Blog: password

Password vaults offer a lot of benefits by allowing you to set long, complex passwords, and only requiring you to remember a single master password. However, the biggest drawback with using password vaults is that if the vault is breached (as we've seen happen recently), then all of your passwords are at risk of compromise.  

What if there was a way to use a password vault and protect your passwords from these breaches? Well, there is! Let's take a look. 

Mitigating the Biggest Risk of Password Vaults 

The way to mitigate the risk of password vault compromise is to keep a piece of each password outside your vault. You can do this by adding a word (or even a single letter) to the end of each stored password. The vault then holds a long, complex password, and the extra word or letter that you append at login time, which is never stored in the vault, makes that password that much more secure.  

Example 

So, let's say you are using the password "Spring2024!" (I know – not a very strong password) and you have it stored in your password vault. What you can do is change your password and add something extra to the end. For example, let's use the word "safe". When you update the password, you change it to "Spring2024!safe".  

Make sure you do not save this updated password in your vault. So, your new password is "Spring2024!safe", but your password vault still just has "Spring2024!" stored. That way, even if your entire password vault is compromised, the bad guys would not get your actual password. 

For each of your passwords, you can use this same keyword added to all of them. Each of your passwords is still unique and is saved in your password vault, but using the same keyword added on to each password is much easier to remember. Think of it like a password for your password! 

Adding an extra keyword to your passwords does add an extra step for each login, so it is less convenient. But it provides a simple mitigating step against the biggest risk of using a password vault. Think about the trade-off between security and convenience to decide if this suggestion will work for you. 

Additional Security Tips for Password Vaults 

Set an extremely long and complex master password 

Since your passwords are in a centralized place, it is vital to secure that place from unauthorized access. Some password vaults derive their encryption key from the master password, so creating a stronger one strengthens the security of the vault. 

Enable multi-factor authentication to access your password vault 

This further protects your vault from unauthorized access. Even if someone had your master password and tried to log in to the vault, it would be much more difficult for them to get in if you had an additional factor set up.  

Use the password generator functionality to set strong, unique passwords 

This function uses randomly generated characters to create your password, which makes each individual password much harder to crack. Having unique passwords means that if one site is compromised, an attacker couldn't use the same password to log in to any of your other accounts.  

Use the strongest encryption option available 

Many password vaults have multiple settings for the vault's encryption level. Double-check these settings and update them to the highest option, if it is not already selected. 

Conclusion 

Password vaults are not perfect, but they can be more secure when you take a few simple steps. Use these tips and techniques to make sure your password vaults (and more importantly, the passwords they store) are protected. 

If you'd like to take your systems' security to the next level, check out CoNetrix Security. With audits, penetration tests, and vulnerability assessments, CoNetrix Security can help you make sure your systems are secure. Learn more at CoNetrix.com/Security


 

I was helping out with a customer’s Active Directory migration, and a different IT support group used a profile migration tool to help “ease” the transition between domains. But soon after, the users started complaining that IE was not allowing them to save passwords. They would get prompted to store the credentials for a website and click yes, but as soon as they closed and reopened IE their stored credentials would disappear. Our suspicion was that the profile migration tool had corrupted the credential store in the registry.

I started a remote session with one of the users, checked the IE password store in the registry (HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2), and saw several of the user’s old entries. In order to allow the user to store passwords again, I had to delete this registry key, reopen IE, and save credentials for a website. Once I clicked “yes” to the prompt to save credentials, the registry key was automatically recreated and the credentials got stored.


 

A review of more than 200,000 4-digit PINs used on mobile phones revealed the following as the most common (in order):

  1. 1234 (used by more than 4% of the sample group)
  2. 0000
  3. 2580 (straight down the middle of the keypad)
  4. 1111
  5. 5555
  6. 5683 (spells LOVE)
  7. 0852 (straight up the middle of the keypad)
  8. 2222
  9. 1212
  10. 1998

The 10 most frequently used PINs represent more than 14% of the total sampled. Thus, with this distribution of PINs, you have a 1 in 7 chance of guessing the correct one in 10 tries.

Years are always popular when coming up with a 4-digit PIN (see number 10 above). So a birth year, graduation year, etc. would also be a good guess if these are known.

Regardless, it's a very good idea to recommend people NOT use these particular PINs (at least the first 9 plus predictable years).
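A small policy checker for the recommendation above, written for this post and not part of the original: it flags the post's top-10 PINs, repeated and sequential digits, straight lines on a standard phone keypad (2580 / 0852), and anything that looks like a year, with the year window (1900 to 2030) being an assumption of this example.

```python
import re
from typing import List, Tuple

# The ten most common PINs from the post, most frequent first.
TOP_10_PINS = ["1234", "0000", "2580", "1111", "5555",
               "5683", "0852", "2222", "1212", "1998"]

# Standard phone keypad layout as (row, column), used to detect
# straight-line patterns such as 2580 (down) and 0852 (up).
KEYPAD = {"1": (0, 0), "2": (0, 1), "3": (0, 2),
          "4": (1, 0), "5": (1, 1), "6": (1, 2),
          "7": (2, 0), "8": (2, 1), "9": (2, 2),
          "0": (3, 1)}


def is_keypad_line(pin: str) -> bool:
    """True when every step between adjacent keys is the same non-zero vector."""
    pts = [KEYPAD[d] for d in pin]
    steps = {(b[0] - a[0], b[1] - a[1]) for a, b in zip(pts, pts[1:])}
    return len(steps) == 1 and steps != {(0, 0)}


def weak_pin_reasons(pin: str, year_range: Tuple[int, int] = (1900, 2030)) -> List[str]:
    """Return the list of reasons a 4-digit PIN is predictable (empty if none)."""
    if not re.fullmatch(r"\d{4}", pin):
        raise ValueError("PIN must be exactly four digits")
    reasons = []
    if pin in TOP_10_PINS:
        reasons.append("top-10 most common")
    if len(set(pin)) == 1:                    # 0000, 1111, ...
        reasons.append("repeated digit")
    elif pin[:2] * 2 == pin:                  # 1212, 2020, ...
        reasons.append("repeated pair")
    digits = [int(c) for c in pin]
    diffs = {b - a for a, b in zip(digits, digits[1:])}
    if diffs in ({1}, {-1}):                  # 1234, 9876, ...
        reasons.append("sequential digits")
    if is_keypad_line(pin):
        reasons.append("straight line on keypad")
    if year_range[0] <= int(pin) <= year_range[1]:   # assumed year window
        reasons.append("looks like a year")
    return reasons


def is_weak_pin(pin: str, year_range: Tuple[int, int] = (1900, 2030)) -> bool:
    return bool(weak_pin_reasons(pin, year_range))


if __name__ == "__main__":
    for candidate in ["1234", "2580", "1998", "7391"]:
        print(candidate, weak_pin_reasons(candidate) or "ok")
```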


 

We probably all have many accounts set up on many web sites. Since it is a very bad practice to use the same password on more than one site, I have used Password Safe for years for keeping up with accounts and passwords. I have recently switched to using LastPass. LastPass has a very long list of features. Here are a few of the features:

  • Automatic form filling, like Roboform
  • One click login - click on the site, it brings it up and logs on for you
  • Synchronizes everywhere - Windows, Mac, Linux, IE, Firefox, Chrome, Safari, iPhone, iPad, Android, Blackberry, Windows Mobile, even Symbian and Palm
  • Generates strong, secure passwords
  • Stores miscellaneous notes

Another great feature is a program called Pocket. This stand-alone program will download your entire database and save it locally. It will also decrypt it and export it to a CSV file. This means if LastPass ever goes away, you still have all your data, which can be accessed or imported into another password manager.

The best feature is how it stores your data. Everything is encrypted and decrypted locally, and the LastPass servers never have your key or unencrypted data. The encryption part of the software is very simple. It just uses a SHA-256 hash of your email address (account) and master password for the encryption key.

This is all free, except the mobile versions require a premium account which costs $12 per year.  There is a 14 day free trial of the mobile versions.

In an attempt to be fair, here are some other password managers.  You may prefer one of these over LastPass, which is what I use and recommend.  I used Password Safe for many years, but it is not multi-platform and there is no synchronization between machines.  KeePass is another nice one, but I have never used it.  Both of these are open source on sourceforge.

Here is a list of some online password managers, with some brief comments about why I did not choose each one (except for the AGPL license).  My "online only" comment means you must access the web site in order to use the passwords stored there.

  • www.agatra.com (no longer supported)
  • www.needmypassword.com (web site out of date, misspellings and grammatical errors, online only)
  • www.passlet.com (cert expired, beta software, online only)
  • www.passpack.com (designed for sharing passwords, subscription priced on number of passwords and shared users, online only)
  • www.spyshakers.com (mainly designed for privacy, requires more setup, online only)
  • www.shibbo.com (either online only or purchase a portable app, does not seem to be maintained - web site from May 2007 said software on USB pendrive "soon available!" and it still says that today, based in Spain, web site not TLS encrypted)
  • www.clipperz.com (online only, seems to be beta, main web site not TLS encrypted, most of the source is AGPL v3)

 

We've had issues with cached credentials not updating when a user’s password expires while he or she is away from the office. The only connection into the network is through terminal services (non-VPN) and the password is changed on the terminal server.  The problem is that the cached credentials on the user’s laptop are not updated, even after the user connects via VPN for a while.  Here is the easiest way I've found to force cached credentials to update to the new password.  While connected via VPN, have the user lock their laptop (Win+L) and then unlock the laptop using the new password. This procedure forces the laptop to check in with the domain controller and authenticate using the new password.


 

Thousands of Windows Live accounts have been compromised with their passwords posted online.  This information was posted on the Windows Live blog at http://windowslivewire.spaces.live.com/blog/cns!2F7EB29B42641D59!41528.entry.  This is unfortunate, but is another example of why one should not use the same password in more than one place.

The blog post states that these were compromised by phishing attempts.  Microsoft has taken measures to block access to all of the accounts that were exposed. However, if you have an account, I would suggest you change the password and secret answer right away just to be safe.


 

Cisco devices will ignore leading spaces when entering passwords, but spaces after the first text character are considered valid.  This includes trailing spaces, so if you have a device that will no longer accept your login after changing the password, try adding a space at the end.