Presentation is loading. Please wait.

Presentation is loading. Please wait.

Adam Bolte abolte@systemsaviour.com Password Managers Adam Bolte abolte@systemsaviour.com.

Published byHope Hudson Modified over 7 years ago

Similar presentations

Presentation on theme: "Adam Bolte abolte@systemsaviour.com Password Managers Adam Bolte abolte@systemsaviour.com."— Presentation transcript:

1 Adam Bolte abolte@systemsaviour.com
Password Managers Adam Bolte

2 The problem: Too many passwords!
Each website account requires a password. Users have to think something up! Strong memorable passwords take time, so what to do? Choose simple passwords that are easier to remember! Reuse passwords wherever possible! Save them in plain text files on the computer, a nearby notebook, or even just sticky notes stuck to the monitor bezel.

3 Pitfalls to be aware of Passwords for one account compromised mean all accounts are compromised where accounts are shared. You must assume passwords are not salted and rainbow tables are available, as it's impossible to know how secure your credentials are on any given server you do not have privileges for. You cannot expect to always know when one of your accounts has been compromised (the service provider's machines may have been compromised without their knowledge), and there is often strong incentive to not tell. You would have to remember all accounts using the same password, if you ever hope to reset all passwords in the event of a reported breach. Compromising one account may provide an attacker details to compromise other accounts (eg. Accounts that show security questions in the clear that may be used elsewhere, e- mail accounts which can reset passwords). Mention the Spotify incident with the DOB security question.

4 Oh hold up, there is actually a solution!
The End Thanks, and good luck! :) Oh hold up, there is actually a solution!

5 The solution: Password managers!
Generates passwords for you. Specify how complex you want them to be. Only need to remember a single passphrase – it is now practical and easy to have a unique password for every account. All passwords are encrypted (and ideally restricted to personal hardware). No need to set security questions.

6 Password Managers Programs I have personally used extensively include:
Revelation KeepassX 0.4.X KeepassX 2.0-alphaX pass Firefox Sync Gpgsea However, I have also tested many other programs.

7 Revelation http://oss.codepoet.no/revelation/wiki/Home GPL2
Easy to use Release tag line examples include “You drive, I think there's something wrong with me” and “Too weird to live, and too rare to die” No longer maintained History of concerning security vulnerabilities manager-considered.html Max 36 character master password! Implemented in Python, but slow with many passwords

8 KeePass http://keepass.info/
GPL2+ (mostly, some MIT and LGPL code also) 1.x written in C++ But the current 2.x is written in c# (so requires Mono on GNU/Linux)! Includes an interesting “Trigger” system, a password strength meter, basic security policy options, various interface customisation options, and support for key files. Provides the option to store files, and add custom fields. File dialog boxes are not well suited for GNU/Linux. Supports plug-ins, but many do not appear GNU/Linux compatible, and there are questions concerning licensing.

9 KeePassX https://www.keepassx.org/ GPL2 or (at your option) GPL3
Unlike KeePass 1.x, KeePassX has always been cross- platform compatible. Version 2.0 almost ready – a rewrite from scratch due to 0.4.x being difficult to maintain, wanting KeePass 2 .kbdx file- compatibility, wanting a GUI compatible with smaller displays such as that on the N900 (doing away with pop-up windows), etc. Not as feature-full as KeePass 2.x, but it's based on Qt instead of Mono so runs better.

10 Pass http://www.passwordstore.org/ GPL2+ Written in Bash
Unix philosophy Import scripts from many different password managers. CLI-only Essentially just a wrapper around xclip, gpg, pwgen, git and tree commands. Very active community (3rd-party support for GUIs, Android, Firefox extensions, etc.)

11 Password Gorilla https://github.com/zdia/gorilla GPL2+
Written in Tcl/Tk And looks it too. :) Yet has all the essential functionality you would expect, so is actually not bad. Last commit to master was last year.

12 Others (no longer maintained)
fpm2 (GTK2 port of the ancient and very dead Figaro's Password Manager) GPL2+ (and compatible) Supports a key file option Buggy (easy to segfault, long delays to collect entropy) Ked Password Manager GPL2+ Quite primitive GUI Interesting CLI interface (but no ability to auto-clear passwords after a timeout period) Last updated 2005

13 Others (no longer maintained)
Gpass GPL2+ Interesting “password expiration” field GPassword Manager Apache License V2.0 Not very professional – difficult to build, source provided by zip file (and doesn't extract to a sub-folder), some program directories have spaces... too scared to try it! :) ...and many many more

14 gpgsea https://gitweb.systemsaviour.com/?p=gpgsea.git
GPG Sign Encrypt Armor wrapper/tool for $EDITOR. Great for notes, certificates or passwords you don't want in your password manager, but want safe. 32 lines of bash. :)

15 Browser Built-in Password Managers
Firefox Optionally encrypts locally Firefox Sync Can sync to ownCloud Chrome/Chromium Local passwords stored in the clear (no encryption option) Syncing requires a Google Account Privacy? Probably not!

16 Browser Password Manager limitations
No password generator. Doesn't work well with passwords for things other than websites. Difficult to sort (no categorisation, etc.) No password change history. Greater security risks present.

17 Group password sharing
Proprietary LastPass: PassPack: Free software Mortimer: Pass

18 Other security considerations
Two factor authentication. Password manager browser integration via extensions?

19 Summary Always use a password manager. The end (serious this time!)
Thank-you!

Download ppt "Adam Bolte abolte@systemsaviour.com Password Managers Adam Bolte abolte@systemsaviour.com."

Similar presentations

Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
Chapter Five Users, Groups, Profiles, and Policies.

Chapter Five Users, Groups, Profiles, and Policies.
PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,

PASSWORD MANAGER Why you need one 1. WHAT IS A PASSWORD MANAGER? A modern Password Manager is a browser extension (Chrome, Internet Explorer, Firefox,
Password Management Programs By SIR Phil Goff, Branch 116 Area 2 Computers and Technology April 18, 2013 1.

Password Management Programs By SIR Phil Goff, Branch 116 Area 2 Computers and Technology April 18,
Ch 26 & 27 User Interfaces.

Ch 26 & 27 User Interfaces.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
Basics of Web Databases With the advent of Web database technology, Web pages are no longer static, but dynamic with connection to a back-end database.

Basics of Web Databases With the advent of Web database technology, Web pages are no longer static, but dynamic with connection to a back-end database.
Section 1: Introducing Group Policy What Is Group Policy? Group Policy Scenarios New Group Policy Features Introduced with Windows Server 2008 and Windows.

Section 1: Introducing Group Policy What Is Group Policy? Group Policy Scenarios New Group Policy Features Introduced with Windows Server 2008 and Windows.
Step By Step Windows Server 2003 Installation Guide Step By Step Windows Server 2003 Installation Guide.

Step By Step Windows Server 2003 Installation Guide Step By Step Windows Server 2003 Installation Guide.
Cloud Use Cases, Required Standards, and Roadmaps Excerpts From Cloud Computing Use Cases White Paper

Cloud Use Cases, Required Standards, and Roadmaps Excerpts From Cloud Computing Use Cases White Paper
All Input is Evil (Part 1) Introduction Will not cover everything Healthy level of paranoia Use my DVD Swap Shop application (week 2)

All Input is Evil (Part 1) Introduction Will not cover everything Healthy level of paranoia Use my DVD Swap Shop application (week 2)
NT4 SP4 Security Jack Schmidt - Fermilab

NT4 SP4 Security Jack Schmidt - Fermilab
240-Current Research Easily Extensible Systems, Octave, Input Formats, SOA.

240-Current Research Easily Extensible Systems, Octave, Input Formats, SOA.
INTERNET SAFETY FOR KIDS

INTERNET SAFETY FOR KIDS
Using LastPass. Great password management is impossible w/o a great tool Auto-fill (hands-free login) will save you approximately one hour per month You.

Using LastPass. Great password management is impossible w/o a great tool Auto-fill (hands-free login) will save you approximately one hour per month You.
Form Processing Week Four. Form Processing Concepts The principal tool used to process Web forms stored on UNIX servers is a CGI (Common Gateway Interface)

Form Processing Week Four. Form Processing Concepts The principal tool used to process Web forms stored on UNIX servers is a CGI (Common Gateway Interface)
Fix: Windows 10 Error Code 0x80070032 in Mail App u/6/b/111825066496552219944 /alexwaston14/reimage-system-repair/ /pages/Reimage-Repair-Tool/1460676797566490.

Fix: Windows 10 Error Code 0x in Mail App u/6/b/ /alexwaston14/reimage-system-repair/ /pages/Reimage-Repair-Tool/
Effective Password Management Neil Kownacki. Passwords we use today PINs, smartphone unlock codes, computer accounts, websites Passwords are used to protect.

Effective Password Management Neil Kownacki. Passwords we use today PINs, smartphone unlock codes, computer accounts, websites Passwords are used to protect.
Environment & Education & More Dan Bothell. Overview Data Teaching Materials Environment Other ACT-R 5.0 and RPM issues.

Environment & Education & More Dan Bothell. Overview Data Teaching Materials Environment Other ACT-R 5.0 and RPM issues.
How to Enable Account Key Sign Instead Of Password In Yahoo? For more details: http://www.pcpatchers.net/yahoo-support.html

How to Enable Account Key Sign Instead Of Password In Yahoo? For more details:

Similar presentations

Ads by Google