Lifehacker
Your Passwords Aren't As Secure As You Think; Here's How to Fix That

If you allow applications to save your passwords, anyone with physical access to your PC can decode them unless you're properly encrypting them—and chances are pretty good you're not. Let's walk through the right and wrong ways to store your passwords.

For the purpose of this article, we'll assume that the people you allow into your house are trustworthy enough not to hack your passwords, and your laptop has been stolen instead—but the tips here should apply to either scenario. Regardless of how you choose to save your passwords, you should make sure to use great passwords and even stronger answers for security questions.

Once You Click "Remember Password" It's All Over

Almost any application that requires you to log in to something will also offer to save your password, and once you've done that, your password may as well be plain text. Behind the scenes, even if the application encrypts the account information, it does so with a static key that is easily recovered through some reverse engineering; somebody not only can, but already has, created a utility to recover those passwords.

It doesn't even matter all that much if you've got a tough Windows password: anybody with physical access to your PC can use an Ubuntu Live CD to copy all of your data onto an external drive without modifying anything, then crack your files on another machine whenever they please (assuming your entire hard drive isn't encrypted). With a little more time, they could use Ophcrack to figure out your Windows password, or they could just be mean and use the System Rescue CD to change it.

Once that person has access to your files, they can easily recover your passwords with free tools: a few clicks recovers the saved passwords from Outlook, Instant Messenger, Wi-Fi, Internet Explorer, Firefox, Chrome, or any number of other applications. A quick Google search turns up even more cracking utilities.

Pidgin Stores Passwords in Plain Text

That's right, your favorite open-source, multi-protocol instant messenger client stores your passwords in plain text. If you don't believe me, just open up your %appdata%\.purple\accounts.xml file in your favorite text editor, and you'll see your passwords right there for anybody to read.
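An added audit script (not part of the original article or of Pidgin) that reads an accounts.xml in the layout Pidgin uses and reports which accounts have a saved plaintext password, without ever printing the password itself. The sample file is constructed for the example, and the element layout is an assumption about Pidgin's format; point it at your own %appdata%\.purple\accounts.xml to check a real install.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the layout of Pidgin's accounts.xml (assumed layout,
# not a real file): a root <account> element holding one <account> per login.
SAMPLE_ACCOUNTS_XML = """<account version='1.0'>
  <account>
    <protocol>prpl-aim</protocol>
    <name>alice_example</name>
    <password>hunter2</password>
  </account>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>bob@example.com/Home</name>
  </account>
</account>
"""


def audit_accounts_xml(xml_text):
    """Return one record per account: protocol, account name, and whether a
    non-empty <password> element is present. The password value itself is
    never returned, so the report can be shared without leaking the secret."""
    root = ET.fromstring(xml_text)
    findings = []
    for acct in root.findall("account"):
        pw = acct.find("password")
        findings.append({
            "protocol": acct.findtext("protocol", default="?"),
            "name": acct.findtext("name", default="?"),
            "saved_password": pw is not None and bool((pw.text or "").strip()),
        })
    return findings


def accounts_with_saved_passwords(xml_text):
    """Names of the accounts whose password sits in the file in plain text."""
    return [f["name"] for f in audit_accounts_xml(xml_text) if f["saved_password"]]


if __name__ == "__main__":
    # Usage: python audit_purple.py [path-to-accounts.xml]; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_ACCOUNTS_XML
    for f in audit_accounts_xml(text):
        status = "PLAINTEXT PASSWORD SAVED" if f["saved_password"] else "no saved password"
        print(f"{f['protocol']:14} {f['name']:28} {status}")
```

Any account flagged here is one to clear from the client and move into a password manager.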

The decision to store the passwords in plain text is a deliberate one that has been thoughtfully considered. While you might initially think it's a terribly insecure way to handle security, keep in mind that you can simply download any number of utilities like Nirsoft's MessenPass and recover the passwords from AIM, Windows Live Messenger, Trillian, Miranda, Google Talk, Digsby, etc. The Pidgin developers point out that their option is actually the preferred method for security:

Having our passwords in plaintext is more secure than obfuscating them precisely because, when a user is not misled by a false sense of security, he is likely to use the software in a more secure manner.

The best answer, of course, is to not allow your IM client to store your passwords at all—but if you must store them, you should at least use the built-in Windows encryption, if not a full-blown TrueCrypt setup. Either option would be better than the pseudo-protection most other applications provide.

Password Managers Are the Only Secure Storage

The only truly secure way to store your passwords is to use a password manager to track them, combined with a great master password to protect the rest of your saved passwords; if you use an easy password for your password manager, it would be easy to crack with a brute force attack. Don't lure yourself into a false sense of security just by using one: your password manager password should be at least 10 alpha-numeric characters if you really want to be secure.

You've got a number of great password managers to choose from, like reader favorite Keepass, a cross-platform tool which has many plugins that help you master your passwords and make using a password manager easier to deal with. And, of course, let's not forget that Firefox has a full password manager built right into the application.

Use a Firefox Master Password (With More Than 8 Characters)

If you want to use Firefox to save the passwords for all your web accounts, you should make sure to enable a Firefox Master Password by heading into Tools –> Options –> Security and checking the box for Use a master password.

Once you've done this, Firefox will store all of your passwords with nearly unbreakable AES encryption—providing you use a password with more than 8 alpha-numeric characters and at least one capitalized letter. If you used a weak and pathetic password like "secret", it could be broken in a matter of minutes with a brute force cracking tool, but a decent 8+ random character password will take at least 73 years for a brute force attack.
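An added estimator (not from the article) that puts the master-password advice above into numbers: it checks a candidate against the rule the article gives for Firefox (more than 8 characters, alpha-numeric, at least one capital letter) and estimates how long a brute-force search would take. The guess rate is an assumption, so the years it reports will differ from the article's figure; the point is the gap between a word like "secret" and a longer mixed-case password.

```python
import math
import string

# Assumed attacker speed for an offline brute-force attack; not from the article.
GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace_bits(password):
    """Size of the search space, in bits, from the character classes used.
    Assumes the attacker knows which classes are present (a conservative view)."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def brute_force_years(password, rate=GUESSES_PER_SECOND):
    """Expected years to find the password: on average half the keyspace is tried."""
    return (2 ** keyspace_bits(password) / 2) / rate / SECONDS_PER_YEAR


def meets_firefox_rule(password):
    """The article's rule for a Firefox master password: more than 8 characters,
    alpha-numeric (here: contains both letters and digits), at least one capital."""
    return (len(password) > 8
            and any(c.isupper() for c in password)
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ("secret", "Tr0ub4dorX"):
        print(f"{pw:12} {keyspace_bits(pw):5.1f} bits  "
              f"{brute_force_years(pw):12.2e} years  rule ok: {meets_firefox_rule(pw)}")
```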

Each time you start Firefox and go to a site that requires a saved password, you'll be first prompted for your master password. By default, the master password authentication will be active for the entire session, but you can use the Master Password Timeout extension to lock your master password again after a certain interval, which is handy if you walk away from your desk without remembering to lock it with Win+L.

Use TrueCrypt to Encrypt Everything

Rather than deal with password managers or whether or not to save your passwords, you could simply create a separate, encrypted TrueCrypt drive and use portable versions of your applications to keep everything totally secure. If you're even more paranoid, you can use TrueCrypt to encrypt the entire hard drive: you will be prompted for a password every time you boot, but you can relax knowing that anything you do will be encrypted, even if you use scripts with your passwords stored in plain text. If TrueCrypt isn't your thing, you can use the built-in encryption functionality in Windows; just keep in mind that if you change your password your data will be inaccessible, and that your Windows password can be cracked, giving an attacker full access to your files.


Are you already using a password manager or encryption to keep your passwords secure? Share your best password security tips in the comments.


The How-To Geek uses Keepass and a tough password scheme to keep his accounts secure. His geeky articles can be found daily here on Lifehacker, How-To Geek, and Twitter.
By The How-To Geek, Jan 11, 2010 09:00 AM
Original material is licensed under a Creative Commons License permitting non-commercial sharing with attribution.