I think we all appreciate that we have lots of passwords to remember, especially if you're working in the IT industry. Now a lot of us have good methods for mentally storing the various passwords, however it's still not uncommon to see a Post-It on the monitor, stuck under the keyboard, or even a big white sticker stuck directly on the front of a laptop.
Many years ago when I worked in a small office, I had a phone call from a user explaining how his password had gone. He hadn't forgotten it, it had gone. This didn't make any sense, so I went to see him. It turned out his password was the serial number of a nearby fire extinguisher, and this had recently been replaced and moved elsewhere in the building. Creative thinking, but a little bit flawed.
In many organisations passwords are still the key to gaining access to the system. This may cover one or more of the following: encryption passwords, network logon, mail access, bank information and more. So it's clear passwords are important, and not something we should be sharing and advertising to every passer-by. So aside from continuing user awareness of their importance, what other solutions could be considered?
Well, one option is a Password Manager. Essentially a password manager is an application, add-on or device that can store all your passwords in a secure encrypted format, which you protect with a single complex passphrase. With this in mind I have had a little look at some of the offerings available, both open source and commercial, to provide a single place to start you on your search for the right solution for you and your company.
Firefox Password Manager
So we could consider this as putting all your eggs in one basket, but it's possibly better than using Post-It notes or a plain text file to store all your passwords. Granted, there is always the possibility of a browser exploit leading to a vulnerability that could gain access, so keep this in mind too. If you do use the Firefox Password Manager, ensure that you set a strong master password. I am not sure specifically how the passwords are stored, but at least it will require you to enter a password before the stored passwords are available, so not just anyone using your machine would have access.
Access Manager is a great free password management tool. Your passwords are safely encrypted with AES and Blowfish, the tool has a simple and easy-to-use interface, and like most of these applications you can install it onto removable media. A nice little function of this tool is the Password Selector: some security-conscious websites ask for particular letters or numbers from your password when logging on, and the Password Selector makes this easy for you.
The KeePass Password Safe is probably my favorite application (aside from my IronKey) for storing passwords. KeePass secures your passwords with AES and Twofish encryption, it has what I think is a simple, easy-to-use interface, oh, and it's free too. It doesn't need to be installed on your system, so you can easily run it from a thumb drive or other removable storage, and it also has a neat password generator. There are versions for Windows, Mac and Linux, so there should be something for everyone.
Keeper Password and Data Vault is not a free tool, but there is a demo available before parting with your precious $15. I have heard good things about this product from others in the InfoSec community, but I have not used it myself. One advantage is that it works on the Mac, and for those with an iPhone you can sync your passwords, so that could be handy.
I appreciate not everyone has an IronKey (not cheap, but awesome), but if you do you may want to consider using the inbuilt password manager and password generator. The IronKey uses AES like the other offerings, but it also brings the advantages of the rest of the IronKey package, specifically the hardware encryption.
I am sure there are many more solutions, but I think this gives you a little insight into what's available, so you can do your own research on these products as well as digging deeper into other applications and options for securing your precious passwords.
A little tip though: use a strong passphrase you won't forget, because if you do, you won't be getting easy access to your passwords. So don't put it on a sticky on your screen. If you really do need to write it down, secure the paper somewhere safe and totally separate from your IT equipment, and don't make it obvious what it's for... perhaps get a safe.