Security, et al

Randy's Blog on Infosec and Other Stuff

Secure, Fast and Efficient Password Management

Mon, 23 May 2016 14:33:37 GMT

All the way back in the late 90’s I realized that passwords, even for myself, were a big vulnerability. With more websites requiring logins I realized that my multiplying “Post-It Note” situation was not going to work. This left me two options:

  1. A password protected word doc full of usernames and passwords.
  2. A unique username with one password used for all accounts.

You can easily see that neither of those two options were secure or viable. At that time especially, document encryption was either easy but way weak or strong but highly inconvenient. Besides who wants to copy and paste all the time? And then worry about your password sitting around in your clipboard? The risks go on and on. So as most InfoSec techies would do – I turned to Google. In those days a google search of “password manager” turned up much less results than the 48,000,000+ results you will get today.

After a bit of research, I decided to test a password manager product by RoboForm. Little did I know that 17 years later; using RoboForm would be a de facto standard at my company. I remember one of our contractors had his web-based email compromised and it took him half a day to login into each of his online accounts and change all his passwords since he was using one password for all accounts. He is now a RoboForm user.

RoboForm allows you to use unique usernames and unique passwords for each web login you have. It will actually help generate unique passwords using the character limits you specify and then save these complex passwords to your system under “lock and key”.

Fig 1. - Password requirement options

You only need to remember one unique master password to gain access to all of your RoboForm complex passwords. When you visit the logon page of a website, RoboForm automatically senses it and allows you to fill in your credentials with a single click. If your device is lost or stolen or malware compromises your computer, the files containing your credentials are encrypted with a key derived from your master password.

Fig 2. - A single click on the login named “Dev” will fill and submit the login

Of course we’ve seen over and over again that encryption is complex and programmers often do it wrong. I trust RoboForm’s encryption. They take a no compromise approach to security. The master password is not stored anywhere except your head; not locally and not on RoboForm’s servers. “RoboForm’s servers?” you ask? Yes, if you choose to use the feature, RoboForm uploads all your usernames and passwords to their server which then allows all your devices with RoboForm to share up-to-date credentials. This is called RoboForm Everywhere and it works awesome. Whether I’m on my desktop, Surface, smartphone or tablet I always have my passwords without sacrificing security.

You are probably asking, and rightly so, “How good is the protection in RoboForm’s ‘cloud’?” Well, first, you have a password on your RoboForm everywhere account – different than your master password which is used for encryption. But even if the RoboForm cloud is compromised (and we’ve already seen this happen to other password managers repeatedly) your credentials are still protected. RoboForm’s no-compromise approach on security means that they simply do not have your master password. Your credentials stored in the cloud are encrypted with the same key derived from your master password just like the files on your local Windows or mobile device. So memorize a good master password and don’t use it for anything else than RoboForm.

If you have a compatible finger-print reader and trust Windows security you can protect your master password with your fingerprint. To unlock RoboForm, you provide your fingerprint and avoid entering even your master password. Are their risks to that? Yes, but it’s up to you. You don’t have to use it.

RoboForm has a few products but everyone at my company uses RoboForm Everywhere which gives you the added benefit of syncing these passwords across multiple systems, mobile devices and tablets. RoboForm also has a built in browser which means no cumbersome copying and pasting of passwords on your mobile devices.

In 1980, password management wouldn’t have been an issue but nowadays, if you’re like me, you have a plethora of online user accounts, not to mention Windows Security popups which RoboForm also manages. Personally I have 500+ unique logins and this is only in my “Personal” folder (I keep my logins organized so I also have a “Work” folder).


Fig 3. – Roboform also manages Windows Security popups

I should also mention that RoboForm can manage identities if you choose to use it as well as financial info like banking details and credit card data which makes every merchant site payment process almost as user friendly and fast as Amazon. The Safenote feature is also very useful allowing you to secure and lockdown your virtual “Post-It Notes”.

I recommend that you give RoboForm a try.  You can get it completely free with a 10 saved login limit. If you are still in college you can actually get RoboForm completely free with unlimited logins. You can get the 1st year of RoboForm Everywhere 50% off by clicking here.

Stay tuned for another blog next month where I go in depth on a unique use case using RoboForm and some isolated servers we use for high security functions in our organization.

email this digg reddit dzone
comments (0)references (0)

Related:
Live with Dell at RSA 2015
Auditing Privileged Operations and Mailbox Access in Office 365 Exchange Online
5 Indicators of Endpoint Evil
Live with LogRhythm at RSA

previous | next

powered by Bloget™

Search


Categories
Recent Blogs
Archive