Keep your passwords safe - Part 2

Transport Layer Security

When you enter a password on a website, check whether it is transmitted over TLS (the successor of SSL; the two names are often used interchangeably). If you are at https://lautering.net/user you will notice two things: 1. there is an "s" after the "http"; it stands for "secure". 2. Your browser marks the connection as secured, for example with a padlock or, in older browsers, by colouring "lautering.net" in the address bar blue or green. Click on that indicator to see the certificate that secures the site, and check that it was issued for the domain you actually typed.

By using TLS, your information, in this case your password, travels inside an encrypted channel, which makes it very hard to sniff out of the network traffic. Consider yourself in an open wireless network in a pub. You log in to a community site you use very often. At the table next to you sits someone running a wireless sniffer. Because the wireless network is open (unencrypted), anyone in radio range can capture your packets, and he only has to pick the right one out of the stream: the one with your password. Logging in to sites over TLS is therefore important.
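The following Go program is an added example, not code from the article: it plays both the pub scenario and the certificate check above on a loopback connection. A "sniffer" records every byte the client sends; the same login request is sent once in the clear and once inside TLS, and the program reports whether the password is visible on the wire. The server certificate is a throwaway self-signed one generated in-process (a real site presents one from a public CA), the host name lautering.net is taken from the article, and the request body, user name and password are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// tap plays the sniffer at the next table: it keeps a copy of every byte the
// client puts on the wire before passing it on.
type tap struct {
	net.Conn
	wire bytes.Buffer
}

func (t *tap) Write(p []byte) (int, error) {
	t.wire.Write(p)
	return t.Conn.Write(p)
}

// selfSigned issues a throwaway certificate for host plus a pool that trusts it,
// standing in for the CA-issued certificate a real site presents (demo only).
func selfSigned(host string) (tls.Certificate, *x509.CertPool) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host}, // the name the client verifies against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// exchange sends request from a client to a loopback server, in the clear or
// inside TLS, and returns what the sniffer captured and what the server read.
func exchange(useTLS bool, request string) ([]byte, string, error) {
	const host = "lautering.net"
	cert, pool := selfSigned(host)
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, "", err
	}
	defer ln.Close()
	var got bytes.Buffer
	done := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		defer c.Close()
		var conn net.Conn = c
		if useTLS {
			// No session tickets: nothing is sent after the handshake, so the
			// client's close below is clean in this one-shot exchange.
			conn = tls.Server(c, &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true})
		}
		_, err = io.Copy(&got, conn) // read until the client closes
		done <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return nil, "", err
	}
	sniffer := &tap{Conn: raw}
	var client net.Conn = sniffer
	if useTLS {
		// The client checks the chain against its trust store and that the
		// certificate was issued for the host it typed: the padlock's check.
		client = tls.Client(sniffer, &tls.Config{ServerName: host, RootCAs: pool, MinVersion: tls.VersionTLS12})
	}
	if _, err := io.WriteString(client, request); err != nil {
		return nil, "", err
	}
	client.Close()
	if err := <-done; err != nil {
		return nil, "", err
	}
	return sniffer.wire.Bytes(), got.String(), nil
}

func main() {
	req := "POST /user HTTP/1.1\r\nHost: lautering.net\r\n\r\nuser=dominik&password=hunter2\r\n"
	for _, useTLS := range []bool{false, true} {
		sniffed, _, err := exchange(useTLS, req)
		if err != nil {
			panic(err)
		}
		fmt.Println("tls:", useTLS, "password visible on wire:", bytes.Contains(sniffed, []byte("password=hunter2")))
	}
}
```

In the plaintext run the sniffer's copy contains the literal password; in the TLS run it contains only the handshake and encrypted records, while the server still receives the request unchanged. Note that the client names the host it expects (ServerName) and a trust store (RootCAs): a certificate for a different name, or one not chaining to that store, makes the handshake fail instead of silently handing the password to an impostor.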

Additional setups

With grid computing and many-core CPUs, the computing power available for cracking passwords keeps growing. According to Moore's law, transistor counts, and roughly the processing power with them, double about every 18 to 24 months. You can imagine how long a password will have to be in four years to still be considered secure: every doubling of the attacker's speed costs you one bit of password strength, so a password that is only just strong enough today falls short a few years later.

Password safe

An alternative is to use a password safe. It stores your passwords in an encrypted database, and you only have to remember one master password to get at the others. Using a password safe makes it practical to have many different, randomly generated passwords of 17 to 20 or more characters, for example the 17-character y)nvTWxLbIqPsOG\S (about 111 bits if each character is drawn uniformly from the 94 printable ASCII characters), which is very strong.
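The Go program below is an added example, not part of the article, and ties the two preceding points together: it computes the strength of a generated password in bits, shows how much a password must grow over time if the attacker's speed doubles every couple of years (one bit per doubling), compares the time to exhaust the search space at a fixed rate with the time under a doubling rate, and generates a password of the kind a password safe would produce. The attacker rate of 1e12 guesses per second and the 24-month doubling period are assumptions for the illustration; the 94-character alphabet is the printable ASCII set without the space.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
)

// The 94 printable ASCII characters without space. A generated password is
// drawn uniformly from this alphabet, so each character adds log2(94) ~ 6.55 bits.
const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" +
	"!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"

const secondsPerYear = 365.25 * 24 * 3600

// entropyBits is the size of the search space, in bits, of a password of the
// given length drawn uniformly from an alphabet of the given size.
func entropyBits(length, alphabetSize int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// extraBitsAfter is how many bits a password must grow over the given number
// of years to keep its cracking time constant against an attacker whose speed
// doubles every doublingMonths: one bit per doubling.
func extraBitsAfter(years, doublingMonths float64) float64 {
	return years * 12 / doublingMonths
}

// yearsToExhaustConstant is the time to try the whole space at a fixed rate.
func yearsToExhaustConstant(bits, guessesPerSecond float64) float64 {
	return math.Exp2(bits) / (guessesPerSecond * secondsPerYear)
}

// yearsToExhaust is the same with a rate that doubles every doublingMonths.
// Guesses made by year t are r0*T/ln2 * (2^(t/T) - 1), T being the doubling
// period in years; solving for the whole space 2^bits gives t.
func yearsToExhaust(bits, guessesPerSecond, doublingMonths float64) float64 {
	r0 := guessesPerSecond * secondsPerYear
	T := doublingMonths / 12
	return T * math.Log2(1+math.Exp2(bits)*math.Ln2/(r0*T))
}

// generatePassword draws each character with crypto/rand. math/rand is
// predictable and must not be used for secrets; rand.Int avoids the modulo
// bias that "random byte % len(alphabet)" would introduce.
func generatePassword(length int) (string, error) {
	out := make([]byte, length)
	n := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

func main() {
	// Assumed attacker: 1e12 guesses/s today, doubling every 24 months.
	const rate, doubling = 1e12, 24.0
	for _, l := range []int{8, 12, 17, 20} {
		b := entropyBits(l, len(alphabet))
		fmt.Printf("%2d chars: %6.1f bits, fixed rate %.3g years, doubling rate %.3g years\n",
			l, b, yearsToExhaustConstant(b, rate), yearsToExhaust(b, rate, doubling))
	}
	fmt.Printf("extra bits needed after 4 years: %.1f\n", extraBitsAfter(4, doubling))
	pw, err := generatePassword(20)
	if err != nil {
		panic(err)
	}
	fmt.Println("generated:", pw)
}
```

The contrast between the two time estimates is the point of the Moore's-law paragraph: a 111-bit space that would take on the order of 1e14 years at a constant rate of 1e12 guesses per second is exhausted in under a century once the rate keeps doubling, because the last doubling alone does half of all the work. The practical response is the one the paragraph gives: pick lengths with a margin, and let the safe generate them so that adding characters costs you nothing.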

I would suggest not storing your banking passwords in the password safe. Those are among the passwords you still have to keep in your head.

Another way, though not many systems implement it (SSH is the best-known one), is the combination of a key and a passphrase. You create a private/public key pair and store the public key on the machine you want to log in to later. To log in, you enter your passphrase to unlock the private key, and your client proves to the machine that it possesses that key by signing a challenge; the private key itself is never sent. If your private key file gets lost or stolen, the thief still has to crack the passphrase before he can use it. In the meantime you delete your public key from the machine, which renders the stolen private key useless for that machine.
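As an added illustration (not code from the article and a simplified model of what SSH actually does), the Go program below implements the challenge-response just described with Ed25519 keys from the standard library: the server stores only the public key, the client signs a fresh random challenge, a recorded signature cannot be replayed against a new challenge, and removing the public key from the server is enough to lock out a stolen private key. The user name is a constructed example, and the passphrase encryption of the key file on disk is described in a comment rather than modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server is the machine you log in to. It keeps only public keys, the way an
// SSH server keeps ~/.ssh/authorized_keys.
type Server struct {
	authorized map[string]ed25519.PublicKey // user name -> public key
}

func NewServer() *Server {
	return &Server{authorized: make(map[string]ed25519.PublicKey)}
}

// Authorize installs a user's public key. The private key stays on the client.
func (s *Server) Authorize(user string, pub ed25519.PublicKey) {
	s.authorized[user] = pub
}

// Revoke is the "delete your public key from the machine" step: after this a
// stolen private key is useless against this server.
func (s *Server) Revoke(user string) {
	delete(s.authorized, user)
}

// Challenge issues a fresh random nonce for one login attempt. Signing a fresh
// value each time means a recorded signature cannot be replayed later.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Verify accepts the login if the signature over the challenge was made with
// the private key matching the user's authorized public key.
func (s *Server) Verify(user string, challenge, signature []byte) bool {
	pub, ok := s.authorized[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, challenge, signature)
}

// Respond is the client side: it proves possession of the private key by
// signing the challenge. Only the signature crosses the network. In SSH the
// key file on disk is additionally encrypted under the passphrase, which is
// what a thief of the file still has to crack; that step is not modelled here.
func Respond(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Authorize("dominik", pub) // constructed example user

	ch, _ := srv.Challenge()
	fmt.Println("login with key:", srv.Verify("dominik", ch, Respond(priv, ch)))

	// Someone who recorded the earlier signature gets a different challenge.
	ch2, _ := srv.Challenge()
	fmt.Println("replayed signature:", srv.Verify("dominik", ch2, Respond(priv, ch)))

	// The key was stolen: revoke the public key and the same key stops working.
	srv.Revoke("dominik")
	fmt.Println("after revocation:", srv.Verify("dominik", ch2, Respond(priv, ch2)))
}
```

Real SSH signs more than a bare nonce (the session identifier and request fields are part of the signed data, which also binds the signature to the connection), but the security properties shown here are the ones the paragraph relies on: the private key never leaves the client, and the server can cut off a compromised key by deleting one line.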

VPN

With a VPN (virtual private network) you can tunnel through open networks. If you are in your favourite brewpub around the corner, using its open wireless network (open WLAN) to browse websites or log in to services, you probably expose your password to the "air" unless the site uses TLS. With a VPN you build an encrypted connection to a server on the internet over the insecure open wireless network and send your traffic through it; you basically tunnel through the open WLAN.

Setting up a VPN would take too long to describe in this article. I suggest checking out the OpenVPN or tinc documentation. Both are reliable VPN servers/clients, and both are available for different operating systems. OpenVPN has been around for a long time and is considered very stable.

Dominik Jais