Your Passwords Aren’t As Secure As You Think

If you allow applications to save your passwords, anyone with physical access to your PC can decode them unless you’re properly encrypting them — and chances are pretty good you’re not. Let’s walk through the right and wrong ways to store your passwords.

For the purpose of this article, we’ll assume that the people you allow into your house are trustworthy enough not to hack your passwords, and your laptop has been stolen instead — but the tips here should apply to either scenario. Regardless of how you choose to save your passwords, you should make sure to use great passwords and even stronger answers for security questions.

Once You Click “Remember Password” It’s All Over

It doesn’t even matter all that much if you’ve got a tough Windows password; anybody with physical access to your PC can use an Ubuntu Live CD to copy all of your data onto an external drive without modifying anything, and crack your files on another machine whenever they please (assuming you don’t have your entire hard drive encrypted). If they had a little more time, they could use Ophcrack to figure out your password, or they could just be mean and use the System Rescue CD to change your Windows password.

Once that person has access to your files, they can recover your passwords with free tools easily — you can recover passwords in a few clicks from Outlook, Instant Messenger, Wi-Fi, Internet Explorer, Firefox, Chrome or any number of other applications. All it takes is a quick Google search to find even more cracking utilities.

Pidgin Stores Passwords In Plain Text

The decision to store the passwords in plain text is a deliberate one that’s been thoughtfully considered, and while you might initially think it’s a terribly insecure way to handle security, keep in mind that you can simply download any number of utilities like Nirsoft’s MessenPass and recover the passwords from AIM, Windows Live Messenger, Trillian, Miranda, Google Talk, Digsby, etc. The Pidgin developers point out that their option is actually the preferred method for security:

Having our passwords in plaintext is more secure than obfuscating them precisely because, when a user is not misled by a false sense of security, he is likely to use the software in a more secure manner.

The best answer, of course, is to not allow your IM client to store your passwords at all — but if you must store them, you should at least use the built-in Windows encryption. This would be better than the pseudo-protection most other applications provide.
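As an added example (not from the article), here is one way to apply the built-in Windows encryption suggested above: putting an application's saved-password folder under the Encrypting File System (EFS), so a copy of the files lifted from a stolen or Live-CD-booted disk is unreadable without your Windows logon. The Pidgin folder path is an assumption, and EFS requires NTFS and a Windows edition that includes it.

```powershell
# Added example, not from the article or the Pidgin project.
# Assumed location of Pidgin's saved accounts (accounts.xml lives here on Windows).
$PidginDir = Join-Path $env:APPDATA '.purple'

function Protect-FolderWithEfs {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Folder not found: $Path" }
    # cipher.exe ships with Windows: /e encrypts, /s: recurses so existing files
    # and the folder itself (hence any file written later) get the EFS flag.
    & cipher.exe /e /s:"$Path" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "cipher.exe failed; EFS needs an NTFS volume and a Windows edition that supports it"
    }
}

function Get-UnencryptedFiles {
    param([Parameter(Mandatory)][string]$Path)
    # Anything lacking the Encrypted attribute would still be readable offline.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
}

Protect-FolderWithEfs -Path $PidginDir
$leftover = Get-UnencryptedFiles -Path $PidginDir
if ($leftover) {
    Write-Warning "Still unencrypted: $($leftover.FullName -join ', ')"
} else {
    Write-Host "Every file under $PidginDir is EFS-protected."
}

# Export your EFS certificate and key to a .pfx stored OFF the laptop; without it
# the files are lost if the Windows profile is rebuilt:
#   cipher.exe /x:"$env:USERPROFILE\efs-backup"
```

EFS keys are unlocked by your Windows logon password, so this defeats the offline password-reset trick described above (a reset account loses access to its EFS files) but not a password that is cracked outright; a strong logon password is still part of the defence.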

Password Managers Are The Only Secure Storage

You’ve got a number of great password managers to choose from, like reader favourite Keepass, a cross-platform tool which has many plugins that help you master your passwords and make using a password manager easier to deal with. And, of course, let’s not forget that Firefox has a full password manager built right into the application.

Use A Firefox Master Password (With More Than 8 Characters)

Once you’ve done this, Firefox will store all of your passwords with nearly unbreakable AES encryption — providing you use a password with more than 8 alpha-numeric characters and at least one capitalised letter. If you used a weak and pathetic password like “secret”, it could be broken in a matter of minutes with a brute force cracking tool, but a decent password of eight or more random characters would take a brute force attack at least 73 years.

Each time you start Firefox and go to a site that requires a saved password, you’ll be first prompted for your master password. By default, the master password authentication will be active for the entire session, but you can use the Master Password Timeout extension to lock your master password again after a certain interval, which is handy if you walk away from your desk without remembering to lock it with Win+L.

Use TrueCrypt To Encrypt Everything

Use portable versions of your applications, or use TrueCrypt to encrypt the entire hard drive.

Are you already using a password manager or encryption to keep your passwords secure? Share your best password security tips in the comments.


  • I learned this the hard way when I recently got a trojan that lifted the passwords saved in FileZilla and used the FTP access to inject malware into my websites.
