Wednesday, January 25, 2012

Password Management Software: KeePassX

For the progressing student of cyber-jutsu, it will be evident that the number of usernames and passwords one needs to manage can become extreme.  From a white-belt level we learn that human nature must be observed if we are to win in cyberspace.  Human nature, in this case, is the simple fact that most people will take the path of least resistance.  If something is difficult to do - then they will not do it.  If it is easier to do the wrong thing, then most people will do that thing - even to their own detriment.  So our goal in this is simple:  make it easy to do the right thing.

Social networking sites, blogging sites, eBay, PayPal, Pandora (a music site), other web sites, and just about any system you need to log into all require usernames and passwords for access.  The common, but unsophisticated and unacceptable, solution adopted by many people who have not been initiated into the ways of cyber-jutsu is to re-use the same password for every site they log into.

The practicing cyber-jutsu student will quickly see the problem with this.  If the password for any one of these sites is compromised or somehow revealed to a malicious person - then all of the accounts with the same password are thus compromised.  The result can be described as a cyber-tsunami.

While the reality is that there is "no silver bullet", and we must be perpetual students who develop on-going processes to maintain our cyber-security, we can talk here about one part of the overall process.  Let us look at the pros and cons of employing a software tool category known as password managers.  In particular, I'll talk about a free tool called KeePassX.

KeePassX is a cross-platform password management program.  It is available for Windows, Mac OS X, and our favorite operating system, Linux.  OK.  So, what does it actually do?

The program creates an encrypted database (256-bit key, based on either the AES or Twofish algorithm) to store your usernames, passwords, links, and additional related information.  What that means practically is that even if someone were to get ahold of your database file, they would have a hard time cracking it to get your information.  Additionally, KeePassX gives you what we call a "two-factor" authentication option to access your stored information.

Two-factor authentication, in this case, can be thought of as factor 1, something you know, and optionally factor 2, something you have.  And, in this case, the "something you have" is any file you would like to use.  You identify a computer file that needs to be present to log into the password database.  If this sounds too technical for you - trust me - it takes more brain power to understand the philosophies behind its operation than it does to use the very intuitive user interface.

To use the "second factor", one need only click the "Key File" check-box, and then the "Browse..." button to select the file you want to use.  I recommend using a file on removable media, such as a USB drive.  In this way, whenever you want to log into this program, you have to supply the file that is on the removable media.  This makes your password management database very secure.

Once you are logged in, you can create groups to help classify the different sites or systems you need to log into.  Then you create the accounts within those groups.  When you want to log into a site, you select it in the main window, then click on the "user" button along the top (which looks like an icon of a person).  This copies the username into your clipboard, so you can paste it into the login box on the website (ctrl-v on Windows and cmd-v on Mac OS X).  Then you do the same thing to enter your password.  Click on the password button at the top of the screen (which looks like an icon of a key) and then paste it into the password field on the website.

On Linux systems, you can automate the whole process such that you can select the site you want to log into, double-click it, and your default web-browser will automatically launch and the username and password will automatically populate the fields and log you in.  This takes a bit of configuration, and may be considered a brown-belt level task.

Alas, we are trying to make this an easy process - and so far - it just seems to be more work.  So where do we get our win?

The major win is found in this application's ability to generate random and complex passwords for you.  These generated passwords will never need to be remembered, and never need to be typed out.  The only password you will ever need to remember is the password you need to get into KeePassX, when you first launch it (as described above).

You can adjust your settings within the Password Generator window to meet your desired complexity and the capabilities of the site you are using.  You may be surprised to find some of the sites you use will not allow special characters in the password.  Similarly, many sites have unsatisfactory length restrictions.  As a general rule, more complex and longer passwords are the way to go.

The program collects "entropy" based upon your random key-strokes and mouse movements, to ensure that the password that is generated is truly random.

The "New Password" field (see image below) will populate with a complex password after enough entropy has been gathered.  This is a fast process.

And there is your benefit.  That long and ugly password is not crackable in any reasonable amount of time, given current technology.  If you are securing your bank accounts - then a good policy will be to change that password on a regular basis.  As long as you change the password more frequently than the amount of time it would take to crack the password, your account will not be cracked.  The required frequency will increase as technology continues to add computing power.  At this time, changing your password in this manner once per month should be more than sufficient.

Changing a password that you don't need to remember in your brain should be less of a chore than coming up with new passwords you have to recall from memory every month.

You should also recognize that so many people use a word or a name for their password (often simply appending or prepending a number) that the majority of attackers use "dictionaries" to attack accounts.  You might note that the password listed above will NEVER be found in a dictionary.  This is important.  It means that an attacker has to "brute force" your password one character at a time.  This is a very time-intensive process, which requires many, many computing cycles.

You may note that in the image above, I have NOT selected the option to ensure that the generator includes characters from every group.  Forcing the program to include characters from every group actually reduces the overall randomness of your password, because it rules out every candidate that happens to lack one of the groups.  If an attacker doesn't know exactly what your password is composed of - nor exactly how many characters your password is - this makes the job of cracking the password even harder.
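As an added example (not from the original post, and not KeePassX's own code), here is the keyspace arithmetic behind the last two points: how many candidates a generator's full character set allows, how many survive when every character group must be present, and how long exhausting them would take at an assumed guess rate.  The group sizes and the guess rate are assumptions, not values taken from KeePassX.

```python
import math
from itertools import combinations

# Character-class sizes. Constructed assumption: four classes (upper, lower,
# digits, 32 printable specials). Not taken from KeePassX's generator.
GROUPS = {"upper": 26, "lower": 26, "digit": 10, "special": 32}


def keyspace_any(length, groups=GROUPS):
    """Count passwords of `length` where every position may be any character."""
    return sum(groups.values()) ** length


def keyspace_every_group(length, groups=GROUPS):
    """Count passwords of `length` that contain at least one character from
    EVERY group. Inclusion-exclusion over the set of groups that are absent:
    start from all strings, subtract those missing group i, add back those
    missing groups i and j, and so on."""
    sizes = list(groups.values())
    total_chars = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        sign = -1 if k % 2 else 1
        for missing in combinations(sizes, k):
            count += sign * (total_chars - sum(missing)) ** length
    return count


def entropy_bits(count):
    """Bits of entropy for a uniformly random choice among `count` candidates."""
    return math.log2(count)


def years_to_exhaust(count, guesses_per_second):
    """Time to try every candidate at an assumed (constructed) guess rate."""
    return count / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for length in (8, 12, 20):
        free, forced = keyspace_any(length), keyspace_every_group(length)
        print(f"length {length}: any={entropy_bits(free):.1f} bits, "
              f"every group={entropy_bits(forced):.1f} bits, "
              f"exhaust at 1e9/s: {years_to_exhaust(free, 1e9):.2e} years")
```

The "every group" count is always the smaller one, which is the post's point: the constraint shrinks the space an attacker has to search.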

You should use this program, or one like it, for as long as you have to use passwords.  Ultimately, passwords may be replaced by other means such as biometric devices (e.g. fingerprint readers, iris readers, etc.)

Using a program like this means you have to keep your KeePassX database safe and secure.  You can actually keep the entire database on a usb key.  If someone gets your database, and guesses your password, and figures out what file you are using as the second authentication factor - then you still lose.  So, care must be taken.  But - like your house keys, or your car keys - having a small device to keep safe seems to be something we are capable of doing.  Long, complex passwords, on the other hand - are simply better off being managed by a computer program.

How do you come up with a good password for the database itself?  I always suggest that folks use the first letter of each word in a long phrase they can recall easily.  The typical example is the phrase, "four score and seven years ago..."  which would or could yield the password:  4#&7ya

In my humble opinion, that password is too short - but it is good as an example to teach how to come up with a complex password.  Another good thing to do is to come up with a positive affirmation as the phrase for your password.  In this way, you achieve true cyber-jutsu.

"Dissatisfaction with life arises from desiring to have what cannot be had, and desiring to avoid what cannot be avoided." - The Buddha


If you are a brainiac  - perhaps you could take a phrase like that and use the second letter in each word - or the last letter of each word.  I think you get the idea now.  Your goal should be to come up with a password for your KeePassX login that is more than 8 characters in length, and uses upper and lower case letters, numbers, and at least one special character.

Anonymous DDoS Attack: OpIreland

Last night, into early this morning, Anonymous hacktivists launched a successful DDoS (Distributed Denial of Service) attack against the Department of Justice and Equality in Ireland website as a "warning shot across the bow", in response to an announcement that "the Irish government plans, before the end of January, to bring in a law which would allow Irish courts to block access to websites accused of infringing copyright...".  (See: and search for the Twitter tag #OpIreland)

These activities raise many questions about citizenship, the law, liberty on the Internet, intellectual property rights, civil disobedience, and more.

When you think about and research these operations, there are some things that you should keep in mind. Not the least of which is that, according to information published by Anonymous, OpIreland was intentionally conducted "after business hours" when the need for the website would be less critical for anyone seeking to use it.  The goal was to raise awareness, and it seems they have succeeded in that.

Some will denounce these activities out of hand as illegal and wrong.  They will attempt to say that support for these Anonymous Operations is taking a side against intellectual property rights.  I'm not sure that is a fair assessment.  There are already laws on the books which can be used to prosecute those who steal others' work.  What is being attacked here is the notion that wide-sweeping new laws are required to combat online piracy.  The danger is that these laws are so wide-sweeping that they will end up being used to censor law-abiding netizens and their online content.

In a perfect world, there would be no need to temporarily, forcibly, shut down a government website to direct attention at questionable legislation that, much like our own Patriot Act, is being pushed through the Irish legislature in a timeframe that will not allow proper analysis and debate.  But it is clear that we live in a world that is far less than perfect.

As I write this, is back online.  The site was not damaged, and it was down for probably less than two hours as a result of the DDoS.  The Anonymous threats are far more dangerous.  

A message dropped onto Pastebin advised, "If SOPA/PIPA/ACTA passes we will wage a relentless war against the corporate internet, destroying dozens upon dozens of government and company websites. As you are reading this we are amassing our allied armies of darkness, preparing boatloads of stolen booty for our next raid. We are sitting on hundreds of rooted servers getting ready to drop all your mysql dumps and mail spools. Your passwords? Your precious bank accounts? Even your online dating details?! You ain't even trying to step to this."

This may seem like techno-babble to many of you - if that is the case, take my word, it is threatening.

If the Anonymous Hacktivists move into the above noted phase of operations, I fear they will have gone too far.  There is a difference between raising awareness through a more or less peaceful DDoS demonstration and cracking into accounts and distributing private bank account information.  The DDoS operations can clearly be compared to a physical-world protest on a city street that would impede movement through the area for a time because so many people have flooded the street that there is no clear path for traffic to flow.   Cracking into accounts and distributing bank account information is theft.  One could argue, depending upon the owners of the bank accounts, that such operations would be akin to the illegal activities of Robin Hood - but they are clearly illegal, nevertheless.

I have one last thing for you to consider about this most recent DDoS, and in fact about all hacktivist DDoS activities.  I have heard folks say that because it takes a very large number of computer systems to pull off a DDoS, there is wide-spread and popular support for Anonymous.  This simply isn't the case.  If it were, the DDoS wouldn't be necessary to raise awareness.  The reality is that the hacktivists who are actually "pulling the trigger" to execute the DDoS are what we refer to as "bot herders".  These are people who have control of hundreds, thousands, and in some cases tens or hundreds of thousands of compromised home and business computers.  When these computers are compromised, software is installed "enlisting" them into a "bot army".  The systems continue to function as normal; but they also wait and listen for the command to attack.  When that attack command is received, it is often a simple command telling the system to repeatedly "ping" the target system.  The target system is quickly overwhelmed by "ping" requests and can no longer respond to legitimate traffic.  The site, in effect, is taken offline in this manner.
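From the defender's side, as an added example that is not part of the original post: a few constructed ICMP echo-request records and a check that distinguishes the many-source "ping" flood described above from a single noisy host.  The addresses, timestamps and thresholds are made up for illustration.

```python
from collections import Counter, defaultdict

# Constructed records of inbound ICMP echo requests as (timestamp_seconds,
# source_ip). Two ordinary probes, then 600 requests in under a second from
# 200 distinct hosts (the bot-army pattern), then one more ordinary probe.
SAMPLE_RECORDS = (
    [(0.0, "192.0.2.10"), (0.4, "192.0.2.10")]
    + [(1.0 + i * 0.001, f"198.51.100.{i % 200}") for i in range(600)]
    + [(3.0, "192.0.2.11")]
)


def summarize_windows(records, window_seconds=1.0):
    """Bucket echo requests into fixed time windows.
    Returns {window_index: (request_count, distinct_source_count)}."""
    counts = Counter()
    sources = defaultdict(set)
    for timestamp, source in records:
        bucket = int(timestamp // window_seconds)
        counts[bucket] += 1
        sources[bucket].add(source)
    return {b: (counts[b], len(sources[b])) for b in counts}


def flag_distributed_flood(records, rate_threshold=100, source_threshold=50):
    """Return the windows in which BOTH the request rate and the number of
    distinct sources exceed their thresholds. A high rate from one address is
    a single scanner or misconfigured host; a high rate spread across many
    addresses is what a herded "bot army" looks like on the wire."""
    return sorted(
        bucket
        for bucket, (count, distinct) in summarize_windows(records).items()
        if count >= rate_threshold and distinct >= source_threshold
    )


if __name__ == "__main__":
    for bucket, (count, distinct) in sorted(summarize_windows(SAMPLE_RECORDS).items()):
        print(f"window {bucket}: {count} requests from {distinct} sources")
    print("flagged windows:", flag_distributed_flood(SAMPLE_RECORDS))
```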

Perhaps a more democratic way to implement a popularly supported DDoS protest campaign, would be to invite folks to join the cause, rather than draft them into unknown participation.  That would be better cyber-jutsu. ;)

Sensei Metajunkie