Category Archives: Security

Intuitive Password Online Password Management Review

Written by William Roush on September 8, 2014 at 8:06 pm

A review for the online password manager Intuitive Password.

Disclosure: I was asked to look at Intuitive Password. I generally don’t look at online password managers due to a lack of self-interest in them, but I figured I’d give it a go if a reader suggests it.

Intuitive Password is a software-as-a-service platform for storing and managing your passwords, similar to KeePass or Passwordstate, but out on the internet where you don’t have to manage it and it’s nearly always available.

Registering


Registration page

The registration page is really straightforward, with just one minor complaint: the “security question” is an open-ended free-form text field. This leads to people putting in things like “how many cubes away from John am I?” (I have actually run into this one before), which after a few guesses gets you into their account. Though honestly this is less Intuitive’s fault and more a matter of how security questions can be broken. Just make sure you pick a really solid security question.

Gmail used to do the same thing, now they have more secure password reset options (phone call, recovery e-mail, or a Google-enabled device).

Logging In

On-screen keyboard, an attempt to fool keyloggers.

One thing I noticed during the log-in process was a JavaScript-driven keyboard for password entry. On one hand this will fool a lot of keyloggers; on the other hand I have seen keyloggers that captured enough to pull your password off of this (some take screenshots, others record mouse positions on clicks). I couldn’t really imagine myself using it.

Password Management

All that you'd really want.

Password management is really straightforward and like every other password manager: give it a title, set the password. The available fields are driven by what category your password resides in.

Password ratings give a quick visual cue on your password's security.

Organization

Password category management is nice.

The slick UI really helps with this, and the default layout shows that Intuitive Password isn’t just for logins, but any other encrypted information you want to keep. You can create additional custom categories, each with their own custom fields, leaving it up to you how much or how little you want to keep in here.

This software by default has security questions for general logins, and domain/machine name, IP address, etc. for network logins, so a bit of thought was put into having a nice starting configuration for your categories.

Sharing

You can share individual passwords with other people; it’s as simple as entering an e-mail address. Not exactly useful for larger teams without a lot of tedious work, but it’s good if you want to share a handful of passwords with another person.

Account Management

IntuitivePassword - Account Details

Account management is straightforward: the ability to reset your password and your security question, set up two-factor authentication, pretty standard stuff. The biggest thing I like here is the display of the currently running version of the software. I always like to know when my SaaS platforms get updated (and push for this to be an option on projects I work on).

IntuitivePassword - Country Restrictions

An interesting feature I observed was login restriction by country, a pretty cool little feature.

Additionally they support downloading all of your passwords in case you want to move to another platform, which is always an awesome option (may be required by law in Australia, not sure), and you have the ability to download/restore your own backups in case you’re paranoid about relying on Intuitive Password’s team to be able to do that.

UI/UX

IntuitivePassword - UI

Intuitive Password has a pretty slick UI, I like the look and feel. The only complaint I have is that the textured background that permeates through all UI elements can sometimes make certain letters not the easiest to read (only had that happen once on a specific field), but generally the chosen font size and style makes everything really clear.

As for UX design, everything is pretty accessible and intuitive (heh), the only feature that wasn’t immediately apparent was sharing passwords (I was always mentally driven to the “shared” tab to try to figure things out, not to the bottom of your currently selected password). The integrated help is unobtrusive and very informative and is available throughout the software.

Quick Login

This is similar to the auto-type you have in similar software, but it only applies to web-based software (so no auto-logging into your games). It consists of a bookmarklet that pulls scripts from Intuitive Password’s servers and will attempt to log you in.

IntuitivePassword - Quick Login Training

If you attempt to quick login on a page that Intuitive Password doesn’t know how to log into, it’ll ask you to train it to understand what the login process is. So instead of just jabbing at the currently selected fields like KeePass does, it is actually somewhat aware of the website layout (though this won’t work for those multi-step banking sites that have a massive amount of security theater going on).

Offline Storage

Offline storage is pretty cool; right now they only support sending you an HTML document with everything embedded. Your passwords sit in a base64-encoded encrypted blob to be decrypted with an AES key derived from your offline password. They’re also looking at adding Dropbox, Box, and OneDrive support in the future.

Mismatching password lengths.

One thing I thought was a problem, but figured out was a major benefit, was this password screen. Here I’m trying to type a 32 character long password (longer than the 20 character limit), and they only truncate the confirmation password field. This prevents silent truncation of passwords, which is a major thing I complain about in my upcoming post about password security theater causing massive user experience issues.

I like these little details that prevent me from accidentally doing dumb things.

Online Storage

Well, if I was going to investigate how passwords are stored offline, it only made sense to figure out how passwords are transmitted online. Given the offline storage I had a lot of hopes for this, until I ran across this:

Password being sent embedded in the JSON response.

I’m kind of surprised that with all the care passwords are given on client-side storage that the server still handles decrypting/encrypting your password for you, meaning a breach at the cloud provider can put your passwords at risk.

This is why I generally like the option CrashPlan provides — a second password so that the Software-As-A-Service provider CAN’T decrypt it even if they wanted to. There are methods that involve using a single password where this approach could be viable (use a key derived from your password to sign something to verify your login instead of sending the password to the server, send encrypted data to the client to be decrypted with the derived key… something of the sort).
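As an added illustration of the single-password design sketched above (example code written for this page, not Intuitive Password’s or CrashPlan’s code, and not a claim about how either vendor works): one password is stretched once, then split into an authentication key that signs a server challenge and a vault key that never leaves the client. The keystream function is a standard-library stand-in for AES and the salt and round count are constructed values.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # constructed for the example; tune for a real deployment


def derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the password once, then expand it into two independent keys.

    auth_key is the only value that ever leaves the client. vault_key never
    does, so a server-side breach yields nothing that decrypts the vault.
    """
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    auth_key = hmac.new(master, b"auth", "sha256").digest()
    vault_key = hmac.new(master, b"vault", "sha256").digest()
    return auth_key, vault_key


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES so the example runs on the standard library only:
    HMAC-SHA256 in counter mode as a keystream. Encrypts and decrypts alike."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def make_proof(auth_key: bytes, challenge: bytes) -> bytes:
    """Client side of login: sign the server's fresh challenge instead of
    sending the password (or any key) across the wire."""
    return hmac.new(auth_key, challenge, "sha256").digest()


def server_verify(stored_auth_key: bytes, challenge: bytes, proof: bytes) -> bool:
    """Server side of login: it holds auth_key, so it can check the proof,
    but auth_key gives it no way to derive vault_key."""
    expected = hmac.new(stored_auth_key, challenge, "sha256").digest()
    return hmac.compare_digest(expected, proof)


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Client-side encryption; the server only ever stores nonce || ciphertext."""
    nonce = secrets.token_bytes(12)
    return nonce + keystream_xor(vault_key, nonce, plaintext)


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Client-side decryption of a blob produced by encrypt_vault."""
    return keystream_xor(vault_key, blob[:12], blob[12:])
```

Everything the server stores (auth_key plus the blob) is enough to let a user in but not enough to read the vault, which is the property the JSON response above gives away.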

Master Password

They do have the ability for you to add additional security to your passwords via a “master password”, but this is still sent to the server and decrypted server side; it really just adds a layer in case someone gets your account password on your desktop.

Overall

Intuitive Password is a pretty slick product; if you’re not paranoid and don’t mind storing your passwords online (and the provider having access) I’d definitely recommend it. I’ve been told to look at LastPass, since they apparently handle online password transmission differently, so keep an eye out for that review too.

Passwordstate – Enterprise Password Management Review

Written by William Roush on May 30, 2014 at 4:40 pm

An end-user review of Passwordstate, a shared web-based password list software that gets you all the additional features you wanted over KeePass and other equivalents.

Before we start… Sorry about the large gap in posts, a mix of writer’s block and working on reviews of a handful of things (Zultys PBX, ScreenConnect, etc.). There will be MUCH more to come soon!

I’d also love to write about more IT subjects in Chattanooga (locally developed software, startups, IT community, or businesses), if you have any suggestions feel free to throw them my way!

What is Passwordstate?

Passwordstate is a web-based password management tool written by Clickstudios. Think of it as KeePass on the web, but deployed inside your own private network.

Why Use it Over KeePass?

I personally love KeePass, I can’t talk about it enough; I wrote a post a while ago all about it. However, as much as I like it, it falls short on some management features that I feel I need when working in a team of diverse responsibilities and access levels. While we can create a lot of process and hoop jumping to resolve this issue, I’d rather not if it can be avoided (plus, we’re IT, we want software to do the hoop jumping and process for us! That is what it is there for).

Prerequisites For Install

The requirements for installation are pretty straightforward, IIS7+ and MSSQL 2005+; once these requirements are met the install for Passwordstate is easy. I’m deploying it on IIS8 and MSSQL 2012 Express on top of Windows 2012 R2 for this review.

Organization

Passwordstate makes everything pretty easy to get to. Unlike KeePass, passwords are kept in “password lists”; think of these lists as folders in KeePass. These lists can have a long list of permissions and customizations added to them (see later in this review for those options). On top of password lists you can create folders to store groups of password lists.

Navigating password lists is pretty simple.

In the example above we have a folder for development environment passwords; we could grant access to our storage admin to “Storage Arrays”, our DBA to “Database” and so on, allowing fine-grained control over lists. Additionally I have a personal password list named “William’s Password List”, more on personal password lists later.

Password Management

Creating and editing passwords is pretty straightforward: a handful of fields you’re pretty familiar with if you use a password vault. Nothing really too special here other than a very nice UX design.

Auditing

By far the biggest benefit over a system like KeePass is the ability to audit access to passwords. Want to know who last updated the password on a service account? Whether a system admin scanned all passwords before leaving? KeePass won’t tell me any of that.

Simple UI, easy to grab a password or check recent audit events.

Audit reports can be sent at regular intervals to your e-mail so you can stay on top of what is going on.

Further details on the state of your password lists.

Personal Password Lists

Personal Password List

Passwordstate has a different kind of password list for personal use: you can make a list for yourself that has additional security features (while you can password-protect regular password lists, I can usually justify additional passwords on personal lists a lot easier). In this case I’ve put a separate password on it from my account, requiring another step of authentication. These lists cannot be seen by administrators and stick with you.

Keeping personal passwords centralized has many benefits too.

The ability to keep your passwords in Passwordstate allows you to easily hand over all account passwords for various pieces of software (for example, if you hold a lot of licensing portal credentials on your personal e-mail account).

Password List Options

Another very powerful addition over KeePass is the customization behind your password lists.

A long list of configurable options to help make each list customized to its purpose.

You can have some lists sync with Active Directory, others have very strict password complexity requirements, some lists only available during work hours, and other lists have expiration dates.

Problems With Passwordstate

There are a handful of issues with Passwordstate; first and foremost is that everything has to be done via the web UI. While Passwordstate is configured for SSL up front, I can understand the argument that browsers are one of the most exposed pieces of software we use on a daily basis, and putting our passwords in that basket may not be the best idea.

Additionally, if you lose your Passwordstate server, your passwords are unavailable. Passwordstate does provide high availability options (at additional cost), but I’d throw an export of your password list every once in a while, along with a DB backup, into a fire safe and offsite just in case things get really bad. Update: version 7 includes the ability to export to a KeePass database, which will help if your network is down.

A small annoyance is that I can’t do upgrades unless I set up a backup path; when I’m backing up the entire machine with Veeam and I do an upgrade after a snapshot, I really don’t care if I have to roll the entire VM back, but I don’t really have the option. Really minor gripe though, I know why they’ve done it (for those that don’t have good backups in place). Update: version 7 doesn’t enforce this, allowing you to upgrade and rely on your own backups.

Overall

With it being free up to 5 users, I don’t see why not for small businesses! Even beyond that I’d say the additional safety and auditing is worth the relatively low price $37/user (that lowers as you add more users) and tops out at $4272 for unlimited user installs. This is by far not an exhaustive list of what Passwordstate can do (we’ve just skimmed the surface), so go grab a 5 user license and try it out today!

100% Qualys SSL Test A+

Written by William Roush on April 1, 2014 at 10:41 pm
Obtaining 100/100/100/100 on Qualys SSL Server Test

For fun we’re going to poke at what it takes to score 100 across the board with Qualys SSL Server Test — however impractical this configuration may actually be.

Qualys SSL Server Test… What Is It?

Qualys SSL Server Test is an awesome web-based utility that will scan your website’s SSL/TLS configuration against Qualys best practices. It’ll run through the various SSL and TLS protocol versions, test all the cipher suites, and simulate negotiation with various browser/operating system setups. It’ll give you not only a good basis for understanding how secure your site’s SSL/TLS configuration is, but also whether it’s accessible to people on older devices (I’m looking at you Windows XP and older IE versions!).

Getting 100/100/100/100

Late at night I was poking at some discussions on TLS, and wondered what it really took to score 100 across the board (I’ve been deploying sites that scored 100/90/100/90), so I decided to play with my nginx configuration until I scored 100, no matter how impractical this would be.

server {
  ssl_certificate /my_cert_here.crt;
  ssl_certificate_key /my_cert_here.key;

  # TLS 1.2 only.
  ssl_protocols TLSv1.2;

  # PFS, 256-bit only, drop bad ciphers.
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM256:DH+AESGCM256:ECDH+AES256:DH+AES256:RSA+AESGCM256:RSA+AES256:!aNULL:!MD5:!kEDH;

  # Enable SSL session resume.
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;

  location / {
    # Enable HSTS, enforce for 12 months.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  }
}

Qualys wants only 256-bit (or stronger) cipher suites.

This barely differs from our standard configuration (depending on whether you choose to mitigate BEAST instead of the RC4 issues).

100/100/100/100 comes at a high price.

To get to having all 100s we drop pretty much all but the most modern browsers… oops!

100s Not Realistic

It seems you’ll want to aim for 100/90/100/90 with an A+. This configuration will give your users the ability to take advantage of newer features (such as Perfect Forward Secrecy and HTTP Strict Transport Security) and stronger cipher suites while not locking out older XP users, and without exposing your users to too many TLS vulnerabilities (when supporting XP, you have to choose between protecting against BEAST or using the theoretically compromised cipher RC4).

So we’ll want to go with something a little more sane:

server {
  ssl_certificate /my_cert_here.crt;
  ssl_certificate_key /my_cert_here.key;

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  # PFS + strong ciphers + support for RC4-SHA for older systems.
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:RC4-SHA:HIGH:!aNULL:!MD5:!kEDH;

  # Enable SSL session resume.
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;

  location / {
    # Enable HSTS, enforce for 12 months.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
  }
}

10/24/2014 Update: Removed SSLv3 due to POODLE exploit for A+ example.

Dan Kaminsky – Black Ops Of PKI

Written by William Roush on March 26, 2014 at 7:58 pm

Amazing talk by Dan Kaminsky discussing what is broken with X.509 (SSL). It’s an amazing dive into how X.509 works, various exploits, and the impending problem of the Verisign MD2 root certificate, which may be open to a preimage attack sometime in the near future.