Schneier on Security
A blog covering security and security technology.
October 21, 2005
Password Safe in the News
Password Safe is my freeware program to help you manage all the passwords you're expected to remember.
There's a nice article in The Washington Post about it.
Posted on October 21, 2005 at 12:07 PM
Yay! I'm number one! In the washingtonpost article, it states a "military encryption". You mean unauthorized access will cause a self destruct? I feel this was put in by the reporter to liven it up. I use bugmenot. Pretty sweet. At the present time I still memorize my passwords.
BugMeNot is great for "logging in" to sites that require registration for no real reason.
However, if you have a site that requires registration for a real reason (e.g., paid content, confidential info, etc.), then BugMeNot is obviously not appropriate.
A Mac version of Password Safe would be nice. Operating as a Mac user in a PC-centric world (as you recommend in your "Safe Computing Tips") makes balancing security and accessibility more difficult.
Re a Mac version: I'd like one, too. It's open source, if anyone feels like porting it.
Bruce, since you're accepting suggestions for platform ports (I'm also a Mac fan!), here's another request.
I use a tool called Web Confidential on my Mac, since PWSafe doesn't run there. Web Confidential will synchronize with my Palm Zire, so that I have all my passwords in my pocket, encrypted in the same way as on the desktop.
I know, I know, it's open source. Realistically, though, I'll never get to a project of writing a sync conduit, so I'm posting the idea and hoping someone else will.
I'd like to see a Palm version, too. One that shares the same database format as the Windows version, so it can use a single synchronized database.
Mac OS X has a tool built in called Keychain Access. It can store (encrypted) all of your passwords, and they will be used automatically, if the software is written correctly. Including web passwords (at least if you use Safari).
As far as I can tell it does exactly what Password Safe does, although I'm not sure what algorithm it uses to encrypt everything.
Or is the issue that Keychain Access is not open source?
I switched a while ago to using a USB drive to carry all of my digital authentication tokens. But I have had a terrible time trying to use PasswordSafe moving between Windows and Linux -- something to do with the database formats, I gather, causes trouble.
In an ideal world, I'd love to see some combination of PasswordSafe, ssh-agent/Pageant, a browser plugin, and clever automount logic so that I could move my USB drive around and have machines prompt me for the passphrase when I attached the drive and forget it when I removed it. Of the tools I use, PasswordSafe for Windows is the one that gets the most of these elements right.
Excellent. I recommend Password Safe wherever I go.
Password Safe is brilliant as a quick and simple solution to help Windows users with personal password management. My only feature request would be role-based access control.
I've found Password Gorilla by Frank Pilhofer to be a pretty good port to use on *nix systems (including Macintosh). The interface is not as clean (make sure you save before you quit), but it's close enough:
Oooh, Palm version.
I'm having difficulties with the lack of segregation in the testing process mentioned on the Password Safe page.
Password Safe…designed by Bruce
uses an encryption algorithm created by Bruce
…thoroughly verified … under the supervision of Bruce (by a company founded by Bruce)
Password safe lives on my USB drive and is often one of the first things that gets installed on a new computer. It may not be perfect but it is one of the best things out there.
Of course I thought we were to watch out for products that used snake-oil terms like "military-level" :)
A Palm version would be nice. Maybe a Java version to bridge the different systems?
"I'm having difficulties with the lack of segregation in the testing process mentioned on the Password Safe page."
Oh, I agree. That's one of the reasons I made it open source.
I had nothing to do with the coding of the latest versions. Rory Shapiro oversaw the entire thing.
Hm. A java version would be excellent. It could live on either my computer, Windows Mobile PocketPC, or my Motorola Razr cellphone, all of which are capable of running java applications...
Glad to see it is getting the exposure it deserves. I have been using it for a year and it is a great time saver, as well as giving peace of mind.
Actually, Keychain Access also works with Camino!
Therefore, there must be an API somewhere to use it!
The problem isn't that there aren't pieces of Mac software that can do the job well, but that I need to use both kinds of system. For instance, as a social scientist at Oxford, it is essential to be able to access certain terminal servers at the department. The software they run, such as statistical packages, is simply too expensive for any graduate student to go out and buy. Likewise, virtually all college and library computers are running Windows XP.
Your description page is a little out of date. PasswordSafe is actually up to version 2.13 as of September 5, 2005. I contributed a (very little) bit to the coding and design (primarily the password generation rules) and am proud to have helped improve such a useful product. Everyone in my family is required to use PasswordSafe. Thanks for opening it up for Open Source improvement. And note that a Mac/Linux Java-based version of PasswordSafe is in the works. Check out http://passwordsafe.sourceforge.net/#Latest
Thanks for the link, but I was unable to import/access my dat files with the SWT version 0.3. I can pass them seamlessly between Password Safe and Gorilla, though, so I suspect there might be a compatibility issue in SWT.
What a flattering way, for Bruce, to drop the dead donkey.
Doing this kind of thing in Java is very difficult, because you have very little control over when and how objects are destroyed. It's embarrassingly easy to end up with sensitive information being swapped out of RAM to the hard drive and staying there for a long time.
RE: Java. Not only does it potentially leave sensitive information sitting around, it is also VERY easy to hack the java runtime to do evil things... like log every string created, etc.
I've been using SplashID ( http://www.splashdata.com/splashid/ ). It has Windows, Mac, Palm, Symbian, etc. support. Not freeware, but it works well and can track other things beyond passwords. Right now I use the Windows & Palm versions & sync the database between the two.
Yes, Java is a really tough language to write security applications in.
Password Safe is excellent software for password stashing. The article forgot to mention that Password Safe also gives the option to generate random passwords. It is also unbreakable, unless you give a very poor key for the Blowfish encryption.
RE: Mac version and storing passwords on Palm.
As a recent Mac convert, I had to give up PWSafe, so I'm working on a Perl/Tk port that should work under any reasonably modern OS. This might take a while, though...
As for the palm, http://gnukeyring.sf.net is a great PWSafe-alike for the Palm -- it's open-source and uses the GnuPG system for encryption.
I've found that I prefer keeping everything on the Palm and nothing on my local machine. Though I would like a sync option that does more than just back up the database, in case I ever lose my Palm.
What about using something like PasswordMaker located at:
Sorry Bruce, but I had to look around for alternatives when I decided to not use Windows.
I like the idea of not having to carry the password program around, yet still having it wherever I need it via their online version.
And if you have to carry it around, you can download the web based version and just open it up from your pendrive from any browser.
I also like the idea that there isn't a file stored, to worry about if lost or stolen.
But please, if there are problems with this approach, then I'd appreciate hearing about them.
"As noted in the 'Password Safe FAQ', 'there is no back door in PasswordSafe to recover your Safe Combination, but there is a password-guessing program that some people have used successfully. The program works by going through a list of possible passwords and checking each one.'
However, there is a design flaw in PasswordSafe that allows Safe Combination validation to be performed several times faster than the author intended, which makes brute-force and dictionary attacks much more effective."
I use pwsafe on my Mac via fink. I synchronize my database with Windows and Linux systems. For UI, I like the Emacs mode pwsafe.el. It would be nice to have some code to synchronize the PasswordSafe database with Keychain (even if it were only uni-directional) - that way we Mac users could use PasswordSafe as our primary repository but get the benefits of having OS X fill in password forms for us.
Is it a security issue to add the password database to a version control repository? i.e. if someone got hold of many versions of the database that each only differ in the password of one of the accounts, would that be exploitable? My gut feel is no, because each version would look as much like garbage as the next in a hex editor, but maybe there's an attack?
A colleague just pointed me to http://mac.softpedia.com/get/Security/... which appears to be a version of the open source Password Safe for Mac OS by the same author as the Windows version. The Help menu takes you to the SourceForge Password Safe web page.
It's clearly still under construction, with some menu entries and options greyed out, but the basic functionality is there and appears to work fine. I'm wrapped!
In regards to zeds and Bruce's comments regarding the problems of writing secure java apps.... can it be done, though? And have things changed since Oct 05?
The reason that I'm asking is that we have a bit of an odd set-up at my work-place where we use a shared password safe type of application; this has (the obvious security risks apart) a few drawbacks.
Firstly, the safe is locked for others (with an option to FORCE it open), which makes for the risk of losing changes. Secondly, the thing we're using doesn't allow for a paste of the password to the OS's clipboard; one has to SEE the password in clear text (very bad indeed). My idea was to do something similar to Bruce's Password Safe, but instead of storing the passwords in a flat file, store the hashes in a database (which would allow for record locking), and since we're using a mixed environment (equal numbers of Linux and Windows machines), something highly portable would be very desirable.
Hi, can you give me the high-level and low-level design for the backend part of Password Safe?
Hi, can you give me sources for porting to the AMD x64 platform?
I've been using Password Safe for a while but stopped for a period of time because my life got a little hectic due to personal reasons.
I don't remember my password for the "Password Safe" program. Is there a way I can retrieve my password?