• Home
  • Report an Incident
  • Read Bulletins
  • Discuss Viruses
• Articles & Guides
  • For Everyone
  • For Sysadmins
  • For IT Managers
  • Recent Articles
• Resources
  • External Advisories
  • Vendor Information
  • Further Reading
• Tools
  • Network Scanner
  • Web Scanner
  • Certificate Authority
• Training
  • LSP Services
  • Unix Systems Support Group
  • Windows: End-User Security
  • Awareness and Education
  • SANS Partnership Series
• About
  • Contact Information
  • ITSO Staff
  • Mission Statement
  • Recent Changes
  • Site Index
  • Colophon
• Search

Passphrase Vaulting

Not so long ago, if you needed money from the bank you walked inside and interacted with a teller. Eventually, you got to know the bank teller, and proving who you were was rather easy. Then, banks realized that customers were willing to accept less personal interaction with a teller in exchange for the 24-hour convenience of an ATM. With an ATM, there are two elements of security: you need both an ATM card (that is, something you have) and a PIN number (something you know) to access your account. The internet made things even easier: you no longer have to drive around to find an ATM; instead, the bank has a website that customers can use from anywhere in the world via a web browser. The problem with this system is that the only thing protecting your account on the web is the passphrase you have selected (something you know). When the only thing required to access your bank account is something you know, anyone else who knows your passphrase can access your account.

Faced with this security problem, you might think about just selecting a really long and complicated passphrase. That is a great solution when you have only one passphrase to remember, but consider all the other accounts you access online: your credit union, your retirement account website, Hotmail, facebook.com, the lawn service, the newspaper, the gas company, the electric company, etc. Before you know it, you have over a dozen unique, difficult-to-remember passphrases.

How do most people cope with this problem? One method is to use the same passphrase everywhere. However, the problem with this is that if any one of the places where you use the passphrase is compromised, or if you use the passphrase on a compromised computer with a keystroke logger, you have just given an attacker the passphrase to all of your online accounts.

Another common method is to write all the passphrases down on a piece of paper. All too often this is a sticky note attached to the monitor of the computer or left under the keyboard. Even worse, frequently these notes do not just contain the passphrases, but also usernames and even the associated services. Anybody that finds the paper gets a list of all your important accounts and how to access them. Variations on this method, such as only writing down clues to help you remember what passphrase you need are sometimes successful, but these successes are the exception to the rule.

So, since you probably cannot remember all of your passphrases (the most secure option), and you should not repeat them or write them all down (the most convenient options), what can you do? Balance the need for security and convenience by storing your passphrases in a secure manner. Fortunately, numerous programs exist to do this for you. They are known as passphrase vaults.

Passphrase Vaults

A passphrase vault is a program that balances the security of multiple passphrases with the convenience of recording them. You create a single strong passphrase to protect the passphrase vault, and then the vault program takes care of securely storing the rest of your hard-to-remember passphrases. Think of a passphrase vault as being similar to a bank vault; only with the vault combination (passphrase) can you unlock the protected items inside (other passphrases).

Passphrase Vault Best Practices

Protect the passphrase vault with a strong passphrase.

A good passphrase vault is encrypted with a passphrase of your choosing. Since the passphrase keeping program stores passphrases using reversible encryption, if an attacker is somehow able to obtain the raw password vault file, your password vault passphrase is the only thing stopping her from decrypting the contents of the file.

Use a passphrase to protect the password vault that is different from any of the passphrases stored inside the vault.

All of the passphrases in the passphrase vault can be displayed on the screen for the user or placed in memory (as clear text) for the computer. The only passphrase that is not stored this way is the one used to protect the passphrase vault itself.

If a passphrase used for a particular web site is compromised, this prevents the malicious person from using that passphrase to gain access to the rest of the passphrases in the vault.

Protect the password vault file.

Simply put, the passphrases must be saved in a file somewhere. Place the passphrase vault file on a small USB drive (e.g., thumbdrive, mp3 player, or iPod) that you always keep with you. Storing this vault file on a system other than your computer's hard drive adds an additional layer of complexity; many viruses (and other forms of malicious software) just search the hard drive or the logical drive of the Operating System and do not look for other drives).

Also pay attention to where any temporary files are stored. If your passphrases are stored in a clear text file on the hard drive while the passphrase vault is in use, that temporary file may leave traces behind that an attacker would be able to find.

Clear the clipboard.

Some programs will copy your passphrase into the clipboard and allow you to simply paste it into a form. This can be incredibly convenient, but the passphrase is stored in the clipboard as clear text. Therefore, you need to be sure that the passphrase is removed from the clipboard as soon as it is used.

Never leave your computer logged in and unattended.

Again, because passphrases are stored using reversible encryption, anyone can sit down at your computer, open the password vault program, and read or write down your passphrases. This makes logging off or locking your computer when you step away critical. In less than the time it takes you to walk to the restroom and back, a malicious person can find and write down your password vault passphrases.

Passphrase Vault Programs

• Password Safe - Windows
• KeePass Password Safe - Windows
• Mac OS X Keychain - Mac OS
• Lavasoft PC-Mac PasswordVault Lite - Windows/Mac OS/Linux - Free for up to 15 passphrases
• CiphSafe - Mac OS X
• pwguru - Linux KDE
• PassGuard suite - Linux
• GPass - Linux GNOME2
• Password Gorilla - Windows/Mac OS X/Linux/Solaris/*BSD

Additional Resources

• Passphrase Announcement
• Passwords are passe
• In Windows NT, 2000, and XP, how do I lock my workstation without logging off?
• In Unix, how do I log into and out of my account?
• In the IUB STCs and RTCs, how do I log in or log out?
• Wikipedia: Key Logger