Unfortunately, many people are unaware of the importance of using strong passwords that are unique in each context where a password is needed. Even if they are aware of these measures to protect their private data and login credentials, many of them do not see much value in further protecting such passwords when storing them locally. Finally, even among those who are aware of all the above considerations, many people do not consciously think through all the implications of the design and feature set of a given password manager when they select it, beyond the basics of ensuring that it encrypts stored passwords.
A number of key characteristics of a password manager are very important for securely managing passwords:
- Encryption: Stored login credentials should always be stored in an encrypted form, using peer reviewed, heavily tested, strong encryption, so that even if the device used to store the passwords is stolen the thief is unlikely to be able to recover passwords.
- Secure resource usage: A number of possible vulnerabilities involving unsecured resource usage are possible. For instance, using secure memory that will not be written to a page file or swap partition on disk guards against the danger of a decrypted password being dumped onto the disk where it can be recovered later by a malicious security cracker.
- Self-contained functionality: A lot of software is not written with absolute data security in mind, and it often should not be written that way if the intended functionality of the application presents no need for such security. This does mean, however, that any password management software should not trust the security of outside applications. What good is using secure memory if the decrypted passwords will just be passed directly through another application that stores everything in temp files that may never be explicitly deleted?
- Usability: Quick, simple and easy use of the day-to-day functionality of the password manager is important for ensuring that the password manager actually gets used regularly. If it is not at least nearly as easy to use for all of a user’s common password needs, it may get neglected in favor of less secure options.
- Verifiable design: Just as encryption that does not trust the user is not trustworthy; the same is true of software that handles any part of one’s secure data management needs. This is especially true of something like a password manager, which manages the data used to access other applications that also need to manage data securely. To ensure that the software is trustworthy, it should be verifiable — which means that the source code is not only available for scrutiny, but verifiably the same as the source code used to produce the actual executable program itself. Security through visibility requires open source software. Ideally, security software should use copy free licensing policy.
These five criteria are of fairly universal value for a general purpose password manager, and should probably be considered by everyone designing a password manager or selecting one for personal use. Other features may also be desirable, many of which involve suitability for a particular user’s workflow, and the specific uses to which a password manager may be put, as contrasted with the specific uses to which another person might put a password manager. For your particular needs, this short list of considerations will surely not be the only things worth considering, but it should offer a good start.
The article on password is good rajesh. Can you tell us how to crack password ;-)
ReplyDelete