Network World

Alan Shimel

Open Source Friday Focus: Password Safe

Forget zero day attacks, the most common vector for security incidents are weak passwords or poor password management. Don't be the next headline, secure your passwords now!

By Alan Shimel on Fri, 02/26/10 - 12:23pm.

How many different passwords do you manage? The correct answer is: too many. The problem is, how can you possibly remember all of those different passwords? You don't have to. One option is to use a password manager like Password Safe, this week's Open Source Friday Focus pick.

Of course, you could choose not to use a password manager. Instead you could just pick one or two passwords and use them over and over again. You could pick one that is really easy like 123456, you could write your passwords on a yellow sticky note on the side of your monitor (with CRT monitors going out of style, you don't see that as much with flat screens), or keep them in your top drawer. But doing any of those things is a recipe for disaster! Believe me, it happened to me.

Since my ashimmy.com blog was hacked a few years back and much of my personal information was stolen, I have been a huge advocate of password managers. At this point I never use the same password twice. I don't even know my passwords without looking them up; they get filled in automatically for me on web sites without any keystrokes (in case of keystroke loggers), and all of my passwords are randomly generated with special characters, letters, numerals and capitals. In the security business we call that a strong password.

How can you achieve such password nirvana? Simple: get a password manager. I have tried several over the past few years, and I still use several today. This week I wanted to talk about one called Password Safe.

Password Safe is an open source solution under an OSI-approved Artistic License. The bad news is that it runs on Windows only. However, there have been ports of it to Linux, and there is a mobile version from another related project.

The good news is that if you are a Windows user, it is a snap to use. You download and install the application. It then asks you to set up a database file, which it calls "the safe". This file is encrypted, and all of your passwords go in there. You only have to remember the one master password to open it. Don't write the master password on a sticky note or use 123456 for it; that kind of defeats the purpose.

You can then enter the URL, username and password for the sites you visit. After that, all you have to do is copy and paste them the next time you have to log in. There is also an Auto Type feature which will automatically fill the information in on web sites and forms.
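To make the idea of "one master password guarding an encrypted safe of generated passwords" concrete, here is an added illustration in Python using only the standard library. It is not Password Safe's own code or file format; the entry layout, the PBKDF2 iteration count and the HMAC-SHA256 counter-mode cipher are choices made for this toy example.

```python
import hashlib, hmac, json, os, secrets, string

# Toy safe: a JSON list of entries sealed under a key derived from one master
# password. Illustrative only; NOT Password Safe's real file format.

def generate_password(length=16):
    """Random password containing lower, upper, digit and symbol characters."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw

def _keys(master, salt, iterations=200_000):
    # Slow KDF so guessing the master password is expensive; the 64-byte
    # output is split into an encryption key and a separate MAC key.
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=64)
    return km[:32], km[32:]

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode used as a stdlib-only stream cipher.
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(entries, master):
    """Encrypt-then-MAC the entry list; returns salt||nonce||ciphertext||tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(master, salt)
    plain = json.dumps(entries).encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, nonce, len(plain))))
    tag = hmac.new(mac_key, salt + nonce + cipher, hashlib.sha256).digest()
    return salt + nonce + cipher + tag

def open_safe(blob, master):
    """Verify the tag first, then decrypt; a wrong master password or a
    tampered blob raises ValueError instead of returning garbage."""
    salt, nonce, cipher, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(master, salt)
    expect = hmac.new(mac_key, salt + nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong master password or tampered safe")
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(enc_key, nonce, len(cipher))))
    return json.loads(plain)

if __name__ == "__main__":
    vault = [{"url": "https://example.com", "user": "alice", "password": generate_password()}]
    blob = seal(vault, "correct horse battery staple")   # constructed master password
    print(open_safe(blob, "correct horse battery staple"))
```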

If you are a Windows user, there is no excuse not to use a password manager like Password Safe. There are plenty of options for Mac too; 1Password and RoboForm are two. RoboForm also works on Windows and mobile devices. I have also started using LastPass for Google Chrome and other browsers. While not all of these are open source, most are inexpensive or even free.

Some may even be easier to use than Password Safe. Another good thing about Password Safe, though, is that the database of passwords is encrypted. Keeping your password list in a .txt file is not very secure either.

One consideration is whether you want to store just web passwords or the other passwords you use as well. If you need to store other passwords, make sure the product has that capability.

Password Safe will cover all of the basics and is a great choice. You could use others, but no matter what: START USING A PASSWORD MANAGER!

Here is a video tutorial of Password Safe. I could not get the audio to work, but that could have been my fault.



Rony's Password Safe video tutorial at downloadtube.com

Open Source Friday Focus is a weekly post that is part of Alan's Open Source Fact and Fiction blog. You can subscribe to a feed just for Friday Focus by clicking the keyword "open source Friday Focus".


About Open Source Fact and Fiction

As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from a startup to helping defend some of the largest and most sensitive networks in the world.

Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group’s security.exe blog and podcast.

Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.

Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.
