November 4, 2009
Forget Those Passwords – Literally (Thanks To OpenID)
By Scott Nesbitt – October 11, 2009
You might recall a previous TechTip that looked at software you can use to wrangle all of the passwords you have for your favorite Web sites and Web services. Those apps are a good solution, but what if there was a way to securely log into multiple sites using only one ID?
That's not a pipe dream. And it isn't a matter of using the same user name and password for everything (remember, I said securely). A technology called OpenID offers that promise, and is on its way to delivering it.
What is OpenID?
OpenID isn't software. The OpenID Foundation, a non-profit which works towards the adoption and spread of OpenID, describes it as a decentralized standard for user authentication and access control, allowing users to log into different services with the same ID. Another way that people describe OpenID is single sign-on (SSO).
OpenID, though, does one thing and does it well. It authenticates users, confirming they are who they say they are.
You don't need to worry about having a unique user name and password for each and every site that you need to log into. Instead, your login credentials (called an OpenID) consists of a URL – like http://MySecretID.myopenid.com/ – that's yours and yours alone. An OpenID provider, a site or server that hosts your URL, ensures that your OpenID is authentic.
The URL acts as a universal user name. The only password you need is the one that you use to log into your OpenID provider.
Who controls OpenID?
No single individual, company, or organization controls OpenID. The technology behind OpenID is Open Source. There can be any number of OpenID providers. In fact, if you have the technical expertise you can set yourself up as a provider and run what's called an identity server. You can learn more about doing that here. That's also a double-edged sword, which I'll discuss in a moment.
That said, it's not like the folks working on OpenID are lone programmers in the wilderness. A number of well-known tech companies back and support OpenID. Companies like Google, Yahoo!, VeriSign, and Sun Microsystems.
Using OpenID sounds difficult. It isn't. It just requires you to change the way in which you think about logging into Web sites and services. Luckily, that shift isn't a big one.
First off, you need find an OpenID provider and sign up for an account. If you're looking for one, this is a good resource. Most of the people I know who use OpenID tend to opt for one of the following providers:
The signup process is simple. You choose a user name, which is tacked on to the domain name of generic viagra australia the provider. For example, http://YourName.claimid.com. You also need to create a password and enter an email address.
Once you've signed up, you can use your URL. From there, you go to the login screen of a site that supports OpenID. You can find a comprehensive list of those sites here.
You'll have to click a link, which says Login with OpenID or something similar.
Type your URL in the OpenID field and click Sign In. You'll be redirected to your OpenID provider, where you'll need to enter the password for your OpenID account. The provider confirms that you are who you claim you are, which takes about a second. You'll be sent back to the site where you'll be logged in.
All of this seems a tad cumbersome, but the advantage is that you don't need to worry about remembering a user name and password combination for every site that you use. There's just one.
Advantages and drawbacks
The main advantage of using OpenID is that you only need one user name and password for the Web sites that you use. You'll no longer need to tax your memory or confuse one login with another.
OpenID is Open Source. That means a large number of eyes are on it, and constantly improving it. And it's not just the so-called hobbyist programmers, either. As mentioned earlier, a number of tech giants are involved in the development of OpenID.
Because OpenID is decentralized, no one firm controls it. You don't have to worry about a firm folding or suddenly charging for the service. There are a growing number of OpenID providers out there – all you need to do is pick one.
On the other hand, a large number of Web sites don't support OpenID. As I read somewhere on the Web, some folks cite the chicken-egg problem. Not all sites support OpenID because there aren't enough people using it or who are comfortable with it. The number of sites that support OpenID is growing, but not rapidly.
There's also the potential for phishing and identity theft. Remember what I wrote earlier about setting up an identity server? There's nothing to stop a malicious programmer from setting one up and using your own data against you.
Sometimes, you run into an OpenID-enabled site that doesn't play nicely. I know a couple of people who weren't able to log into certain sites even though their OpenID credentials were valid and correct. This doesn't happen often, but when it does it can be frustrating.
OpenID is an interesting and useful way to log into your favorite Web sites. While the number of sites that support OpenID isn't that large, support is gradually increasing.
You msight not want to use OpenID for logging into all Web sites, but the idea of single sign-on is intriguing. OpenID is another step towards making it universally available and acceptable.
Four Password Managers To Wrangle Those Pesky Passwords
By Scott Nesbitt – August 30, 2009
Passwords. They're a blessing and a curse, aren't they? In today's digital world, we all seem to have passwords for … well, for everything. And a lot of passwords. For online banking, Web mail, e-commerce sites, our favorite Web applications, and more.
As many of us have learned, though, it can be hard to remember all of those passwords. If you forget a password, the kinds of sites mentioned in the last paragraph can either send you a password or reset it. But that's takes a bit of time and just adds to the confusion.
While you can write down your passwords in a paper notebook (remember those?) or in a file on your external hard drive, what happens if you lose the notebook or delete the file? Or if someone else gets hold of them? The situation will end in tears.
Instead of relying on your memory or more traditional ways of storing passwords, why not turn to a password manager?
Enter the password manager
A password manager is a piece of software that, obviously, lets you securely store and organize your various passwords. The software is usually designed for a desktop computer or a notebook computers, but password managers are also available for smartphones. The BlackBerry, for example, comes with one called Password Keeper.
The principle behind the password manager is simple. It stores your login information in an encrypted database or in a file hidden somewhere on your external hard drive. You enter your information using a simple form. This information can include:
Optionally, there might be space for entering a URL and a note.
Whenever you need a password, you just dip into the password manager and pull it out. Some applications, like Apple's Keychain Access, enable you to log into a Web site using a single password.
The obvious advantage to using this kind of software is convenience – you don't need to try to remember multiple user names and passwords, or worry about confusing them. They're all in one secure place. But what's out there? Let's take a look at a few.
Universal Password Manager
This is an interesting one. Universal Password Manager is an Open Source application that runs on Linux, Windows, and Mac OS. You'll need Java installed on your computer to run this application, but the three operating systems on which it runs usually have Java installed already.
To get set up, you create a database for your passwords. From there, you can add your passwords to the database using a simple form.
Universal Password Manager has a nifty feature that lets you copy a user name or a password from an entry in the database, without having to double click on the entry. This is useful when you remember one or the other (it happens!).
The database is encrypted with a scheme called AES (Advanced Encryption Standard). It's not the strongest encryption but it works. While you can create multiple databases – for example, one for our desktop computer and one for your cheap netbook – Universal Password Manager is Web enabled. You can save a database to a Web server and point the application there. No matter what computer you’re using, you can always access your password store.
KeePass Password Safe
KeePass is sort of like a supercharged version of Universal Password Manager, though only for Windows. It comes in two versions. The Classic version, which has more than just basics features, and the Pro version, which needs Microsoft's .NET to run. You can compare the features of the two versions here.
Remember what I said about KeePass being Windows only? That's not quite true. The Classic version also runs in Linux under Wine, although the toolbar buttons go AWOL. And the developer says that the Pro version will run under any operating system, like Linux or Mac OS, that supports Mono (an Open Source version of .NET).
KeePass stores all of its information in a database that's encrypted with AES (told you it was like Universal Password Manager). You can have multiple databases, and add multiple groups to a database. Groups enable you to collect similar Web sites, applications, services in separate folders — one, say, for Web applications, one for e-commerce sites, and another for banking information. This makes it easier to manage your passwords.
You can also tell KeePass to protect certain fields of the database — like password or user name — while the application is running. While you're using a database, or before you save it, this keeps the information safe from other applications, like trojans, that may try to read your computer's memory. What really sets KeePass apart from other password managers is its collection of plugins. There are plugins for importing passwords from other applications, managing databases, integrating KeePass with other software, and more.
GNOME Password Manager
If you're running Linux with the female viagra sildenafil target=”_blank” title=”http://www.gnome.org/”>GNOME desktop, you've got a password manager already installed. Called GPass, you can find it under Applications > Accessories. It's a simple application but one that gets the job done.
To use it, you click the Add button on the toolbar. From there, enter whatever information you need. At the very least, you should specify a name to identify the information, a user name, and a password. Click OK and you're done. It's that simple.
Passwords are stored in a file, encrypted with the Blowfish encryption scheme, somewhere on your computer. I'll be darned if I can find that file …
GPass lacks a lot of frills. But one useful feature that it shares with Universal Password Manager is the ability to copy user IDs and passwords by right clicking on an entry – you don't need to open it. GPass also has a decent search feature, which is useful if you have a lot of passwords.
Passpack is a Web-based password manager. It's said to be quite secure. The login procedure itself is in three steps: enter your user name and password, then click a security image, then enter a passphrase.
Once you're in, it's easy to use. As with desktop password managers, Passpack has a form for entering a user name, a password, and a link to a Web site (if necessary). On top of that, Passpack shows you the strength of the password while you're typing it. I can't vouch for the accuracy of this. If you enter the entire alphabet and numbers from 0 to 9, the password will be considered fairly strong.
Passpack also has some useful tools. You can import and export password files to and from another password manager. There's an Adobe AIR application that lets you access your passwords from your desktop. On top of that, Passpack supports a feature that lets you specify sites to which you can login with a single click.
A few words of advice
If you're using an online password manager like PassPack, it's probably best not to add passwords for online banking, credit cards, or services like PayPal to it. The application might be secure, but you can never be 100% confident. The convenience could wind up costing you.
If your password manager has a feature that automatically generates password, don't use it. A good password is random. These applications generate passwords that aren't truly random. Instead, they're what's call pseudo random. You get a complex password, but there are tools available that can detect a pattern in the password and break it. It may not happen to you, but you never can tell.
And never, ever forget the password to get into your password manager. That seems like simple advice, but far too often people have let that password slip their minds. It's embarrassing, and I'm speaking from experience.
Wrangling your many and varied passwords isn't an art. It can be tough, but with the good password manager the job is a lot easier. You don't have to worry about potentially fallible human memory, and you'll eliminate the chaos that all of your passwords are causing you.