3 Tools for Proper Password Management

13.07.11, 06:33
Three Tools for Proper Password Management | Blogs | ITBusinessEdge.com (http://www.itbusinessedge.com/cm/blogs/mah/three-tools-for-proper-password-management/?cs=47747)


You have probably read recent news reports about how hacking group Lulzsec broke into an online site and posted the stolen email addresses and passwords onto the Internet. (http://www.pcworld.com/article/230523/fraud_starts_after_lulzsec_group_releases_email_passwords.html) Accounts of how this resulted in unscrupulous individuals using these passwords to access other online services only served to confirm the sobering fact that users are using the same passwords across various online services. This is a problem made worse given that the majority of users don't change their passwords either. (http://www.itbusinessedge.com/cm/blogs/mah/symantec-majority-of-users-dont-change-their-passwords/?cs=40435)

When you really think about it, is it surprising that users are reusing the same passwords in the absence of an easy way for them to manage multiple passwords? To tackle this particular point, I decided to explore some of the most popular password managers around today. I examined a trio of them and have highlighted some of their key capabilities below.

The good news is that password management tools are no longer in the Stone Age and are actually quite user-friendly and sophisticated. Do take a look and do consider implementing them into your SMB if you have not already done so. And, as always, do feel free to chip in with suggestions of your own.


KeePass (http://keepass.info/download.html) is a popular open-source (GPL) password management software for the Windows operating system; not only is it free, but the security-conscious can also examine the source code for backdoors. KeePass ports are available on a wide variety of popular operating systems such as Mac OS X and Linux, as well as mobile platforms such as iOS, Windows Phone 7, Android and BlackBerry. What I really liked about KeePass is how passwords are stored in a single highly encrypted file that is easily transferred between computers, or synced between multiple devices using an online cloud service such as Dropbox. Moreover, if so desired, the application can be launched from a USB stick without a messy installation. Finally, KeePass for Windows also supports a large number of plug-ins to further extend its ease of use and capabilities.


1Password (http://agilebits.com/products/1Password) is commercial software that touts itself as more than a password manager. 1Password integrates with your Web browser to facilitate logging into websites, filling in of registration forms and entering of credit card information. As you may expect, all popular platforms are supported, such as Windows, Mac OS X, Android and iOS (iPhone and iPad). According to its website, a Windows Phone 7 version is currently in beta. Dropbox sync is supported by default, though the price tag is relatively hefty at $39.99 for the Windows and Mac OS X versions. Various pricing bundles are available at discounted prices though, and a 30-day trial is available for the Windows and Mac OS X versions. You can find more information about the bundles here.


LastPass (https://lastpass.com/support.php?cmd=showfaq&id=1376) adopts a slightly different model and comes with a free version, as well as a paid "Premium" edition priced at a low $1/month. Your passwords are accessed from the LastPass browser extension for your favorite browser (Opera excluded), while LastPass Premium includes access from various mobile apps and multifactor authentication. Regardless of paid or free options, an encrypted backup copy of your password data is stored in a Lastpass.com account. What this means is that users can do away with mundane tasks such as remembering to transfer their password databases when upgrading to a new PC. According to the official FAQ, a locally cached copy of the database as well as the ability to back up to a USB drive means that users need not worry about losing access to their passwords even if LastPass were to close down.


I've also used Roboform and StickyPassword in the past. Both are quite good.

13.07.11, 09:48
Stay as far away from LastPass as possible - they've been rooted more than once - something they deny - yet LastPass DBs have appeared at least twice on deepnet...

13.07.11, 15:21
I've been using lastpass for a long time.
But I guess I'll have to check out KeePass after reading takomania's post.

13.07.11, 20:00
Stay as far away from LastPass as possible - they've been rooted more than once - something they deny - yet LastPass DBs have appeared at least twice on deepnet...

Link? Source?

13.07.11, 20:05
Just google it - it was big news due to the severity of the attack.


The last breach is even mentioned on their Wikipedia page:

Security breach

On Tuesday, May 3, 2011, LastPass discovered an anomaly in their incoming network traffic, and then another, similar anomaly in their outgoing traffic.[10] Administrators found none of the hallmarks of a classic security breach (for example, database logs showed no evidence of a non-administrator user being elevated to administrator privileges), but neither could they determine the root cause of the anomalies. Furthermore, given the size of the anomalies, it is theoretically possible that data such as email addresses, the server salt, and the salted password hashes were copied from the LastPass database. To address the situation, LastPass decommissioned the "breached" servers so they could be rebuilt, and on May 4, 2011, they requested all users to change their master password. However, the resulting user traffic overwhelmed the login servers, and administrators temporarily asked users to refrain from changing their password until further notice, having judged the possibility that the passwords themselves could be compromised to be trivially small. LastPass also stated that while there was no direct evidence any customer information was directly compromised, they preferred to err on the side of caution.[11]

A paste onion on deepnet contained info from more than one person offering to sell DBs - you see things like that on a regular basis there.

In general, I don't understand why anyone would want to hand password info over to anyone - especially a private company...