Sunday, October 28, 2007

Password Quagmire

As a follow-up to my RTFM post, about getting my password situation under better secure control with a password manager, I have learned something interesting. The number of places I use that require a password is substantial. I knew that there were many places that I use on a regular basis; however, I didn't know how many. Now that I have all of my passwords configured in my manager, I'm shocked.

I now have 41 passwords stored in my manager. The device has a maximum capacity of 50. I certainly hope that my internet usage doesn't change too drastically in the near future, or I will max it out and then have to figure out a different storage or usage scheme. Right now I have 13 password slots for just work and the Army. If required, I could consolidate my US Bank passwords again, but that would defeat the purpose for which this all started. Trying to synchronize all of my passwords at work is a bunch of work, and I would rather not have to do that again. Keeping them separate might be more difficult, though I've yet to discover this problem, as I haven't yet started using it for work purposes. (That will be Monday.)

Anyway, this little device, once configured the way you want it, is pretty simple to use. To begin, just click the center button. This will cause the device to prompt you for your 5-key finger pattern (a password comprised of a combination of the arrow keys). Once into the token, you use the center button as the enter key and the arrow keys to navigate to the password you want to use. It is pretty simple and straightforward.

However, it doesn't always produce as much feedback as you would like. To shut off the device, you press the left arrow key from the main menu (View, Options). While you are in View mode, you select a site to view its password by pressing enter; to return to the list, press left. However, the first left press only takes you back to the individual record, so you can also see the username if required. To get back to the list, press left again. If you get impatient and press left too many times, you could shut the device down without wanting to.

The device boasts a last-used password memory. I will not tell you that this is false; on a technical level, this is not a lie. As long as your session within the token continues, you can look at a password, return to View, look at Options, or whatever else, and when you return to View, it will take you to your last-used password. However, once you shut it off and turn it back on, it will not remember which password you were using. With 50 available slots in the device, navigating around to view your password can get annoying.

The user interface lets the user work around this issue, as they have provided 2 very useful features. The first one is wrap-around: from record 1 you can roll back to record 50. For me, this was very useful; my most commonly used personal passwords are at the bottom of the list, and all of my work-related passwords are at the beginning. The other solution they put into place is a common one: if you hold an arrow key down, it will continue to move from one record to another, and if you hold it down long enough, the progression speed will increase, thus moving faster than pressing the arrow yourself repeatedly.

The instructions also recommend another security tool for those worried about having their token hacked: using a symbol offset for the passwords on the token. Therefore, if someone were able to obtain your token AND hack your finger code, the passwords that they see are not the passwords that you actually use. There are simple ways of doing this, but for the paranoid, they have an example of a complex way to use it in their manual. Their demonstration from the FAQ is as follows:



AN EXTREME EXAMPLE –

The following is an example of a complex offset that
combines multiple techniques which can be used
separately or in combination with other techniques.
This example includes (1) a fractional reading of only
a subset of the displayed code; (2) applying
multipliers against displayed numeric characters; and
(3) substitutions for displayed alpha characters.

For this example, let's say a user utilizing the token
generates and stores a purely random string of 14
printable characters.

The Display reads:

\BjrGjh3>u7A&t

The user secretly applies the following complex
offsets only known to him/her to arrive at the true
password for the Login Record:

Offset (1): The password length is only the last 8
characters read right to left on the display;

Offset (2): All displayed alphas are decremented by
one character;

Offset (3): All displayed numbers are incremented by
one.

The actual password for the Login would be
discerned in the following 3 step process:

Step #1: Locate the last 8 characters of the
displayed password and read them right to left.

t&A7u>3h

Step #2: All displayed alphas are decremented by
one character (application of offset #2):

s&Z7t>3g

Step #3: All displayed numbers are incremented by
one character (application of offset #3):

s&Z8t>4g

Under this complex example, the displayed password
of

\BjrGjh3>u7A&t

would be converted by the user to the actual
password of

s&Z8t>4g

Without knowledge of the offset only known to the
user, it is impossible to deduce the actual password
from the displayed password.
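The offset procedure quoted above, as an added Python example that is not from the blog post or the token's manual: it applies the three offsets in the manual's order and is generalised so that the number of characters kept, the alpha shift and the digit shift are parameters. The wrap-around of digits (9 to 0) and the pass-through of punctuation are my assumptions; the manual itself only shows the uppercase wrap (A to Z).

```python
# Added example (not from the blog post or the token's manual): a reference
# implementation of the "complex offset" the manual walks through.
# Constructed assumptions: alpha shifts wrap within their own case (the manual
# shows A -> Z), digit shifts wrap 9 -> 0 (the manual only shows 3 -> 4 and
# 7 -> 8), and punctuation or other symbols pass through unchanged.
import string


def shift_char(ch: str, alpha_shift: int, digit_shift: int) -> str:
    """Shift one character by the configured offset, wrapping within its class."""
    for alphabet, shift in ((string.ascii_lowercase, alpha_shift),
                            (string.ascii_uppercase, alpha_shift),
                            (string.digits, digit_shift)):
        if ch in alphabet:
            return alphabet[(alphabet.index(ch) + shift) % len(alphabet)]
    return ch  # symbols such as '&' or '>' are left as displayed


def offset_steps(displayed: str, keep_last: int = 8,
                 alpha_shift: int = -1, digit_shift: int = 1) -> tuple:
    """Return the three intermediate strings of the manual's 3-step process.

    Defaults reproduce the manual's example: keep the last 8 characters, read
    them right to left, decrement alphas by one, then increment digits by one.
    """
    if keep_last > len(displayed):
        raise ValueError("offset keeps more characters than the token displays")
    step1 = displayed[-keep_last:][::-1]                        # offset (1)
    step2 = "".join(shift_char(c, alpha_shift, 0) for c in step1)  # offset (2)
    step3 = "".join(shift_char(c, 0, digit_shift) for c in step2)  # offset (3)
    return step1, step2, step3


def apply_offset(displayed: str, **offsets) -> str:
    """Derive the real password from the string shown on the token display."""
    return offset_steps(displayed, **offsets)[-1]


if __name__ == "__main__":
    DISPLAY = "\\BjrGjh3>u7A&t"  # the manual's sample display string
    for label, value in zip(("Step #1", "Step #2", "Step #3"), offset_steps(DISPLAY)):
        print(f"{label}: {value}")
    print("actual password:", apply_offset(DISPLAY))
```

The transformation is deterministic, so the scheme protects the stored string only for as long as the offset rule itself stays secret, which is exactly the condition the manual states.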



So, since getting this bad boy configured for use, I have done myself a favor and forced myself to use it. The first thing was to put all of my passwords into it. The second was to completely turn off password saving in my browser. Since these passwords are more complex and different from anything that I have memorized, I have to go back to it each time I want to log in somewhere I use less often, or if I press the wrong link and log out of a commonly used site, or after a reboot.

This might sound, and be, annoying; however, it is better than what I was doing before: the same password everywhere and/or exposing my site usage to anyone who can obtain access to my computer. For any of you wondering, yes, this also included my passwords for my financial websites. I feel safer knowing that even I don't know my passwords.
