In association with heise online

Safe in the safe

If you ask password crackers for their opinion, they usually advise you to use a password safe such as KeePass, LastPass or 1Password. These allow users to create truly random passwords of any length and for any purpose that are guaranteed to be uncrackable and, therefore, offer the best defence against any attacks with which crackers may be familiar.
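The reason a generated password is "guaranteed to be uncrackable" is arithmetic, not magic: a password drawn uniformly at random from an alphabet of N symbols has length × log2(N) bits of entropy, and an attacker must on average try half of that keyspace. The following is an added example (not code from the article or from any of the password safes it names) that generates such a password with the operating system's CSPRNG and reports how long a guessing attack would be expected to take; the character set and the assumed guess rate of 10^12 per second are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumed character set: letters, digits and printable punctuation (94 symbols).
# Real password safes make this configurable; the numbers below depend on it.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw `length` symbols uniformly from `alphabet` using the OS CSPRNG.

    `secrets.choice` is used deliberately; `random.choice` is seeded from a
    small state and is not suitable for secrets.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to guess a uniformly random password of `bits` entropy.

    The attacker enumerates the keyspace and on average succeeds after half
    of it, so the expectation is 2**bits / 2 guesses.
    """
    return (2.0 ** bits) / 2.0 / guesses_per_second


def cracking_report(length: int, alphabet: str = ALPHABET,
                    guesses_per_second: float = 1e12) -> dict:
    """Summarise the strength of a random password of the given length.

    Returns a dict rather than printing so the values can be checked or
    logged; the guess rate is an assumed, deliberately generous figure for an
    offline attack against a fast hash.
    """
    bits = entropy_bits(length, len(alphabet))
    seconds = expected_crack_seconds(bits, guesses_per_second)
    return {
        "length": length,
        "alphabet_size": len(alphabet),
        "entropy_bits": round(bits, 1),
        "expected_crack_years": seconds / (365.25 * 24 * 3600),
    }


if __name__ == "__main__":
    # An 8-character lower-case password versus a 20-character generated one.
    for length, alphabet in ((8, string.ascii_lowercase), (20, ALPHABET)):
        print(generate_password(length, alphabet), cracking_report(length, alphabet))
```

The contrast is the point: at the assumed guess rate, the 8-character lower-case password falls in under a second, whereas the 20-character generated one has roughly 131 bits of entropy and an expected cracking time vastly longer than the age of the universe. That is the property the safe buys you, and, as the rest of the article argues, it is a property the safe's own master password and memory handling have to protect.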

However, the problem is that the crackers fail to take into account another – potentially even more important – attack vector: a single trojan on your PC can instantly and effortlessly steal all your passwords from it. All that's required to do so is to intercept the password safe's master password, for example with a key logger. Only recently, security expert Thomas Roth from Leveldown Security analysed an item of malware that retrieves the plain text passwords of 1Password users from RAM.

[Image: 1Password's customisable password generator]

Also, convenience does have its drawbacks. By design, password safes make users handle passwords that they don't memorise and can't quickly retrieve and type in correctly without much effort. And who only uses the internet on one single PC these days? In addition to their notebook, home PC and work computer, users also want to access Facebook, Google, Dropbox and many other services on their tablet or smartphone.

This means that passwords are almost certainly bound to turn up in the cloud, which is probably not to everybody's liking. After all, it involves entrusting one's crown jewels to some company whose respectability and reliability is very hard to gauge. Furthermore, an appropriate app is required for every platform. Those who use 1Password, for example, and buy one of the new Windows Mobile 8 smartphones or are given a company Blackberry will have a problem.

[Image: KeePass open source password safe]

Another thing is that while programs such as the PC version of LastPass are available free of charge, the pro version that synchronises smartphones requires users to take out a subscription that will cost them $12 a year. 1Password charges $50 for the Windows version and extra fees for further platforms. While KeePass is available free of charge (and is even open source), users must manually synchronise – for example via Dropbox – with smartphone apps, such as MiniKeePass for iOS, about whose quality little is known.
