Essential Skills: Using Password Vaults
December 12, 2014
Editor's note: HP 3000 managers do many jobs, work that often extends outside the MPE realm. In Essential Skills, we cover the non-3000 skillset for these multi-talented MPE experts.
By Steve Hardwick, CISSP
Passwords are always a challenge for security professionals. Why is creating a secure password so difficult? More importantly, how can a user tell if their password has been stolen? Typically, when all the damage has been done and the password has been used by someone else. At this point in time it is too late. One way to resolve this is to have a password vault such as KeepPass or 1Password.
A vault is a good investment of your time. A security breach that might result from having no vault might be difficult to even detect. It might be that the time the breach is discovered may not be the first time the hacked credentials were used. This might be how many times a stolen credit card is used before the owner gets the bill. Second, the hacker could have hacked the password and is just keeping it for later use or sale. One of the preventative measures for this is to require users to periodically change passwords.
This changing strategy can stem the use of stolen passwords and also prevent the future use of any that have not yet been exploited. From a user's perspective, though, generating multiple passwords every 60-90 days just compounds the passwords nightmare.
As a security professional I have seen several solutions that users concoct to try and get around this issue. One common one is to write them all down and hide the resulting list. It turns out there are not that many good hiding places. Under keyboards, behind pictures, inside speakers, taped to the underside of a drawer or chair, back of a bookcase do not qualify as good locations. Also, many users forget to update the sheet with new passwords. Another approach is to create a text file, e.g. shopping_list.txt, and put everything in there. A quick search of the most frequently used files normally finds those. Plus if the hard drive crashes, and the file is not backed up, new ones have to be set up all over again.
A variation of the last theme is to use a password vault. This is a method where the password information is stored on a file, but the file is encrypted. In this case only one password is needed, to decrypt the vault, and access is granted to all of the other passwords. The most ubiquitous form of encryption is AES - Advance Encryption Standard. AES256 encryption is adequate for most users.
However, one word of caution. If the password used to encrypt the vault is easy to guess, then the contents are at risk.
Vaults can also help protect you from key-loggers, a program that runs in background and simply copies all of the keystrokes onto a hidden file. A new variation of the Citadel Trojan virus is specifically targeting password vault applications with a key-logger. A password vault solution has some protection against password loggers. The vault can be built on a different machine and placed in the cloud. Once opened from the cloud on the user's system, the password is cut and pasted into the login screen.
Finally, there is a problem that a key-logger will be targeted at the master vault password. This can be mitigated by using two-factor authentication. In addition to the password, the user is required to provide a digital certificate. This specialized encrypted file can be stored on a removable storage device, USB, and accessed at vault login time. Without the password and the digital certificate file, the person trying to access the vault is thwarted.
A quick search on the Internet for Password Vault or Password Manager will result in a lot of options. Here are some criteria to be considered when choosing a password vault applications.
1) Strong encryption - e.g. AES 256.
2) Can store the vault file in the cloud
3) Runs on multiple platforms. Allows users to get access on desktop or mobile devices
4) Protection elements against keyloggers
5) Allows 2 factor authentication
6) Password generator (Optional -- caution, these normally provides secure but hard to remember passwords)
7) Browser import capability (Optional -- provides a way to import store browser passwords)
8) Password strength indicator (Optional --give a measure of the ease to which the password can be guessed)
Using a password vault will solve a lot of security problems associated with today's Internet world. Taking the storage of passwords to a secure level results in a solution that is easy to use, secure, and readily available. Plus it gets around that common problem, “Honey, what is the password for the banking site again?”