Encrypted Lockbox Aims to Clean Up Password Clutter

By Ryan Naraine  |  Posted 2005-06-16

Encrypted Lockbox Aims to Clean Up Password Clutter

Bruce Schneiers PasswordSafe lockbox, which provides a free utility for users to encrypt and manage multiple passwords on a computer, is ready for a new phase of open-source development.

The celebrated cryptographer, who is credited with designing or co-designing several widely used encryption algorithms, announced the release of Version 2.1 of the database utility as a full-fledged open-source project at SourceForge.

In a blog entry, Schneier said the project is now being managed by Rony Shapiro, a British programmer specializing in network security.

Schneier, who is founder and chief technology officer of Counterpane Internet Security Inc., said the tool is perfect for Web users who struggle to remember all their usernames and passwords.

"I have long advocated writing them all down on a piece of paper and putting it in your wallet, [but] I designed PasswordSafe as another solution," he explained.

He said the tool offers "security through simplicity" by encrypting all of a users passwords using a single passphrase.

Click here to read more insight from columnist Larry Seltzer about biometrics and password management.

"The program is easy to use, and isnt bogged down by lots of unnecessary features," Schneier said.

In an e-mail interview with Ziff Davis Internet News, PasswordSafe administrator Shapiro said the new version has been fitted with several new features and bug fixes, adding that work has started to port Password Safe 2.x to the Pocket PC platform.

"I took over the project because I wanted to make changes to PasswordSafe for my own use, basically to introduce the [new] tree view and to allow users to organize entries by categories," Shapiro said of his interest in the project.

"I was curious about the open-source development process, and wanted to see how it actually worked. My expectations for both these goals have been more that met," he added.

Shapiro said he is actively trying to recruit a programmer to maintain the Pocket PC version, which has languished for a while.

"More than one programmer has offered to revive the work on the PPC version, but Ive yet to see any tangible results," he said.

Next Page: Interest in a lockbox-type utility.

Interest in a Lockbox

-Type Utility">

Enterprise and consumer interest in a lockbox-type utility for encrypted password storage have risen in recent years as the surge in e-commerce and online banking means that computer users have to keep track of dozens of passwords.

According to Schneiers PasswordSafe documentation, users normally write their passwords on pieces of paper, leaving accounts vulnerable to thieves or internal snoops.

In some cases, users work around the confusion by choosing the same password for different applications, which presents a bigger risk if that password gets hijacked.

PasswordSafe uses the popular Blowfish encryption algorithm and appeals to users with a simple, user-friendly interface.

As an open-source utility, Shapiro said the tool can be trusted to provide a high level of security, but he warned against users expecting more than just a small, simple program "designed to do one thing, and one thing only."

"Im really loath to add features unless the feature benefits a wide audience [or] the additional user interface is minimal, preferably none," he said. "Its a stable, mature product that uses proven, published encryption algorithms."

Read more here about the potential costs and lost productivity tied to password-management tasks.

For years, security experts have warned against writing down passwords or storing them in computer files that can be easily discovered.

However, just recently, that guidance was tossed aside by a senior Microsoft Corp. executive, who recommended that writing down passwords was the best way to manage and remember multiple account information.

Matt Luallen, president of security consulting firm Sph3r3 LLC, criticized the Microsoft executives position, arguing that more than 50 percent of all password theft incidents came from internal snoops.

"Its a big problem, and I always tell my clients to use a tool like PasswordSafe to encrypt and store passwords," he said in an interview.

To read more about open-source security tools, click here.

Luallen, who recommends the use of open-source security tools for businesses, said his audits have shown a widespread weakness in the way passwords are protected, particularly among employees.

"You have people storing passwords in cell phone contact lists or in an Outlook file. Ive seen instances of passwords saved in a file on the desktop and named passwords.txt…If you lose that cell phone or leave your computer unattended, you are basically giving away your passwords," he added.

He warned that usernames and passwords stuck to computer monitors also presented risks because thats the "likeliest place for an internal snoop to look."

The U.S. CERT (Computer Emergency Readiness Team) has published guidance for choosing and protecting passwords and also warns against scribbling passwords on pieces of paper.

"Writing it down and leaving it in your desk, next to your computer, or, worse, taped to your computer, is just making it easy for someone who has physical access to your office. Dont tell anyone your passwords, and watch for attackers trying to trick you through phone calls or e-mail messages requesting that you reveal your passwords," reads a U.S. CERT cyber-security tip.

When choosing a password, the center offers the following advice:

  • Dont use passwords that are based on personal information that can be easily accessed or guessed.
  • Dont use words that can be found in any dictionary of any language.
  • Develop a mnemonic for remembering complex passwords and use both lowercase and capital letters.
  • Use a combination of letters, numbers, and special characters, and use different passwords on different systems.
  • Separate tips are also available for supplementing passwords with additional layers of protection, including two-factor authentication tools and personal Web certificates.

    Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

    Rocket Fuel