More on Passwords
August 25, 2012
In earlier posts I discussed how to make and remember good passwords to keep your online presence secure. These essays, like all of my “Safe Computing” series, were written to help the non-technical, even technophobic user cope intelligently with computer technology. The focus is on simplicity and ease of use, not technical depth.
In the previous articles I discussed creating long, secure passwords, and a methodology to make them memorable, so you won't have to write them down. I also discussed password hints, security questions, and so on, how they can be risky and ways to reduce that risk. In this article, I will discuss a specialized software password tool called a “Password Manager”. A password manager is simply a tool for keeping passwords in an electronic, encrypted form, to keep them accessible to the user without needing to remember them.
I have always rejected using a password manager, as a general rule, for a variety of reasons. Although I had not really investigated them at great length, I inherently distrusted them. Recently, Apple released their newest Mac Operating System called “Mavericks”, a key feature of which is an integrated password manager called “Keychain”. Looking at Keychain, I decided the time had come to learn more about this tool.
In general, a Password Manager is simply an encrypted file in which you store your passwords. The password to this encrypted file is then the only one you need to remember. Before we get to real password managers, and “Keychain” in particular, let us use a simplified, manual example to illustrate how they work.
Manual Password Manager
Most word processors, such as Word, Open Office and LibreOffice, have an option to encrypt a text file and put a password on it. For the sake of discussion, let us assume you create a simple text file containing your passwords. For each entry, you list the service name, i.e. the name of your bank, your account ID, and the password. Perhaps over time you have grown this text file to as many as 25 or 30 or more entries, all the passwords you use. You save this file and lock it using the word processor's password protection, using a simple, easy to remember password. Perhaps you keep the file on a USB Flash drive, or mini SD card that you keep in your wallet.
When you need to recall a password you have forgotten, you remove the micro-SD card from your wallet, insert it in the computer, and open the word processor file, entering your simple, easy to remember password. Then, file open and displayed on the desktop, you copy the forgotten password from the document to the web login screen. Once you have accessed the online service, you close the file and put the Mini-SD card back in your wallet.
A simple process, if a bit cumbersome. This is pretty much the same thing a password manager does, except it automates it a bit, and makes it more convenient. With that convenience comes a price, the compromise in security.
A password manager keeps your passwords in encrypted form. You only need remember the “key” password to access any service. This can make web access much more convenient. However, as wonderful as they are, they do have a dark side. If you opt to use a password manager, it is important to be aware of the weaknesses.
The first concern I have with any password manager is that it removes the incentive to actually remember the passwords. In Safe Computing #1 I described a methodology that makes even long and complex, very secure passwords easy to remember. If you follow my guidelines, you should have no need whatever to actually write them down. No tool will ever be as convenient or secure as a password safely stored in your brain.
Second, if you lose the key, or the file becomes corrupted, your passwords are lost. This means you need an alternative method to track and recover passwords. Because it is conventional wisdom that people will forget passwords, most web sites offer an easy way to recover a lost password, usually involving a series of “Secret questions”. The problem is, most of these rely on simple, easily discoverable facts about yourself. Your mother's maiden name, your first pet's name, and so on. In the 2012 election cycle, a leading candidate had his email illegally accessed by the competition based on this mechanism. The “secret question” was the name of his dog, which had been much in the news!
Even if your passwords are secure themselves, this alternative recovery method is probably not. You may, for example, choose to write your passwords down somewhere secret, such as a card in your wallet. Or the answers to your “secret questions” are easily guessed. Either way, any alternative method of recovering lost passwords is a risk in itself, so it is better to invest the effort up front creating passwords you can't forget, and accepting the risk of losing access if you were to forget. Fewer points of vulnerability.
Third, in an era of heightened awareness of government surveillance we must wonder whether some secretive organization has, wants or can easily gain access to our secret information. Perhaps you feel you are doing nothing illegal, so you feel no concern about such things. I would argue that it is not about protecting your “illegal activities”. It is about having an expectation of privacy. Just as you are probably doing nothing illegal in your bedroom, nothing that you are in any way ashamed of, you still draw the curtains, perhaps even lock the door, because you do not wish to be observed. Your perfectly ordinary, innocent bedroom activities should not be subject to observation or scrutiny by others, no matter how benign their motives might be. That is what is meant by “Expectation of Privacy”.
If you entrust your secret passwords to an encrypted system, you want to ensure that it is truly secure. This is, arguably, the prime weakness of password managers, and is especially of concern with entities such as Apple. Many companies have openly admitted that the government has forced them to compromise their systems by inserting back-doors and intentionally weakening encryption.
Fourthly, 5th amendment protections against self-incrimination have recently been held as protective against being forced to reveal passwords to your services and systems. However, if you are under scrutiny by some secretive agency and they can break the encryption to your password manager, there is no such protection. That is, simply put, they cannot legally compel you to reveal your passwords, but if they can find them some other way, they can use them. If those passwords reside somewhere in an accessible form, they are effectively available to anyone who wants them, if they have the resources, and the 5th amendment means nothing. Perhaps you have nothing so secret that you care whether the NSA reads them or not. Then again, perhaps you simply want to have a reasonable “Expectation of Privacy”.
AES is the government sanctioned encryption standard. AES using a 256 bit key is considered the most secure. According to its proponents, a file encrypted with AES 256 could not be broken using a powerful supercomputer in any reasonable timeframe. Hyperbolic claims exist that it would require more time than the expected lifespan of the universe. Maybe.
The NSA does not break powerful encryption by brute force using supercomputers. It breaks encryption by “cheating”, by forcing vendors to compromise the software by inserting back doors and holes in the encryption. The AES Encryption algorithm may well be as secure as claimed. In fact I am confident it is. However any vendor-specific implementation of AES may be more suspect.
There are other encryption standards. Since most of the efforts spent on breaking encryptions are obviously spent on AES, other encryptions might offer slightly less risk. Whatever encryption used, an open source implementation is essential to ensure it has not been compromised with a back-door or other inappropriate access mechanism.
On examining Apple's Keychain password manager, I was immediately horrified to learn that it defaults to a simple 4 digit PIN to secure the access. Obviously this is completely unacceptable. I find myself stunned, wondering what Apple was thinking! Fortunately, Apple does allow you to use other passwords. Even though it defaults to a 4 digit PIN, you can over-ride that. My concern is that this is such a bad decision, and many people will simply use the default instead of taking the trouble to define a better password. If you want a “real password” on your keychain, simply click on the “Advanced” button and enter your secure password. Make sure you are using a password you won't forget, as I have often advised, since Apple says they cannot recover a lost password.
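To put numbers on the gap between an AES 256 key and the secret that protects it, the following added example (not from the original post, and not Apple's implementation) times one key derivation and estimates the worst-case time to try every possible secret of several kinds. It assumes the encrypted file can be guessed against offline with no limit on attempts; PBKDF2-HMAC-SHA256 and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import math
import os
import time

# Assumed work factor for illustration only; not Keychain's actual setting.
ITERATIONS = 100_000


def derive_key(secret: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a human-chosen secret into a 256-bit key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=32)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of the given length over the given alphabet."""
    return alphabet_size ** length


def seconds_per_guess(samples: int = 3) -> float:
    """Measure how long one key derivation takes on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"sample{i}", salt)
    return (time.perf_counter() - start) / samples


# Constructed categories of secret; the last row is the cipher key itself.
SECRETS = {
    "4-digit PIN": keyspace(10, 4),
    "8 lowercase letters": keyspace(26, 8),
    "16 mixed printable characters": keyspace(94, 16),
    "random 256-bit AES key": 2 ** 256,
}


def report(per_guess=None):
    """Return (label, bits of entropy, worst-case seconds) for each category."""
    per_guess = per_guess or seconds_per_guess()
    return [(label, math.log2(space), space * per_guess)
            for label, space in SECRETS.items()]


if __name__ == "__main__":
    for label, bits, secs in report():
        years = secs / (86400 * 365.25)
        print(f"{label:32s} {bits:6.1f} bits  {years:.3g} years worst case")
```

The file is only as hard to open as the weakest row that unlocks it: with a 4-digit PIN, the strength of the 256 bit key never comes into play.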
The second concern I had with Apple's Keychain password manager is that the system synchronizes stored passwords via the cloud, specifically Apple's iCloud service. Apple claims that the passwords are not stored in the “cloud” but only locally. Since Mavericks rolled out, various security researchers are saying that Apple's claim of storing passwords only locally is proving false. I consider the claims and counter-claims undecided at the moment; nonetheless, trusting the security of syncing across the cloud is a somewhat questionable tactic in my mind. Perhaps there are ways to do it securely, but I remain a bit wary.
Keychain automates filling in passwords on web pages. This is convenient, as long as you use Apple's Safari browser. How extensively they will support other browsers is uncertain, but neither Firefox nor Chrome at the moment seem to be supported. Admittedly it is new and may only need an update to these alternative platforms, but at this moment the system appears limited. Further, if Keychain automates this trivial task, you have no real incentive to remember the passwords, or to take the effort to create passwords that can be remembered.
Keychain uses AES 256 encryption for stored passwords. That should be secure, but as I mentioned above, there might be reasons to be cautious. Given the recent press about how government agencies have compromised encryption used by many Internet businesses, I would much rather use a tool that uses an open source implementation of any other strong encryption than AES.
A final concern is that Apple propagates passwords across all your Apple platforms. Your computer, phone and tablet all use the same stored password file. What happens if your portable device is stolen? How do you change passwords, without syncing the new passwords to the lost device? How securely protected is the encrypted password file on the lost device?
As password managers go, Apple's Keychain is arguably quite good. I would prefer to see it default to a “real” password instead of a 4 digit PIN, and to offer guidance on creating good passwords. I would prefer that it offered a true open source, secure, verifiable encryption process, that can be shown not to have been compromised with a back door or other designed-in weakness. I would prefer that it offer a choice not to be propagated via the cloud, but instead to use a secure, encrypted flash drive. Oh, wait, Apple's portable devices do not have a port that can accept a flash drive! Ouch!
I still prefer my approach of creating and using passwords via a methodology that can be easily remembered, and not relying on any password managers or other such supports. If I absolutely must record them somewhere, I would do so on a USB Key that is designed for such service. Kingston's DataTraveler Vault Privacy 3.0 is an example of a very secure drive that is inherently encrypted and which will lock itself and reformat, destroying the data therein after 10 failed attempts to access. These are a little pricey, but the cheapest versions are around $35, not an unreasonable price. Another solution is to simply use an ordinary flash drive, and encrypt it using TrueCrypt.