Safe to store passwords online? – PasswordSafe.com

The concept is not unique, but the marketing on the site certainly is. PasswordSafe.com offers to secure memos and passwords over SSL encryption on your desktop or online. The problem is that the security of the service is questionable, and even the marketing team agrees. So if you want to store your ever-growing list of passwords, what should you do?

“PasswordSafe.com has been your secure personal assistant username / password manager since 1998. All connections are encrypted, all data is stored encrypted and backed up every 4 hours,” the website states.

The statement is innocent, and something you would expect to see on a website of this nature, but the aspect of the site that stands out is the non-SSL login area on the main page. In fact, trying https://www.passwordsafe.com in the browser forwards you to the non-secured portal. Reading the source code for the form, you can see that it posts to https://www.passwordsafe.com/secure. Some testing with Wireshark confirmed that the connection is encrypted the moment you submit the form; no cleartext was found in any of the capture tests.
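The check described above (is the login form itself delivered over SSL, and does it post to an SSL endpoint?) can be scripted so it is not left to reading view-source by hand. The following is an added example, not code from the original article or from PasswordSafe.com; the page URL and HTML it parses are constructed for the example and are not the real site's markup. It reports two different problems separately: a form whose action is plain HTTP would send the credentials in the clear, while an HTTPS action on a page that is itself served over HTTP still leaves the form open to being altered before the user sees it.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a page served over plain HTTP whose login form posts to an
# HTTPS endpoint. The hostname and markup are invented for this example.
SAMPLE_PAGE_URL = "http://www.example-pwsafe.test/"
SAMPLE_HTML = """
<html><body>
<form action="https://www.example-pwsafe.test/secure" method="post">
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Login">
</form>
<form action="/search" method="get">
  <input type="text" name="q">
</form>
</body></html>
"""


class _FormCollector(HTMLParser):
    """Collects every <form>, its resolved action URL, and whether it has a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # list of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # Resolve relative actions against the page URL so the scheme is known.
            action = attrs.get("action") or ""
            self._current = {"action": urljoin(self.page_url, action), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html_text):
    """Return (finding, action_url) pairs for every form that carries a password field.

    "action_not_https"       -> credentials would travel in cleartext on submit.
    "form_served_over_http"  -> the submit target is HTTPS, but the page delivering the
                                form is not, so the form could be tampered with in transit.
    """
    parser = _FormCollector(page_url)
    parser.feed(html_text)
    page_scheme = urlparse(page_url).scheme
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action_scheme = urlparse(form["action"]).scheme
        if action_scheme != "https":
            findings.append(("action_not_https", form["action"]))
        elif page_scheme != "https":
            findings.append(("form_served_over_http", form["action"]))
    return findings


if __name__ == "__main__":
    for kind, action in audit_login_forms(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{kind}: {action}")
```

Run against the constructed sample it reports `form_served_over_http` for the login form and nothing for the search form, which has no password field; the same HTML served from an https:// page URL produces no findings.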

Can you trust this site? “As we mentioned, pretty much every function is automated, no-one here ever sees your information as it’s all taken care of by the programs and encrypted into the database. Again, we’ll remind you, we do not recommend you store sensitive information at PasswordSafe. In house, we’ve used this service for many sites, banner programs, affiliate programs, free email services and much more,” the PasswordSafe FAQ reads.

Therefore, if you want to store non-essential passwords, can you use this service? Sure. However, you are still left needing to store your essential passwords, which means two separate places of storage, right? So how can you store both online?

[Edit: After this went live, it was discovered there are XSS flaws on www.passwordsafe.com. It is not wise to use this service for anything, even throwaway passwords. -Steve (http://seclists.org/fulldisclosure/2008/May/0084.html)]

Most security experts will agree on this: it isn’t wise to store your passwords online. There are just too many risks these days. Likewise, some will say write them down and keep them safe, but this too is risky. In short, nothing will completely remove the stress of personal password management.

One expert who will endorse writing passwords down is Bruce Schneier. In fact, Mr. Schneier’s blog led to this article centering on PasswordSafe.com. The name stood out because PasswordSafe is a nifty tool for password management written by Bruce himself. (http://passwordsafe.sourceforge.net)

If you keep a master list of passwords, which you shouldn’t, but it happens, then a tool like Schneier’s would help you manage the password list and offer security. His version of Password Safe offers indexing of passwords by category, location, or ID. You only need to remember one password, and with that, you can unlock the stored list on your computer.

This type of list protection can be obtained with things like SecureZip, PGP, or any other type of document encryption. If you simply must store a list of passwords, then protect it. Each of the programs listed is simple to use and in most cases reliable even for business needs.

There are also the password management options included in Firefox and Internet Explorer to consider. While some scoff at the idea, these offerings essentially provide the same functionality that most online storage houses offer (including, for the most part, PasswordSafe.com), and are often recommended for “banner programs, affiliate programs, free email services.”

Symantec and other security vendors are building password storage into their security suites. These suites offer the same features, if not more, as Schneier’s PasswordSafe, but at a much higher cost. (His is free.) Hardware solutions are also an option for managing passwords, such as UPEK’s biometric hardware. Most biometric devices offer the ability to manage passwords, and Tech Herald recently reviewed UPEK’s Eikon.

The catch in password management that most people – even IT administrators – fall victim to is using passwords that are too weak or easy to guess; that, or the passwords are recycled: the same one used for all of the company servers, or for all of the websites a person uses online. This habit is hard to break, but for solid password management, it needs to happen.

Here are some tips for passwords:
No fewer than eight (8) characters, including at least three of the following: A-Z, a-z, 0-9, and special characters such as &, @, ^, or #.

Bad Example: Mary101278
Decent Example: Mary^&*iK9oL
Great Example: Lo*&u^yh%t

In the first two examples, Mary was still using her name. In the final example, a pattern was used, but the pattern is random and known only to the user.
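The rule above (at least eight characters, at least three of the four character classes) is easy to turn into a check, and the article's own point about the "Mary" examples shows why the rule alone is not enough: a password can satisfy it and still contain the user's name. The following is an added example, not code from the original article; the list of names it screens against is constructed for the example and a real deployment would use a much larger name and word list.

```python
import string

# Constructed name list for the example; a real check would load a large word list.
KNOWN_NAMES = {"mary", "john", "alice", "bob"}

MIN_LENGTH = 8      # the article's "no fewer than eight characters"
MIN_CLASSES = 3     # "at least three of" upper, lower, digit, special


def character_classes(password):
    """Return the set of character classes present: 'upper', 'lower', 'digit', 'special'."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            # Anything else (punctuation, symbols) counts as a special character.
            classes.add("special")
    return classes


def contains_known_name(password):
    """True if any name from KNOWN_NAMES appears in the password, case-insensitively."""
    lowered = password.lower()
    return any(name in lowered for name in KNOWN_NAMES)


def check_password(password):
    """Apply the article's complexity rule and report each part of the result separately."""
    classes = character_classes(password)
    return {
        "length_ok": len(password) >= MIN_LENGTH,
        "classes": sorted(classes),
        "classes_ok": len(classes) >= MIN_CLASSES,
        # Not part of the rule itself, but the reason the article calls "Mary101278" bad.
        "contains_name": contains_known_name(password),
    }


def meets_rule(password):
    """True when the password satisfies the length and character-class rule alone."""
    report = check_password(password)
    return report["length_ok"] and report["classes_ok"]


if __name__ == "__main__":
    # The article's three examples: all pass the rule, the first two still contain a name.
    for pw in ["Mary101278", "Mary^&*iK9oL", "Lo*&u^yh%t"]:
        print(pw, check_password(pw))
```

Running it on the article's three examples shows that all three satisfy the eight-character, three-class rule; what separates the "bad" example from the "great" one is the `contains_name` flag, not the complexity count.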

To address the recycled password issue, you could use three to four random passwords for sites depending on their type. Then, for banking or sensitive information, use a completely different pattern. Use this pattern only once, and only in one place. Remember to change your password once every 30-60 days. Use Outlook’s calendar feature (or a similar application) to set yourself a reminder to change your password. Never use the same password more than three times. (When you rotate passwords every 30-60 days, it does you no good to change back to the original password 90 days later.)
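The two rotation rules above (change every 30-60 days, never reuse the same password more than three times) are the kind of thing a password history can enforce, and it can do so without keeping the passwords themselves. The following is an added example, not code from the original article or from any of the tools it names; the 30-day reminder interval is an assumption taken from the lower end of the article's window, and the history is held in memory rather than on disk.

```python
import hashlib
import os
from datetime import date, timedelta

MAX_USES_PER_PASSWORD = 3   # the article's "never use the same password more than three times"
ROTATION_DAYS = 30          # assumption: lower end of the article's 30-60 day window


def _digest(password, salt):
    """PBKDF2-HMAC-SHA256 of the password so the history never holds it in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Counts how many times each password has been set and tracks the next rotation date."""

    def __init__(self, salt=None):
        self.salt = salt if salt is not None else os.urandom(16)
        self.uses = {}           # digest -> number of times that password was set
        self.last_change = None  # date of the most recent change

    def times_used(self, password):
        return self.uses.get(_digest(password, self.salt), 0)

    def can_set(self, password):
        """False once the password has already been used the maximum number of times."""
        return self.times_used(password) < MAX_USES_PER_PASSWORD

    def set_password(self, password, today_iso):
        """Record a change on the given ISO date; returns False and records nothing if over the limit."""
        if not self.can_set(password):
            return False
        d = _digest(password, self.salt)
        self.uses[d] = self.uses.get(d, 0) + 1
        self.last_change = date.fromisoformat(today_iso)
        return True

    def next_rotation(self):
        """ISO date on which the reminder should fire, or None before any password is set."""
        if self.last_change is None:
            return None
        return (self.last_change + timedelta(days=ROTATION_DAYS)).isoformat()

    def rotation_due(self, today_iso):
        return self.last_change is not None and today_iso >= self.next_rotation()


if __name__ == "__main__":
    history = PasswordHistory()
    history.set_password("Lo*&u^yh%t", "2008-05-01")
    print("next rotation:", history.next_rotation())
    print("due on 2008-05-31:", history.rotation_due("2008-05-31"))
```

Rotating back to a password the history has already seen three times is refused, which is exactly the "change back to the original password 90 days later" mistake the article warns about; comparing ISO date strings works for the due check because they sort the same as the dates they represent.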
