Security Notes: Manage Your Passwords With 1Passwd

In our ongoing look at password security, this week we take a look at an application for Macs.

Networking Notes

Last week, I wrote about Password Composer, a handy tool for creating a kind of do-it-yourself single sign-on for Web sites.

To recap: Password Composer uses a strong root or master password in combination with the domain name of the site you're logging into and produces a password unique to that site using encryption techniques that make it impossible to discern your master password. A simple bookmarklet or Greasemonkey script can recall the unique password using the original master password. Using Password Composer, users get both the security of multiple, strong passwords for all their Web identities, and the convenience of remembering just one password.
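The derivation recapped above, sketched as an added example; it is not Password Composer's own code or algorithm. PBKDF2-HMAC-SHA256 stands in for the unspecified technique, and the function names, iteration count and output encoding are assumptions.

```python
import base64
import hashlib

ITERATIONS = 100_000  # assumed work factor; slows guessing of the master password


def normalise_domain(domain: str) -> str:
    """Fold case and a trailing dot so one site always maps to one salt."""
    cleaned = domain.strip().rstrip(".").lower()
    if not cleaned:
        raise ValueError("domain must not be empty")
    return cleaned


def site_password(master: str, domain: str, length: int = 16) -> str:
    """Derive a repeatable per-site password; nothing is stored anywhere."""
    if not 1 <= length <= 40:
        raise ValueError("length must be between 1 and 40")
    salt = normalise_domain(domain).encode("utf-8")
    # One-way and deliberately slow: the output cannot be inverted, and each
    # guess at the master password costs ITERATIONS hash rounds.
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS)
    # 32 bytes -> 40 printable characters (letters, digits, punctuation).
    return base64.b85encode(key)[:length].decode("ascii")


if __name__ == "__main__":
    master = "constructed master passphrase"  # sample value, constructed
    for site in ("example.com", "Example.COM.", "example.org"):
        print(site, site_password(master, site))
```

Because the site password is a pure function of the master password and the domain, a weak master password weakens every derived password at once.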


This week, we'll take a look at an application for Macs: 1Passwd from Agile Web Solutions takes a different approach to the problem of password proliferation, and leverages some key pieces of Mac technology to do its work.

One solution people use to get around the problems caused by having too many passwords involves taking advantage of a common feature in browsers: remembering passwords for later.

That feature is implemented at varying levels of security: Some implementations simply save the password and username combination, others (like Firefox) offer the opportunity to lock the user's list of passwords and usernames behind a master password.

There are a few problems with this approach:

  1. Some implementations are very insecure. They rely on the user always having control of the computer the passwords are being stored on.

  2. Users who have more than one browser can never be sure that the browser they're currently using has all their passwords and usernames.

  3. Users who work on multiple computers can't take their passwords with them from machine to machine.

  4. Some browser-based solutions are circumvented by sites that use a number of tricks to disable password saving for their customers' own good.

1Passwd addresses these problems by relieving browsers of the duty of remembering passwords and handling that itself in conjunction with Apple's Keychain. It also generates strong passwords, stores user identity information to help fill out forms, and it provides a secure note-taking facility.

1Passwd Basics

The 1Passwd application installs a browser plugin. It currently supports Safari, Firefox, Camino, OmniWeb, Flock and DevonAgent.

At installation, 1Passwd prompts for a master password that should be very secure.

It's able to import stored passwords from the browsers it works with as well as a number of other password manager applications, such as SplashID and RoboForm.

Once you've imported your passwords into 1Passwd, you should turn off password saving and autofill in your browsers and purge their password records.

From that point forward, 1Passwd steps in when it detects a form and offers to save the login information. It stores that information in a Mac Keychain that, by default, locks automatically if the computer is idle for more than 60 minutes, or if it sleeps.

There are a few convenience features built into the password saving process: Users can opt to be presented with an option to name the password (which is useful with the many pages that have somewhat obscure names for signon pages and HTTP Authentication realms), and users can opt to override 1Passwd for HTTP Authentication in favor of their browser.

1Passwd can also provide a secure password during registration at a site with its Strong Password Generator. The nice thing about the generator is its customizability: Users can tell it how long the password can or must be; how many letters, numbers or punctuation characters it must contain; and whether or not to avoid potentially ambiguous characters like "0" and "O" in the password it generates.
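A generator with the same kinds of knobs, as an added example; this is not 1Passwd's code. The function names, defaults and the exact set of look-alike characters are assumptions, and randomness comes from the operating system's CSPRNG through Python's `secrets` module.

```python
import secrets
import string

AMBIGUOUS = set("0O1lI|")  # assumed look-alike set; the page names only "0" and "O"


def pools(avoid_ambiguous: bool = True) -> dict:
    """Character classes the generator draws from."""
    classes = {
        "letters": string.ascii_letters,
        "digits": string.digits,
        "punctuation": string.punctuation,
    }
    if avoid_ambiguous:
        classes = {name: "".join(c for c in chars if c not in AMBIGUOUS)
                   for name, chars in classes.items()}
    return classes


def generate_password(length: int = 16, min_letters: int = 1, min_digits: int = 1,
                      min_punctuation: int = 1, avoid_ambiguous: bool = True) -> str:
    """Return a random password meeting the per-class minimums."""
    classes = pools(avoid_ambiguous)
    minimums = {"letters": min_letters, "digits": min_digits,
                "punctuation": min_punctuation}
    required = sum(minimums.values())
    if min(minimums.values()) < 0 or required > length:
        raise ValueError("minimum counts must be non-negative and fit in length")
    # Satisfy each minimum first, drawing from the OS CSPRNG via `secrets`.
    chars = [secrets.choice(classes[name])
             for name, count in minimums.items() for _ in range(count)]
    # Fill the remainder from the whole alphabet.
    everything = "".join(classes.values())
    chars += [secrets.choice(everything) for _ in range(length - required)]
    # Shuffle so the required characters do not sit in predictable positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    print(generate_password(20, min_letters=8, min_digits=3, min_punctuation=2))
```

Dropping the six look-alike characters shrinks the alphabet from 94 to 88 symbols, a small cost that a slightly longer password more than recovers.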

Recalling passwords is simple: 1Passwd can automatically submit forms when it comes across a site it can fill out automatically (Autosubmit) or it can be invoked with a keystroke (⌘ \) in cases where it can't.

The latter case pops up with unfortunate frequency in cases where one might have multiple logins under the same domain. For instance, a user who has logins at webmail.foo.com, a blog login at blog.foo.com and an HTTP Authentication signon at dev.foo.com won't get the benefit of Autosubmit because 1Passwd takes a conservative approach to guessing which identity to use. It does, however, offer a useful visual guide to which password it thinks is the most likely to work in the form of red bars next to each choice. The more bars a choice has, the more closely it matches the form 1Passwd remembers saving.

Managing passwords is also pretty easy: 1Passwd provides an easily searchable list organized either by domain name or the name the user assigned when the form was first saved. It's possible to change autosubmit settings, which URLs match the password, and which values go in a field. Passwords can also be organized into folders.

Password entries also include a menu that permits the user to "Go and Fill," which opens the saved form in the user's browser, or "Copy Go & Fill Link," which copies the appropriate link to the user's clipboard for use in a browser besides the current default, or to create a "Go and Fill" bookmark for use right from the browser.

Managing Identities

1Passwd also has facilities for remembering form data outside user names and passwords. It calls this stored information "identities," and provides fields for a number of pieces of data: Basic name and address information, a reminder question & answer, e-mail address, numerous instant messaging handles, forum signatures, phone numbers, social security, driver's license and credit card information (number, expiration date, security code).

1Passwd remembers multiple identities. That makes it possible to fill out forms appropriate to a given situation quickly: A work identity might use an office phone, work e-mail address and work IM handle. A formal personal identity might store the name, e-mail address and information you'd want to use if you were filling out an application. An informal identity might use your nickname instead of your given name and provide a less important e-mail address or IM handle for site registrations.

Once an identity is created, it can be recalled to fill out a form with a single keystroke (⌘ ⌥ 1-9).

All this information is stored in the 1Passwd keychain, so it's encrypted and somewhat secure if you mind your keychain security.

Extras

At the top of the column, I mentioned that 1Passwd could help get around the problem of using multiple computers. It handles that in two ways: One's good for .Mac users and the other's good for cross-platform or non-.Mac users who own a PalmOS-based organizer.

For .Mac users, the 1Passwd Keychain can be synced among computers. It's an option under the Keychain Settings window in 1Passwd's configuration.

For Palm & Treo users, there's 1Passwd Reader for Palm, a $12.95 extra that stores 1Passwd data in the device for recall away from a Mac. I don't have a Palm, so I can't speak to how effective or secure it is, but, like 1Passwd, it's available for trial download.

Finally, there's the overall issue of Keychain security: A convenient, automatic mechanism for recalling passwords also brings some increased danger.

If you're frequently away from your computer and it's in an area where others could use it without your knowledge, none of the security Keychain provides does much good. In those cases, make sure the idle interval at which 1Passwd will lock the keychain is short.

You can also consider going to the Security settings in System Preferences and setting the option to require a password to restore the computer from its screensaver. Combined with an Active Screen Corner setting in the Dashboard & Exposé preferences, you can activate the screensaver and secure your computer with a flick of your wrist.
