* Ways to manage multiple passwords

How do your users handle so many passwords? Badly, I’m sure.

I recall one poor, overworked system administrator whom I met on a security assessment of a large corporation some years ago; he sheepishly admitted that he had 15 administrator passwords – and kept them written in plaintext on a piece of cardboard in his wallet. One of the oldest social engineering tricks around is for a criminal hacker to make a sys admin drunk or sleepy and rifle through his or her belongings in a search for such a list. It’s known as a bingo card because finding it makes the hacker say, “Bingo!”

Some users store their passwords in files. Putting passwords in an unencrypted, unprotected file is little better than writing them on cardboard, and so people have been turning to a more sophisticated approach: using special password storage programs that provide encryption and access controls. When a user visits a Web site, the password utility fills in the right user ID and password; some products go further and fill in names, addresses and even credit-card numbers.

Examples include:

* Advanced Password Manager
  https://www.rayslab.com/password_manager/password_manager.html
* Internet Explorer’s own AutoComplete and Profile Assistant functions
  To manage these functions in IE v6, use Tools | Internet Options | Content
* KeyPass from Dobysoft
  https://www.dobysoft.com/products/keypass/
* LoginWallet for Macintosh
  https://www.public.asu.edu/~cjfoste/LoginWallet/
* My Password Manager 0.1 for Mac and Unix
  https://freshmeat.net/projects/mpm/?branch_id=52458&release_id=169763
* Norton Password Manager (part of the Norton SystemWorks suite)
  https://www.symantec.com/passwordmanager/
* Opera browser’s own Wand function
  To manage this function in Opera v7, use Tools | Preferences | Security | Manager Wand passwords
* PasswordLock
  https://www.internetpeace.com/pwlman/password_wallet.htm
* Password Manager XP
  https://www.cp-lab.com/
* Password Wallet from InfoCard
  https://www.winsite.com/bin/Info?4000000037217
* Password Wallet from TigerSoft
  https://www.inet.hr/tigersoft/pwallet.htm
* PasswordWallet for PalmOS and for Macintosh
  https://www.selznick.com/products/passwordwallet/
* RoboForm
  https://www.roboform.com/

Naturally, with all this ultra-sensitive information in a single location, the password file is a tempting target for attackers.

Lark Allen is executive vice president of Wave Systems. He recently wrote to me about protecting centralized password files using hardware controls. The following is an edited version of Allen’s comments:

* * *

Although existing systems use software security to protect logon information, we know that security breaches involving software vulnerabilities are a constant worry. To respond to this class of vulnerabilities, the Trusted Computing Group (TCG) has developed new security hardware specifications. A Trusted Platform Module (TPM) is a hardware security chip based on open industry specifications developed by the TCG. The TPM provides important new security functions such as:

* Secure storage – A place to protect secrets in hardware, including encryption keys for data and credentials for users and platforms.
* Authentication – The ability to determine that a user or a platform really is who they claim to be.
* Binding data to a platform – Assuring that sensitive information cannot be moved to other platforms without permission.
* Platform trustworthiness measurement – Determining whether a PC can be trusted or has been compromised.

A TPM is currently being shipped in some PCs from Fujitsu, HP, IBM and Intel. Many companies are working on applications that take advantage of the hardware security of the TPM. Wave Systems’ Private Information Manager (PIM) is the first TPM-protected wallet for managing personal information, including identities and passwords. The PIM wallet uses the TPM hardware to protect the keys for encrypting the sensitive information held in the wallet. In addition, the TPM is used to authenticate the user as part of the wallet’s access controls. Strong multifactor authentication, including the use of a biometric fingerprint, with or without an associated password, can be specified and applied to individual wallets for different people.

Some attacks install a keystroke logger on the user’s PC to collect passwords, PINs, and other personal information as users enter their account and password data. Wave’s PIM wallet does not allow the login information being automatically filled in for the user to be captured by keystroke-loggers.

The TCG is continuing its work to improve security on cell phones, personal digital assistants, peripherals, and other devices.

Trusted computing should not only increase protection of user information but also simplify the user’s life in dealing with the new electronic world.

* * *

As a matter of record, I have no financial interest whatever in any of the products or companies mentioned in this article. Inclusion of a product does not imply endorsement or recommendation; exclusion does not imply criticism. – Mich