Password Managers: Software that can create and remember different passwords for different sites
Today’s Agenda: • Do your passwords measure up? • What makes for a good password? • Reconciling security and complexity with usability. • Comparison of popular password manager applications
Are you… • Using a single password for everything? • Using your pet’s name for a password? • Using your grandchild’s name for your p/w? • Using ‘password’ for your password? • Using ‘123456’ for your password? • Using your birthday for your password? If so, you are at risk!
Hacked! • Article in Nov. 2011 issue of The Atlantic by James Fallows • http://www.theatlantic.com/magazine/archive/2011/11/hacked/8673/ • Brought to the attention of NBCUG by member Susan Philibert • Tells the story of a real-life password theft and the difficulties that ensued.
Hacked! – Lessons Learned: • Any site that matters needs its own password • If you use an important password in two places, it is no longer a valid password • Any step up from ‘password’, ‘123456’ or your birthday or pet’s name is worthwhile • Problem – stronger passwords tend to be complex, hence harder to remember.
Microsoft’s Password ‘Do’s’ • Length – eight or more characters • Complexity – letters, numbers, punctuation, symbols • Variation – change passwords often • Variety – different passwords for different sites • Hackers steal passwords from poorly secured sites and then try using them in more secure environments (e.g. banks)
Microsoft’s Password ‘Don’ts’ • No dictionary words – ANY language • No common abbreviations or misspellings or words spelled backwards • No sequences or repeated characters, e.g. 12345678, 22222222, abcdefg, qwerty • No personal information – name, birthday, phone, driver’s license
Examples • Bad Password: Banana • Good Password: 5.ytT#0_xn0ATzQVN|_yeGk2+0vFC2]ndZ • Great, but who’s going to remember that, especially if you use a different p/w for every site????
Password managers…A little help remembering • Password managers ‘remember’ your passwords • Password managers allow you to use different passwords for each site • Password managers can generate strong passwords. • Password managers can link the site to the password and call it up automatically
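Added example (not part of the original slides, and not any product's actual code): a Python sketch of how a password manager's generator could apply the Do's and Don'ts above to candidate passwords. The function names, the reading of ‘complexity’ as letters plus digits plus punctuation, the tiny word list and the 4-character window are assumptions made for illustration.

```python
import secrets
import string

# Character classes from the "Do's" slide (assumed reading: all three required).
CLASSES = [string.ascii_letters, string.digits, string.punctuation]
# Constructed sample deny-list; a real check would use a full dictionary.
COMMON = {"password", "banana", "qwerty", "letmein"}
# Sequences to scan for: alphabet, digits, keyboard rows.
RUNS = ["abcdefghijklmnopqrstuvwxyz", "01234567890",
        "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def problems(pw, personal=()):
    """Return the list of slide rules that pw breaks (empty list = passes)."""
    found = []
    low = pw.lower()
    if len(pw) < 8:
        found.append("length")
    if not all(any(c in cls for c in pw) for cls in CLASSES):
        found.append("complexity")
    # Dictionary words, including words spelled backwards.
    if any(w in low or w[::-1] in low for w in COMMON):
        found.append("dictionary")
    # Any 4-character window that is a run (either direction) or one repeated character.
    for i in range(len(low) - 3):
        chunk = low[i:i + 4]
        if len(set(chunk)) == 1 or any(chunk in r or chunk[::-1] in r for r in RUNS):
            found.append("sequence")
            break
    # Personal information supplied by the caller (name, birthday, phone, ...).
    if any(p and p.lower() in low for p in personal):
        found.append("personal")
    return found


def generate(length=32):
    """Draw a password from the OS CSPRNG, retrying until it passes problems()."""
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not problems(pw):
            return pw
```

The generator uses `secrets` rather than `random` because passwords need an unpredictable source; the checker only rejects the patterns named on the slides and is not a measure of strength on its own.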
Comparing Five Applications • PassWordSafe – Elliott Alterman • LastPass – Ellis Miller • KeePass – Michael Sagaser • Ascendo DataVault – Jim Cason • Roboform – Wayne Maruna
Siber Systems is a privately-held company, incorporated in 1995 in the Commonwealth of Virginia, with offices in Germany, Japan, and Russia.
Roboform • Five versions: • Free trial – limit 10 passcards • Roboform Desktop for Windows – one-time buy, free minor updates • Roboform Desktop for Mac • Roboform Everywhere – use on multiple computers – free major updates – syncs to each PC you’ve installed. • Roboform2Go – extends Roboform Desktop or Roboform Everywhere to a portable USB drive
Cloud Storage Security • From Fred Langa’s column in the 3/22/12 issue of Windows Secrets: • “In the case of RoboForm (and most other well-known, Cloud-based, password-storage services), your data is stored on their servers in well-encrypted form. This means that even if someone hacks into RoboForm's servers, he'll see only strings of nonsensical characters — nothing plaintext.”
Cloud Storage Security • From Fred Langa’s column in the 3/22/12 issue of Windows Secrets: • “RoboForm and similar services don't store decrypted passwords anywhere on their Cloud-based servers. When data is transmitted between your device and their servers, it's sent and received in fully encrypted form. Someone successfully eavesdropping on your communication link will, again, see only a stream of gibberish — nothing plaintext. Encryption and decryption take place only when you command it, and only inside your local device.”
Cloud Storage Security • From Fred Langa’s column in the 3/22/12 issue of Windows Secrets: • “The final concern is the communication channel itself. Better services — including RoboForm — employ SSL encryption (just like most bank sites) to further protect all interactions with their password-storage servers.”