Interest in a Lockbox
-Type Utility"> Enterprise and consumer interest in a lockbox-type utility for encrypted password storage have risen in recent years as the surge in e-commerce and online banking means that computer users have to keep track of dozens of passwords. According to Schneiers PasswordSafe documentation, users normally write their passwords on pieces of paper, leaving accounts vulnerable to thieves or internal snoops.PasswordSafe uses the popular Blowfish encryption algorithm and appeals to users with a simple, user-friendly interface. As an open-source utility, Shapiro said the tool can be trusted to provide a high level of security, but he warned against users expecting more than just a small, simple program "designed to do one thing, and one thing only." "Im really loath to add features unless the feature benefits a wide audience [or] the additional user interface is minimal, preferably none," he said. "Its a stable, mature product that uses proven, published encryption algorithms." Read more here about the potential costs and lost productivity tied to password-management tasks. For years, security experts have warned against writing down passwords or storing them in computer files that can be easily discovered. However, just recently, that guidance was tossed aside by a senior Microsoft Corp. executive, who recommended that writing down passwords was the best way to manage and remember multiple account information. Matt Luallen, president of security consulting firm Sph3r3 LLC, criticized the Microsoft executives position, arguing that more than 50 percent of all password theft incidents came from internal snoops. "Its a big problem, and I always tell my clients to use a tool like PasswordSafe to encrypt and store passwords," he said in an interview. To read more about open-source security tools, click here. Luallen, who recommends the use of open-source security tools for businesses, said his audits have shown a widespread weakness in the way passwords are protected, particularly among employees. "You have people storing passwords in cell phone contact lists or in an Outlook file. Ive seen instances of passwords saved in a file on the desktop and named passwords.txt If you lose that cell phone or leave your computer unattended, you are basically giving away your passwords," he added. He warned that usernames and passwords stuck to computer monitors also presented risks because thats the "likeliest place for an internal snoop to look." The U.S. CERT (Computer Emergency Readiness Team) has published guidance for choosing and protecting passwords and also warns against scribbling passwords on pieces of paper. "Writing it down and leaving it in your desk, next to your computer, or, worse, taped to your computer, is just making it easy for someone who has physical access to your office. Dont tell anyone your passwords, and watch for attackers trying to trick you through phone calls or e-mail messages requesting that you reveal your passwords," reads a U.S. CERT cyber-security tip. When choosing a password, the center offers the following advice:
Dont use passwords that are based on personal information that can be easily accessed or guessed.
Dont use words that can be found in any dictionary of any language.
Develop a mnemonic for remembering complex passwords and use both lowercase and capital letters.
Use a combination of letters, numbers, and special characters, and use different passwords on different systems.
Separate tips are also available for supplementing passwords with additional layers of protection, including two-factor authentication tools and personal Web certificates.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
In some cases, users work around the confusion by choosing the same password for different applications, which presents a bigger risk if that password gets hijacked.