Protect Your Passwords -- Part 1
December 14, 2004
By Brian Livingston

Quick! Can you remember all the user names and passwords that you've used at every Web site where you've ever registered?

I'll bet you can't. But it's no shame not to remember all these things off the top of your head. No one can.

That's why people write their passwords on Post-It notes and stick them on their monitors. And it's why Web browsers such as Internet Explorer and Firefox offer to "help you" remember your passwords — which means that anyone who borrows or steals your computer can log on and impersonate you at any of the "memorized" sites.

Fortunately, the plunging cost of memory has given rise to a possible solution to the password-recall problem: store your user names and passwords on a removable USB Flash drive. You protect the device with a single, "master" password. All you have to do is remember that one code to access all the passwords you've stored.

Is this solution good enough for serious use? Let's look at the problem and see.

Your Oh-So-Helpful Browsers

The rise of the Internet and corporate intranets was the impetus behind the "browser paternalism" of passwords:

Internet Explorer. Microsoft's browser, known affectionately as IE, years ago began offering an "AutoComplete" function. This feature offers to remember IDs and passwords that you type on your keyboard. IE stores them in an encrypted file. In theory, those passwords are made available only when the person who stored them is logged on to Windows under his or her own account name (such as Brian123 or whatever).

The problem with this is not just that anyone can walk up to your PC in your absence, look through IE's history, and then log on as you at any password-protected site. Much worse is the fact that, even if you've logged off your Windows account, anyone can run a simple utility and read IE's "encryption-protected" file to discover your passwords.

One of the best-known makers of password-reading software is ElcomSoft Co. Ltd. This programming firm, located in Moscow, Russia, was acquitted of criminal liability in December 2002 for cracking the password protection of Adobe PDF files.

The company's Advanced Internet Explorer Password Recovery utility, according to Computer Associates' Spyware Information Center, coughs up the passwords saved by every version of IE from 3.0 to 6.0 (the current level). The software sells for around $30 USD.

Oh, so you think, "We'll just ban this utility"? Good luck. The info center says there are some 720 different versions of password-revealing utilities currently available.

I don't mean to pick on IE. Crackers are also widely available to divulge the passwords stored by Microsoft Outlook, VBA (Visual Basic for Applications), Intuit Quicken, and many other apps.

Mozilla Firefox. The new, free Firefox browser, developed by the not-for-profit Mozilla Foundation, also offers to store user names and passwords that you enter at Web sites you visit. To its credit, Firefox 1.0 can store this sensitive data in an encrypted form that I don't believe has been compromised.

Unfortunately, Firefox doesn't encrypt your saved passwords by default but leaves them wide open. You can only have your passwords encrypted if you take steps to set a "master" password. (To do this in Firefox 1.0, click Tools, Options, Privacy, Set Master Password.) Before Firefox will then provide your passwords to a Web site or anyone else, the master password must be entered.

If you use a USB drive to store your passwords in a secure manner, as described below, you can make your browser stop storing passwords on your hard disk. To do this in Firefox, click Tools, Options, Privacy and turn off "Remember Passwords." In IE, it's Tools, Internet Options, Content, AutoComplete and turn off "Use AutoComplete for user names and passwords on forms."

In a corporate environment, you can use Group Policy to prevent browsers from storing login passwords. To do this for IE, set the "Disable AutoComplete for forms" and "Do not allow AutoComplete to save passwords" policies through Active Directory.

The USB Flash Drive Alternative

Siber Systems Inc. released last month a software program designed to eliminate the need (and the temptation) to store your user names and passwords via your browser.

The company, which has published RoboForm password-management software for desktop PCs for many years, is now shipping Pass2Go. The new program is a "portable RoboForm" that can execute within a USB Flash drive or any other removable medium, such as Iomega Zip drives and even rewritable CDs.

The new product has the following interesting features:

Lack of Tracks. If you store user names and passwords via Pass2Go on a USB Flash drive, the computer you were using at the time loses access to those passwords completely when you remove the Flash drive from its USB port.

Transportability. You can then insert the same Flash drive into the USB port of a different PC. As long as you remember the master password you set, you can automatically log in to your favorite Web sites on the second PC. Removing the drive, as before, deprives the second PC of the passwords as well.

Flexibility. In addition to user names and passwords, you can use the Flash drive to store e-mail contact information from Microsoft Outlook, bookmarks from your browser, and other data that's handy when you're traveling.

Pass2Go can be licensed for $39.95 for a quantity of one, or $9.95 for users who already own a $29.95 license for the desktop product, RoboForm. Pass2Go, however, can be used for 30 days for free, after which (if you don't pay for it) it can still securely hold 10 passwords for up to two different users.

At this writing, Pass2Go works only with Internet Explorer. That's a problem for users of Firefox and other alternate browsers, such as Opera, that are free from IE's well-known security problems. Integration with those applications is expected to be available in future versions of the password utility, according to Andy Finkle, Siber Systems' vice president of marketing.

The Real Deal For Login Security

Is software on a USB Flash drive really secure enough to use to access your sensitive passwords on a computer at, say, an Internet café?

A Siber Systems press release says, "Pass2Go can confidently be used at Internet cafés, libraries, convention halls, airports, universities, or even at work — anywhere people on-the-go have a computer with a USB port."

In reality, just because your passwords are stored on a USB drive doesn't make it any safer for you to access a Web site from an Internet café or other public location. Once you type the USB drive's "master password," a Trojan horse program that's running on the unfamiliar PC could capture every screen that appears while you're using a supposedly "secure site."

"I would never recommend any product, even two-factor authentication, to be used in an Internet café," Siber Systems' Finkle said in a telephone interview.

Two-factor authentication is a stronger form of identification than a mere password. The first factor is a physical device, such as a USB Flash drive. This is combined with a second factor, typically a PIN (personal identification number) or some other code that's easy for a user to remember.

This dual approach may, in fact, be the key to using insecure PCs (such as the ones at Internet cafés) to communicate securely with distant servers.

A Meeting Of The Minds

USB Flash drives are now available with a riot of identification methods.

There are tiny "stick" drives with fingerprint recognition, reliably providing access to authorized users only.

Other Flash drives display a random number that's derived from an internal timer. The number can be used to log on to a server, which is synchronized to the same time, only once. If an eavesdropper snatches the number, it's useless as a way to read the rest of the session, which is safely encrypted.

I'll examine ways that specialized Flash drives can be combined with helpful password-storage software in this space next week.

Brian Livingston is the editor of WindowsSecrets.com and the co-author of Windows Vista Secrets and 10 other books. Send story ideas to him via his contact page. To subscribe free and receive Executive Tech via e-mail, visit our signup page.
