Thursday, October 29, 2009

Securely manage WebSites, user ids and passwords


For the last two weeks I have had the pleasure to discover a new tool to more safely manage passwords and avoid web site spoofing. The tool is PINS, and it is free, but only works on Windows unfortunately.

PINS allows me to create a secure repository on my PC to store important data. It is encrypted with a 448-bit Blowfish algorithm. I am now storing website URLs, user IDs and passwords exclusively in PINS and have turned off the Save Passwords feature in both IE and Firefox.

Firefox stores the passwords encrypted ONLY if you set a master password, and most people never set one. Even if you do enter a master password, just google for "recover firefox passwords" and you will have a myriad of tools to choose from.

IE stores its passwords differently depending on the version of IE. However, they are easily recovered using a variety of tools. Just google for "recover IE passwords" to see the options.

The key takeaway here is that if you are storing passwords for banking and other critical websites, you should understand that any local or domain admin can obtain your passwords. Unless your drive is encrypted, anyone who has unsupervised physical access to your PC will also be able to obtain your passwords. If you have a PC that can be rebooted from a floppy or CD-ROM, then your local Windows password file is vulnerable and can be copied and cracked offline. If your PC drive is disposed of, it should also be wiped. Old drives lying around contain lots of data you don't want in the wild.

Using PINS to keep my URLs, user IDs and passwords safe is a little less convenient than the browser tools, but for the security and peace of mind it is worth it.

I started by extracting my list of saved passwords from Firefox using an add-on called Password Exporter, which exports the list to a CSV file. I edited this file in Excel and saved it to another CSV file. I also added a Category column so that PINS groups the URLs by category.

PINS has an import CSV function that works perfectly and lets you map columns onto its format quickly. Now whenever I want to go to a site I open PINS, press CTRL-F to find my URL, press CTRL-H to launch the website in a browser and then CTRL-Y to enter the user ID and password into the appropriate boxes on the website.

One feature I really like is the password generator. When you edit or enter a new record, there is a button to quickly generate a new password. Then I just cut and paste the password that PINS generated into the website's change password function. Now I can easily have a different password for every website I log onto. But with a different random password for each website, I am VERY dependent on making sure I never lose my PINS database of passwords. No file exists until it exists in at least two places.
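The generator described above is PINS's own feature; as an added illustration of what a password generator has to get right, the following Python is my example, not PINS code. It draws every character from the operating system's cryptographic random source (`secrets`), guarantees at least one character from each class so the result passes typical site policies, and reports a rough entropy figure so you can see why a 16-character random password is far stronger than anything you would choose by hand. The character classes are an assumed policy, not one taken from the page.

```python
import math
import secrets
import string

# Assumed policy: one character from each of these classes is required.
# These classes are my choice for the example, not a setting from PINS.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}


def generate_password(length=16, classes=CLASSES):
    """Return a random password of `length` chars containing at least one
    character from every class in `classes`, using the OS CSPRNG."""
    if length < len(classes):
        raise ValueError("length must allow one character from each class")
    # One mandatory pick per class, then fill the rest from the union alphabet.
    chars = [secrets.choice(alphabet) for alphabet in classes.values()]
    alphabet = "".join(classes.values())
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with the CSPRNG-backed RNG so the mandatory picks do not
    # always sit in the first positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def satisfies_policy(password, classes=CLASSES):
    """True if the password contains at least one char from every class."""
    return all(any(c in alphabet for c in password) for alphabet in classes.values())


def estimated_entropy_bits(length=16, classes=CLASSES):
    """Upper-bound entropy: log2(alphabet size) per character. The per-class
    constraint removes a little, so treat this as an approximation."""
    alphabet_size = len(set("".join(classes.values())))
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, satisfies_policy(pw), round(estimated_entropy_bits(16), 1))
```

A password pasted from a generator like this is only as safe as the store it lives in, which is why the backup copy discussed next matters: a random password cannot be reconstructed from memory.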

PINS helps with making sure you have safe copies as well. In the Tools >> Settings >> Saving tab, you can specify a place to store a second copy whenever the file is saved. Keeping the second copy on a thumb drive or external storage will make your file easily portable.

PINS also protects your passwords with a timeout that automatically locks the password file after a set number of minutes. Until you re-enter the master password you can't access the PINS database.

PINS also allows you to keep multiple password files in use at once. If you are a consultant you might have one per client company, or separate files for work and personal use.

By getting in the habit of ONLY accessing websites through PINS, I can be assured I am hitting the EXACT URL that I know is correct. Many phishing scams exploit the fact that the main pages of banking sites are not served over HTTPS and are therefore vulnerable to man-in-the-middle attacks. I make sure to record the https version of any website in the PINS URL field so that I am hitting the right website.
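The two steps above that are easy to get wrong by hand are the CSV edit before import (adding a Category column to the Password Exporter output) and making sure every stored URL is the https version. The following Python is an added example of doing both in one pass; it is my code, not part of the Password Exporter add-on or of PINS. It assumes the add-on's export columns are `hostname,username,password,formSubmitURL,httpRealm,usernameField,passwordField` (as I recall them) and assumes a target layout of `Category,Title,URL,User,Password`, since the page does not list the exact columns the PINS import dialog expects; map them in the import dialog as needed. The sample export and the host-to-category rules are constructed for the example.

```python
import csv
import io
from urllib.parse import urlsplit, urlunsplit

# Constructed sample in the (assumed) Password Exporter column layout.
# Hosts use the reserved .test TLD and the credentials are made up.
SAMPLE_EXPORT = """hostname,username,password,formSubmitURL,httpRealm,usernameField,passwordField
http://www.examplebank.test,alice,OldPassword1,http://www.examplebank.test/login,,user,pass
https://mail.example.test,alice@example.test,Hunter22!,https://mail.example.test/auth,,login,pwd
http://forum.example.test/,alice_f,forumpw,,,uname,passwd
"""

# Hypothetical host-suffix -> category rules; edit to taste.
CATEGORY_RULES = {
    "examplebank.test": "Banking",
    "mail.example.test": "Email",
}

OUTPUT_COLUMNS = ["Category", "Title", "URL", "User", "Password"]  # assumed target layout


def to_https(url):
    """Rewrite an absolute URL to the https scheme, dropping any fragment,
    so the record stored in the manager never points at the plain-http page."""
    parts = urlsplit(url)
    if not parts.netloc:
        raise ValueError(f"not an absolute URL: {url!r}")
    return urlunsplit(("https", parts.netloc, parts.path or "/", parts.query, ""))


def categorize(url, rules=CATEGORY_RULES):
    """Assign a category by matching the host against the rule suffixes."""
    host = urlsplit(url).hostname or ""
    for suffix, category in rules.items():
        if host == suffix or host.endswith("." + suffix):
            return category
    return "Uncategorized"


def convert(export_text, rules=CATEGORY_RULES):
    """Turn the exporter CSV text into a list of rows in the target layout."""
    rows = []
    for rec in csv.DictReader(io.StringIO(export_text)):
        url = to_https(rec["hostname"])
        rows.append({
            "Category": categorize(url, rules),
            "Title": urlsplit(url).hostname,
            "URL": url,
            "User": rec["username"],
            "Password": rec["password"],
        })
    return rows


def write_csv(rows):
    """Serialize rows as fully quoted CSV (passwords may contain commas/quotes)."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=OUTPUT_COLUMNS, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(write_csv(convert(SAMPLE_EXPORT)), end="")
```

Both the exporter's CSV and the converted one are plaintext copies of every password, so once the import has succeeded they belong in the same category as the old drives mentioned earlier: delete them, and if they sat on an unencrypted disk, wipe rather than just delete.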



Free Tools:
Drive Encryption: TrueCrypt
Drive Wiping: Darik's Boot and Nuke (DBAN)
Windows Password Recovery: google on Windows Password Recovery or go here

Wednesday, October 28, 2009

Another great tool for Software Development Shops


I had the pleasure of discovering the Herman Miller telescoping screens recently. I am wondering how we have managed to live without such an amazing tool for so long. I love these things. They are actually pretty hard to find online. Depending on configuration, they will cost you $1,500 to $2,000 each. I think buying a few of them for your development team is a great investment.

These tools are giant whiteboards on wheels that 'telescope' so they can be stored or pulled out for a brainstorming session. You can configure them with bulletin boards, for posting large ERD diagrams, alongside the whiteboards. Being portable, you can wheel them into various meetings, as well as put one away and bring in a new one when it gets filled up with details that you do not want to erase.

Tuesday, October 27, 2009

Roasting my own coffee and Open Source

About five years ago I was on vacation and read about people who roast their own coffee beans at home. They were raving about the freshness, the lack of bitterness and the enjoyment of achieving the perfect roast. When I came home from vacation, I purchased a Fresh Roast II online and started roasting my own beans. I was not very good at roasting beans at first. Blogs about it weren't as numerous as they are today. In the past five years, I have gone through three roasters and probably 300 lbs of coffee. Today I use an iRoast 2 from Hearthware and have a few favorite profiles.

How does that apply to Open Source? Once someone tastes a freshly roasted cup of coffee, most people become aware of how bad the coffee they have been drinking all their lives has been. Truly, it really is that much better. Yes, it is more work than buying coffee either as beans or ground. But it is cheaper and tastes better.

I think the same thing about open source and commercial software. Today's open source offerings are excellent, and I suspect that once you 'taste' them, you will have a hard time going back to commercial software.

My introduction to FOSS was a small project we had to keep track of: about 2,500 publications that needed to be created, proofed, sent for regulatory approval, printed and re-printed throughout the year. It is a lot of little steps on each document and lots of little corrections. The price of getting it wrong could be the inconvenience of a wrong phone number, or could be expensive when a price was significantly wrong.

We looked into the standard solution for corporate project management, Microsoft Project. But to make it work the way we wanted we would need Project Server installed. All in all, the price was approaching $70K to put up this solution, far more than the solution justified.

That's when I discovered DotProject. In about one week, we had a DotProject server installed on openSUSE with MySQL on a spare workstation and started training the users to create templates for the publications. For the first time management could actually see just how much work was going on in the Business Communications department and why there was so much turnover there.

Even five years ago, I was amazed at the quality of the Linux distribution, Apache web server, the DotProject PHP application and MySQL. It was eye-opening coming from a world where databases and applications are licensed for hundreds or thousands of dollars per seat. And these guys were doing it for fun and recognition!

It has been an excellent five years of watching the FOSS industry grow and mature to the point that companies should really be thinking seriously about how FOSS fits into their long-term strategic plans.

A great tool for IT Departments

The Sharpie permanent marker is a device that all IT departments should keep plenty of on hand. They are great for labeling the black (or white, for Mac) power cords that just seem to collect and get separated from their devices.

Considering the damage that can be caused by plugging a cord of the wrong voltage or amperage into the wrong device, it is cheap insurance.

How many hours are wasted trying to match up power supplies, especially with so many companies using generic AC/DC converters? Also, the voltage and amperage are often printed in an extremely small font on the power supply and can be hard to read.

So just label the power supplies with your silver Sharpie!