With so many devices, and needing to access our passwords no matter where we are, finding a secure way of saving and accessing login details is important to many Internet users – myself included.
Having done a little bit of research (I must emphasise I am not an expert in security and this is not a detailed study of safe password storage), I am extremely alarmed at how insecure most of those really are when entering usernames and passwords anywhere online.
For every published method of tricking key loggers (which seems to be one of the biggest concerns), there is substantial and believable argument against those methods.
So what can we do?
First let me explain (in brief and simple terms) what key loggers do.
In simple terms, key logging is done by spyware or virus-type software that lives on your computer and records whatever you type on your keyboard. Typically it will observe when you enter text into forms and will be able to tell the difference between typing into a Word document and typing into a username or password field in your Internet browser.
How do you know it exists on your computer? In all likelihood, you don’t.
If you run extensive spyware protection on your computer then chances are you’re safer than most other people. If you keep all of your anti-virus software up to date and let it run all of its scans, then you are ahead of most people.
But key logging can be lingering, undetected, as a script attached to your browser, that the antivirus and spyware software may not find because it doesn’t appear to be malicious.
While trawling the bowels of the Internet, I learnt more and more about the many ways we can try to be a little bit safer. But, as I mentioned above about the arguments against methods of protection against key logging, there was as much information suggesting most methods are not foolproof as there was suggesting that certain methods of online security are rock solid.
So who can we believe? Can we completely believe anybody and does any system work 100% of the time?
Just this morning I thought I’d stumbled upon a really good article that would answer my questions about how to protect ourselves against key logging but, within the comments of that article, there are countless arguments suggesting that the suggested method does not add a great deal of protection.
The arguments raised in this article would suggest that the authors know what they’re talking about and, as one of the readers points out, have even developed key logging systems so they have a fairly good knowledge of how key loggers work and what protection we could take and what is a complete waste of time.
One thing that seems to be the favoured way of entering login details undetected is automatic form-filling software. A popular choice is called Roboform, which not only secures your login details in an encrypted database but can also automatically enter your details into a form in your Internet browser without any keystrokes or mouse movements that could be recorded by key loggers.
A perfect solution? Some say yes but others remind us that no system is completely immune from malicious attack. Ultimately, even using the best automatic form filling software that encrypts your usernames and passwords there is always the slight risk and, therefore, it is always advisable to complement something like Roboform with anti-virus and anti-spyware software.
So automatically filling in your forms with data that is saved in an encrypted database may be an answer. But what if somebody is able to gain entry to your computer either from sitting at your desk and logging into your computer or hacking into your computer through the firewall while you’re connected to the Internet?
Hackers are very resourceful and very clever people. Also, anybody who wants to get into your computer that you’ve left sitting on your desk, if they want it bad enough they will get in.
If you then have all of your important login details saved in an automatic form-filling application, what is to stop the person who has hacked into your computer from using all of those login details?
As you can see, every solution has its risks. Even the strongest solutions are only as strong as the security around your computer and other devices.
I’m not a fan of the automated form filling software. I do use an encrypted database but don’t have that connected to my browser. I know it may be a little bit inconvenient to have to go and find the password and manually enter it through various convoluted keystrokes to prevent key logging but, so far, it works for me.
It would be handy to synchronise that encrypted database across multiple devices and be able to easily log in to my favourite online services without having to go and hunt down my username and password every time but, as my research has revealed and reminded me several times, making this encrypted database available to all of my devices has significant risk attached.
For example, one way that a password database can be synchronised is using cloud storage (like DropBox) and, as far as we are led to believe, cloud storage is extremely secure and private. But is it?
As a test, to see how easy and convenient it would be to have one synchronised encrypted password database, I saved my password database into the “cloud” and accessed it from my mobile phone (master password required, of course) and instantly felt very uneasy about it. After all, a database full of my usernames and passwords was now online, essentially. And no matter how much I read about cloud storage being safe or about military-grade encryption systems, nothing was going to make me feel comfortable about so much confidential information being out there.
At the end of the day, hackers love hacking. It’s what they do for fun. It’s what they do to prove to a potential employer just how incredibly skilled they are. And even the most secure systems have, at some point, been hacked into. It doesn’t take much scouring of the news channels to discover numerous reports of top-secret data being accessed by hackers.
Just yesterday I was reading about how Dropbox had been compromised in the past and is not as secure as most users think it is. Dropbox claim (or certainly did when I signed up) that nobody can access our files without our login details, not even their employees, nobody!
Several people have since reported that is clearly not the case. And that is true of many cloud-based storage services. At the end of the day, if the authorities needed to access somebody’s files as part of an investigation, they could. Which confirms that all of our files can and could be open, and that includes our password files!
However we look at it, and no matter how strong the system we choose to use appears to be, everything can be hacked into one way or another. You don’t have to be a leader of industry, a politician, a celebrity or anybody of any fame or fortune to become a target of hackers. That has been proven time and time again when hackers have obtained bucketloads of users’ details from one source or another.
We are always vulnerable. And while many (the rose-coloured-glasses brigade) say we just have to accept that as a consequence of using the Internet and all of its online systems, I suggest that we should always have security in mind no matter what we do.
The only thing that would most likely work for everybody is some kind of subdermal microchip implant that would activate only when the carrier of the microchip (that’s you) was within 37.2 inches of the microchip detection system (your computer); otherwise your computer would explode if anybody tried to use something that required one of your passwords!
Maybe I’m onto something there?
I certainly didn’t write this post with the anticipation of coming up with an answer, because I don’t have an answer. Sorry if you were expecting to find one down here at the bottom.
My only suggestion is to forget about using ‘passwords’ and think more about using ‘pass phrases’.
- Never ever use a word that can be found in the dictionary.
- Never use anything that relates to your name or a family member.
- Never use anything related to or part of a date of birth.
- Never use a keyboard combination that looks easy to remember.
PinkFrillyKnickersWithBellsOn, for example, is far better than bob124598.
BellyWobbles843 is a much better pass-phrase than 16october1975.
Most systems that are trying to access or work out passwords will look for the easiest combinations and will give up if a password can’t be decrypted quickly. From what I’ve read, most systems will try all the standard stuff (dates, names, place names, dictionary words and most common keyboard combinations) first so, the more complex you make your pass-phrase, the more likely your master password would not be decrypted (easily).
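As an added illustration of the four rules and of the two example pairs above (this is not code from the original post), here is a small checker that flags the rules a candidate breaks and gives a rough guess-space estimate in bits. The word lists, the date pattern and the 20,000-word attacker vocabulary are assumptions made for the example; it also shows a caveat the post does not spell out: a CamelCase pass phrase is worth far less than a letter-by-letter count suggests once an attacker guesses whole words.

```python
import math
import re

# Constructed stand-ins for a real word list, name list and keyboard-walk list.
DICTIONARY = {"password", "welcome", "sunshine", "dragon", "letmein", "monkey"}
NAMES = {"bob", "alice", "smith", "jones"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "12345", "1qaz2wsx", "abcdef")
MONTHS = "jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec"
# Matches "16october1975"-style strings or any bare 19xx/20xx year.
DATE_RE = re.compile(rf"\d{{1,2}}\W?(?:{MONTHS})[a-z]*\W?\d{{2,4}}|(?:19|20)\d\d", re.I)
ASSUMED_VOCAB = 20000  # assumed size of an attacker's word list (an assumption)


def rule_violations(pw):
    """Apply the post's four 'never' rules; return the rules that are broken."""
    letters = re.sub(r"[^a-z]", "", pw.lower())
    found = []
    if letters in DICTIONARY:
        found.append("dictionary word")
    if any(name in letters for name in NAMES):
        found.append("name")
    if DATE_RE.search(pw):
        found.append("date of birth pattern")
    if any(run in pw.lower() for run in KEYBOARD_RUNS):
        found.append("keyboard run")
    return found


def charset_bits(pw):
    """Naive estimate: every position drawn from the character classes used."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10), (r"[^A-Za-z0-9]", 33))
    size = sum(n for pat, n in classes if re.search(pat, pw))
    return len(pw) * math.log2(size)


def word_bits(pw):
    """Word-aware estimate: each word costs one dictionary lookup, not a per-letter search."""
    bits = 0.0
    for tok in re.findall(r"[A-Z][a-z]*|[a-z]+|\d+|[^A-Za-z0-9]+", pw):
        if tok.isalpha():
            bits += math.log2(ASSUMED_VOCAB)
        elif tok.isdigit():
            bits += len(tok) * math.log2(10)
        else:
            bits += len(tok) * math.log2(33)
    return bits


def assess(pw):
    """Conservative strength: the smaller of the two estimates, plus the broken rules."""
    return {"violations": rule_violations(pw),
            "bits": round(min(charset_bits(pw), word_bits(pw)), 1)}


if __name__ == "__main__":
    for pw in ("bob124598", "PinkFrillyKnickersWithBellsOn", "16october1975", "BellyWobbles843"):
        print(pw, assess(pw))
```

Running it ranks the post's examples the same way the text does, and it also shows that 16october1975 and bob124598 end up with about the same tiny guess space once words and dates are treated as single tokens.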
And change your master password (pass phrases) every now and then – along with frequently changing passwords for any accounts you have on hackers’ favourite targets like Facebook!
That’s the only little bit of advice I can offer, other than buying yourself a trusty notepad.
Paranoid? Somewhat of a cynic? Perhaps.
Perceptive? Cautious? Un-trusting? Yes.
I’d go for the notepad with usernames and passwords scribbled in it and hidden under the bed any day rather than storing all of my usernames and passwords in a system that can be (and has been proven to be) compromised.
Inconvenient? Yes. Secure? As near as dammit!