Cisco Blogs



NCSAM TIP #14: Password Management

October 20, 2011 at 9:13 am PST

The problem

Passwords for computer authentication are as old as multiuser computers, and they are not the best form of authentication we have. Certificates are better, but harder to manage, so for most purposes we are stuck with passwords.

Many people deal with the proliferation of passwords either by using very weak passwords or by using the same password in multiple places. The obvious downside is that if one site is compromised, you may lose many accounts at once.

Another problem is using computers you don’t trust. Sometimes you are traveling and need to access your bank from an Internet cafe or hotel computer, which may have keystroke loggers.

The root of the problem is reliance on human memory. Luckily, every time we need a computer password, we have a great memory tool at our fingertips: the computer itself.

Solutions

There are several software solutions that let you have strong passwords accessible on all your devices while having to remember only one. These store all your passwords in encrypted form, either on one computer, on a memory stick, or online in the cloud. Advantages include:

  • A different password for every site.
  • Only one password to memorize.
  • Many allow automatic form-filling, which makes longer, better passwords practical.
  • Passwords can be generated, or evaluated for strength.
  • Many will automatically capture your passwords using browser plugins.
  • Passwords are stored encrypted.
  • If you are willing to store your passwords online, they are available on mobile devices and multiple computers.
  • If you are worried about keystroke loggers, some programs let you enter your master password on a virtual onscreen keyboard rather than a physical one.
  • Some allow one-time master passwords for use in untrusted environments.

All of this convenience comes with some caveats:

You need a strong master password, and you need to keep it secure, because a compromise could be disastrous.

For mobile support, you usually have to entrust your encrypted passwords to a third party.
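As an added illustration of what the advantages listed above and the master-password caveat amount to in practice (example code written for this page, not Cisco's code nor that of any password manager), the Python below uses only the standard library to generate a random per-site password, estimate its strength, derive a key from the master password with salted PBKDF2, and encrypt the vault with integrity protection, so a wrong master password or a modified vault file is detected rather than silently decrypting to garbage. The function names, the iteration count, and the sample entries are the example's own assumptions.

```python
"""Minimal password-vault demo: one master password, a different random password
per site, everything encrypted at rest. Added example, not a vendor's code."""
import hashlib
import hmac
import json
import math
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
PBKDF2_ITERATIONS = 200_000  # assumption: chosen so one unlock costs a noticeable fraction of a second


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG; each site gets its own."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Bits of entropy if the password were drawn uniformly from the character
    classes it uses. An upper bound: human-chosen passwords have far less."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 symbols
    return len(password) * math.log2(pool) if pool else 0.0


def derive_key(master_password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the master password into 64 key bytes: 32 for encryption, 32 for the MAC.
    Every guess an attacker makes costs them this same PBKDF2 work."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for a real stream cipher because the
    standard library has no AES. A (key, nonce) pair must never be reused."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, entries: dict) -> dict:
    """Encrypt-then-MAC the JSON-encoded entries under a key derived from the master password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "iterations": PBKDF2_ITERATIONS,
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(master_password: str, blob: dict) -> dict:
    """Verify the tag first; only then decrypt. Raises ValueError on a wrong
    master password or a tampered vault instead of returning garbage."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ciphertext"]), bytes.fromhex(blob["tag"])
    key = derive_key(master_password, salt, blob["iterations"])
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("wrong master password or tampered vault")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def vault_opens_with(master_password: str, blob: dict) -> bool:
    """True if this master password unlocks the vault with the integrity check passing."""
    try:
        decrypt_vault(master_password, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: one master secret protecting two generated site passwords.
    master = "correct horse battery staple"
    entries = {"bank.example": generate_password(), "mail.example": generate_password(24)}
    for site, pw in entries.items():
        print(f"{site}: {pw} (~{entropy_bits(pw):.0f} bits)")
    vault = encrypt_vault(master, entries)
    print("unlocks with right master:", vault_opens_with(master, vault))
    print("unlocks with wrong master:", vault_opens_with("hunter2", vault))
```

The iteration count is where the "strength of the master secret" caveat becomes concrete: each guess at the master password costs an attacker the same PBKDF2 work as one legitimate unlock, so a higher count together with a long master password is the main lever the user controls. The tag is checked before anything is decrypted, which is what turns a wrong password or a corrupted file into a clean error. The HMAC-based keystream is only a stand-in for a cipher; a real manager would use an authenticated cipher such as AES-GCM.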

Resources

Here is a sampling of the many password managers available:



6 Comments.


  1. LastPass is excellent. Paired with Chrome and Dolphin Browser HD on my HTC Desire, it has simplified my password management and made my logins more secure.


    • Andy Balinsky

      Thanks for the endorsement. There are a number of password managers out there. I avoided promoting any particular one publicly, but the one I use works great on MacOS, iOS, and Windows, and all synchronize automatically, so I rarely have to type a password.


  2. Well, I recommend http://keepass.sf.net
    Client-based, open source, and strong encryption; with Mono (2.x) or Wine (1.x) it even runs on Linux. I have been using it for ~4-5 years.


  3. Well, I am confronted with the same threat of password theft. I have been using different passwords for different accounts, but for this reason I have to remember multiple passwords. Personally, I think the software programs that allow entry of the password on a virtual keyboard through mouse clicks are more reliable for protection against keystroke loggers, but I think it's not a wise idea to store passwords in a cloud-based storage service.


    • Andy Balinsky

      Those virtual keyboards are certainly a good defense against keystroke loggers. For completely compromised machines, other things can be recorded, too, such as mouse clicks, screen captures, etc. So they are a step up, but never a 100% safety guarantee.
      Cloud-based storage is purely a personal choice between convenience and security. There is always additional risk, no matter how mitigated, to trusting your passwords to a cloud service. These risks can be reduced if the cloud provider doesn’t have the encryption key, and has strong security practices and technical controls. Of course, your local password store could also be lost in the event of theft or computer compromise. In either case, it then comes down to the strength of your master secrets, and the willingness of the adversary to apply computing resources against them. On a humorous note, this comic points out that the secrets themselves aren’t always the weakest link: http://xkcd.com/538


  4. I have been using LastPass for a year and it is very good
    for password management and keeping passwords stored in an
    Excel sheet, along with the automatic password-filling option, which is quite good.
