Password Managers

7 February 2017

LastPass screenshot

I am constantly surprised that ordinary people don’t use password managers. I would expect most security professionals to use them, but even there I find many do not use a password manager.

So what is a password manager? Basically it is a database that stores usernames and passwords for you. The data is encrypted with a master password, so you do have to remember that one password. When you visit a site or start an application that needs a password, the password manager fills in the credentials for you.

Why is this better than what I do at the moment? If you don’t use a password manager then you must be doing one of the following:

1. Use the same password, or a small set of passwords on many sites.

This is a bad idea, mostly because if one of those sites is compromised then you will need to change your password on all the sites where you have used it. Can you remember all of those sites? How long will it take you to do that?

2. Write passwords down.

Actually this is not too bad, as long as you look after the password book. You can do some things to make sure that if the book is stolen it doesn’t immediately compromise all your passwords. But if you lose that book, how do you go about changing your passwords?

3. Use an algorithm to generate the password for each site.

It could be paper based, something you can remember and do in your head, or a combination. Usually you use the domain name of the site to work out your password. The problem here is that if a site is compromised you have to change your password for it; after a few of these you have a long list of exceptions or alternative methods for passwords, and it soon becomes unmanageable.

Software to the rescue.

So the answer is to use password safe software. There are a number of systems available. I recommend both LastPass and KeePass. LastPass is internet based and implemented through a browser plugin, whereas KeePass is an application you run locally on your machine.

Both allow you to store usernames, passwords and the URL of the login page. Both have a master password to encrypt the password store, and only decrypt the password in memory on the local machine.

KeePass has a local database, but this can be synced with other machines via Dropbox, Google Drive, OneDrive, or even SFTP. Because the database file is encrypted at rest and only decrypted in memory on the local machine, syncing the file through a third party is safe. KeePass is open source and there are clients for all desktop operating systems, and some mobile ones as well. There is a huge range of extensions to extend the basic functionality.

I personally use LastPass, but I also regularly export my keystore and import it into KeePass so I have a backup.

So why is this good?

1. You have a different password on every site. If you don’t have this when you start, you can progress towards it. Because you only have to remember one password, there is no effort in having a different password for every site.

2. You use long, randomly generated passwords. These systems will generate a new password for you, so you may as well make it long and complex as you don’t have to remember it. And that makes you much more secure. So when you set up a new account or change an existing password, generate it randomly and make it 16 characters long (if the site accepts this).

3. Your password manager checks the domain you are visiting and will only enter the amazon password into the page at not

4. Use your password manager as your bookmarks: if you need to visit your bank, select it in the password manager and it will go there and log you on.

5. Use your password manager to store password recovery information. Because you are using a password manager you don’t need to be able to recover a forgotten password, but some sites insist on this. Never answer the security questions with the correct information; if they want your mother’s maiden name, put something random in there and store it in the password manager, otherwise it may be possible to have your account taken over using the password recovery process.

6. You can use this to store and auto-fill other sensitive information like name, address, credit card numbers etc. This avoids storing cards on a website, where they may be compromised. And because it is automated, it is just as fast as having the website store the data.
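The two mechanisms points 2 and 3 rely on, random generation and filling credentials only on the matching site, are easy to show in a few lines. The following is an added example written for this post; it is not code from LastPass or KeePass, and the vault entries in it are constructed. It deliberately leaves out the at-rest encryption a real manager performs with a key derived from the master password, and it adds one rule of its own as an assumption: credentials are never filled on a plain http page.

```python
import secrets
import string
from urllib.parse import urlsplit

# Constructed sample vault: the kind of record a password manager keeps.
# Entries are keyed by the site's registrable domain. A real manager would
# store this encrypted under a key derived from the master password.
VAULT = [
    {"host": "amazon.com", "username": "shopper@example.com",
     "password": "constructed-example-1"},
    {"host": "example-bank.com", "username": "alice",
     "password": "constructed-example-2"},
]

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=16, alphabet=ALPHABET):
    """Return a random password from a CSPRNG (the secrets module), guaranteeing
    at least one lower-case, upper-case, digit and punctuation character."""
    if length < 4:
        raise ValueError("length must be at least 4 to hold all four classes")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def host_matches(page_host, entry_host):
    """True if page_host is the stored host or a subdomain of it.

    Matching is on whole labels, never substrings, so look-alikes such as
    amaz0n.com, notamazon.com or amazon.com.login-help.example do not match
    an entry for amazon.com."""
    page_host = page_host.lower().rstrip(".")
    entry_host = entry_host.lower().rstrip(".")
    return page_host == entry_host or page_host.endswith("." + entry_host)


def credentials_for(url, vault=VAULT):
    """Return the (username, password) to auto-fill for url, or None.

    Only the host part of the URL is consulted; the path and query are
    irrelevant. Filling is refused on non-https pages (an added rule that
    is this example's own assumption)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    host = parts.hostname or ""
    for entry in vault:
        if host_matches(host, entry["host"]):
            return entry["username"], entry["password"]
    return None


if __name__ == "__main__":
    print("new 16-char password:", generate_password(16))
    for url in ("https://www.amazon.com/ap/signin",
                "https://amazon.com.login-help.example/signin",
                "https://amaz0n.com/",
                "http://www.amazon.com/"):
        print(url, "->", credentials_for(url))
```

The point the domain check makes is that the decision to fill is taken on the host name the browser actually connected to, not on what the page looks like; a convincing copy of a login page on another domain simply gets nothing.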

So if you have read this far you should be totally convinced and ready to start using a password manager now. Well done.

Cracking the Hacking Team

6 July 2015

The somewhat notorious Hacking Team seem to have been subject to an attack using their own tools. This points to the use of poor passwords, and to reusing passwords on multiple systems.

The other lesson here is to have tools looking for exfiltration of data, at least to detect when something has gone wrong.

We should be able to learn something here…

“Hacking Team appears to have committed two of the classic mistakes in security: Never use simple passwords and never reuse passwords. For a security company that’s this high profile, there’s no excuse for these sins. We don’t know yet how the attackers got into HT’s systems, but given the poor passwords that have been revealed in the documents, it could have been as simple as brute-forcing the passwords on a few systems,” Martin McKeay, Akamai senior security advocate, commented for Help Net Security.

“The other major mistake made by HT was not noticing that 400Gb of data was leaving their systems. Extrusion detection for an organization that specializes in malware and monitoring should be one of the defenses they concentrate on, because it’s what other people would use to detect their tools. Expect your tools to be used against you is a basic warfare tenet.”

And I have now fallen into the trap of the misuse of the word “Hacking” in a negative context.

Article on IMSI Catchers and Stingrays

24 April 2015

I have been helping a proper journalist, Brady Dale, write an article on the use and abuse of Stingrays and other IMSI catchers. It turned out quite well. It is up on Motherboard.

Internet Survey

27 March 2013

You may have heard of this elsewhere. This is a grey hat report from an anonymous individual who used a botnet to survey the entire IPv4 address space and perform a port scan on every one of those IP addresses.

In summary, he delivered his scanning software to 30 thousand machines that exposed a telnet port (23) and accepted a logon of root/root, root/(blank), admin/admin, admin/(blank) or even (blank)/(blank). There were many more of these devices, but this was sufficient for his requirement of scanning the entire IPv4 range in about 3 hours.

The main implication from this is that these hosts could be used for DDoS and other botnet activities. One would speculate that there may be an increase in this type of activity going forward.

iPM Interview

10 July 2008

I’ve just had an interesting conversation with Chris Vallance of the BBC iPM program. We were talking about my blog post on the changes to the interception of communications. He was very thorough in going through all the aspects of the proposals. I had to make lots of “no comment” on his questions, but hopefully there is enough that he can use to make an item for the show. I’ll keep you posted.

Surveillance Society

22 June 2008

We are steadily moving towards the surveillance society, where our every action is recorded, analysed and may be used against us, just as George Orwell predicted.

In the UK the level of surveillance is about to increase vastly through the removal of small but key parts of the process. The Home Office is proposing a central database, fed by probes located in the communications networks, to replace the current system of requesting Communications Data from the ISP or telco.

At the moment this information is available to the police and a long list of other agencies, but they need to request it from the operators. The operators in turn have a responsibility to ensure that the requests are fair and reasonable, and that the information provided is accurate. At the moment a request has to be for the communications activity of an individually identified person, who can be identified by a name, an IP address, a phone number etc.

They cannot make non-targeted requests. Of course they can make multiple requests in a single investigation: who did this person call, then in turn the traffic of all of those people, and so on. Then there is the requirement under RIPA that the communications providers make sure that the requests are properly authorised and reasonable. So there is someone looking at these requests who is not employed by the government, and who can refer to the Interception Commissioner if they feel the requests are unreasonable.

Despite huge deployments of CCTV there is little evidence that it helps deter crime. The Home Office’s own reports say that street lighting is more effective in reducing crime than CCTV.

Bill Thompson commented on this in his blog on the BBC technology pages.

The spaces within which we can live unobserved are constantly diminishing, as both public and private sector agencies link their databases together or co-operate to ensure that nothing we do goes unremarked.

We need a space for experimentation, where we can test the limits of old laws and explore how they might be altered in future, but once ISPs decide that they are no longer neutral carriers of bits and choose to ally themselves with the content industry then we lose another sliver of freedom.

I am concerned about the society we are building, where parents monitor their children’s internet activity and track them to and from school, where employers do the same to their staff, and where the government monitors its citizens in the name of preventing terrorism but in fact uses the systems to detect benefit fraud.