Fordham Tech. Innovators - Password Management Presentation

Password Management in the Web 2.0 Age: Challenges and Solutions, by Jim Behnke and Jose DeLeon

Upload: behnkejh

Post on 12-May-2015

Category:

Education


DESCRIPTION

Presentation for the Fordham Technology Innovator's Council on password management strategies.

TRANSCRIPT

Page 1: Fordham Tech. Innovators - Password Management Presentation

Password Management in the Web 2.0 Age

Challenges and Solutions

Jim Behnke and Jose DeLeon

Page 2: Fordham Tech. Innovators - Password Management Presentation

Accessing Apps in the “Cloud”

…when do too many passwords become a hindrance to instructors?

Page 3: Fordham Tech. Innovators - Password Management Presentation

Key question: How important is your information?
• Student records?
• Financial information?
• Photos of family / friends?
• Instructional materials?
• Research / doctoral thesis?
• Confidential survey data?

Given that user names and passwords are the norm…

Why do people use weak passwords, or no passwords at all, by preference?

Page 4: Fordham Tech. Innovators - Password Management Presentation

Problem Outline

• Too many passwords
• May prevent or discourage use of technology
• Difficult to track and organize efficiently
• Differing password complexity requirements

Page 5: Fordham Tech. Innovators - Password Management Presentation

Challenges

• Creating quality passwords
• Password recall
• Password uniqueness
• Multifactor authentication
• Secure storage
• Portability (ability to access on multiple computers / devices)

Page 6: Fordham Tech. Innovators - Password Management Presentation

Tips for Creating Quality Passwords

• Mixed case
• Alphanumeric
• Special characters (!@#$%^&*()_+/*-+)
• Unambiguous characters (avoid look-alikes such as I and l)
• Password length

94^x possibilities ( Z^U5yCeQ7k )

Hint: it's not that easy!
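
The tips above, turned into a generator and a search-space calculation, as an added example that is not part of the original presentation. The look-alike set `Il1O0|` and all function names are assumptions made here.

```python
import math
import secrets
import string

# The 94 printable, non-space ASCII characters: the "94" in 94^x.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Assumed look-alike set (not from the slides); tune it to your fonts.
AMBIGUOUS = set("Il1O0|")


def build_classes(avoid_ambiguous=True):
    """Lowercase, uppercase, digit and special classes, minus look-alikes."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    if avoid_ambiguous:
        classes = ["".join(c for c in cls if c not in AMBIGUOUS)
                   for cls in classes]
    return classes


def generate_password(length=16, avoid_ambiguous=True):
    """Uniformly random password containing every character class."""
    classes = build_classes(avoid_ambiguous)
    if length < len(classes):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(classes)
    while True:
        # secrets draws from the OS CSPRNG; the random module must not be used.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling: redraw rather than patch in missing classes,
        # so every acceptable password stays equally likely.
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def search_space_bits(length, alphabet_size=len(FULL_ALPHABET)):
    """log2(alphabet_size ** length): the size of the guessing space in bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(10)  # same length as the slide's Z^U5yCeQ7k
    print(pw)
    print(f"94^10 is about 2^{search_space_bits(10):.1f}")
    reduced = len("".join(build_classes()))  # 88 once look-alikes are dropped
    print(f"{reduced}^10 is about 2^{search_space_bits(10, reduced):.1f}")
```

Dropping look-alikes shrinks the alphabet from 94 to 88 characters, which costs under one bit at length 10; adding a single character of length buys back far more than that.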

Page 7: Fordham Tech. Innovators - Password Management Presentation

Methods of Password Recall

• Memory (unreliable, impractical esp. with decent passwords)
• Written down (insecure)
• Stored in a plain text file (still insecure)
• Stored in specialized password management software

Page 8: Fordham Tech. Innovators - Password Management Presentation

Two Potential Solutions

http://keepass.info

http://lastpass.com

Page 9: Fordham Tech. Innovators - Password Management Presentation

Overview: “KeePass”

Open-source password management database

James Behnke

Page 10: Fordham Tech. Innovators - Password Management Presentation

What is KeePass?

Database for secure storage of user accounts and passwords

FREE, “open-source”

Cross-platform

Page 11: Fordham Tech. Innovators - Password Management Presentation

Available on many platforms…

Page 12: Fordham Tech. Innovators - Password Management Presentation

Key Features (DEMO)

DEMO SUMMARY:

• Stores data needed to access Web-based applications
• Tools for securely generating and evaluating passwords
• Makes using passwords convenient
• Encrypted data files

Page 13: Fordham Tech. Innovators - Password Management Presentation

Dilemma:

What happens if someone steals your database file?

Page 14: Fordham Tech. Innovators - Password Management Presentation

Regarding Encryption

Wikipedia definition: “encryption”

“In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.”

http://en.wikipedia.org/wiki/Encryption

Page 15: Fordham Tech. Innovators - Password Management Presentation

KeePass encryption options

DO NOT LOSE YOUR PASSWORD OR KEY FILE!

Page 16: Fordham Tech. Innovators - Password Management Presentation

Regarding portability

Problem: How do I carry my password database from device to device?

Page 17: Fordham Tech. Innovators - Password Management Presentation

Possible Paths to Portability

• USB flash drives (for data files)
• MyFiles w/ “Xythos Drive” or OSX
• “DropBox” (www.dropbox.com) or similar “data synchronization” service
• “Portable apps” (DEMO) (http://portableapps.com/) or similar application

Page 18: Fordham Tech. Innovators - Password Management Presentation

A widely used, open-source application…

Page 19: Fordham Tech. Innovators - Password Management Presentation

Final Thoughts…

KeePass Pros
• Relatively easy to use
• Free
• Cross-platform inc. mobile options
• Relatively secure
• Widespread use, many “plugins” (e.g. synchronize databases between computers, automatically enter information instead of copying and pasting)

KeePass Cons
• Currently, requires additional effort / knowhow to make it portable
• “Plugins” must be sought out, installed, and toyed with

Page 20: Fordham Tech. Innovators - Password Management Presentation

LastPass Features

Browser Based
• IE, Chrome, Safari, Firefox

Portable
• iPhone, BlackBerry, Windows Phone, Symbian, Android
• USB Flash Drive
• Cloud

Security
• SSL encryption on all traffic to LastPass servers
• Database encrypted/decrypted at the client side with 256-bit AES before transmission to servers
• Master password stored on servers as a hash
• Screen Keyboard
• Phishing Protection

Page 21: Fordham Tech. Innovators - Password Management Presentation

LastPass Features

Multifactor Authentication
• OTP (One Time Passwords)
• YUBIKEY – token based authentication

Usability
• One Master Password
• Automatic Form Filling
• One Click Login
• Synchronized Across Browsers
• Securely Share Login Credentials
• Automatic Backup
• Password Generator

Page 22: Fordham Tech. Innovators - Password Management Presentation

Alternative solutions:

Firefox 4 Beta: New Firefox provides service to synchronize passwords between computers (.MP4 video)

Google Chrome: