Protect Your Passwords: A Solution for the Password Security Problem
Brian Livingston
Quick! Can you remember all the user names and passwords that you've used at every Web site where you've ever registered?
I'll bet you can't. But it's no shame not to remember all these things off the top of your head. No one can.
That's why people write their passwords on Post-It notes and stick them on their monitors. And it's why Web browsers such as Internet Explorer and Firefox offer to "help you" remember your passwords — which of course means that anyone who borrows or steals your computer can log on and impersonate you at any of the "memorized" sites.
Fortunately, the plunging cost of flash memory has given rise to a possible solution to the password-recall problem: storing your user names and passwords on a removable USB flash drive. You protect the store with a single "master" password, so that one code is all you have to remember in order to reach every password you've saved.
Is this solution good enough for serious use? Let's look at the problem and some of the other potential solutions available.
Your Oh-So-Helpful Browsers
The rise of the Internet and corporate intranets, each site with its own login, is what drove browsers into the "paternalism" of offering to remember passwords for you.
• Internet Explorer – Microsoft's browser years ago began offering an "AutoComplete" function. This feature offers to remember IDs and passwords that you type on your keyboard. IE stores them in encrypted form on the local machine. In theory, those passwords are made available only when the person who stored them is logged on to Windows under his or her own account name (such as Brian123 or whatever).
The problem with this is not just that anyone can walk up to your PC in your absence, pick a site out of IE's history, and let AutoComplete log them on as you. Much worse is that the "encryption" is keyed to your Windows logon: anyone who can run a program while you're logged on, or who knows your Windows password, can use a simple utility to read IE's "encryption-protected" store and recover every password in it.
One of the best-known makers of password-reading software is ElcomSoft Co. Ltd. This programming firm, located in Moscow, Russia, was acquitted of criminal charges in December 2002 over its software for removing the password protection from Adobe PDF e-books.
The company's Advanced Internet Explorer Password Recovery utility, according to Computer Associates' Spyware Information Center, coughs up the passwords saved by every version of IE from 3.0 to 6.0 (the current version). The software sells for around $30 USD.
Oh, so you think, "We'll just ban this utility and our problems will be solved," right? Good luck. The info center says there are over 720 different versions of password-revealing utilities currently available.
I don't mean to pick on IE. Crackers are also widely available to divulge the passwords stored by Microsoft Outlook, VBA (Visual Basic for Applications), Intuit Quicken, and many other apps.
• Mozilla Firefox – The new, free Firefox browser, developed by the not-for-profit Mozilla Foundation, also offers to store user names and passwords that you enter at Web sites you visit. To its credit, Firefox 1.0 can store this sensitive data in an encrypted form that I don't believe has been compromised ... yet.
Unfortunately, Firefox doesn't protect your saved passwords by default. The entries are scrambled, but the key that unscrambles them sits in the same profile folder with no password over it, so anyone who can copy the profile can read every login; in practice they are wide open. Your passwords are only genuinely encrypted once you set a "master" password, which is then required to unlock that key. (To do this in Firefox 1.0, click Tools, Options, Privacy, and Set Master Password.) With this password set, before Firefox will provide your Web site passwords or anything else, the master password must be entered.
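The USB-drive store described earlier and the Firefox master password above rest on the same design: the master password itself is never written anywhere, it is stretched into a key, and the key unlocks everything else. The following is an added illustration of that design in stdlib-only Python; it is my example, not the column's and not Firefox's or any product's file format, and the sample entries are made up. It shows the two checks a practitioner wants: a slow salted key derivation (PBKDF2) so the master password can't be guessed quickly offline, and an integrity tag verified before decryption so a wrong master password is refused rather than yielding garbage. The stream cipher is HMAC-SHA256 in counter mode to keep the example dependency-free; for real use swap it for a vetted AEAD such as AES-GCM from a library.

```python
"""Minimal master-password vault: one password unlocks an encrypted store.

Constructed example (not Firefox's, IE's, or any product's format); stdlib only.
File layout produced by seal(): salt(16) | nonce(16) | ciphertext | tag(32)
"""
import hashlib
import hmac
import json
import os

ITERATIONS = 100_000  # PBKDF2 work factor: slows offline guessing of the master password

# Constructed sample data; nothing here is real.
SAMPLE_ENTRIES = {
    "www.example.com": {"user": "brian123", "password": "correct horse battery"},
    "mail.example.net": {"user": "blivingston", "password": "s3cret-mail"},
}


def _derive_keys(master_password, salt):
    """Stretch the master password into an encryption key and a separate MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def _keystream_xor(key, nonce, data):
    """Counter-mode stream cipher using HMAC-SHA256 as the PRF (HKDF-Expand style).
    XOR is symmetric, so the same call encrypts and decrypts."""
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(entries, master_password):
    """Encrypt-then-MAC the entries under the master password; returns the vault bytes."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master_password, salt)
    ct = _keystream_xor(enc_key, nonce, json.dumps(entries).encode("utf-8"))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def open_vault(blob, master_password):
    """Verify the tag first; a wrong master password or a modified file raises ValueError."""
    if len(blob) < 64:
        raise ValueError("vault file truncated")
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password, or vault has been tampered with")
    return json.loads(_keystream_xor(enc_key, nonce, ct))


def wrong_password_rejected(blob, guess):
    """True if the vault refuses to open with the given guess."""
    try:
        open_vault(blob, guess)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "vault.bin"  # e.g. a path on the USB drive
    with open(path, "wb") as f:
        f.write(seal(SAMPLE_ENTRIES, "one master password"))
    with open(path, "rb") as f:
        blob = f.read()
    print(open_vault(blob, "one master password"))
    print("wrong password rejected:", wrong_password_rejected(blob, "one master passw0rd"))
    # The Firefox-without-master-password situation: sealing under "" works fine,
    # which means anyone who can read the file can open it.
    print(open_vault(seal(SAMPLE_ENTRIES, ""), ""))
```

The last line of the demo is the point about Firefox's default: a store sealed under an empty master password is "encrypted" in name only, because anything that can read the file already has everything needed to open it.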
If you use a USB drive to store your passwords in a secure manner, as described below, you can make your browser stop storing passwords on your hard disk.
To do this in Firefox, click Tools, Options, Privacy, and then turn off the "Remember Passwords" option. In IE, it's Tools, Internet Options, Content, AutoComplete, and then turn off the "Use AutoComplete for user names and passwords on forms" option.
In a corporate environment, you can use Group Policy to prevent IE from storing login passwords, so users can't simply switch the option back on. The settings live under User Configuration, Administrative Templates, Windows Components, Internet Explorer: enable "Disable AutoComplete for forms" and "Do not allow AutoComplete to save passwords."
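Turning the options off is one thing; checking that they stayed off across a fleet is another. The following is an added audit script, mine rather than the column's, that inspects the two artifacts the settings above leave behind: a Firefox profile's prefs.js (or user.js), where the "Remember Passwords" checkbox is the pref signon.rememberSignons, and a `reg export` of the Group Policy key for IE. Two details matter: in prefs.js a missing pref means the default, which is to remember passwords, and the last occurrence wins; and the IE policy only counts if the value sits under the Policies key. The registry value names are what the two policies write according to the IE administrative template (an assumption here; confirm against your template version). The sample inputs are constructed.

```python
"""Audit whether a browser profile or policy still saves passwords.

Constructed example, not from the column; sample inputs below are made up.
"""
import re

# Firefox "Remember Passwords" checkbox == signon.rememberSignons.
# Matches user_pref() in prefs.js/user.js and pref()/lockPref() in mozilla.cfg.
_PREF_RE = re.compile(
    r'^\s*(?:user_pref|pref|lockPref)\("signon\.rememberSignons",\s*(true|false)\);',
    re.MULTILINE,
)

# Group Policy key and values (assumed from the IE administrative template, inetres.adm):
#   "FormSuggest"=dword:00000001            -> "Disable AutoComplete for forms"
#   "FormSuggest Passwords"=dword:00000001  -> "Do not allow AutoComplete to save passwords"
_IE_POLICY_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel"
_IE_VALUE_RE = re.compile(r'^"FormSuggest Passwords"=dword:([0-9A-Fa-f]{8})\s*$')

SAMPLE_PREFS = """# Mozilla User Preferences (constructed sample)
user_pref("browser.startup.homepage", "http://www.mozilla.org/");
user_pref("signon.rememberSignons", true);
user_pref("signon.rememberSignons", false);
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"FormSuggest Passwords"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"FormSuggest"=dword:00000001
"FormSuggest Passwords"=dword:00000001
"""


def firefox_remembers_passwords(prefs_text):
    """True if this profile will offer to save passwords.
    Absent pref => Firefox default (True); the last setting in the file wins."""
    found = _PREF_RE.findall(prefs_text)
    return found[-1] == "true" if found else True


def ie_policy_blocks_saved_passwords(reg_export):
    """True only if "FormSuggest Passwords" is 1 under the Policies key.
    The same value under the ordinary user key is a preference, not a policy."""
    current_key = None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or current_key.lower() != _IE_POLICY_KEY.lower():
            continue
        m = _IE_VALUE_RE.match(line)
        if m and int(m.group(1), 16) == 1:
            return True
    return False


def audit(prefs_text, reg_export):
    """Summarise both checks as findings a fleet report can consume."""
    return {
        "firefox_saves_passwords": firefox_remembers_passwords(prefs_text),
        "ie_policy_enforced": ie_policy_blocks_saved_passwords(reg_export),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_PREFS, SAMPLE_REG))
```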
So with the password security problem identified, what practical solutions are available now or in the works, and how well do they work?