If you are a Firefox user, you may have heard about the vulnerability discovered which could allow malicious web sites to steal passwords that you have stored in your password safe. You didn't know that? It could suck. I don't have the details, but you can get a hint in the description of the session "Breaking Browsers: Hacking Auto-Complete" at the upcoming Blackhat conference. (That's were security-conscious people get together and talk about bad-guy stuff.)
The upshot is that after this conference, the precise method for doing
this will be out in the open, and there may be a lot of enterprising
hooligans who immediately make use of it. Get your passwords out of
Firefox now! I found a handy tool that
will look pull the passwords from your local repository and help you
dump it into another format before you clear them out of Firefox. I
know that sounds alarming, but you save it to your local system and run
it from there. (It will warn you if you try to run it from the
Internet.) It will show you a list of your passwords and let you copy
them into another file. I dumped them into a spreadsheet. (ODS format, of course!)
So... what to do with this file. I don't feel much better having a
spreadsheet laying around on my system with passwords to everything.
True, it's much less likely that someone will poke around on my file
system than that people will mess with my browser... but it's still not
a good idea. It's time to crank up the encrypted file space!
I've talked from time to time about working with encrypted file systems, but not much beyond that. But now it's pretty urgent and I want to make sure that I have an easy-to-use space available right now for this and other sensitive information for which I need better habits. I know that encryption sounds hard, but it's really not that bad. There's a lovely open-source, multi-platform tool called TrueCrypt that makes this all pretty easy to handle. Don't think encryption will make that much of a difference? Take a peek at this article on how long it takes to break passwords of varying complexity. Good encryption with a good password will likely surpass the attention span or statute of limitations for most situations.
How easy was this to do? I installed TrueCrypt, which took a few
minutes of downloading and script-running. I fired up the program
which, incidentally, had a nice GUI. I created a 1GB volume which
resides as a file on my file system. It's formatted internally just
like a file system and it mounts that way too. I could easily have put
it on a flash drive if I wanted to. TrueCrypt also supports encrypting
partitions. Now I have a moderately safe repository that I can save my
spreadsheet into. I can mount it when I need to and not have to do
anything too weird with it. I can also keep multiple things in it,
consolidating my secured items. In Linux, and Mac OSX as well, I
think, it's easy to make a relative pointer to a file. That means that
I can take some key configuration and data files and store them in my
encrypted area, but allow the applications to deal with them as though
they were standard. I can explain that in more detail if someone is
interested. There is probably a way to do that in Windows by now, but I just don't know what it is. Maybe someone can fill us in.
So, I'm sorry to bear the news. I rather like the convenience of
the password safe... but it's just not safe right now. And don't feel
that putting Firefox's password file in your encrypted volume will
help. The problem is that Firefox will give up your password if it's
asked in the right way. We need to make sure that Firefox doesn't know
the password. Ultimately I'm sure this will be fixed. Then it may be
safe to go back. There are also other password safe tools that might
be helpful... but for now, I think I'm going to go with the
old-fashioned copy and paste approach with the spread sheet.
I hope that all of you will take this stuff seriously and give TrueCrypt a try.
We really do need to start taking personal responsibility for securing
our communications. Government is too slow and to clumsy to do it for
us (not to mention that they don't want anything to be secured from them).
Manufacturers have too many points of view to accomodate to make it
automatic. It has to be the right solution for you. Start with this
and before you know it I bet you'll be asking me about encrypting your