Passwords have become ubiquitous with the extensive shift towards computerisation. Although they are the gateway to the Web, they are also the Achilles' heel of any service. With the rise of computer viruses, man-in-the-middle attacks and SQL injection vulnerabilities, a strong, secure password is a foregone conclusion. It is human tendency to recycle passwords. If one service is compromised, the attacker has every reason to try the same password across the most popular websites. Password cracking is proving to be a lucrative business for underground crime syndicates.
Most online services store passwords as cryptographically secured, salted hashes, but this is not foolproof. Think of the hash as a wrapper that protects the plain text. It is difficult but not impossible to break these hashes. Even if a well-designed algorithm can eventually be broken, the idea is to limit your exposure across the Internet.
Ideally, the way out would be to have a different password for each service, with a mix of upper and lower case letters, symbols and numerals. However, creating such a password each time one is needed, and recalling it later, is a logistical nightmare. Browser- and desktop-based tools have evolved from this need.
1Password from Agilent is a unique desktop solution that archives your passwords under the secure wrap of a master password. It comes with a handy browser extension that fills in passwords automatically. It also acts as a repository for your credit card details, which can be filled in on banking sites.
There are two main reasons why this author recommends it as part of his workflow. First, 1Password generates an HTML file that is a direct replica of the main application. This small file can be saved in Dropbox, which syncs it automatically and keeps it up to date. Alternatively, you can keep a copy on a USB drive. The HTML file can be opened with any standards-compliant browser using your master password. The passwords are not revealed in plain text but can be copied to the clipboard, which is cleared after 90 seconds. This scenario works best for the author at his workplace because he has a unique password for every website.
The second feature that this author has come to rely on is the password generator. Fastmail offers an alternative log-in: a random 6-digit number generated by Authomator, an authentication application on the Q10, is appended to the password generated by the application. This is the method of two-factor authentication used at the author's workplace. Even if the password is captured, it is useless because the 6-digit random number changes every 10 seconds.
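As an added example, not code from the author or from 1Password, here is what the service side of the two checks described above looks like: the salted, iterated password hash from the earlier paragraph and the appended 6-digit code from this one. It assumes the code is produced HOTP/TOTP-style from a shared secret with the 10-second step the author describes (the generation method is an assumption, not a description of Authomator); hash_password, totp_code, verify_login and the sample password are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import struct
import time
from typing import Optional, Tuple

# Assumption: 6-digit code, 10-second step, as the author describes the scheme.
STEP_SECONDS = 10
DIGITS = 6


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash: the service stores (salt, digest), never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def totp_code(secret: bytes, now: float) -> str:
    """HMAC over the current time step, truncated to DIGITS decimal digits (RFC 4226 style)."""
    counter = int(now // STEP_SECONDS)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def verify_login(submitted: str, salt: bytes, stored: bytes, secret: bytes, now: float) -> bool:
    """Accept '<password><6-digit code>': the salted hash must match and the code must be
    valid for the current step or the one just before it (small clock-skew tolerance)."""
    if len(submitted) <= DIGITS or not submitted[-DIGITS:].isdigit():
        return False
    password, code = submitted[:-DIGITS], submitted[-DIGITS:]
    _, digest = hash_password(password, salt)
    password_ok = hmac.compare_digest(digest, stored)
    code_ok = any(hmac.compare_digest(code, totp_code(secret, now - k * STEP_SECONDS))
                  for k in (0, 1))
    return password_ok and code_ok  # both checks always run; a single failure reveals nothing


if __name__ == "__main__":
    salt, stored = hash_password("correct horse battery staple")  # constructed sample password
    secret = secrets.token_bytes(20)                                # constructed shared secret
    now = time.time()
    print(verify_login("correct horse battery staple" + totp_code(secret, now), salt, stored, secret, now))
    print(verify_login("correct horse battery staple" + totp_code(secret, now - 60), salt, stored, secret, now))
```

The second call fails because a captured code from a minute earlier no longer matches, which is the property the author relies on.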
Since your password is unique for each website, exposure is limited in the event of a website's database being compromised. LastPass is a comparable product, but this author was put off by the slipshod quality of its user interface. In addition, LastPass has to be installed in every browser, making it laborious and clunky. LastPass has also been hacked in the recent past, although the full extent of the damage was never revealed. It is not clear whether they reported the attack out of compliance with corporate responsibility. Nevertheless, it is a gentle reminder that reliance on cloud services is fraught with danger.
In fact, LastPass is a sitting duck for a major hack, with its treasure trove of passwords susceptible to internal or external sabotage. This author never relies on his crucial data being shipped off his laptop. There are multiple redundant methods of taking a local backup.
This approach of 1Password fits in with the author's workflow. The developers, in addition to their security focus, have also worked hard on its visual appeal. Extensive tutorials are available on their secure website (HTTPS is on by default).
A 30-day trial of this paid software is available. Although the initial sticker price of $49 is steep, it represents value for money. Customer care is excellent, with employees actively present on the forums. This author had specifically requested licence keys in order to evaluate the product completely for the purpose of this review, and the request was duly complied with. However, the company has in no manner whatsoever influenced the manuscript.
Apart from software tools, this author is also keen to explore the YubiKey from Yubico as a means of physical security. They manufacture unique USB devices that function as a USB keyboard (which ensures cross-platform applicability). In the password field, the user simply sends a unique code, which is authenticated, in encrypted form, with a central server. However, that is the subject of a future exploratory write-up.
The writer is a practising doctor with a keen interest in technology.