Passwords

Everyone knows the problem with passwords. They are supposed to be strong, they are supposed to be different for every site, and on top of that you are supposed to remember all of them and never “store” them on a note under the keyboard.

What is a strong password?

This question has to be answered in light of the current state of the art. Dictionary attacks are old hat: the password must not be a word from the Duden, that is simply too easy to crack. For random combinations of letters, digits and special characters, cloud computing can be used for brute-force attacks, in which every possible combination is tried. Cracking a 6-character password costs 0.16 euros. An 8-character combination is probably cracked for 400 euros and certainly for 850 euros. You should use at least 10 to 12 characters. (As of 2011)

Why should you not use the same password for many logins?

The Anonymous hack of HBGary answers this question. The Anonymous activists managed to gain access to the user database of the website's content management system. The passwords could be cracked, and the management had reused them for further services: e-mail, Twitter and LinkedIn. The 60,000 e-mails that were published were very embarrassing for HBGary. The PwdHash add-on simplifies handling passwords. If you press the F2 key before entering the password, or start it with a double @@, it is converted into a hash of the master password and the domain. The result of the computation is a 10-character random combination of letters and digits and is sent as the password. This makes it possible to use one memorable master password for all sites on which PwdHash works.

It is important that the domains of the web pages used for changing and entering the password are identical. PwdHash also protects against phishing attacks: since the phisher's page is served from a different domain than the original website, a wrong hash is generated, which is worthless to the attacker. If you are on a computer that does not have the add-on installed, the login password can of course not be guessed. On the project's website the algorithm is also available as a JavaScript applet: you enter your master password and the domain and receive the generated login password, which you can copy and paste into the password input field.
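The domain-bound derivation described above, as an added example that is not the PwdHash project's own code: a master password typed with the @@ prefix is replaced by a 10-character letters-and-digits value computed from the master password and the page's domain, so a look-alike phishing domain receives a different, useless value. The hash (HMAC-SHA256), the domain-extraction rule in site_domain and the base-62 encoding are my stand-ins and are not the add-on's actual algorithm.

```python
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# Output alphabet of the generated site password: letters and digits only,
# 10 characters long, matching the shape of the password described above.
ALPHABET = string.ascii_letters + string.digits   # 62 symbols
SITE_PASSWORD_LEN = 10


def site_domain(url: str) -> str:
    """Reduce a URL to the host name that serves as the salt.

    Hypothetical simplification: strips scheme, port and path and a leading
    'www.'; the real add-on applies its own domain-extraction rules.
    """
    if "://" not in url:
        url = "https://" + url
    host = (urlsplit(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host


def derive_site_password(master: str, url: str) -> str:
    """Combine the master password and the site domain into a 10-character
    alphanumeric password. HMAC-SHA256 is a stand-in for the add-on's hash."""
    domain = site_domain(url)
    digest = hmac.new(master.encode("utf-8"), domain.encode("utf-8"),
                      hashlib.sha256).digest()
    # Treat the 256-bit digest as a number and take base-62 digits from it;
    # ten digits consume about 60 bits, so no character is ever truncated.
    number = int.from_bytes(digest, "big")
    chars = []
    for _ in range(SITE_PASSWORD_LEN):
        number, index = divmod(number, len(ALPHABET))
        chars.append(ALPHABET[index])
    return "".join(chars)


def submit_password_field(typed: str, page_url: str) -> str:
    """Mimic the '@@' trigger: a field starting with '@@' is replaced by the
    derived site password before submission; anything else is sent unchanged."""
    if typed.startswith("@@"):
        return derive_site_password(typed[2:], page_url)
    return typed


if __name__ == "__main__":
    master = "@@correct horse battery staple"    # constructed master password
    real = submit_password_field(master, "https://www.example.com/login")
    phish = submit_password_field(master, "https://example.com.login-check.test/")
    print("sent to example.com:          ", real)
    print("sent to the look-alike domain:", phish)
    print("captured value reusable?      ", real == phish)
```

Because the value sent to each site depends on the domain, the same master password yields unrelated site passwords, and a value captured on one domain does not unlock another.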

Password managers

Password managers are small tools that manage username/password combinations and further information about various accounts in an encrypted database. There are several reasons for using a password manager:

  • Many programs such as Pidgin or Jitsi store passwords unencrypted on the hard disk if you enable the option to save them (not recommended!). Other programs offer no way to store passwords at all, but demand the use of a passphrase that is as long and secure as possible (e.g. LUKS or TrueCrypt).
  • For many accounts you have to remember further information besides username and password, e.g. the answer to a security question or PINs for payment services.
  • As a rule, password managers include a password generator that can generate truly random and strong passwords.
  • Backups become much simpler. You only have to copy the encrypted database to an external backup medium.

I like KeePass (Windows) and KeePassX (Linux) very much. The user interface is clear. Entries can be grouped, and complicated passwords can be copied into input fields via the clipboard instead of being typed (incorrectly) by hand. To make cryptanalytic attacks harder, the database can be encrypted several tens of thousands of times with AES256. Some password managers advertise the ability to synchronise the database between different computers and smartphones, which means storing the database in the cloud. That is a horror to me, above all because intelligence-service access to data in the cloud is being made ever easier.

Keeping passwords safe

Passwords are like keys in the physical world. If you lose a password you will not be able to get in, and if others copy or steal it they can use it to enter. A good password should not be easy for others to guess and not easy to crack with computers, while still being easy for you to remember.

Password length and complexity

To protect your passwords from being guessed, length and complexity are important. Passwords like the name of your pet or a birth date are very unsafe, as is using a single word that can be found in a dictionary. Do not use a password containing only numbers. Most importantly, a secure password is long. Using combinations of lower case letters, capitals, numbers and special characters can improve the security, but length is still the most important factor.

For use with important accounts like the passphrase which protects your PGP/GPG or TrueCrypt encrypted data, or the password for your main email account, use 20 characters or more; the longer the better. See the XKCD cartoon “correct horse battery staple” vis-à-vis “Tr0ub4dor&3” for an explanation.

Easy to remember and secure passwords

One way to create strong and easy to remember passwords is to use sentences. A few examples:

IloveDouglasAdamsbecausehe’sreallyawesome.
Peoplelovemachinesin2029A.D.
BarneyfromHowIMetYourMotherisAWESOME!

Sentences are easy to remember, even if they are 50 characters long and contain uppercase characters, lowercase characters, symbols and numbers.
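To put numbers on the length-versus-complexity point made here and in the brute-force cost figures earlier on this page, here is an added example (my own code, not from the page or any project it names) that computes the search space and entropy of random passwords and of word passphrases, and infers the character classes an attacker would have to cover. The guessing rate in the demo (1e9 per second) is an assumed figure, not one the page gives.

```python
import math
import string


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters from a charset."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a password whose characters are chosen uniformly at random."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of a passphrase of `word_count` words picked uniformly at random
    from a dictionary of `dictionary_size` words (XKCD: 4 words, 2048-word list)."""
    return word_count * math.log2(dictionary_size)


def charset_size_of(password: str) -> int:
    """Alphabet size an attacker has to search, judged by the character classes
    present. For a sentence this over-estimates: the words are not random."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 ASCII symbols
    return size


def worst_case_seconds(bits: float, guesses_per_second: float) -> float:
    """Time to enumerate the whole space at a given guessing rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    RATE = 1e9   # assumed guesses per second of a brute-force rig; not from the page
    for length in (6, 8, 10, 12):
        bits = entropy_bits(62, length)
        print(f"random letters+digits, {length:2d} chars: {bits:5.1f} bits, "
              f"{worst_case_seconds(bits, RATE) / 86400:.2e} days to exhaust")
    for pw in ("Tr0ub4dor&3", "correcthorsebatterystaple"):
        size = charset_size_of(pw)
        print(f"{pw!r}: charset {size}, naive {entropy_bits(size, len(pw)):.1f} bits")
    print("4 random dictionary words:", passphrase_entropy_bits(4, 2048), "bits")
```

The naive per-character figure is only honest for genuinely random strings; for a sentence, the dictionary-based function gives the realistic estimate, and it still grows fastest with the number of words, which is exactly the "length matters most" point.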

Minimizing damage

It is important to minimize the damage if one of your passwords is ever compromised. Use different passwords for different websites or accounts; that way, if one is compromised, the others are not. Change your passwords from time to time, especially for accounts you consider to be sensitive. By doing this you can block access to an attacker who may have learned your old password.

Using a password manager

Remembering a lot of different passwords can be difficult. One solution is to use a dedicated application to manage most of your passwords. The next section in this chapter will discuss KeePass, a free and open source password manager with no known vulnerabilities, so long as you choose a sufficiently long and complex “master password” to secure it with. For website passwords only, another option is the built-in password manager of the Firefox browser. Make sure to set a master password, otherwise this is very insecure!

Physical protection

When using a public computer such as at a library, an internet cafe, or any computer you do not own, there are several dangers. Using “over the shoulder” surveillance, someone, possibly with a camera, can watch your actions and may see the account you log in to and the password you type. A less obvious threat is software programs or hardware devices called “keystroke loggers” that record what you type. They can be hidden inside a computer or a keyboard and are not easily spotted. Do not use public computers to log in to your private accounts, such as email. If you do, change your passwords as soon as you get back to a computer you own and trust.

Other caveats

Some applications such as chat or mail programs may ask you to save or “remember” your username and password, so that you don’t have to type them every time the program is opened. Doing so may mean that your password can be retrieved by other programs running on the machine, or directly from your hard disk by someone with physical access to it. If your login information is sent over an insecure connection or channel, it might fall into the wrong hands. See the chapters on secure browsing for more information.

Encrypting Passwords with a Password Manager

To encrypt passwords we use KeePass on Windows, KeePassX on Ubuntu, and Keychain on OSX. The basic principle is the same: you have a file on your computer which is encrypted with one single very secure password. This is sometimes referred to as a ‘Master Password’, ‘Admin Password’, ‘Root Password’ etc., but in every case it is the ultimate key to all your other keys and secure data. For this reason you can’t and shouldn’t think too lightly about creating this password. If a password manager is part of your OS (as it is with OSX) it unlocks automatically after you log in to your account, thereby opening secure information like passwords. For this and other reasons you should disable ‘Automatically Login’. When you start up your computer you should always have to log in and, even better, set your computer to automatically log out or lock the screen after a set amount of time.
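The master-password principle in this section, and the remark earlier on this page that the database can be encrypted tens of thousands of times to make cryptanalytic attacks harder, both come down to key stretching: the database key is derived from the master password through many iterations, so each guess costs the attacker the same work. The example below is my own illustration and not KeePass's or Keychain's code; it uses PBKDF2-HMAC-SHA256 as a stand-in for a manager's key transformation, and the calibration routine follows the idea of choosing a round count by a target unlock delay on the user's own machine. The 1e9 hashes-per-second attacker rate in the demo is an assumption.

```python
import hashlib
import hmac
import os
import time

KEY_LEN = 32   # 256-bit database key, as for AES-256


def stretch_key(master_password: str, salt: bytes, rounds: int) -> bytes:
    """Derive the database key by running PBKDF2-HMAC-SHA256 for `rounds`
    iterations. Constructed stand-in for a manager's key transformation; the
    effect is the same: every guess of the master password costs `rounds` hashes."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, rounds, dklen=KEY_LEN)


def unlock(stored_key: bytes, salt: bytes, rounds: int, attempt: str) -> bool:
    """Check a master-password attempt against the stored key in constant time."""
    return hmac.compare_digest(stretch_key(attempt, salt, rounds), stored_key)


def attacker_guesses_per_second(hash_rate: float, rounds: int) -> float:
    """Guesses per second available to a rig that computes `hash_rate`
    HMAC-SHA256 operations per second, once each guess costs `rounds` of them."""
    return hash_rate / rounds


def calibrate_rounds(target_seconds: float, probe_rounds: int = 20_000) -> int:
    """Pick a round count so that one unlock takes about `target_seconds` on
    this machine, by timing a probe derivation and scaling linearly."""
    start = time.perf_counter()
    stretch_key("calibration-only", b"\x00" * 16, probe_rounds)
    elapsed = time.perf_counter() - start
    if elapsed <= 0:
        return probe_rounds
    return max(1, int(probe_rounds * target_seconds / elapsed))


if __name__ == "__main__":
    salt = os.urandom(16)          # stored beside the database; need not be secret
    rounds = calibrate_rounds(1.0)
    master = "correct horse battery staple"   # constructed master password
    key = stretch_key(master, salt, rounds)
    print(f"rounds chosen for about 1 s per unlock: {rounds}")
    print("right password unlocks:", unlock(key, salt, rounds, master))
    print("wrong password unlocks:", unlock(key, salt, rounds, "Correct horse battery staple"))
    for r in (1, 10_000, rounds):
        print(f"{r:>9} rounds: {attacker_guesses_per_second(1e9, r):.3g} guesses/s "
              "at an assumed 1e9 HMAC/s")
```

A one-second delay is unnoticeable when you open the database once, but it divides an attacker's guessing rate by the round count, which is why the stretching only helps when the master password itself is not on a short guess list.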

Encrypting Passwords with KeePassX on Ubuntu

First open KeePassX from the Applications->Accessories -> KeePassX menu. The first time you use KeePassX you need to set up a new database to store your passwords. Click on File->New Database. You will be asked to set a master key (password).

Choose a strong password for this field; refer to the chapter about passwords if you would like some tips on how to do this. Enter the password and press ‘OK’. You are then asked to enter the password again. Do so and press ‘OK’. If the passwords match you will see a new KeePassX ‘database’ ready for you to use.

Now you have a place to store all your passwords, protected by the ‘master’ password you just set. You will see two default categories, ‘Internet’ and ‘Email’; you can store passwords directly under these two categories, delete categories, add subgroups, or create new categories. For now we just want to stay with these two and add a password for our email to the email group. Right click on the email category and choose ‘Add New Entry...’:

Now fill this form out with the details so you can correctly identify which email account the password is associated with. You need to fill out the field ‘Title’ and the password fields. All else is optional. KeePassX gives some indication whether the passwords you are using are ‘strong’ or ‘weak’; you should try to make passwords stronger, and for advice on this read the chapter about creating good passwords. Press ‘OK’ when you are done. To recover the passwords (see them) you must double click on the entry and you will see the same window you used for recording the information. If you click on the ‘eye’ icon to the right of the passwords they will be converted from stars (*) to plain text so you can read them. Now you can use KeePassX to store your passwords. However, before getting too excited you must do one last thing. When you close KeePassX (choose File->Quit) it asks you if you would like to save the changes you have made.

Press ‘Yes’. If it is the first time you have used KeePassX (or you have just created a new database) you must choose a place to store your passwords. Otherwise it will save the updated information in the file you have previously created. When you want to access the passwords you must then open KeePassX and you will be asked for the master key. After typing this in you can add all your passwords to the database and see all your entries. It is not a good idea to open KeePassX and leave it open permanently, as then anyone who can access your computer could see your passwords. Instead get into the practice of just opening it when you need it and then closing it again.

Encrypting Passwords with KeePass on Windows

After you have installed KeePass on Windows you can find it in the application menu. Launch the application and the following window should appear. You start by making a database, the file which will contain your keys. From the menu select File > New. You have to choose the name and the location of the file in the dialog window below. In this example we call our database my password database. The next screen will ask you for the master password. Enter the password and click on ‘OK’. You will not need to select anything else. The next window allows you to add special configuration settings for your new database. We do not need to edit anything; just click on ‘OK’. Now the main window appears again and we see some default password categories on the left side. Let’s add a new password in the category ‘Internet’. First click on the word ‘Internet’, then click on the add entry icon under the menu bar. A window will appear like the one below. Use the fields to give a description of this particular password and, of course, enter the password itself. When done, click on ‘OK’.

Encrypting Passwords with Keychain on Mac OSX

Mac OSX comes pre-installed with the built-in password manager ‘Keychain’. Because of its tight integration with the OS, most of the time you will hardly know it exists. But every now and then, in almost any application, a pop-up window will ask ‘do you want to store this password in your keychain?’. This happens when you add new email accounts to your mail client, log in to a protected wireless network, enter your details in your chat client, and so on. Basically, Mac OSX offers to store all that login data and the different passwords in an encrypted file which it unlocks as soon as you log in to your account. You can then check your mail, log on to your WiFi and use your chat client without having to enter your login data over and over again. This is a fully automated process, but if you want to see what is stored where, alter passwords, or look up a password, you will have to open the Keychain program. You can find the Keychain program in the Utilities folder, which lives in the Applications folder.

When you open it you will see that your ‘Login’ keychain is unlocked, and all the items contained in it are listed on the right bottom side of the window. (Note: the window here is empty because it seemed to defeat the purpose of this manual to make a screenshot of my personal keychain items and share it here with you.) You can double click any of the items in the Keychain to view its details and tick ‘Show password:’ to see the password associated with the item.


You will note that it will ask you for your master or login password to view the item.

You can access and modify any of the items, and also use the Keychain to securely save any bits and pieces of text using notes. To do this click on notes and then choose ‘New Secure Note Item’ from the File menu.

Installing KeePass

We will cover installing KeePass on Ubuntu and Windows. Mac OSX comes with an excellent built-in password manager called Keychain that is just as safe. The downsides are that it isn’t Open Source and doesn’t work on other systems. If you need to take your passwords from one Operating System to another, it is better to stick with KeePass after all. How to use Keychain is covered in the next chapter.

Installing KeePassX on Ubuntu

To install on Ubuntu we will use the Ubuntu Software Center. Type KeePass in the search field at the top right and the application KeePassX should automatically appear in the listing. Highlight the item (it may already be highlighted by default) and then press ‘Install’. You will be asked to authorise the installation process:

Enter your password and press ‘Authenticate’; the installation process will then begin. Ubuntu does not offer very good feedback to show the software is installed. If the green progress indicator on the left has gone and the progress bar on the right has gone, then you can assume the software is installed.

Installing KeePass on Windows

First visit the KeePass download webpage and choose the appropriate installer. For this chapter we are using the current installer. Download this to your computer, then double click on the installer. You will first be asked to select a language; we will choose English:

Just press ‘Next >’ and go to the next screen. In the screen shown above we must select ‘I accept the agreement’ otherwise we will not be able to install the software. Choose this option and then press ‘Next >’. In the next screen you will be asked to determine the installation location. You can leave this with the defaults unless you have good reason to change them. Click on ‘Next >’ and continue. The above image shows the KeePass components you can choose from. Just leave the defaults as they are and press ‘Next >’. You will come to a new screen. This doesn’t do anything but give you a summary of your options. Press ‘Install’ and the installation process will begin.

Installing KeePass on Mac OS X

Although Keychain in Mac OS X does an excellent job of storing your passwords, you may want to run your own password database and manager. KeePass allows this added flexibility. First visit the KeePass download webpage (http://keepass.info/download.html) and choose the appropriate installer. Although the official installers are listed at the top of the page, there are unofficial/contributed installers further down. Scroll down to find

As this is an external link, your browser will be redirected to . Note here that you must install the Mono framework first, so that KeePass can run in OS X. So click on each of the links Mono 2.10.5 and KeePass 2.18 to download the DMG files to your computer. Double-click on each of the DMGs in your downloads folder to unpack the volumes to your desktop. The Mono package installer is called ‘MonoFramework-MRE-2.10.5 0.macos10.xamarin.x86.pkg’, so double-click on this document in the MonoFramework volume on your desktop:

The installer will open and run. Follow each of the steps by clicking ‘Continue’, the next step being ‘Read Me’. In here is important information such as all of the files that the package will install, including information on how to uninstall Mono. Click ‘Continue’ to the next screen, the license. Clicking ‘Continue’ on the license screen pops up the agree/disagree dialogue box. If you agree with the license conditions, the installation will continue. The following two steps in the installation ask you to choose an installation destination and check there is enough space on the install disk. Now you can quit the installer. Now KeePass is ready to use for Mac OS X.