Tag Archives: TrueCrypt

How I keep my Passwords Safe.

Hi all. Apologies for the gap, apparently remembering to post every day is a bit ambitious!

Today I’ll write a quick entry about a few things everyone should know about p@s5w0rds.

Web 2.0 brought us a mass of online applications (as opposed to pages); sites we don’t just visit but use, participate in, modify and so on. Whether this be commenting on a Blog, upvoting a link on Reddit or correcting a typo on Wikipedia, we will be asked to register, providing an email address, username and password.

It is very very very bad practise to use the same password everywhere, which is some people’s response to this situation. I was once working as an IT admin at a school and a student, upon logging in, asked me “so how to I change my password?”. “You can’t, that way we can tell you again if you forget,” I said. She looked aghast at me and exclaimed “What? But I have to use the same password for everything! That’s how I remember it!” The practise is bad for one simple reason; it gives an opportunist “hacker” access to all your websites. Grabbing a password from a passing HTTP request is not that hard, since most of these sites don’t bother with an SSL certificate (don’t bother to encrypt the request, like your bank, and most payment systems, will be very careful to do).

So, you should use different, not guess-able passwords for your website logins. But how to remember them all!? You can’t be expected to memorise lots of non-word-like passwords for all 25 of your regular websites, plus the 80 or so you use occasionally, can you? And saving them all to a text file on your hard disk is so insecure; anyone else using your computer could copy/steal them all onto a USB stick, and you wouldn’t even have them with you at work.

This is where a wonderful piece of open source software comes to the rescue: TrueCrypt. This allows you to create a dummy partition on a USB stick that looks like an ordinary file (you could call it “Health and Safety Assessment June 2006.doc” or something), but when you point TC at it, and enter one single master password, you can access a completely safe disk space on which to drop a small text file containing all your logins and passwords. This software is available for basically every operating system (I think Gentoo has banned it on the basis that they have quite a defensive version of an open source license: entirely irrelevant to end users), so you can get at your passwords on Linux or Mac OS X at home, on Windows at work, or anything, it also runs a tutorial when you first install it which shows you how to create a properly secure hidden drive. You can take it with you in your wallet or on your key-ring, even backing it up to your home computers hard drive is safe. You will need to memorise one difficult password; the master one to this encrypted volume. You should make sure you know it off by heart before you use it; you will lose the data if you forget it! I recommend either using multiple old passwords chained together, or practising typing it out 50 or so times in notepad/textedit/gedit (without saving, obviously) to get it into your fingers’ muscle memory. (You could also keep it on a piece of paper at home “just in case” until you are confident you know it off by heart completely, at which point you should burn it, but this is a last resort!)

Also keep in mind that if the data is valuable to other people, you shouldn’t advertise it’s presence!

In order to generate properly random passwords I recommend the strong password generator. This application generates the passwords in JavaScript, which means it actually works on your computer locally and the site itself doesn’t know what password it has given you. You should include non alphanumeric characters if possible (some systems choke on these, e.g. mysql; not strictly a website though!) in order to fully take advantage of the number of available combinations. As mentioned, bashing out one of these per website login is highly advisable. It also makes it easy to regularly change your passwords, which is also very good practise.

This really does take less than a couple of hours to set up, allowing for logging in to all your sites and changing the passwords (you can always add more as you remember them if you forget some initially…) and it will vastly reduce the chances of problems with people taking over your online identity.

I also recommend using this system for “proper” websites like PayPal, Gmail, and others that do use SSL; as someone guessing your Gmail password shouldn’t be able to send funds to whomever they want from your PayPal!