Regardless of what we think of passwords, they are still necessary to access the vast majority of applications, sites, and services. And as password cracking has become an art form, increasing in efficiency because of developments like rainbow tables, password strength and length requirements are making password management… well… unmanageable. However, there are free online tools to help.
In this post, I look at two online applications that enable easy-to-use strong password management and anytime-anywhere access to important account information: Perfect Passwords and Xecrets.
Perfect Passwords is a free online random password generator provided by Steve Gibson at his Web site, grc.com. According to the site,
Every [password] is completely random (maximum entropy) without any pattern, and the cryptographically-strong pseudo random number generator we use guarantees that no similar strings will ever be produced again.
Also, because this page will only allow itself to be displayed over a snoop-proof and proxy-proof high-security SSL connection, and it is marked as having expired back in 1999, this page which was custom generated just now for you will not be cached or visible to anyone else.
Therefore, these password strings are just for you. No one else can ever see them or get them. You may safely take these strings as they are, or use chunks from several to build your own if you prefer, or do whatever you want with them. Each set displayed is totally, uniquely yours — forever.
Figure 1 shows the three password formats available. My favorite is the middle set, ASCII characters. When the application or service for which I need a password doesn't accept anything but alphanumeric strings, I settle for the bottom set.
Figure 1: Perfect Passwords
Although the generator displays 63 characters, I use 8 to 20 contiguous characters via copy-paste. If for some reason I don't like the character sets displayed, I just refresh the page. This causes the site to generate new character strings. For more information on how the strings are generated, refer to the site's Application Notes.
Using strong passwords is only a first step in securing my information. I also have to have a way to remember these strings, strings that aren't easily kept in my aging brain. I originally used Password Manager XP, a client-based application. It's a great app, and it worked as advertised. But I found myself needing access to my passwords when I wasn't on my laptop. I needed a password vault that provided secure anytime-anywhere access to my account information. Xecrets met the challenge.
Xecrets is an online password vault provided by Axantum Software AB. These are the same people that publish AxCrypt, a file encryption product I use regularly. Xecrets stores my account information in 256-bit AES encrypted XML files. This eliminates password compromise caused by common database attacks and provides flexibility in how I manage the information, both online and on my local machine.
The strength of this solution relies heavily on the password I choose. Xecrets requires a password of at least 10 characters. It then uses a standardized key-wrap algorithm and an "iterated key-derivation" algorithm to protect the encryption key: the password I supply is not used directly to decrypt the XML files; it's used to unwrap the randomly generated 256-bit encryption key that Xecrets created.
What all this means is a secure way of storing and accessing my account information in a globally accessible location, delivered over an SSL connection. One downside: if I lose my Xecrets password, my password data is lost. Since the Xecrets staff don't know my password, they can't send it to me.
In the rest of this post, I step through entering my first password into Xecrets.
Figure 2 displays what I saw before I entered any password information. It provides some guidance about what I can expect and how to get started. Note that the Search and Show All buttons are inactive.
Figure 2: New Xecrets Account
Clicking on the New button, I received the Xecrets account information entry window as shown in Figure 3. The first time this appears, instructions are included. The Full Description field supports free-form text entry, and it's searchable when looking for accounts.
Figure 3: Account Information Entry
I entered and saved information for one of my bank accounts. This returned me to the list view, displayed in Figure 4. Now, however, my entered account is listed and the Search button is active. The Title information is a hyperlink to the password. The rest of the displayed information I entered into the text box.
Figure 4: List View
Figure 5 depicts the results of my free-form text search test. I wanted to see if Xecrets would find strings anywhere in the non-password fields. It passed by finding and highlighting the letters "id".
Figure 5: Text Search Results
Finally, I clicked on the hyperlink to view my password. Figure 6 is the result.
Figure 6: Password View
Overall, I found Xecrets to be an easy-to-use, secure solution for my mobile password problems.
Perfect Passwords and Xecrets provide a powerful answer to the continued use of password-only authentication methods.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.