Monday 13 February 2012

Storing passwords

The list of accounts I have for various websites/subscriptions/applications is large, and constantly growing. Having a lot of accounts means having a lot of user names and passwords. A couple of problems arise out of this situation.

First, people are tempted to use a memorable password. This is generally a bad idea. If your password is memorable then it is likely to have low entropy, i.e. it is more easily guessed. If your password is really strong and consists of truly random characters, then it isn't memorable. Because it is so strong, people may be tempted to use it for more than one account, which leads to the second problem.

Second, people memorise a really good password, then reuse it for several accounts. This is bad because if you reuse your password then you are at the mercy of the website that holds your account. You don't know what that website is doing with it behind the scenes. They may misuse it or leak it.

Choosing a password based on something that only you know often doesn't help, because it isn't hard to find out information about someone from Facebook, LinkedIn etc. Realistically, you're also going to struggle to come up with many different passwords based on different things only you know, and those bits of information can change pretty regularly too. The answer is to use some sort of password manager: a tool that securely stores information about your accounts. Of course this raises the question of whether you trust your password manager. What if it misuses or leaks your details?

Being a programmer, and somewhat paranoid, I obviously wrote my own solution. It's a simple application that encrypts text to a file on disk. It can also read a file, decrypt it and display the plaintext. You can see the source on my github page. The application is really simple. When reading or writing a file it uses AES-256 encryption, with the key being the SHA-256 hash of a password. Now all you need is one single strong password.

How do I use it?
Create a new empty file. The file extension doesn't matter, but .vault makes it easy to remember what the file is.

Run the application. You'll get a file dialog. Open the file you just created.

You will be prompted to enter a password to decrypt the contents of the file. As the file is empty this doesn't matter; just press OK.

You'll see the contents of the file, which will be empty. Enter some secret information and choose Save from the file menu.

You'll be prompted for a password. Choose a good, strong, memorable password. The application will use this to encrypt the contents of the file to disk.
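As an added illustration of the scheme described above (key = SHA-256 of the password, AES-256 over the file contents), here is a Go sketch that is not the application's own code. The post does not name a cipher mode, so AES-GCM is assumed; the empty-file case from the first Open step is handled as an empty vault, and a wrong password or a tampered file is rejected rather than displayed as garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

// newGCM follows the post's scheme: the AES-256 key is the SHA-256 hash of the
// password. SHA-256 is a fast hash, not a password-stretching KDF, so the key is
// exactly as strong as the password (one hash per guess). GCM mode is an assumption.
func newGCM(password string) (cipher.AEAD, error) {
	key := sha256.Sum256([]byte(password)) // 32 bytes, so aes.NewCipher selects AES-256
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encrypt produces nonce || ciphertext || tag with a fresh random nonce on every save.
func encrypt(password string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(password)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decrypt reverses encrypt; a wrong password or a tampered file fails the GCM tag check.
func decrypt(password string, data []byte) ([]byte, error) {
	if len(data) == 0 { // a freshly created, empty .vault file: nothing to decrypt yet
		return []byte{}, nil
	}
	gcm, err := newGCM(password)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("vault file too short to hold a nonce")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}
```

The caller writes the returned blob to the .vault file on Save and feeds the file's bytes to decrypt on Open.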
