Tuesday, January 12, 2010

One Password to rule them all

I am notoriously bad at memorizing. If not, I might have gone to medical school and chosen a more lucrative career than Engineering... But as the number of online services I uses increases, so does the number of account username and password combinations. I try to standardize as much as I can on the same usernames(s) but some sites make this really hard by requiring strange and unusual conventions (name must be at least 8 characters long and include at least special character and number??? Whose name looks like that?) or by dictating that the username be whatever 10 digit number their database uses as the unique key for the account record. Same drama for the passwords, except that using a standard password everywhere has the added disadvantage that once the password is compromised, the attacker would have access to all my various online service accounts - if sHe could guess those bloody convoluted usernames... ;-)

Things got particularly bad for accounts, which I use very rarely and which have complicated account recovery procedures - typically hours spent in AVS and call-center limbo. I admit that I even committed the exemplary no-no of IT security 101: writing my username/passwd combinations on post-it notes! [Which is not as bad as it sounds, since our apartment is not a highly public place and if broken into, I would likely have bigger problems and hassles than changing a few account passwords.]

Before our recent move, I finally adopted a more reasonable strategy for password management and storage. I consolidated my post-it notes into Password Gorilla, which is a multi-platform application which uses the same secure storage file format as the Password Safe application. The original Password Safe application was designed by cryptographer and computer security expert Bruce Schneier - which hopefully should ensure that there are no obvious design-flaws in the encrypted storage format.

Since Password Gorilla has a built-in feature to easily auto generate a different random password for each entry it is really easy to choose unique and very strong passwords for each service. However then having reliably access to the database anywhere and at any time becomes crucial.

Using a format which is a quasi open-source standard, supported by many different applications on different platform, should increase the chance, that I would always be able to find an application somewhere to read and decode the password database, even if something really bad happened to my computer

A convenient way to keep both a backup copy of the database is to store it in the memory of my mobile phone and even better, to have access to passwords anytime on the road is to use an application which can open and decode the password file directly on the phone.

For a while, I have been using Android Password Safe - or rather a not yet released experimental version which allows to import/export an existing password database, which is absolutely essential for sharing the database between the phone and my main computer. However this has been the state for over a year now and it seems as if the author has abandoned the project.

I am glad to see that very recently a new version of a Password Safe compatible application has been released: PasswdSafe. It is a viewer only, which is perfectly fine for my use-case, where the master database is always on the computer at home and the phone is a read-only backup copy. Because it is read-only, the records are displayed nicely in a compact way, even with a quick way to show & hide the password itself.

Some additional features I would like to see is a timeout based auto-lock, which locks the database again after some time, if it is left open and a way to import/export databases into the phone's internal memory instead of reading them from the removable SD-card. Granted, all android phones can be "rooted", after which the user has unlimited access to the phone's internal memory as well through the USB serial-port, but put putting some additional effort before a potential attacker gets their hands on the password database can't hurt... Besides, half the battle is knowing when the database has been stolen - swapping an SD-card and/or quickly copying a file could be done in a few seconds, when the phone is left unattended.

Once a potential attacker has gained access to the password database, the weakest link to crack the database open is by guessing the master password. Since I need to be able to remember it, quite likely it has significantly less entropy than could be contained in a randomly chosen 128 or 256bit twofish key, used to encrypt the database.

But then, my accounts might not be worth the effort of even a systematic password cracking attack, in case somebody technically sophisticated enough manages to steal my phone - but if I were an anesthesiologist, this might be a different picture...