Protect Your Passwords — Part 1

Quick! Can you remember all the user names and passwords that you’ve used
at every Web site where you’ve ever registered?

I’ll bet you can’t. But it’s no shame not to remember all these things off
the top of your head. No one can.

That’s why people write their passwords on Post-It notes and stick them on
their monitors. And it’s why Web browsers such as Internet Explorer and
Firefox offer to “help you” remember your passwords — which means that
anyone who borrows or steals your computer can log on and impersonate you
at any of the “memorized” sites.

Fortunately, the plunging cost of memory has given rise to a possible solution
to the password-recall problem: store your user names and passwords on a
removable USB Flash drive. You protect the device with a single, “master”
password. All you have to do is remember that one code to access all the
passwords you’ve stored.

Is this solution good enough for serious use? Let’s look at the problem and see.

Your Oh-So-Helpful Browsers

The rise of the Internet and corporate intranets was the impetus behind
the “browser paternalism” of passwords:

• Internet Explorer.
Microsoft’s browser, known affectionately as IE, years ago began offering
an “AutoComplete” function. This feature offers to remember IDs and passwords
that you type on your keyboard. IE stores them in an encrypted file.
In theory, those passwords are made available only when the person who stored
them is logged on to Windows under his or her own account name (such as
Brian123 or whatever).

The problem with this is not just that anyone can walk up to your PC in
your absence, look through IE’s history, and then log on as you at any
password-protected site. Much worse is the fact that, even if you’ve logged
off your Windows account, anyone can run a simple utility and read IE’s
“encryption-protected” file to discover your passwords.

One of the best-known makers of password-reading software is
ElcomSoft Co.
Ltd. This programming firm, located in Moscow, Russia, was
acquitted of criminal liability in December 2002 for
cracking the password protection of Adobe PDF files.

The company’s Advanced Internet Explorer Password Recovery utility,
according to Computer Associates’
Spyware Information Center, coughs up the passwords saved
by every version of IE from 3.0 to 6.0 (the current level). The software
sells for around $30 USD.

Oh, so you think, “We’ll just ban this utility”? Good luck. The info center
says there are some
720 different versions of password-revealing utilities
currently available.

I don’t mean to pick on IE. Crackers are also widely available to divulge
the passwords stored by Microsoft Outlook, VBA (Visual Basic for Applications),
Intuit Quicken, and
many other apps.

• Mozilla Firefox.
The new, free Firefox browser, developed by the not-for-profit Mozilla
Foundation, also offers to store user names and passwords that you enter at
Web sites you visit. To its credit, Firefox 1.0 can store this sensitive data
in an encrypted form that I don’t believe has been compromised.

Unfortunately, Firefox doesn’t encrypt your saved passwords by default but
leaves them wide open. You can only have your passwords encrypted if you take
steps to set a “master” password. (To do this in Firefox 1.0, click Tools,
Options, Privacy, Set Master Password.) Before Firefox will then provide your
passwords to a Web site or anyone else, the master password must be entered.

If you use a USB drive to store your passwords in a secure manner, as described
below, you can make your browser stop storing passwords on your hard disk.
To do this in Firefox, click Tools, Options, Privacy and turn off “Remember
Passwords.” In IE, it’s Tools, Internet Options, Content, AutoComplete and
turn off “Use AutoComplete for user names and passwords on forms.”

In a corporate environment, you can use Group Policy to prevent browsers from
storing login passwords. To do this for IE, set Active Directory to
“Disable AutoComplete for forms” and “Do not allow AutoComplete to save
passwords.”

The USB Flash Drive Alternative

Siber Systems Inc. released last month a software program designed to
eliminate the need (and the temptation) to store your user names and passwords
via your browser.

The company, which has published RoboForm password-management software for
desktop PCs for many years, is now shipping
Pass2Go.
The new program is a “portable RoboForm” that can execute within a USB Flash
drive or any other removable medium, such as Iomega Zip drives and even
rewritable CDs.

The new product has the following interesting features:

• Lack of Tracks.
If you store user names and passwords via Pass2Go on a USB Flash drive, the
computer you were using at the time loses access to those passwords completely
when you remove the Flash drive from its USB port.

• Transportability.
You can then insert the same Flash drive into the USB port of a different PC.
As long as you remember the master password you set, you can automatically
log in to your favorite Web sites on the second PC. Removing the drive, as
before, deprives the second PC of the passwords as well.

• Flexibility.
In addition to user names and passwords, you can use the Flash drive to
store e-mail contact information from Microsoft Outlook, bookmarks from
your browser, and other data that’s handy when you’re traveling.

Pass2Go can be licensed for $39.95 for a quantity of one, or $9.95 for
users who already own a $29.95 license for the desktop product, RoboForm.
Pass2Go, however, can be used for 30 days for free, after which (if you
don’t pay for it) it can still securely hold 10 passwords for up to two
different users.

At this writing, Pass2Go works only with Internet Explorer. That’s a problem
for users of Firefox and other alternate browsers, such as Opera, that are free
from IE’s
well-known security problems. Integration with those
applications is expected to be available in future versions of the password
utility, according to Andy Finkle, Siber Systems’ vice president of marketing.

The Real Deal For Login Security

Is software on a USB Flash drive really secure enough to use to access your
sensitive passwords on a computer at, say, an Internet café?

A Siber Systems
press release says, “Pass2Go can confidently be used at
Internet cafés, libraries, convention halls, airports, universities, or
even at work — anywhere people on-the-go have a computer with a USB port.”

In reality, just because your passwords are stored on a USB drive doesn’t
make it any safer for you to access a Web site from an Internet café or
other public location. Once you type the USB drive’s “master password,” a
Trojan horse program that’s running on the unfamiliar PC could capture every
screen that appears while you’re using a supposedly “secure site.”

“I would never recommend any product, even two-factor authentication, to be
used in an Internet café,” Siber Systems’ Finkle said in a telephone
interview.

Two-factor authentication is a stronger form of identification than a mere
password. The first factor is a physical device, such as a USB Flash drive.
This is combined with a second factor, typially a PIN (personal identication
number) or some other code that’s easy for a user to remember.

This dual approach may, in fact, be the key to using insecure PCs (such as the
ones at Internet cafés) to communicate securely with distant servers.

A Meeting Of The Minds

USB Flash drives are now available with a riot of identification methods.

There are tiny “stick” drives with fingerprint recognition, reliably providing
access to authorized users only.

Other Flash drives display a random number that’s derived from an internal
timer. The number can be used to log on to a server, which is synchronized to
the same time, only once. If an eavesdropper snatches the number, it’s useless
as a way to read the rest of the session, which is safely encrypted.

I’ll examine ways that specialized Flash drives can be combined with helpful
password-storage software in this space next week.