How to protect your PC passwords

Image: the Yubikey, which effectively works as a personal OTP (picture: Yubico)

The security benefits of a two-factor authentication system are unquestionable: for online accounts, which can be attacked by anyone with internet access, the extra protection makes more and more sense. But what about your home PC?

In a way, that already has two factors, the first being the bricks and mortar that surround it. Before you can even log in, you have to get through the front door. Even so, many people run their Windows installation with no log-in password, or with a weak one, for ease of use.

Besides, anyone with physical access who is really keen to get at your stuff can bypass the log-in altogether: booting from a CD or USB stick, or simply removing the drive, reaches your files without ever seeing the password prompt. So where does that leave your desktop? We talked about one-time passwords (OTP) in our article How to protect your gaming account. So are these applicable to your desktop?

Yes and no is the annoying reply. An online service has a server that is always up to check the code you type in; at home, you would have to provide that server yourself. Happen to have one of those spare? We didn't think so.

Technically there's no reason you can't run your own authentication server: OpenOTP from www.rcdevs.com is a full enterprise-level product that happens to be free for deployments of 25 or fewer users, if you have a lot of spare time on your hands.

If you're not an enterprise-level system administrator, true home-based OTP solutions are rare. One we've come across is the £23 Plurilock from www.plurilock.com. This uses a pseudo-random number generator and a key fob to add an OTP to the standard Windows log-in: the PC generates the expected code locally, from a secret it shares with the fob, and matches it against the code the fob shows, so no server is involved.

Being an offline solution has its limits, however: a recovery master code will still unlock the system, and an OTP at log-in does nothing for the contents of the drive, which remain readable to anyone who removes it, if the data is what an attacker is after.

Key to safety

Another solution is the Yubikey from www.yubico.com. It's an interesting product that supports a range of open standards and open source projects, such as OpenID, TrueCrypt, WordPress and the Windows log-in.

While it can function at an enterprise level through its support for the OATH (Initiative for Open Authentication) standard, it also has a couple of personal-level features. It can act as a basic password key fob that types out a static password, but more interestingly it works with a number of online password storage services such as LastPass and Passpack, where each touch of the key emits a fresh one-time code as a second factor. This effectively turns it into a personal OTP for all the applications and services those stores cover.

There is a small subscription fee attached to the service: £8 per year for LastPass, but when bought with the key this drops to just over £3 for two years. It's one of the few services we've seen that provides cheap and simple personal one-time password protection.
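To show what the fob and the PC are each computing in an offline OTP scheme of the OATH kind mentioned above, here is an added example written for this article (it is not Plurilock's or Yubico's code): HOTP from RFC 4226, its time-based variant TOTP from RFC 6238, and the PC-side check that accepts a code only once and resynchronises within a small look-ahead window. The shared secret is the RFC 4226 test-vector secret; the window and clock-skew sizes are assumptions.

```python
import hmac
import hashlib
import struct
import time

# Shared secret from the RFC 4226 test vectors (ASCII "12345678901234567890").
# In a real deployment it is generated randomly and copied into the fob once.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter replaced by the number of `step`-second periods since the epoch."""
    return hotp(secret, unix_time // step, digits)


class EventVerifier:
    """PC-side state for an event-based (push-button) fob.

    It holds the shared secret and the next expected counter. The user may press the
    button without logging in, so the PC searches a small look-ahead window (assumed 10)
    and, on a match, jumps past that counter so the same code is never accepted twice.
    """

    def __init__(self, secret: bytes, window: int = 10):
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, skew: int = 1) -> bool:
    """PC-side check for a time-based fob: accept the current step plus `skew` steps either
    side to absorb clock drift (skew=1 is an assumption). A real implementation must also
    remember the last accepted step so a code seen once cannot be replayed within the window."""
    current = now // step
    steps = [current + d for d in range(-skew, skew + 1) if current + d >= 0]
    return any(hmac.compare_digest(hotp(secret, s, len(code)), code) for s in steps)


def replay_demo() -> tuple:
    """Walk an EventVerifier through first use, replay, skip-ahead and stale-code cases."""
    v = EventVerifier(SECRET)
    return (
        v.verify(hotp(SECRET, 0)),  # True: first use of counter 0
        v.verify(hotp(SECRET, 0)),  # False: replay of the same code
        v.verify(hotp(SECRET, 2)),  # True: button pressed once without logging in
        v.verify(hotp(SECRET, 1)),  # False: counter 1 is now behind the verifier
        v.counter,                  # 3: next counter the PC will expect
    )


if __name__ == "__main__":
    for c in range(3):
        print(f"counter {c}: {hotp(SECRET, c)}")
    print("TOTP right now:", totp(SECRET, int(time.time())))
    print("replay demo:", replay_demo())
```

The look-ahead window is what lets the PC cope with a fob that has been pressed a few times in a pocket; making it large, or forgetting to advance the counter after a match, is what turns an OTP back into a reusable password.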

Safe browsing?


Less well-known are the security features built into Firefox, Internet Explorer and Chrome. You've probably noticed that they offer to store website log-in details and passwords. It's a handy feature, but what happens if someone wandering by decides to start poking around in the sites you've saved log-ins for?

It doesn't matter how strong your passwords are if you've let a browser store them with no protection. Having no Windows password makes it doubly bad: an unattended PC will lock and ask the user to log back in, but with no password set, an intruder is straight in.

Firefox offers good protection, if you ask it nicely: it can protect the encrypted password file on your hard drive with a master password. Without one, the file is still encrypted, but its key is protected by an empty password, so anyone who can copy the file can open it; with one, every stored user name and password is locked behind the master password. So if someone happens to be on your computer and fires up the browser, they'll have to enter that password before the browser starts filling in your bank details for them.

Internet Explorer has no direct equivalent. What it does have is a Content Advisor, designed to block inappropriate content rather than access to the browser and its stored passwords, but it can be pressed into service. Open Internet Options > Content and under Content Advisor click Enable; you'll be prompted to enter a supervisor password and hint. Bear in mind this only gates the browser window: IE's saved passwords are protected by Windows DPAPI under your Windows account, so they are exactly as safe as your Windows log-in.

Initially this is massively annoying, as it'll prompt you for every website. We suggest you set a homepage, so that the password is required when the browser is first opened, and then allow all the other sites. The alternative is to set up blocks only on sites that require passwords.

When it comes to Chrome, security is even more lax: there isn't any way to password-protect access to the browser within Chrome itself. Chrome does encrypt its saved passwords, but with Windows DPAPI, keyed to your Windows account, so anyone logged in as you can view them from the settings page; again, they're only as safe as your Windows password. There is an extension called Secure Profile that goes some way to address this. It forces a password to be entered before access to the browser is allowed. However, as it's an extension it can be disabled by knowledgeable people, and because of the limits on what an extension can do in JavaScript it shows the password in clear as you type it. But it does block access, and is better than nothing.

How to strengthen your password protection in Firefox

1. Meet the master


Letting your browser remember passwords with no master password weakens security. Anyone who gets at your system can log into any shopping site, and possibly your bank and email. In Firefox, add a master password by selecting Firefox Menu > Options > Security and ticking Use a master password.

2. Out, damn spotter


Enter the password at the prompt and you're done. Now click the Saved Passwords... button: normally you'd be able to browse all of your saved log-ins, but instead you're confronted by a security check. People can still use Firefox: this just blocks access to the stored passwords and the automatic form filling.

3. Extra-strong flavour


A program called FireMaster can run a local brute-force attack on a copy of the encrypted Firefox password file. You can switch Firefox to FIPS mode by selecting Firefox Menu > Options > Advanced > Encryption > Security Devices and clicking Enable FIPS, which restricts it to FIPS-validated algorithms. That is no substitute for the master password itself being strong, though: an offline guesser tries candidates as fast as your CPU allows, with no lockout, so the only thing that defeats it is a master password too long and unpredictable to guess.
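To make the offline brute-force point concrete, here is an added example written for this article; it is a constructed model of a password store, not Firefox's real on-disk format and not FireMaster. The store holds a salt, an iteration count and a verifier tag derived from the master password with PBKDF2; the wordlist, the mangling rules and the two master passwords are all constructed for the demo. The attacker holding the file gets unlimited guesses, so all that stands in the way is the per-guess cost and the size of the space the master password lives in.

```python
import hashlib
import hmac

# Constructed model only: a salt, an iteration count and a verifier tag.
# Real browser stores differ in format; the attacker's problem is the same.
SALT = b"constructed-salt-value"

# Constructed stand-in for the dictionaries crackers ship with.
WORDLIST = ["password", "letmein", "secret", "firefox", "windows",
            "monkey", "dragon", "qwerty", "welcome", "master"]


def derive_tag(master: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted derivation (PBKDF2-HMAC-SHA256); the iteration count sets the per-guess cost."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=32)


def make_store(master: str, iterations: int = 1000) -> dict:
    """Create the on-disk record; 1000 iterations is kept low so the demo runs quickly."""
    return {"salt": SALT, "iterations": iterations,
            "tag": derive_tag(master, SALT, iterations)}


def unlock(store: dict, master: str) -> bool:
    """What the browser does at the master-password prompt."""
    tag = derive_tag(master, store["salt"], store["iterations"])
    return hmac.compare_digest(tag, store["tag"])


def mangle(word: str):
    """Cheap rules every cracker applies to each dictionary word (103 candidates per word)."""
    yield word
    yield word.capitalize()
    yield word + "!"
    for n in range(100):
        yield f"{word}{n}"


def guess_offline(store: dict, wordlist):
    """An attacker who has copied the file gets unlimited, lockout-free guesses.
    Returns (recovered master or None, number of guesses made)."""
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            if unlock(store, candidate):
                return candidate, tried
    return None, tried


def passphrase_space(dictionary_words: int, length: int) -> int:
    """Search space for a passphrase of `length` words drawn at random from a dictionary
    of `dictionary_words` entries (the attacker expects to search half of it)."""
    return dictionary_words ** length


if __name__ == "__main__":
    weak = make_store("secret1")                           # constructed weak master password
    strong = make_store("glacier violin mustard lantern")  # constructed four-word passphrase
    print("weak store:", guess_offline(weak, WORDLIST))
    print("strong store:", guess_offline(strong, WORDLIST))
    print("four words from a 7,776-word list:", passphrase_space(7776, 4))
```

The weak store falls on the 211th guess because "secret1" is a dictionary word plus a digit, which is the first thing any cracker tries; the passphrase survives the whole wordlist and its mangled forms, and even if the attacker knew it was four words from a 7,776-word list the space is over 3.6 thousand million million candidates. Iteration count buys a constant factor per guess; length and unpredictability of the master password buy the exponent.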