<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
> <channel><title>gHacks Technology News &#124; Latest Tech News, Software And Tutorials &#187; passwords</title> <atom:link href="http://www.ghacks.net/tag/passwords/feed/" rel="self" type="application/rss+xml" /><link>http://www.ghacks.net</link> <description>A technology news blog covering software, mobile phones, gadgets, security, the Internet and other relevant areas.</description> <lastBuildDate>Fri, 10 Feb 2012 20:51:26 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <atom:link rel="hub" href="http://pubsubhubbub.appspot.com"/><atom:link rel="hub" href="http://superfeedr.com/hubbub"/> <item><title>Visual Hashing, Password Reminders For Chrome And Firefox</title><link>http://www.ghacks.net/2011/12/20/visual-hashing-password-reminders-for-chrome-and-firefox/</link> <comments>http://www.ghacks.net/2011/12/20/visual-hashing-password-reminders-for-chrome-and-firefox/#comments</comments> <pubDate>Tue, 20 Dec 2011 14:47:26 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Browsing]]></category> <category><![CDATA[Google Chrome]]></category> <category><![CDATA[firefox add-ons]]></category> <category><![CDATA[google chrome extensions]]></category> <category><![CDATA[passwords]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=54631</guid> <description><![CDATA[All you see are asterisks whenever you enter passwords on the Internet. This makes it near impossible to make sure the correct password has been entered. The only indicator is the length of the password, but that works best for short passwords and not so good for larger more secure ones as it takes time [...]]]></description> <content:encoded><![CDATA[<p>All you see are asterisks whenever you enter passwords on the Internet. This makes it near impossible to make sure the correct password has been entered. The only indicator is the length of the password, but that works best for short passwords and not so good for larger more secure ones as it takes time to count the characters entered.</p><p>Visual Hashing, a new add-on for the Firefox web browser and extension for Chrome, changes this by adding visual password reminders to password prompts on the Internet.</p><p>The idea is simple: Generate a hash code for a password the user enters, and visualize that hash with four colors in the password field.</p><p>The user recognizes the colors over time, and gets a confirmation that the right password has been entered right on the screen.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/12/password-hash.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2011/12/password-hash.jpg" alt="password hash" title="password hash" width="384" height="236" class="alignnone size-full wp-image-54632" /></a></p><p>Using the add-on may be somewhat confusing at the beginning, as new colors appear whenever you add or remove a char from the entered password.</p><p>Visual Hashing basically helps you in making sure that you do not enter a wrong password in password fields on the Internet.</p><p>Visual Hashing integrates well into most sites. It works for instance on Twitter, Facebook and Google properties. The four colors begin to appear after you have entered the first character of the user password. This works both on sign-up forms and on sign-in forms.</p><p>The developer is currently thinking about adding new features to the add-on. Among the options could be a password hint that indicates whether the password is correct or not, or options to keep track of passwords that are being reused to inform the user about the dangers of it.</p><p>Colors will always appear slightly different to avoid password hash information leaking out through screenshots. The color differences are not recognizable to the human eye.</p><p>Firefox users can download Visual Hashing <a
href="https://addons.mozilla.org/en-US/firefox/addon/visual-hashing/">from the</a> official Mozilla Firefox add-on repository, Chrome users <a
href="https://chrome.google.com/webstore/detail/lkoelcpcjjehbjcchcbddggjmphfaiie">from the</a> Chrome Web Store.</p><p>Source code and additional information are <a
href="http://connectioni.st/2011/12/visual-password-hashing-for-your.html">available on</a> the developer&#8217;s blog.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/12/20/visual-hashing-password-reminders-for-chrome-and-firefox/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> <item><title>LastPass Password Manager Now With Google Authenticator Support</title><link>http://www.ghacks.net/2011/12/12/lastpass-password-manager-now-with-google-authenticator-support/</link> <comments>http://www.ghacks.net/2011/12/12/lastpass-password-manager-now-with-google-authenticator-support/#comments</comments> <pubDate>Mon, 12 Dec 2011 12:24:46 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Google]]></category> <category><![CDATA[lastpass]]></category> <category><![CDATA[password manager]]></category> <category><![CDATA[passwords]]></category> <category><![CDATA[Security]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=54268</guid> <description><![CDATA[One way to improve online account security is to use so called 2-step verification systems when they are offered by companies and services. Companies like Google, PayPal or Yahoo are already offering multifactor authentication systems to their users. These systems are optional for now and improve security by combining standard log ins with a second [...]]]></description> <content:encoded><![CDATA[<p>One way to improve online account security is to use so called 2-step verification systems when they are offered by companies and services. Companies like Google, PayPal or Yahoo are already offering multifactor authentication systems to their users. These systems are optional for now and improve security by combining standard log ins with a second verification step. A mobile device is usually used for that second step, but other solutions (like <a
href="http://www.ghacks.net/2008/07/19/protect-paypal-accounts-with-verisign-identity-protection-devices/">PayPal&#8217;s ID Protection device</a>) are available as well.</p><p>The password manager LastPass had been my password manager of choice before I switched to the Open Source password manager <a
href="http://www.ghacks.net/2011/05/05/the-lastpass-security-incident-what-i-did/">KeePass</a>. LastPass has supported multifactor authentication systems for some time now, for instance with the help of <a
href="http://www.ghacks.net/2010/01/12/yubico-usb-key-provides-extra-login-protection-security/">Yubikeys</a>. But those usually came with a cost.</p><p>LastPass back in November introduced support for Google&#8217;s Authenticator app to add another multifactor authentication option to the service.</p><p>Google Authenticator is a mobile application for Android, iOS, Blackberry and Symbian devices that generates a temporary verification code that users need to enter when they log into LastPass from untrusted devices.</p><p>Google Authenticator needs to be linked to LastPass before the new security feature can be used. Here is how this is done.</p><ul><li>Google Authenticator needs to be installed on a mobile device. Google <a
href="http://support.google.com/accounts/bin/answer.py?hl=en&#038;answer=1066447">offers</a> installation instructions for Android, iOS and Blackberry devices. Please note that you need to enable 2-step verification using the phone number as Google Authenticator cannot be set up otherwise.</li><li>Once Google Authenticator is up and running properly, LastPass users need to visit <a
href="https://lastpass.com/?ac=1&#038;opengoogleauth=1">this link</a> to link the authenticator with their LastPass account. This is done by either scanning the displayed barcode with the mobile device, or by entering the Google Authentication key displayed on the website manually.</li></ul><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/12/lastpass-google-authenticator.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2011/12/lastpass-google-authenticator.jpg" alt="lastpass google authenticator" title="lastpass google authenticator" width="593" height="398" class="alignnone size-full wp-image-54272" /></a></p><p>LastPass will from now on display a Google Authenticator Authentication page for log ins to the service from untrusted devices.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/12/lastppass-multifactor-authentication.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2011/12/lastppass-multifactor-authentication.jpg" alt="lastppass multifactor authentication" title="lastppass multifactor authentication" width="566" height="316" class="alignnone size-full wp-image-54273" /></a></p><p>LastPass users then need to open the Google Authenticator app to generate a one-time verification code that they need to enter on the LastPass website. Users who require offline access to their LastPass password database can configure this during setup. It is also possible to trust devices to avoid having to generate and enter verification codes on every log in.</p><p>Additional information about the setup is <a
href="http://helpdesk.lastpass.com/security-options/google-authenticator/">available on</a> the LastPass Support website.</p><p>The new multifactor authentication adds a second layer of protection to the LastPass login process that makes it a lot harder for attackers to access a user&#8217;s password database.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/12/12/lastpass-password-manager-now-with-google-authenticator-support/feed/</wfw:commentRss> <slash:comments>7</slash:comments> </item> <item><title>Advanced Password Recovery For Windows</title><link>http://www.ghacks.net/2011/09/26/advanced-password-recovery-for-windows/</link> <comments>http://www.ghacks.net/2011/09/26/advanced-password-recovery-for-windows/#comments</comments> <pubDate>Mon, 26 Sep 2011 17:43:50 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Software]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[password recovery]]></category> <category><![CDATA[passwords]]></category> <category><![CDATA[windows password]]></category> <category><![CDATA[windows software]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=50847</guid> <description><![CDATA[Windows users have many options at hand to recover an account password if they cannot remember it and the sign in fails because of this. We have covered a few options in the past, check out Reset Windows Passwords or Create a Windows Password Reset Disk for pointers. Another option if you still can log [...]]]></description> <content:encoded><![CDATA[<p>Windows users have many options at hand to recover an account password if they cannot remember it and the sign in fails because of this. We have covered a few options in the past, check out <a
href="http://www.ghacks.net/2008/03/31/reset-windows-passwords/">Reset Windows Passwords</a> or <a
href="http://www.ghacks.net/2011/03/20/how-to-create-use-a-windows-password-reset-disk/">Create a Windows Password Reset Disk</a> for pointers.</p><p>Another option if you still can log in with a different user account is the free Advanced Password Recovery software. It can be used for more than just changing or removing user passwords from Windows Accounts, but that is one of its core features.</p><p>You can start the program right away without installation. Please note that you need the Server service running. If it does not run, you will get an error message and a program that is only working partially.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/09/advanced-password-recovery.jpg" alt="advanced password recovery" title="advanced password recovery" width="548" height="259" class="alignnone size-full wp-image-50848" /></p><p>When you start the program for the first time you will notice a tabbed interface. The Windows Account Management tab can be used to remove or change passwords of all known users on the system. This way you could either remove a password that you have forgotten or replace it with a new password.</p><p>Advanced Password Recovery has other interesting features, some of them log in related. You can for instance enable logon password patching which will display a password change prompt on the next log on of the user on the system.</p><p>Another option becomes available under the Password and Serial Recovering tab. Here you can create backups of passwords and serial numbers. The wording is a bit off, considering that you only backup the serials and passwords. Available for selection are Messenger and Related, Windows and Office, Browsers and Wireless passwords and serials. All get saved in text files on the local system.</p><p>Advanced Password Recovery <a
href="http://www.joshcellsoftwares.com/2011/08/advanced-password-recovery-password.html">is compatible with</a> 32-bit and 64-bit editions of the Windows operating system. The program requires the Microsoft .NET Framework. There is unfortunately no mention of the version that is required.</p><p>The free software program is handy if you can still log into an administrator account on the system. It is of course then possible to use other means to reset or change passwords of Windows user accounts.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/09/26/advanced-password-recovery-for-windows/feed/</wfw:commentRss> <slash:comments>7</slash:comments> </item> <item><title>The LastPass Security Incident, What I Did</title><link>http://www.ghacks.net/2011/05/05/the-lastpass-security-incident-what-i-did/</link> <comments>http://www.ghacks.net/2011/05/05/the-lastpass-security-incident-what-i-did/#comments</comments> <pubDate>Thu, 05 May 2011 13:56:34 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[keepass]]></category> <category><![CDATA[lastpass]]></category> <category><![CDATA[password manager]]></category> <category><![CDATA[passwords]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44749</guid> <description><![CDATA[After finding out that there might have been a security breach at LastPass, a company known for their online password management solution, I quickly changed my master password and started to think about possible consequences. For some time now, I had been thinking about switching to an offline password management solution. Not necessarily because I [...]]]></description> <content:encoded><![CDATA[<p>After finding out that there might have been a <a
href="http://www.ghacks.net/2011/05/05/lastpass-security-breach/">security breach at LastPass</a>, a company known for their online password management solution, I quickly changed my master password and started to think about possible consequences.</p><p>For some time now, I had been thinking about switching to an offline password management solution. Not necessarily because I think that online password managers are inherently less secure, but because it gives me more control over my passwords.</p><p>I therefore made the decision to migrate all my LastPass account information to KeePass, a free password management software. But simply migrating the data was not enough. If someone did actually manage to steal data from LastPass servers, they might have all my login accounts by now. The chance is slim, especially if you take into account what LastPass has communicated so far, but since I earn my living on the web I wanted to be on the safe side here.</p><p>The decision was born to change <strong>all my account passwords</strong> after the migration. I knew that this would not be easy, with 500+ accounts listed in the LastPass database.</p><p>This guide explains how I imported my LastPass login database to KeePass, and how to change all your account passwords in record breaking time. Don&#8217;t get me wrong, you will still spend hours and hours doing repetitive boring tasks.</p><h3>Exporting LastPass database</h3><p>The first task is to export the LastPass database. The information within acts as a reference, so that you know how far you got with changing your account passwords. Open the LastPass website and click Sign In to LastPass to log into your account.</p><p>Once you are logged in select Export and enter your account&#8217;s master password again.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/lastpass-export.png" alt="lastpass export" title="lastpass export" width="188" height="361" class="alignnone size-full wp-image-44752" /></p><p>LastPass outputs all of your account information in one large list. Select all with Ctrl-a, and then Ctrl-c to copy the information to the clipboard. Save them in a text file on the local system. The list contains all urls, usernames, passwords and other information that you have stored in LastPass&#8217;s password manager.</p><h3>Importing Passwords Into KeePass</h3><p>Download the latest version of <a
href="http://keepass.info/index.html">KeePass</a> from the developer website. Please note that it is only available for Windows and many mobile devices. I have installed the password manager on an encrypted hard drive for extra protection.</p><p>Start KeePass after installation or extraction and select File > Import from the menubar. Select Generic CSV Importer from the options and load the text document with your account information. A click on OK imports the data into KeePass.</p><p>Please note that the url is added as the title of each individual password, which is not a big problem. The url field is left blank, which we will utilize soon.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/keepass-570x391.png" alt="keepass" title="keepass" width="570" height="391" class="alignnone size-medium wp-image-44755" /></p><h3>Changing Passwords With KeePass</h3><p>Now that you have all your LastPass passwords in KeePass it is time to change all of them. Here are a few tips to get you started with that:</p><ul><li>Disable the LastPass add-on in your browser. If you do not do this you will get a &#8220;we noticed a password change prompt&#8221; all the time.</li><li>A big screen helps you. I had Firefox open in one half, KeePass and the password list in the other, which meant that I did have all information visible on screen all the time.</li><li>Move all Generated Passwords entries to the old group</li><li>Create password groups to sort passwords into. You can create new groups with a click on Edit > Add Group, or a right-click and Add Group.</li><li>Start with your email accounts. Why? Because if they get compromised they may be used to reset passwords that you have just changed. Create a new group emails and change them right away.</li><li>Now think about your most important accounts, e.g. financial, web hosting, shopping. Change those after you have changed the email accounts.</li><li>Open a blank text document and use Tools > Generate Password List to generate a list of secure passwords. I suggest 20+ characters including upper- and lower-case, digits, minus and underline. You may add some special characters to it that are often allowed, for instance !?%&#038;. Copy and paste the full list into the text document. You will work through the list when you change accounts.</li><li>Never use the same password for more than one account</li><li>If you are a webmaster, you may have access to multiple accounts from one admin interface. For many WordPress sites, I have an admin account and an author account which both needed changing. 
To speed things up, you can log in with the admin, change the admin account first, and then change the author account while still logged in as the admin. The same is true for web hosting accounts if you host multiple domains and websites under that account.</li><li>To keep track of things, I always added the url to accounts that I have changed the password for. I also moved those accounts to an appropriate group. This way, it was easier to keep track of the password changing progress.</li></ul><p>The biggest drawbacks that you will encounter are sites that limit the number of password characters. I encountered more than one site that only accepted six characters in total. That&#8217;s crazy.</p><p>My routine looked like the following:</p><ul><li>Double-click the next entry in the KeePass database, copy the url, paste it into the web browser.</li><li>While it is loading copy the username from the KeePass database.</li><li>Paste the username</li><li>Copy the password with a right-click</li><li>Paste the password</li><li>Locate the account settings or password change options on the page.</li><li>Paste the old password in if the site required it.</li><li>Copy the next password from the password list and paste it into the new password form, submit.</li><li>Double-click the entry in the KeePass database, paste the new password in there as well.</li><li>Copy the url and paste it into the url field.</li><li>Move the account to one of the groups</li><li>Repeat</li></ul><p>You may be able to speed things up further by installing a plugin like KeeFox which brings KeePass functionality to Firefox. Similar extensions are available for other web browsers. I&#8217;m currently managing about 50-60 accounts per hour with this system. 
You may be even faster if you use a browser plugin.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/05/05/the-lastpass-security-incident-what-i-did/feed/</wfw:commentRss> <slash:comments>51</slash:comments> </item> <item><title>LastPass Security Breach?</title><link>http://www.ghacks.net/2011/05/05/lastpass-security-breach/</link> <comments>http://www.ghacks.net/2011/05/05/lastpass-security-breach/#comments</comments> <pubDate>Thu, 05 May 2011 08:15:59 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[lastpass]]></category> <category><![CDATA[lastpass security]]></category> <category><![CDATA[password manager]]></category> <category><![CDATA[passwords]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44719</guid> <description><![CDATA[You know that I&#8217;m using LastPass as my password manager. It offers everything that I need and then some. One thing that I like about the service is that the company is dedicated and taking security seriously. A blog post at the LastPass blog entitled LastPass Security Notifications mentions that the company has noticed a [...]]]></description> <content:encoded><![CDATA[<p>You know that I&#8217;m using LastPass as my password manager. It offers everything that I need and then some. One thing that I like about the service is that the company is dedicated and taking security seriously. A blog post at the LastPass <a
href="http://blog.lastpass.com/2011/05/lastpass-security-notification.html">blog</a> entitled LastPass Security Notifications mentions that the company has noticed a network traffic anomaly on a non-critical server. The cause for the anomaly could not be identified. Further investigation revealed that traffic was sent from a database which could not be accounted for either.</p><p>Instead of sweeping that incident under the table, the developers decided to assume the worst case scenario: That an attacker managed to breach the security and download user data from the database. The traffic amount was large enough to include user emails, server salt and salted password hashes.</p><p>This data can be used by the attacker to brute force passwords which would then give access to a user&#8217;s Last Pass vault with all stored passwords.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/last-pass-security-570x473.png" alt="last pass security" title="last pass security" width="570" height="473" class="alignnone size-medium wp-image-44725" /></p><p>The company as a consequence asks its users to change their master password as a precautionary measure.</p><p>Some users may have received notifications to change their master password, or other notifications related to the incident (an error has been encountered while loading your sites lastpass). Only users who try to connect and log in with a new IP address, one that they have not been using in the past weeks, are asked to do that.</p><p>I did change my master password and I&#8217;m currently seeing an anomaly on all sites. The autofill username and password feature appears to be broken. Even a right-click and the selection of LastPass > Copy Username or Copy Password does not reveal any entries.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/lastpass-not-working.png" alt="lastpass not working" title="lastpass not working" width="200" height="102" class="alignnone size-full wp-image-44722" /></p><p>I could not find any information about this on the LastPass website or in the user comments. I suppose it is a temporary thing that will resolve automatically.</p><p>Last Pass are rebuilding the boxes and have moved services to other servers for now. They also compared the code on the live servers with code from their repositories to make sure it was not tampered with.</p><p>If you read through the comments you notice that the majority of users that comment have log in problems. Some because their browser appears to be detected as a mobile device which they cannot log in with.</p><p>I for one am happy that LastPass did communicate the issue right away with their users, unlike other companies that we know of (cough, Sony, cough). Yes, it may be inconvenient today to get things sorted out, but I prefer that to doing nothing.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/05/05/lastpass-security-breach/feed/</wfw:commentRss> <slash:comments>33</slash:comments> </item> <item><title>Why Websites Never Need Your Password</title><link>http://www.ghacks.net/2011/05/05/why-websites-never-need-your-password/</link> <comments>http://www.ghacks.net/2011/05/05/why-websites-never-need-your-password/#comments</comments> <pubDate>Thu, 05 May 2011 07:27:04 +0000</pubDate> <dc:creator>Ryan D. Lang</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[Tutorials Basic]]></category> <category><![CDATA[online security]]></category> <category><![CDATA[password]]></category> <category><![CDATA[password recovery]]></category> <category><![CDATA[passwords]]></category> <category><![CDATA[phishing]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44716</guid> <description><![CDATA[It is common knowledge that a website, such as PayPal or eBay, will never ask for your password. They do not need it, but rarely do we hear about why that is the case. There are actually a few possibilities. Please note, if you ever get an e-mail requesting your username and password, it is [...]]]></description> <content:encoded><![CDATA[<p>It is common knowledge that a website, such as PayPal or eBay, will never ask for your password.  They do not need it, but rarely do we hear about why that is the case.  There are actually a few possibilities.</p><p>Please note, if you ever get an e-mail requesting your username and password, it is <a
href="http://www.ghacks.net/2006/01/25/phishing-explained">phishing</a> for it.  See our <a
href="http://www.ghacks.net/2009/10/07/phishing-protection-tips/">phishing protection tips</a> for some tips on how to protect yourself.  There is also a <a
href="http://loginhelper.com/email/phishing-flow-chart/">phishing flowchart</a> to help you identify phishing.  In addition to this, Gmail <a
href="http://gmailblog.blogspot.com/2009/07/new-in-labs-super-trustworthy-anti.html">has a lab</a> that will verify PayPal and eBay e-mails.</p><h3>Websites Already Have it</h3><p>While one would hope passwords are encrypted and kept out of harm&#8217;s reach, that is not always the case.  In many systems security is an afterthought.  Sometimes security policies and programs are not seen as necessary until after a breach.  Important customer information is not always protected the way that it should be.</p><p>In a system like this your password may not be encrypted. It may be stored in plain text (sometimes called &#8220;clear text&#8221;).  There may not be proper access controls in place either.</p><p>With the usernames and passwords so easily accessed, no one from the company needs to ask you for them.  The company, or a number of employees within it, has access to them.  This is a part of why it is important to use different passwords on different sites.</p><h3>Top Level Staff May Have Access</h3><p>A system with good security will encrypt your passwords.  Even if someone who was not supposed to have access to the file containing passwords gained it, it would look like gibberish.  There are ways to get around this under certain circumstances, but overall the encryption keeps people from being able to read customer information.</p><p>That said, there will be people higher up who have access to the key which can decipher passwords.  If a legitimate need for the information arose, such as a court order, then a ranking company official would be involved, not you.</p><p>While not directly relating to passwords, Dropbox works in a similar fashion. All data that Dropbox stores is encrypted, protected from staff and general misuse.   The higher-ups are able to access the data, but only under special circumstances.  They <a
href="http://blog.dropbox.com/?p=735">can give</a> access to authorities, but it must be by court order.  It is an example of how an encrypted system is still controlled by someone in the company.</p><h3>Your Password May Not Be Stored Verbatim</h3><p>Some sites and systems may use a clever trick to log you in.  You would think, when you log in, a server compares the username and password that you send with a username and password on record.  That is not always the case.</p><p>Some systems will use your password and a random number, put them into a formula, and get a crazy looking code of letters, numbers, and symbols.  This code is virtually perfectly unique to your password.  The site stores this code and the random number.</p><p>virtually perfectly unique<br
/> http://blogs.msdn.com/b/tomarcher/archive/2006/05/10/are-hash-codes-unique.aspx</p><p><a
href="http://www.infocellar.com/networks/Security/hash.htm">Unlike encryption</a>, where the password can be retrieved if a key is used, the created code cannot be unlocked to reveal your password.  It is a one-way process designed to make your password unreadable.  It is difficult to figure out the password based on the code.  The point to a system like this is that they do not want to know your password.</p><p>When you login again, you send your username and password. <a
href="http://www.product-reviews.net/2011/05/02/playstation-network-status-of-passwords-encryption-vs-hashing/">The system</a> takes the password you send, puts it and the random number back in the formula, and forms the crazy code again.  It then compares that code to the code on file.  If they match, you are allowed in; if they do not match, you get an error.  Voila, login without a stored password.</p><p>The crazy code has a special name: a hash value.  Sony disclosed their use of hash values after the PlayStation Network was brought down by hackers.</p><h3>The System May Force Resets</h3><p>Some systems will give limited tools to IT personnel (by policy, access, or design).  In these cases, the only tool they may have available is a password reset.  This is done to remedy the frequent problem of lost passwords.  Passwords can be safely encrypted or hashed, yet access can be easily restored.</p><p>Facebook <a
href="https://www.facebook.com/recover.php">uses</a> this system.  You have to tell the website something about yourself first, but it will reset your password after you have.  This automates the process so you do not have to wait for tech support.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/05/facebook-identify-account.png" alt="facebook identify account" title="facebook identify account" width="567" height="501" class="alignnone size-full wp-image-44717" /></p><h3>Many Functions Do Not Require Your Password</h3><p>In most systems, the employee logs in, is verified by the system, and has the appropriate access for the role they play in the company.  The software they use may be able to modify your contact information, account balances, and length of service, view your history with the company, etc.  Heck, sometimes they can outright delete you.  Think about how a bank teller can deduct money from your account when you ask for cash.  By far, their username and password trump your username and password.  There is nothing legitimate that a bank could need your password for.</p><h3>In Summary</h3><p>As has been stated by every reputable company, there is never a reason to give someone your password.  The company will never ask for your username or password.  These occurrences prey on ignorance.  If you know someone who you think might fall for a ploy like this, educate them.
They should be less likely to give the information out if they know why it is never needed.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/05/05/why-websites-never-need-your-password/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Lastpass Security Challenge , Test Your Last Pass Passwords</title><link>http://www.ghacks.net/2011/04/29/lastpass-security-challenge-test-your-last-pass-passwords/</link> <comments>http://www.ghacks.net/2011/04/29/lastpass-security-challenge-test-your-last-pass-passwords/#comments</comments> <pubDate>Fri, 29 Apr 2011 16:04:50 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[last pass]]></category> <category><![CDATA[lastpass]]></category> <category><![CDATA[lastpass security]]></category> <category><![CDATA[password manager]]></category> <category><![CDATA[passwords]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44526</guid> <description><![CDATA[Using secure, unique passwords for every Internet site or service is one of the best security practices out there. That does not necessarily protect you completely, as the Sony Playstation Network incident has shown, but it invalidates several popular techniques to steal passwords and log in information. With that incident in mind, I thought it [...]]]></description> <content:encoded><![CDATA[<p>Using secure, unique passwords for every Internet site or service is one of the best security practices out there. That does not necessarily protect you completely, as the <a
href="http://www.ghacks.net/2011/04/27/sony-psn-hack-what-you-need-to-know-right-now/">Sony Playstation Network</a> incident has shown, but it invalidates several popular techniques to steal passwords and log in information.</p><p>With that incident in mind, I thought it would be pretty cool if you could run a check on all of your passwords and login information to see which of your accounts may have been affected by the hack. While that&#8217;s unfortunately not possible, the next best thing is. The developers of the popular online password manager and synchronizer Last Pass have created an online tool that evaluates the strength and other information about all passwords stored in a user&#8217;s vault.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/04/lastpass-security-challenge-570x267.png" alt="lastpass security challenge" title="lastpass security challenge" width="570" height="267" class="alignnone size-medium wp-image-44527" /></p><p>This way, you can assess all of your passwords and logins at once, and make changes to the accounts that receive a weak rating. It begins with an overall score and rank at the top. Detailed results are then displayed when you start scrolling down, and this is where it gets interesting.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/04/password-strength-570x408.png" alt="password strength" title="password strength" width="570" height="408" class="alignnone size-medium wp-image-44528" /></p><p>The results screen displays various information about your passwords. This includes the average password length, the number of duplicate passwords and sites with those passwords, the number of weak passwords and the number of blank passwords. While those results are nice to know, they are not that helpful as you do not yet know which sites and logins share the same password or use a weak password.</p><p>That information is displayed when you scroll down to the Analyzed Sites listing. Last Pass&#8217; Security Challenge lists all sites with duplicate passwords, unique passwords and no passwords in list form on that page.</p><p>You see at first glance which sites share a password. Even better, the password strength is shown on the very same page, ranging from 0% (very bad) to 100% (very strong).</p><p>A visit site link is provided next to each entry, which makes it even more comfortable to visit those sites and change the passwords.</p><p>It may take a while to go through all duplicate or weak password sites that are shown, but it is well worth it. Chances are you will find duplicate site listings as well, which is for instance the case if a service uses the same login on more than one domain, or if you use it to access a site by domain name and IP address.</p><p>You can run the test again at any time, and the score gets automatically updated. Last Pass displays test history information where you can see how the score improves or drops based on your changes.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/04/password-history-570x273.png" alt="password history" title="password history" width="570" height="273" class="alignnone size-medium wp-image-44531" /></p><p>A low score does not necessarily mean that you do not care about your account security. I for one use the very same username, email, password combination on many sites that force me to register to check out their service. These accounts are in no way linked to me and it would not be problematic if they got hacked. More or less like a private Bug Me Not password if you like.</p><p>Tips on how to improve the overall security score are displayed at the very bottom of the page.</p><p>Last Pass users who want to run the test can do it on the <a
href="https://lastpass.com/index.php?securitychallenge=1&#038;fromwebsite=1&#038;lpnorefresh=1#howimprove">Last Pass website</a>. They need to be logged into their Last Pass account for that. (via <a
href="http://stadt-bremerhaven.de/lastpass-qualitatstest-fur-passworter">Caschy</a>)</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/04/29/lastpass-security-challenge-test-your-last-pass-passwords/feed/</wfw:commentRss> <slash:comments>7</slash:comments> </item> <item><title>How Web Accounts Get Hacked</title><link>http://www.ghacks.net/2011/04/19/how-web-accounts-get-hacked/</link> <comments>http://www.ghacks.net/2011/04/19/how-web-accounts-get-hacked/#comments</comments> <pubDate>Tue, 19 Apr 2011 07:29:12 +0000</pubDate> <dc:creator>Ryan D. Lang</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[Email]]></category> <category><![CDATA[Hacking]]></category> <category><![CDATA[passwords]]></category> <category><![CDATA[web accounts]]></category> <category><![CDATA[web security]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44094</guid> <description><![CDATA[Hacking into an e-mail, Facebook, or other account is often a crime of opportunity. That is not to say talented individuals with advanced knowledge are not a threat, but it can be easier than you think to expose your password. For those that have had their account compromised in the past, one of these methods [...]]]></description> <content:encoded><![CDATA[<p>Hacking into an e-mail, Facebook, or other account is often a crime of opportunity.  That is not to say talented individuals with advanced knowledge are not a threat, but it can be easier than you think to expose your password.  For those that have had their <a
href="http://www.ghacks.net/2011/04/11/what-to-do-when-your-email-account-is-compromised/">account compromised</a> in the past, one of these methods could have been used to get your password.</p><p>The following is a short list of simple things you may not think about.  In each, an opportunity is created&#8230; one you want to avoid.  The idea is to tell you what not to do and why.  Some advanced methods, like <a
href="http://loginhelper.com/email/phishing-flow-chart/">phishing</a>, are a bit more complicated than what is covered here.</p><h3>1. Recovery E-mail Accounts Can Expire</h3><p>A recovery e-mail account is a method a lot of systems use to help you get back into an account that you have lost the password for.  This could be for a site like Facebook or for another e-mail account like Gmail.  The idea is simple.  You ask the site to send you your password (some will just reset it).  The site says: &#8220;Sure, it&#8217;s been e-mailed to you.&#8221;  As long as you have access to that other account, you are just fine and dandy.</p><p>Check your recovery e-mail account every three months or so.  If you do not, the account may be deleted.  Someone else can then claim it.  If someone claims that account accidentally and you reset your password, then you just lost control of your main account.  If it was on purpose, then the next step is to simply go through the password recovery process.</p><p>My advice is to check this account before reading any further if you have not done so recently.  This is the one tip that I found I had not followed when I heard about it.  Fortunately, I grabbed the accounts back before someone else did.</p><h3>2. Avoid Duplicate Passwords</h3><p>An easy way to get hacked is to give a site your e-mail address and then use the same password at that site.  The same goes if you use the same user name and password at two or more sites.  If the site does not encrypt the password, then there is a huge problem.  Anyone who works for the site and has access to this information (or gains it) now has everything they need to log in to your account.  While most sites protect passwords, there are still ways for employees to get them.  Attacks <a
href="http://www.pcworld.com/article/9673/most_hacks_are_inside_jobs.html">from within</a> a company are actually the most common.  At the least, use a different password for your e-mail account than for everything else.</p><h3>3. Beware Onlookers</h3><p>Pay attention to your surroundings.  A person standing behind you as you sign in to a website may not be as casual as they seem.  In an age where so many phones and MP3 players can record video, they don&#8217;t even need to be facing you.  If a person sees you enter your password, there is a good chance they can remember it.</p><h3>4. Use Public Computers Differently</h3><p>Watch the settings you use on public computers and always remember to sign out.  Be sure to double check this.  Most of us have formed habits from using personal computers.  We often leave that little &#8220;Remember me&#8221; box checked underneath the sign-in box.  Some may click &#8220;Yes&#8221; to &#8220;Do you want to save this password?&#8221; after they log in.  Forgetting to click &#8220;log off&#8221; when a session is finished is commonplace.  This is convenient when it is a personal machine, but disastrous on a public machine.  Your account is now as easy for someone else to get into as if it was their own personal machine.  There are ways to <a
href="http://www.ghacks.net/2010/12/02/bulletspassview-reveal-hidden-passwords/">steal passwords</a> that are saved too.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/04/remember-password.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2011/04/remember-password.jpg" alt="remember password" title="remember password" width="294" height="303" class="alignnone size-full wp-image-44095" /></a></p><h3>5. Only Use Trustworthy Computers</h3><p>Trust the computer you are using as much as you trust the owner.  By trust, I refer to both the integrity and the aptitude of the person.  For a person who lacks integrity, they may intentionally have software running that records what keys you press (called a &#8220;keylogger&#8221;).  Companies in the U.S. can legally install them on any computer they own.  For a person who lacks aptitude, they may unknowingly have <a
href="http://www.ghacks.net/2009/09/29/scan-and-detect-spyware-and-suspicious-files-in-windows/">spyware</a> on their machine.  Spyware can sometimes have the same abilities as a <a
href="http://www.ghacks.net/2007/01/09/perfect-keylogger-lite/">keylogger</a>.  In either case, once you use that computer to quickly check your Facebook, your account is compromised.  If you used that password for your e-mail or banking, you have a larger problem.</p><h3>6. Avoid Commonly Used Passwords</h3><p>Do not use the name of your pet, child, team, favorite color, date, etc. as a password.  Never use &#8220;password&#8221; as a <a
href="http://www.ghacks.net/2010/08/11/how-secure-is-a-password/">password</a>.  Too many people use &#8220;123456&#8221; (at least at <a
href="http://www.ghacks.net/2009/10/09/leaked-hotmail-password-data-analysis/">hotmail</a> and <a
href="http://www.ghacks.net/2010/01/21/rockyou-hacked-some-30-million-passwords-in-the-wild-security/">rockyou</a>).  All of these are easy to guess.  A <a
href="http://www.ghacks.net/2010/06/12/how-quickly-can-your-password-be-cracked/">cracking</a> tool is not required to figure them out.</p><h3>7. Guard Written Passwords</h3><p>If you choose to write down a password, protect it like your life savings.  Would you leave twenty dollar bills sitting around?  Your password is much more valuable than that if it is used for your bank account.  Nevertheless, I see passwords sitting out in the open.  It is not a bad idea to never write down your passwords, but the problems with that are obvious.  There is no shame in writing them down, but keep them in a safe place&#8230; I&#8217;m thinking a safety deposit box at the bank.</p><h3>Closing</h3><p>In summary, while most of this stuff is common sense, I hope to help a few people avoid having their <a
href="http://www.ghacks.net/2011/04/11/what-to-do-when-your-email-account-is-compromised/">accounts compromised</a>.  Whether a person is just curious, or they have been a victim of the experience, it is only natural to ask how these things happen.</p><p>Lastly, remember the first rule of passwords: don&#8217;t ever give them out or share them!</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/04/19/how-web-accounts-get-hacked/feed/</wfw:commentRss> <slash:comments>11</slash:comments> </item> <item><title>WebBrowserPassView, Reveal Browser Passwords</title><link>http://www.ghacks.net/2011/03/02/webbrowserpassview-reveal-browser-passwords/</link> <comments>http://www.ghacks.net/2011/03/02/webbrowserpassview-reveal-browser-passwords/#comments</comments> <pubDate>Wed, 02 Mar 2011 16:21:13 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Software]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[browser passwords]]></category> <category><![CDATA[passwords]]></category> <category><![CDATA[portable software]]></category> <category><![CDATA[web browser]]></category> <category><![CDATA[webbrowserpassview]]></category> <category><![CDATA[windows software]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=41989</guid> <description><![CDATA[All modern web browsers have options to store passwords for the user which is beneficial in two ways: users do not have to remember their passwords every time they want to log into a service on the Internet, and they do not have to enter the data into the forms manually. The downsides are security [...]]]></description> <content:encoded><![CDATA[<p>All modern web browsers have options to store passwords for the user which is beneficial in two ways: users do not have to remember their passwords every time they want to log into a service on the Internet, and they do not have to enter the data into the forms manually.</p><p>The downsides are security implications and potential recovery issues. Most web browsers offer to protect the stored passwords with a master password to avoid unauthorized access to the passwords. The feature is however usually deactivated and needs to be activated first.</p><p>WebBrowserPassView is a free portable application for Windows that has been designed as a universal browser password recovery tool. It currently supports Internet Explorer 4 to 8, Mozilla Firefox, Google Chrome and Opera.</p><p>The application scans the system for installed versions of supported browsers to retrieve password-related information from each and display that information in a searchable index.</p><p>All login information is then displayed in the application window. The program displays the URL of the password, the user name, password and the web browser the password was stored in.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/03/web-browser-pass-view.gif"><img
src="http://www.ghacks.net/wp-content/uploads/2011/03/web-browser-pass-view-550x277.gif" alt="web browser pass view" title="web browser pass view" width="550" height="277" class="alignnone size-medium wp-image-41990" /></a></p><p>WebBrowserPassView can export selected login information in formats such as text, HTML or csv. A search is provided to find login information for specific sites, and passwords can be copied to the clipboard for direct pasting into web forms.</p><p>The software has several restrictions that prevent the successful recovery of passwords. Among the limitations are passwords that are protected by a master password, browsers that are stored on external hard drives, Internet Explorer passwords if the history file of Internet Explorer has been cleared and passwords that have been imported from Internet Explorer to Google Chrome.</p><p>Security software like Panda Global Protection, which I&#8217;m currently testing, may identify the program as potentially malicious. It is however safe to assume that the program is not dangerous since it has been developed by Nir Sofer. Panda for instance identifies the file as suspicious. A Virustotal scan resulted in a score of 3/43.</p><p><a
href="http://www.nirsoft.net/utils/web_browser_password.html">WebBrowserPassview</a> is available for download at the Nirsoft project web page. The application is compatible with all 32-bit and 64-bit editions of Microsoft Windows.</p><p>The program has no option to recover passwords from portable installations. It is not clear yet if the feature will be added in future versions of the application.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/03/02/webbrowserpassview-reveal-browser-passwords/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>Object-based Password Generator For Firefox</title><link>http://www.ghacks.net/2011/01/19/object-based-password-generator-for-firefox/</link> <comments>http://www.ghacks.net/2011/01/19/object-based-password-generator-for-firefox/#comments</comments> <pubDate>Wed, 19 Jan 2011 17:49:29 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Browsing]]></category> <category><![CDATA[Firefox]]></category> <category><![CDATA[firefox add-ons]]></category> <category><![CDATA[Object-based Password]]></category> <category><![CDATA[password generator]]></category> <category><![CDATA[password manager]]></category> <category><![CDATA[passwords]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=39078</guid> <description><![CDATA[Password rules can be brought down to just a few. Users need to create unique secure passwords for the services that they use. Unique means that a password should only be used on one site, secure that it should have a healthy amount of chars (most experts suggest 16+) made up of upper and lower [...]]]></description> <content:encoded><![CDATA[<p>Password rules can be brought down to just a few. Users need to create unique secure passwords for the services that they use. Unique means that a password should only be used on one site, secure that it should have a healthy amount of chars (most experts suggest 16+) made up of upper and lower case letters, numbers and special characters.</p><p>Most users make use of password managers to create and store passwords and other login-related information for them as it becomes extremely difficult to remember the passwords otherwise.</p><p>Object-based Password is a Firefox add-on that uses a different approach. The password generator can use objects to generate passwords. Objects currently supported are images, links or text. A password can be generated from a local image, an image on the current website, text on the current website that is highlighted or links that point to certain file types such as jpg, pdf or mp3. The generated password is always the same and can be automatically added to the password box if it is right-clicked and the generate password option is selected from the context menu.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/01/object-based-password.jpg" alt="object-based password" title="object-based password" width="490" height="157" class="alignnone size-full wp-image-39080" /></p><p>The method itself offers some interesting options. Users do not need to remember the passwords, only the object that they have used to create it. They do need to make sure that it is accessible whenever they want to log into the website or service though.</p><p>A simple example would be to always use the first four words of the second paragraph on a page for the password. This ensures that the object is always in reach, providing that the website does not change their text. Other options include selecting an image from the local computer or objects on a private website for the password generation.</p><p>The concept is definitely interesting. Many users will probably be appalled by the missing option to save passwords so that they do not have to be &#8220;generated&#8221; every time the service or website is accessed. This however could also be taken care of by saving the passwords and login data in the built-in password manager.</p><p>Object-based Password is <a
href="https://addons.mozilla.org/en-US/firefox/addon/obpwd-object-based-password-pa/">available</a> for direct installation at the Firefox add-on repository. The extension is compatible with Firefox 3 and 4.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/01/19/object-based-password-generator-for-firefox/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>Five tips for keeping your Ubuntu desktop safe</title><link>http://www.ghacks.net/2010/12/20/five-tips-for-keeping-your-ubuntu-desktop-safe/</link> <comments>http://www.ghacks.net/2010/12/20/five-tips-for-keeping-your-ubuntu-desktop-safe/#comments</comments> <pubDate>Mon, 20 Dec 2010 17:52:25 +0000</pubDate> <dc:creator>Jack Wallen</dc:creator> <category><![CDATA[Desktop Manager]]></category> <category><![CDATA[Linux]]></category> <category><![CDATA[Open Source]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[auto login]]></category> <category><![CDATA[desktop]]></category> <category><![CDATA[desktop security]]></category> <category><![CDATA[firewall]]></category> <category><![CDATA[passwords]]></category> <category><![CDATA[ubuntu]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=38175</guid> <description><![CDATA[So you finally took the plunge and have a brand spanking new Ubuntu Linux desktop. You feel far superior and safer than you did prior to using Linux. So much safer that you feel like there&#8217;s nothing more you need to do to keep your machine and your data safe. And relatively speaking you [...]]]></description> <content:encoded><![CDATA[<p>So you finally took the plunge and have a brand spanking new Ubuntu Linux desktop. You feel far superior and safer than you did prior to using Linux. So much safer that you feel like there&#8217;s nothing more you need to do to keep your machine and your data safe. And relatively speaking you are correct, but I want to make sure you know that there are things you can do to make sure that machine is as safe as it can be without having to unplug the machine from the network.</p><p>To that end, I offer up five tips that will ensure that Ubuntu Linux desktop is safe and secure. These tips are all such that any level of end user can undertake them without having to take classes in PCs or Linux administration.</p><p><span
id="more-38175"></span><strong>Use solid passwords</strong></p><p>As of 2010, the most common passwords used are:</p><ol><li>123456</li><li>12345</li><li>123456789</li><li>Password</li><li>iloveyou</li><li>princess</li><li>rockyou</li><li>1234567</li><li>12345678</li><li>abc123</li></ol><p>It should be obvious that anyone and everyone must avoid using the above passwords. What is not so obvious is how most users ignore the pleas of software manufacturers, administrators, and everyone in between to use secure, unique passwords. Even though the Linux operating system is a solid environment, you are not exempt from this. Because Linux is a multi-user OS every user should have a very unique password. These passwords should follow the standard requirements:</p><ul><li>Include upper and lowercase letters.</li><li>Include a number.</li><li>Include special characters such as #, !, $.</li></ul><p><strong>Use more than one username</strong></p><p>Linux is a multi-user OS. If you have more than one user on your system, make sure that each and every user has a login. Unless dictated by need, do not have a general user account that everyone uses. If you use a single account, everyone will have access to each user&#8217;s data. To set up new user accounts click on <strong>System &gt; Administration &gt; Users And Groups</strong> to take advantage of the user-friendly GUI tool.</p><p><strong>Update your software</strong></p><p>There is a reason updates occur. In many instances, those updates are security driven. Because of this, you will not want to make a habit of ignoring updates. You will know, right away, when an update is available as it will appear in your notification area. When this happens, click on the icon, enter your sudo password, and allow the updates to complete.</p><p><strong>Install a firewall</strong></p><p>Just because you are using the Linux operating system doesn&#8217;t mean you are immune to hacks and attacks.
It&#8217;s always better to err on the side of safety by adding a firewall on top of your system. To do this, open the Ubuntu Software Center, search for &#8220;firewall&#8221; (no quotes), and install the firewall tool that best suits your needs (GUFW is a good choice).</p><p><strong>Lock your screen/no auto login</strong></p><p>This is something I always set. When your screensaver starts up, by default the behavior is to lock the screen. Do not disable this behavior, as doing so opens up your desktop to nefarious behavior when you are away from it. In the same vein, you should also not enable the auto login feature. Yes, it is quicker when starting up your machine and less of a hassle than having to enter a password &#8211; but auto-login is nothing more than inviting users other than you to get into your files and view files they shouldn&#8217;t view.</p><p><strong>Add &#8217;em up</strong></p><p>If you follow those simple tips your Ubuntu (or any Linux desktop) will be much safer than it would be if you ignored them. These tips can also, for the most part, apply to just about any operating system.
The key is to use your computer intelligently to help avoid attacks of various types.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/12/20/five-tips-for-keeping-your-ubuntu-desktop-safe/feed/</wfw:commentRss> <slash:comments>12</slash:comments> </item> <item><title>Password Fail For Chrome Reports Websites With Bad Password Policies</title><link>http://www.ghacks.net/2010/03/13/password-fail-for-chrome-reports-websites-with-bad-password-policies/</link> <comments>http://www.ghacks.net/2010/03/13/password-fail-for-chrome-reports-websites-with-bad-password-policies/#comments</comments> <pubDate>Sat, 13 Mar 2010 08:48:13 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Google Chrome]]></category> <category><![CDATA[password fail]]></category> <category><![CDATA[password policies]]></category> <category><![CDATA[passwords]]></category> <category><![CDATA[web services]]></category> <category><![CDATA[websites]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=23662</guid> <description><![CDATA[Webmasters who create a community on the web need to define password policies that include password limitations and recovery options. They also need to ensure that the passwords and user data in general are protected on the service&#8217;s servers to avoid disastrous hacker attacks where hackers can gather valuable unprotected data from the service. The [...]]]></description> <content:encoded><![CDATA[<p>Webmasters who create a community on the web need to define password policies that include password limitations and recovery options. They also need to ensure that the passwords and user data in general are protected on the service&#8217;s servers to avoid disastrous hacker attacks where hackers can gather valuable unprotected data from the service.</p><p>The Password Fail extension for Google Chrome tries to aid the user in evaluating a web service. It displays icons in the Chrome statusbar if a website is loaded that is using bad password policies, specifically saving passwords as plain text.</p><p><span
id="more-23662"></span><img
src="http://www.ghacks.net/wp-content/uploads/2010/03/password_fail-500x311.jpg" alt="" title="password fail" width="500" height="311" class="alignnone size-medium wp-image-23663" /></p><p>One of two icons may appear in the web browser&#8217;s statusbar upon connection. A yellow warning sign indicates that a website sends out passwords in plain text after user registration, and a red sign indicates that a website sends them out upon request.</p><p>Both are indicators that the passwords are stored in plain text on the web server, which basically means that attackers will also be able to get their hands on the unprotected data if they find a way to either request the data or hack the server.</p><p>Password Fail relies on user contributions. Users can submit new websites and services that they suspect of storing passwords in plain text. The team verifies this by registering. Only after that will a website be added to the service&#8217;s database.</p><p>A sample list of websites with bad password policies is available on the Password Fail website. It lists among others MySpace.com, Brady Games and Stumbleupon as offenders.</p><p>Chrome users can download the extension for their web browser <a
href="https://chrome.google.com/extensions/detail/ockgeenjbijlgilppfieaklfopnbdpge">directly</a> from the Chrome extension gallery.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/03/13/password-fail-for-chrome-reports-websites-with-bad-password-policies/feed/</wfw:commentRss> <slash:comments>4</slash:comments> </item> <item><title>Let Password Gorilla store all of your passwords</title><link>http://www.ghacks.net/2009/11/17/let-password-gorilla-store-all-of-your-passwords/</link> <comments>http://www.ghacks.net/2009/11/17/let-password-gorilla-store-all-of-your-passwords/#comments</comments> <pubDate>Tue, 17 Nov 2009 00:37:35 +0000</pubDate> <dc:creator>Jack Wallen</dc:creator> <category><![CDATA[Advice]]></category> <category><![CDATA[Linux]]></category> <category><![CDATA[Online Services]]></category> <category><![CDATA[Open Source]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[password encryption]]></category> <category><![CDATA[passwords]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=18586</guid> <description><![CDATA[If you&#8217;re like me (and I know you are) you have an endless assortment of passwords stored in your head. And, again, if you&#8217;re like me your age is defying your memory such that your brain isn&#8217;t always so quick to recall that endless stream of random characters you have for passwords (and you know [...]]]></description> <content:encoded><![CDATA[<p>If you&#8217;re like me (and I know you are) you have an endless assortment of passwords stored in your head. And, again, if you&#8217;re like me your age is defying your memory such that your brain isn&#8217;t always so quick to recall that endless stream of random characters you have for passwords (and you know they are random, because you are a geek after all).</p><p>So what do you do when your brain reaches critical mass for passwords? Simple, you let a single application store and encrypt them for you so all you need is a single password to access all of those crucial passwords. And what Linux distribution is without a tool (or twelve) to enable such a feature? One of those many tools is Password Gorilla. Password Gorilla manages your logins as well as all of your passwords for web sites, encrypted files, etc. But PG does more than just store those passwords. Password Gorilla makes logging in to various websites easy by copying your username and password to the clipboard so you can paste them. Those passwords are never revealed on the screen so you&#8217;re even safe from prying eyes. But how does it work? Let&#8217;s find out.</p><p><span
id="more-18586"></span><strong>Installation</strong></p><p>Installing Password Gorilla is quite simple as you will most likely find it in your distribution&#8217;s default repositories. In Ubuntu just fire up the Software Center, enter the string &#8220;gorilla&#8221; (no quotes) in the search field, and install the resulting entry. That&#8217;s it.</p><p>To launch Password Gorilla click on KDE&#8217;s &#8220;K&#8221; menu and enter &#8220;password&#8221; (no quotes) in the search string, select the entry for Password Gorilla, and hit enter.</p><p>When you first start the application up you will be asked to select a password database. Well you can&#8217;t because you&#8217;ve not created one. So just click Cancel and the main window will open. The first step here is to create a new password database. To do this click the File menu and select New which will open up a new window asking for a password and a password confirmation. Make sure you use a strong password here because it protects the database containing your passwords. After you confirm your password click the OK button.</p><p><strong>Adding Logins</strong></p><p>The first thing you will want to do is to add a login. Now don&#8217;t confuse this login with your user account login. A login for PG is, for example, your login to your Slashdot account.</p><div
id="attachment_18588" class="wp-caption alignleft" style="width: 190px"><a
rel="attachment wp-att-18588" href="http://www.ghacks.net/2009/11/17/let-password-gorilla-store-all-of-your-passwords/pg_login/"><img
class="size-thumbnail wp-image-18588 " src="http://www.ghacks.net/wp-content/uploads/2009/11/pg_login-300x300.png" alt="Figure 1" width="180" height="180" /></a><p
class="wp-caption-text">Figure 1</p></div><p>To add a new login click on the Login menu and select Add Login. This will open up a new window (see Figure 1) where you will enter the details for your login.</p><p>You will notice, by default, when you enter a password it is visible. If you are a paranoid person, right before you enter the password, click the Hide Password button so your password will be obscured.</p><p>Once you have entered all of the details of the login click OK to save the new login details.</p><div
id="attachment_18589" class="wp-caption alignright" style="width: 190px"><a
rel="attachment wp-att-18589" href="http://www.ghacks.net/2009/11/17/let-password-gorilla-store-all-of-your-passwords/pg_added/"><img
class="size-thumbnail wp-image-18589 " src="http://www.ghacks.net/wp-content/uploads/2009/11/pg_added-300x282.png" alt="Figure 2" width="180" height="169" /></a><p
class="wp-caption-text">Figure 2</p></div><p>Now if you look in the Login menu you will see the entry Add Group. Adding groups allows you to keep your various logins better organized. You can see, in Figure 2, I have created a group called &#8220;Work&#8221;.</p><p><strong>Using Password Gorilla</strong></p><p>Now let&#8217;s take a look at the real benefits of Password Gorilla. Go back to the main window and right click on one of your login entries. You will see a menu (see Figure 3) that allows you to copy username, password, and even URL to the clipboard.</p><div
id="attachment_18592" class="wp-caption alignleft" style="width: 190px"><a
rel="attachment wp-att-18592" href="http://www.ghacks.net/2009/11/17/let-password-gorilla-store-all-of-your-passwords/pg_right_click/"><img
class="size-thumbnail wp-image-18592 " src="http://www.ghacks.net/wp-content/uploads/2009/11/pg_right_click-300x258.png" alt="Figure 3" width="180" height="155" /></a><p
class="wp-caption-text">Figure 3</p></div><p>To log in to a website you have a login for, follow these steps:</p><ol><li>Right click the login entry and select &#8220;Copy URL to clipboard&#8221;.</li><li>Go to your browser and click the middle mouse button (or press &lt;Ctrl&gt;v) to paste the URL into the browser address bar.</li><li>Go back to Password Gorilla and right click the entry again and select &#8220;Copy username to clipboard&#8221;.</li><li>Go to your browser and click the spot where you would enter your username and either click the middle mouse button or press &lt;Ctrl&gt;v to paste the username.</li><li>Go back to Password Gorilla, right click the entry, and select &#8220;Copy password to clipboard&#8221;.</li><li>Go to your web browser and click the spot where you would enter the password and either click the middle mouse button or press &lt;Ctrl&gt;v to paste the password.</li></ol><p>It sounds like a lot of steps, but it beats trying to remember numerous login credentials.</p><p><strong>Final thoughts</strong></p><p>When the number of credentials you have exceeds your brain&#8217;s ability to remember, a tool like Password Gorilla comes in handy. 
But it&#8217;s not just about trying to remember, it&#8217;s also about keeping those passwords secure.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/11/17/let-password-gorilla-store-all-of-your-passwords/feed/</wfw:commentRss> <slash:comments>7</slash:comments> </item> <item><title>Log in to websites with your site&#8217;s URL as your OpenID</title><link>http://www.ghacks.net/2009/07/17/log-into-websites-with-your-sites-url-and-openid/</link> <comments>http://www.ghacks.net/2009/07/17/log-into-websites-with-your-sites-url-and-openid/#comments</comments> <pubDate>Fri, 17 Jul 2009 11:12:56 +0000</pubDate> <dc:creator>Joe</dc:creator> <category><![CDATA[The Web]]></category> <category><![CDATA[authentication]]></category> <category><![CDATA[authorisation]]></category> <category><![CDATA[html]]></category> <category><![CDATA[id]]></category> <category><![CDATA[my open id]]></category> <category><![CDATA[myopenid]]></category> <category><![CDATA[openid]]></category> <category><![CDATA[passwords]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[username]]></category> <category><![CDATA[web]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=14457</guid> <description><![CDATA[A few years ago, Martin covered OpenID, an open authentication system. Since then, it has become increasingly popular and a wide range of sites, from AOL to LiveJournal provide OpenIDs, and OpenID login is also quite common. OpenID is particularly popular for blog comments, with Blogger now integrating support for it. An OpenID is an [...]]]></description> <content:encoded><![CDATA[<p><img
src="http://www.ghacks.net/wp-content/uploads/2009/07/openid-300x267.gif" alt="OpenID" width="300" height="267" class="alignleft size-thumbnail wp-image-14481" /><a
href="http://www.ghacks.net/2007/05/30/avoid-multiple-login-names-with-openid/">A few years ago, Martin covered OpenID,</a> an open authentication system. Since then, it has become increasingly popular and a wide range of sites, from AOL to LiveJournal provide OpenIDs, and OpenID login is also quite common. OpenID is particularly popular for blog comments, with Blogger now integrating support for it.</p><p>An OpenID is a URL. However, using a URL like http://computerjoe.myopenid.com/ to log in and post comments with just doesn&#8217;t look sophisticated. I much prefer to use my own blog&#8217;s URL to post comments and log in; it pumps traffic to my blog and frankly just looks better.</p><p>Whilst you could run your own OpenID identity server to do this, this takes quite a bit of expertise to set up and whilst it is probably more secure, it isn&#8217;t needed in my opinion.</p><p><span
id="more-14457"></span>It is possible to use any identity server with your website&#8217;s URL. I personally use <a
href="http://www.myopenid.com/">MyOpenID</a>, but I log in to sites with joeanderson.co.uk/blog; not with computerjoe.myopenid.com.</p><p>This can be done by simply adding a few lines of HTML to your website&#8217;s &lt;head&gt;.</p><p>For example, I put</p><p>&lt;link rel="openid.server" href="http://www.myopenid.com/server" /&gt;<br
/> &lt;link rel="openid.delegate" href="http://computerjoe.myopenid.com" /&gt;</p><p>Naturally, these have to be modified depending on your username and server, but the provider should provide the information.</p><p>There are several benefits to using this type of OpenID identification. The main one is that it just looks better but the most practical one is probably that it allows you to change provider whilst keeping the same log on. So, if I suddenly decide not to use MyOpenID, I can change to any other provider but my URL remains the same.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/07/17/log-into-websites-with-your-sites-url-and-openid/feed/</wfw:commentRss> <slash:comments>5</slash:comments> </item> <item><title>Password Recovery Questions Make Online Accounts Vulnerable</title><link>http://www.ghacks.net/2009/07/01/password-recovery-questions-make-online-accounts-vulnerable/</link> <comments>http://www.ghacks.net/2009/07/01/password-recovery-questions-make-online-accounts-vulnerable/#comments</comments> <pubDate>Wed, 01 Jul 2009 20:19:54 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[accounts]]></category> <category><![CDATA[Email]]></category> <category><![CDATA[online security]]></category> <category><![CDATA[password recovery]]></category> <category><![CDATA[password recovery questions]]></category> <category><![CDATA[passwords]]></category> <category><![CDATA[secret questions]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=14058</guid> <description><![CDATA[Password recovery questions are great to recover a forgotten password in a matter of seconds. All that needs to be done is to answer the password recovery question to receive a new password in the email inbox. This does however make email hacking a profitable business as email accounts are usually connected to online stores [...]]]></description> <content:encoded><![CDATA[<p>Password recovery questions are great to recover a forgotten password in a matter of seconds. All that needs to be done is to answer the password recovery question to receive a new password in the email inbox. This does however make email hacking a profitable business as email accounts are usually connected to online stores and other web services. Attackers with access to a compromised email account only need to answer the secret question to retrieve the password of the web account. This method is definitely more secure than sending out the password without confirmation on the user&#8217;s request.</p><p>A recent <a
href="http://www.newscientist.com/article/dn17347-secret-questions-leave-accounts-vulnerable.html">study</a> shows on the other hand that password recovery questions are usually answered honestly. Questions about the birth town, mother&#8217;s maiden name or first animal name can sometimes be easily guessed. The study asked acquaintances of 32 webmail users to guess the answer to the secret question. Roughly 20% of these answers were guessed correctly.</p><p><span
id="more-14058"></span>Password recovery questions should therefore not be answered honestly. Experienced users fill them out with password-like characters which makes the answers more or less impossible to guess. These answers can then be stored in password managers as notes.</p><p>How do you handle password recovery questions?</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2009/07/01/password-recovery-questions-make-online-accounts-vulnerable/feed/</wfw:commentRss> <slash:comments>10</slash:comments> </item> <item><title>Password Asterisk Logger</title><link>http://www.ghacks.net/2008/12/12/password-asterisk-logger/</link> <comments>http://www.ghacks.net/2008/12/12/password-asterisk-logger/#comments</comments> <pubDate>Fri, 12 Dec 2008 20:53:20 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Software]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[asterisks logger]]></category> <category><![CDATA[nirsoft]]></category> <category><![CDATA[password software]]></category> <category><![CDATA[passwords]]></category> <category><![CDATA[portable software]]></category> <category><![CDATA[reveal-passwords]]></category> <category><![CDATA[snadboys revelation]]></category> <category><![CDATA[windows software]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=8951</guid> <description><![CDATA[Most software programs display passwords in asterisks to prevent bystanders from accidentally identifying the typed in password. That feature is however superfluous if there are no other users who can accidentally spot the password. Still, asterisks are displayed whenever the password is entered. Problems can arise if a user forgets the password that he [...]]]></description> <content:encoded><![CDATA[<p>Most software programs display passwords in asterisks to prevent bystanders from accidentally identifying the typed in password. That feature is however superfluous if there are no other users who can accidentally spot the password. Still, asterisks are displayed whenever the password is entered.</p><p>Problems can arise if a user forgets the password that he used in the application. This can lead to all kinds of problems like having to reinstall a software program or losing encrypted data.</p><p><a
href="http://www.nirsoft.net/utils/astlog.html">Asterisk Logger</a> is a portable software program that runs quietly in the background. It monitors and logs windows with password forms. Asterisk Logger basically records passwords and related information, giving the user access to that information in case of lost passwords.</p><p><span
id="more-8951"></span>It does that for many applications in Windows but not for all. It is up to the user to find out about the limitations. Generally speaking it works with most password text-boxes but not with applications that use additional security including web browsers like Firefox or Internet Explorer.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2008/12/astlog-500x176.gif" alt="astlog" title="astlog" width="500" height="176" class="alignnone size-medium wp-image-8953" /></p><p>The application logs not only the password but also the window title, the application where the password has been entered and the time. This information can be exported to HTML.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2008/12/12/password-asterisk-logger/feed/</wfw:commentRss> <slash:comments>4</slash:comments> </item> <item><title>Brute Force Calculator</title><link>http://www.ghacks.net/2008/11/11/brute-force-calculator/</link> <comments>http://www.ghacks.net/2008/11/11/brute-force-calculator/#comments</comments> <pubDate>Tue, 11 Nov 2008 14:21:24 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[The Web]]></category> <category><![CDATA[Brute Force Calculator]]></category> <category><![CDATA[brute-force]]></category> <category><![CDATA[computer password]]></category> <category><![CDATA[cracking passwords]]></category> <category><![CDATA[password security]]></category> <category><![CDATA[password strength]]></category> <category><![CDATA[passwords]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=8216</guid> <description><![CDATA[Have you ever wondered how long it would take for a typical computer bought in 2008 to brute force your passwords? Now you can find out with the Brute Force Calculator. While it does not provide scientific results it could be interesting to see how long it could take to brute force your passwords to [...]]]></description> <content:encoded><![CDATA[<p>Have you ever wondered how long it would take for a typical computer bought in 2008 to brute force your passwords? Now you can find out with the Brute Force Calculator. While it does not provide scientific results it could be interesting to see how long it could take to brute force your passwords to make sure they are hard enough to crack.</p><p>To explain the brute force concept in a few words: it is a method of trying every possible combination until the right password has been discovered. Passwords that use lots of characters and make use of the complete char set including upper case, lower case, numbers and special chars are harder to brute force.</p><p>The Brute Force Calculator lets you enter the number of chars in the password, divided into upper case, lower case, numbers and special characters.</p><p><span
id="more-8216"></span><img
src="http://www.ghacks.net/wp-content/uploads/2008/11/brute_force_calculator-500x332.jpg" alt="brute force calculator" title="brute force calculator" width="500" height="332" class="alignnone size-medium wp-image-8217" /></p><p>According to the script a single computer can brute force a password consisting of seven lower case chars and one number in 29 minutes while a password consisting of 7 upper case, 7 lower case, 1 number and 1 special char would take 3,129,145,610.89 days to crack on a single machine.</p><p>These figures are all based on a computer that is able to try 137,438,953,472 combinations per hour. The script is mainly interesting for users who are still using short passwords and do not make use of the complete character set possible. It shows them that someone could crack their password in a short amount of time, not even taking into consideration the use of distributed computing to brute force the password.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2008/11/11/brute-force-calculator/feed/</wfw:commentRss> <slash:comments>13</slash:comments> </item> <item><title>One Password Management Software To Rule Them All</title><link>http://www.ghacks.net/2008/09/29/one-password-management-software-to-rule-them-all/</link> <comments>http://www.ghacks.net/2008/09/29/one-password-management-software-to-rule-them-all/#comments</comments> <pubDate>Mon, 29 Sep 2008 18:41:35 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Browsing]]></category> <category><![CDATA[Firefox]]></category> <category><![CDATA[ie]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[Software]]></category> <category><![CDATA[password generator]]></category> <category><![CDATA[password management]]></category> <category><![CDATA[password management software]]></category> <category><![CDATA[password manager]]></category> <category><![CDATA[password manager software]]></category> <category><![CDATA[password managers]]></category> 
<category><![CDATA[passwords]]></category> <category><![CDATA[websites]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=7297</guid> <description><![CDATA[Choosing secure passwords is important to protect the user accounts from being accessed by unauthorized users. The problem that arises for all users is that secure passwords are harder to remember. Writing them down is one solution to the problem. The other possibility that is more reasonable is using a password management software. A good [...]]]></description> <content:encoded><![CDATA[<p>Choosing secure passwords is important to protect the user accounts from being accessed by unauthorized users. The problem that arises for all users is that secure passwords are harder to remember. Writing them down is one solution to the problem. The other possibility that is more reasonable is using a password management software.</p><p>A good password management software should ensure data security, provide password generation and integration into common web browsers to make the life of the user as comfortable as possible.</p><p>The password management software <a
href="https://lastpass.com/">Last Pass</a> does all of that and much more. It currently supports Microsoft Internet Explorer and Mozilla Firefox on Windows, Linux and Macintosh. It provides the option to import the existing passwords from Internet Explorer, Firefox and multiple password management software applications like KeePass and RoboForm and makes them available on their secure website and in the browser of choice.</p><p><span
id="more-7297"></span>The password manager automatically recognizes websites that it has user data stored for in its database and will fill out the login forms automatically so that it is only a matter of clicking on login to log in to the website.</p><p>Each password and the rest of the user data can be accessed on the Last Pass website. Sites can be loaded from there and data changed. The online profile provides access to another interesting feature: It is possible to fill out form data for login forms so that it will be automatically filled out as well when the user registers at a new service.</p><p>The password generator comes in handy when registering to a new service on the Internet. A hotkey or the notification on top of the website can be used to open the password generator which can be configured to suit the website&#8217;s requirements.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2008/09/password_management_software.jpg" alt="password management software" title="password management software" width="263" height="240" class="alignnone size-medium wp-image-7298" /></p><p>The Password Management Software Last Pass will also recognize password changes and ask the user if he wants to store the new password in the database. The passwords can be easily backed up and restored to access them on multiple computers. Since all of them are stored in encrypted form on the Last Pass website it&#8217;s only a matter of entering the login information and / or installing the plugin for the browser to access the passwords on other computers.</p><p>Windows users can also use a portable USB client that can connect to the password management service and pull the passwords from there after providing the correct login details.</p><p>One interesting feature is the function to share passwords. Have you ever sent someone passwords in plaintext before? That should be a thing of the past because passwords can now be shared securely using Last Pass as well.</p><p>Lastly there is a feature to supply different login credentials if more than one account is stored in the password manager for a website.</p><p>The only problem that was encountered during tests happened when trying to change passwords on websites. The generated password would fill out the Old Password and the first form of the New Password field. A workaround for this was to copy the password from the password generator, let it paste the password and paste it manually in the second password field and enter the old password manually. 
Not a huge deal but something that could probably be easily fixed in future builds.</p><p>Last Pass is a comfortable password management software that should appeal to many users.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2008/09/29/one-password-management-software-to-rule-them-all/feed/</wfw:commentRss> <slash:comments>18</slash:comments> </item> <item><title>Google Chrome Password Manager</title><link>http://www.ghacks.net/2008/09/28/google-chrome-password-manager/</link> <comments>http://www.ghacks.net/2008/09/28/google-chrome-password-manager/#comments</comments> <pubDate>Sun, 28 Sep 2008 15:39:50 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Browsing]]></category> <category><![CDATA[Google Chrome]]></category> <category><![CDATA[Software]]></category> <category><![CDATA[browser]]></category> <category><![CDATA[export passwords]]></category> <category><![CDATA[google browser]]></category> <category><![CDATA[google chrome]]></category> <category><![CDATA[google passwords]]></category> <category><![CDATA[password manager]]></category> <category><![CDATA[passwords]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=7275</guid> <description><![CDATA[Most modern web browsers make use of a password manager that stores usernames and passwords of websites and services in the browser so that the user does not have to enter them over and over again. Mozilla Firefox and Opera provide access to a password manager in the browser that can be used to manage [...]]]></description> <content:encoded><![CDATA[<p>Most modern web browsers make use of a password manager that stores usernames and passwords of websites and services in the browser so that the user does not have to enter them over and over again. Mozilla Firefox and Opera provide access to a password manager in the browser that can be used to manage passwords in the browser.</p><p><a
href="http://techie-buzz.com/softwares/how-to-view-stored-username-passwords-in-google-chrome.html">ChromePass</a> is a new software program by <a
href="http://www.nirsoft.net/utils/chromepass.html">Nirsoft</a> that can display the most relevant information that has been saved in Google Chrome. The browser provides a basic password manager. The Google Chrome password manager displays the url of the website and the username by default and provides a Show Password button to display the password as well.</p><p>The data cannot be copied which is one of the major disadvantages of the Chrome password manager. Chromepass displays the data that has been stored in Google Chrome. The application displays additional parameters like the action url, data and the names of the user and password fields.</p><p><span
id="more-7275"></span><img
src="http://www.ghacks.net/wp-content/uploads/2008/09/password_manager-500x153.gif" alt="" title="password manager" width="500" height="153" class="alignnone size-medium wp-image-7276" /></p><p>The passwords can be saved as txt files or generated as html files. Several command line parameters are available that can be used to save the list of passwords automatically. Chromepass is a portable application for Microsoft Windows operating systems.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2008/09/28/google-chrome-password-manager/feed/</wfw:commentRss> <slash:comments>6</slash:comments> </item> <item><title>Outlook Express Password Recovery</title><link>http://www.ghacks.net/2008/08/08/outlook-express-password-recovery/</link> <comments>http://www.ghacks.net/2008/08/08/outlook-express-password-recovery/#comments</comments> <pubDate>Fri, 08 Aug 2008 18:01:00 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Email]]></category> <category><![CDATA[Software]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[microsoft outlook]]></category> <category><![CDATA[outlook]]></category> <category><![CDATA[outlook express]]></category> <category><![CDATA[password recovery]]></category> <category><![CDATA[passwords]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=5971</guid> <description><![CDATA[It is beyond me why someone would still use Outlook Express unless company&#8217;s policies would force him to do so. Many users probably use it because it is there within Windows by default and because it works. If you are one of those users you might like to continue reading this article about password recovery [...]]]></description> <content:encoded><![CDATA[<p>It is beyond me why someone would still use Outlook Express unless company&#8217;s policies would force him to do so. Many users probably use it because it is there within Windows by default and because it works. If you are one of those users you might like to continue reading this article about password recovery in Outlook Express.</p><p>Outlook Express Password Recovery by <a
href="http://www.passcape.com/outlook_express_password_recovery">Passcape</a> (via <a
href="http://www.techmixer.com/recover-outlook-express-password-with-passcape-outlook-express-password-recovery-software/">Techmixer</a>) is able to recover all saved passwords in Outlook Express including smtp, pop3 and imap passwords. It does that by either decrypting the passwords or revealing the real chars behind asterisks depending on the menu in Microsoft Outlook Express.</p><p>It can even decrypt passwords directly from the ntuser.dat file which is handy if only the files but not the installation can be accessed.</p><p><span
id="more-5971"></span><img
src="http://www.ghacks.net/wp-content/uploads/2008/08/outlook-express-recovery-password-software-499x415.png" alt="outlook express recovery password software" title="outlook express recovery password software" width="499" height="415" class="alignnone size-medium wp-image-5972" /></p><p>The password recovery software is compatible with Microsoft Outlook Express 4-6 and can be installed on most Windows operating systems starting with Windows 95 including Windows XP and Windows 2003 Server. Passwords can be exported to text, Microsoft Excel and HTML files.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2008/08/08/outlook-express-password-recovery/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> </channel> </rss>
