I am not saying that this method is the only and correct one. But for me this method turned out to be very convenient. I hope it will be useful not only to me. Take care of your passwords. ;^)

According to the book Rock Breaks Scissors, every hundredth password in the world is a combination of qwerty, password, 123456 or 12345678. With this in mind, Dashlane's statistics that more than 2.5 billion accounts were hacked last year no longer seem so exaggerated.

Perhaps it’s time to stop neglecting basic information security rules and finally set strong passwords? Now Lifehacker will teach you how to create combinations that would take thousands of years to crack, and how to store them safely.

What should be a strong password?

Once upon a time, a password like Pa55w0rd was considered acceptable. Now such combinations are cracked instantly. Later, special characters were added to the recommendations for creating strong passwords, but that has not helped for a long time either: the combination P@$5w0rd is cracked in a few hours.

You can check the strength of your passwords on a site like How Secure is My Password. If you are afraid that this service will take away your accounts, simply enter similar combinations instead of real ones.

The main value of such a service is that it lets you understand what exactly affects the strength of a password. Start lengthening your combinations by adding extra symbols and watch how the estimated cracking time changes.

It turns out that the longer the password, the stronger it is. Brute-forcing a simple but long combination of 12 random digits and letters will take 24 years. Add just one more character and it will take an attacker a thousand years; 14 characters, 42 thousand years; 15 characters, 2 million years. A password of 16 letters and digits takes 74 million years to find. All that remains is to wish the crackers good luck and patience.
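As an added example, not from the Lifehacker article, the following Python script applies the reasoning above: it reverses common "leet" substitutions so that Pa55w0rd and P@$5w0rd are recognised as the dictionary word they are, estimates entropy and average cracking time for random 12- to 16-character passwords, and includes a `rounds` factor modelling the key-transformation rounds mentioned in the KeePass review earlier on this page. The guess rate, the tiny wordlist and the substitution table are assumptions chosen for illustration.

```python
"""Entropy and brute-force time estimates for the passwords discussed above.
Added example, not from the original articles; the guess rate, the tiny
wordlist and the substitution table are illustrative assumptions."""
import math
import string

# Constructed wordlist; a real checker loads a large breach/dictionary file.
WORDLIST = {"password", "qwerty", "123456", "12345678", "letmein"}
# Reverse common "leet" substitutions so Pa55w0rd and P@$5w0rd both become "password".
LEET = str.maketrans({"@": "a", "$": "s", "5": "s", "0": "o",
                      "1": "i", "3": "e", "4": "a", "7": "t"})
GUESSES_PER_SECOND = 1e11  # assumed offline rate against a fast, unsalted hash


def alphabet_size(pw: str) -> int:
    """Size of the character set an attacker has to search for this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # the 32 ASCII symbols
    return size


def entropy_bits(pw: str) -> float:
    """Search space in bits: len * log2(alphabet) for a random password, but a
    dictionary word with substitutions is only tried word-by-word with a set of
    mangling rules, modelled here as log2(wordlist) + one bit per character."""
    if pw.lower().translate(LEET) in WORDLIST:
        return math.log2(len(WORDLIST)) + len(pw)
    return len(pw) * math.log2(alphabet_size(pw))


def crack_seconds(pw: str, rate: float = GUESSES_PER_SECOND, rounds: int = 1) -> float:
    """Average time to find pw: half the search space at the effective guess rate.
    `rounds` models key-transformation rounds as in the KeePass review: every guess
    costs that many cipher operations, so the attacker's rate drops by that factor."""
    return 2 ** entropy_bits(pw) / 2 / (rate / rounds)


def human(seconds: float) -> str:
    """Format a duration the way the article quotes them (years, days, ...)."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for pw in ("Pa55w0rd", "P@$5w0rd", "pass777my91102",
               "a1B2c3D4e5F6", "a1B2c3D4e5F6g7H8"):
        print(f"{pw:18} {entropy_bits(pw):6.1f} bits  {human(crack_seconds(pw))}")
```

Each extra character multiplies the random-password search space by the alphabet size, while the leet-mangled dictionary words collapse to a few bits regardless of how many symbols they contain.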

How to create strong passwords

Obviously, even a very long combination consisting only of ones is cracked in no time. The hardest thing to guess is a mathematically random set of symbols, but the human brain is bad at producing them. Trying to come up with something complex yet easy to remember, we inevitably turn to dates, events and similar well-known combinations.

Simply put, humans think predictably, but special machine algorithms can generate truly random combinations.

Password Generator from Random.org is great for creating long, strong passwords.

Pay attention to the facts and tips posted on the service page:

  • Generated passwords are transmitted to your browser via a secure protocol.
  • Generated passwords are not saved on the service servers.
  • Using online services is suitable for generating passwords for something not too important.
  • Never use online services to generate passwords for critical accounts.

It turns out that you still need to come up with the most important passwords yourself.

How to store passwords

The problem with long passwords is that they are difficult to remember. It is unlikely that you can keep in mind a couple of dozen combinations consisting of 14 or more characters and including special characters.

The solution may be to use a special storage application. Roughly speaking, this is a digital secure safe in which all your passwords are stored. To open the safe, you need a master password. Accordingly, instead of dozens of combinations, you will need to keep in mind only one, which opens access to all the others.

With this approach, it is important to remember the chain rule, according to which the reliability of the entire system is equal to the reliability of its weakest link. Simply put, the master password should be really complex and long, and it should be protected with special care.

If you don’t trust applications at all, then try “Password Card”.

This is a card with a set of characters that you need to print, and then independently develop an algorithm for creating passwords that you understand.