Security

Strong password management for the mobile user

Truly strong passwords are necessary to protect our information, but they can be a pain to generate, manage, and access globally. There are free online tools that can help meet these challenges.

Regardless of what we think of passwords, they are still necessary to access the vast majority of applications, sites, and services. And as password cracking has become an art form, increasing in efficiency because of developments like rainbow tables, password strength and length requirements are making password management… well… unmanageable. However, there are free online tools to help.

In this post, I look at two online applications that enable easy-to-use strong password management and anytime-anywhere access to important account information: Perfect Passwords and Xecrets.

Perfect Passwords

Perfect Passwords is a free online random password generator provided by Steve Gibson at his Web site, grc.com. According to the site,

Every [password] is completely random (maximum entropy) without any pattern, and the cryptographically-strong pseudo random number generator we use guarantees that no similar strings will ever be produced again.

Also, because this page will only allow itself to be displayed over a snoop-proof and proxy-proof high-security SSL connection, and it is marked as having expired back in 1999, this page which was custom generated just now for you will not be cached or visible to anyone else.

Therefore, these password strings are just for you. No one else can ever see them or get them. You may safely take these strings as they are, or use chunks from several to build your own if you prefer, or do whatever you want with them. Each set displayed is totally, uniquely yours — forever.

Figure 1 shows the three password formats available. My favorite is the middle set, ASCII characters. When the application or service for which I need a password doesn't accept anything but alpha-numeric strings, I settle for the bottom set.

Figure 1: Perfect Passwords

Although the generator displays 63 characters, I use 8 to 20 contiguous characters via copy-paste. If for some reason I don't like the character sets displayed, I just refresh the page. This causes the site to generate new character strings. For more information on how the strings are generated, refer to the site's Application Notes.
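The generator itself is a few lines once a cryptographically strong random source is available. The following Go program is an added example written for this page; it is not code from grc.com or from this post. It draws characters from the three alphabets shown in Figure 1 and reports how many bits of entropy a password of a given length carries. The printable-ASCII alphabet is an assumption (every character from '!' through '~'); the post does not list grc.com's exact set.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Three alphabets, mirroring the three formats the grc.com page offers: hex,
// printable ASCII and alphanumeric. The exact ASCII set grc.com uses is not
// reproduced here; this example assumes every printable character from '!' to '~'.
const (
	AlphabetHex          = "0123456789ABCDEF"
	AlphabetAlphanumeric = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
)

var AlphabetASCII = func() string {
	var b strings.Builder
	for c := '!'; c <= '~'; c++ {
		b.WriteByte(byte(c))
	}
	return b.String()
}()

// GeneratePassword draws n characters from alphabet with the OS CSPRNG.
// rand.Int uses rejection sampling, so no character is favoured (no modulo bias).
func GeneratePassword(alphabet string, n int) (string, error) {
	if len(alphabet) < 2 || n < 1 {
		return "", fmt.Errorf("need an alphabet of at least 2 symbols and n >= 1")
	}
	size := big.NewInt(int64(len(alphabet)))
	out := make([]byte, n)
	for i := range out {
		idx, err := rand.Int(rand.Reader, size)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// EntropyBits is the guessing resistance of a uniformly random password of the
// given length: length * log2(alphabet size). Any contiguous slice of a uniform
// string is itself uniform, so cutting 8-20 characters out of a 63-character
// line keeps this property.
func EntropyBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// InAlphabet reports whether every byte of s comes from alphabet.
func InAlphabet(s, alphabet string) bool {
	for i := 0; i < len(s); i++ {
		if strings.IndexByte(alphabet, s[i]) < 0 {
			return false
		}
	}
	return true
}

func main() {
	sets := []struct{ name, alphabet string }{
		{"hex", AlphabetHex},
		{"ascii", AlphabetASCII},
		{"alphanumeric", AlphabetAlphanumeric},
	}
	for _, s := range sets {
		pw, err := GeneratePassword(s.alphabet, 20)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-13s %s  (%.1f bits)\n", s.name, pw, EntropyBits(len(s.alphabet), 20))
	}
}
```

Run it with `go run .` and it prints one 20-character password per alphabet. The entropy figures are what matter when choosing a length: 8 hex characters give 32 bits, 20 alphanumeric characters about 119 bits, and 20 printable-ASCII characters about 131 bits. Because the string is built locally from the operating system's CSPRNG, nothing is transmitted or displayed by a remote server, which is the property the site's own notes promise for its SSL-only, uncached page.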

Xecrets

Using strong passwords is only a first step in securing my information. I also have to have a way to remember these strings, strings that aren't easily kept in my aging brain. I originally used Password Manager XP, a client-based application. It's a great app, and it worked as advertised. But I found myself needing access to my passwords when I wasn't on my laptop. I needed a password vault that provided secure anytime-anywhere access to my account information. Xecrets met the challenge.

Xecrets is an online password vault provided by Axantum Software AB, the same people who publish AxCrypt, a file encryption product I use regularly. Xecrets stores my account information in 256-bit AES encrypted XML files. This eliminates password compromise caused by common database attacks and gives me flexibility in how I manage the information, both online and on my local machine.

The strength of this solution relies heavily on the password I choose. Xecrets requires a password of at least 10 characters. It then uses a standardized key-wrap algorithm and an "iterated key-derivation" algorithm to protect the vault's key. The password I supply is not used to decrypt the encrypted XML files directly; it's used to decrypt the randomly generated 256-bit encryption key that Xecrets created, and that key decrypts the files.

What all this means is a secure way of storing and accessing my account information in a globally accessible location, delivered over an SSL connection. One downside: if I lose my Xecrets password, my password data is lost. Because the Xecrets staff never know my password, they can't send it to me.
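To make the key-wrap arrangement concrete, here is an added Go example. It is not Xecrets' code, and the post does not say which standardized algorithms Xecrets uses; the example assumes PBKDF2-HMAC-SHA256 for the iterated key derivation and AES Key Wrap (RFC 3394) for the wrap, with a caller-supplied salt and iteration count. The 10-character minimum is the one the post describes. The function names (`deriveKEK`, `keyWrap`, `keyUnwrap`, `ProtectNewDataKey`, `RecoverDataKey`) are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// deriveKEK is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block: the
// "iterated key-derivation" that makes each password guess cost iter HMACs.
func deriveKEK(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(append(append([]byte(nil), salt...), 0, 0, 0, 1)) // salt || INT(1)
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

var kwIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6} // RFC 3394 integrity check value

// keyWrap is AES Key Wrap (RFC 3394): 6 rounds of AES over n 64-bit blocks.
func keyWrap(kek, key []byte) ([]byte, error) {
	c, err := aes.NewCipher(kek)
	if err != nil || len(key)%8 != 0 || len(key) < 16 {
		return nil, errors.New("bad KEK, or key not a multiple of 8 bytes (min 16)")
	}
	n, b := len(key)/8, make([]byte, 16)
	out := append(append([]byte(nil), kwIV...), key...) // A || R1..Rn
	for j := 0; j < 6; j++ {
		for i := 1; i <= n; i++ {
			copy(b[:8], out[:8])
			copy(b[8:], out[8*i:8*i+8])
			c.Encrypt(b, b)
			copy(out[:8], b[:8])
			for k := 0; k < 8; k++ { // A ^= t, t = n*j+i as 64-bit big-endian
				out[7-k] ^= byte(uint64(n*j+i) >> (8 * k))
			}
			copy(out[8*i:8*i+8], b[8:])
		}
	}
	return out, nil
}

// keyUnwrap inverts keyWrap; a wrong KEK fails the check instead of yielding garbage.
func keyUnwrap(kek, wrapped []byte) ([]byte, error) {
	c, err := aes.NewCipher(kek)
	if err != nil || len(wrapped)%8 != 0 || len(wrapped) < 24 {
		return nil, errors.New("bad KEK or malformed wrapped key")
	}
	n, b := len(wrapped)/8-1, make([]byte, 16)
	buf := append([]byte(nil), wrapped...)
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			for k := 0; k < 8; k++ { // undo A ^= t before decrypting
				buf[7-k] ^= byte(uint64(n*j+i) >> (8 * k))
			}
			copy(b[:8], buf[:8])
			copy(b[8:], buf[8*i:8*i+8])
			c.Decrypt(b, b)
			copy(buf[:8], b[:8])
			copy(buf[8*i:8*i+8], b[8:])
		}
	}
	if !hmac.Equal(buf[:8], kwIV) {
		return nil, errors.New("integrity check failed: wrong password or corrupted vault")
	}
	return buf[8:], nil
}

// ProtectNewDataKey draws the random 256-bit key that actually encrypts the XML and
// wraps it under the password-derived KEK; the vault stores only salt, iter and wrapped.
func ProtectNewDataKey(password string, salt []byte, iter int) (wrapped, dataKey []byte, err error) {
	if len(password) < 10 { // the minimum length the post describes
		return nil, nil, errors.New("password must be at least 10 characters")
	}
	dataKey = make([]byte, 32)
	if _, err = rand.Read(dataKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = keyWrap(deriveKEK([]byte(password), salt, iter), dataKey)
	return wrapped, dataKey, err
}

// RecoverDataKey re-derives the KEK and unwraps; only then can the XML be decrypted.
func RecoverDataKey(password string, salt []byte, iter int, wrapped []byte) ([]byte, error) {
	return keyUnwrap(deriveKEK([]byte(password), salt, iter), wrapped)
}
```

Two properties of this layout are worth noticing. First, nothing stored (salt, iteration count, wrapped key) lets anyone, the service included, rebuild the key-encryption key without the password, which is exactly why a forgotten password means lost data. Second, the RFC 3394 integrity check value makes a wrong password fail loudly during unwrap rather than quietly producing a wrong data key that would then fail to decrypt the files.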

In the rest of this post, I step through entering my first password into Xecrets.

Figure 2 displays what I saw before I entered any password information. It provides some guidance about what I can expect and how to get started. Note that the Search and Show All buttons are inactive.

Figure 2: New Xecrets Account

When I clicked the New button, Xecrets opened the account information entry window shown in Figure 3. The first time this window appears, instructions are included. The Full Description field supports free-form text entry, and it's searchable when looking for accounts.

Figure 3: Account Information Entry

I entered and saved information for one of my bank accounts. This returned me to the list view, displayed in Figure 4. Now, however, my entered account is listed and the Search button is active. The Title is a hyperlink to the password. The rest of the displayed information is what I entered into the Full Description field.

Figure 4: List View

Figure 5 depicts the results of my free-form text search test. I wanted to see if Xecrets would find strings anywhere in the non-password fields. It passed, finding and highlighting the letters “id”.

Figure 5: Text Search Results

Finally, I clicked on the hyperlink to view my password. Figure 6 is the result.

Figure 6: Password View

Overall, I found Xecrets to be an easy-to-use, secure solution for my mobile password problems.

Together, Perfect Passwords and Xecrets provide a powerful answer to the problems that come with the continued use of password-only authentication.

About

Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...

15 comments
shardeth-15902278

Runs on a thumbdrive, versions for most popular OS... Just seems a much safer option to me.

JCitizen

establish a reputation? Just curious. I've been thinking of using Comodo's iVault, but I haven't looked to see if it has portable web-based capability like this one.

KBT882

So all you have to do is completely trust a third party, its systems, processes and employees with all your passwords. And we all know how good companies and governments are at keeping our personal data secure?? I'll stick with remembering a few strong passwords, thanks.

techrepublic@

There are so many good ways to generate secure passwords, why would anyone even think of getting his passwords from someone else (e.g. a web site)?! For the GUI inclined, the "SecurePassword Generator" extension for Firefox is very good. From the CLI:
Generate a 256 bit random password: dd if=/dev/random bs=256 count=1 | sha256sum
Generate a 512 bit random password: dd if=/dev/random bs=512 count=1 | sha512sum

Craig.Goodspeed

Check out a Wikipedia page on him: http://en.wikipedia.org/wiki/Steve_Gibson_(computer_programmer) But take it with a grain of salt, because Steve has been making waves in the security world for a while. But because he is committed to security and informing people as fast as possible, he has made claims about vulnerabilities that he has later recanted, but it seems his Wikipedia article doesn't reference those.

Craig.Goodspeed

So you didn't read the article or the page it referenced. GRC.com is not storing the passwords, or attempting to. It is generating a random password on the page every time it is refreshed. He even recommends, if you are worried about someone sniffing this password you generated on the secure page or that the page may be storing the generated passwords, that you take random pieces of the password and refresh the page, rinse and repeat as much as you want.

Cynyster

For me personally there is no reason to house your passwords on the Internet. I use Roboform on an encrypted SanDisk Cruzer. Manages all my on-line passwords and information and keeps them encrypted (just have to remember a master password), and the chip itself is passworded (with arguably much less encryption protection), but the point is the chip comes with me and if it's lost it is of no use to anyone. The downside is it only works with M$ OS's.

JCitizen

and Spinrite. Sorry to bother you, I obviously had one of my increasingly frequent brain farts!

techrepublic@

All my passwords are long random strings, unique for each usage, and stored in an encrypted filesystem (encfs) in plain text files. I have no need for any password management program. I only have to remember a strong password to unlock the encrypted filesystem. Anyway, the subject of the article was strong password generation (on the move) and a web service is a poor solution to that "problem".

Craig.Goodspeed

GRC.com is not storing passwords; it is a password generator. All of the information on how he built this tool is available on the website https://www.grc.com/passwords.htm, as well as in a weekly podcast he does called Security Now.

techrepublic@

Yes, it is a general answer describing general and basic security concerns. So should I ignore basic security concerns and policy just because "The author has gone through great lengths to describe the tool and document every little aspect to this tool..."?! That's a big negative! Let's not forget what tool we are talking about. Passwords are to be kept secret at ALL times, creation time included. Even if I completely trusted the author, I would not use it when I have alternatives that have far smaller security risks and unknowns. I don't use closed-source security-related tools for many reasons, one being the obvious lack of source code to examine and compile. Regards

Craig.Goodspeed

You have not taken the time to read the site and the information the author went through to make this utility. Hell, he has even made it into a podcast that you can listen to him discuss all of the details going into making the utility. The author has gone through great lengths to describe the tool and document every little aspect to this tool and has tried to take a security-focused mind to build the tool. You have just dismissed it with generalities and vague statements. Yes I understand those things you have posted can be a concern with any web utility, and should be a concern for any utility that you put onto your machine. Unless you wrote it or have gone through the source code and know that everything in the program is doing what it claims.

techrepublic@

Is the site's:
- host admins trustworthy?
- host secure?
- admins trustworthy?
- generator secure?
- generator any good?
- communication channel to the mobile thingy secure?
Do you know the answers to these questions? Even if the answer is a big YES. Is the communication channel to the site:
- free?
- fast?
- available everywhere and always?
- more energy efficient than other alternatives (this is a mobile thingy after all)?
Even if the answer is a big YES. Is there an alternative that does not raise so many questions? You can answer this one. :) Regards.

Craig.Goodspeed

As to the first part of your post, that is a good way to keep your passwords safe, as long as nobody ever figures out your main password. Personally I have an IronKey which is encrypted and basically destroys all the data on the device after 10 wrong password guesses (I have a second one in a safe at home just in case someone blows up the first one). "Anyway, the subject of the article was strong password generation (on the move) and a web service is a poor solution to that "problem"." Can you explain to me why this Web service would be a "poor" solution to creating strong RANDOM passwords on the go? Because reading about it, it looks like the author put a lot of thought into making it a suitable solution.