Scambaiters

The security of Twofish in a password database


 

Password Safe



Support

Password Safe is now an open source project. The current version as of February 15, 2007 is 3.0.6. To download it, or for technical support, please visit its SourceForge page at passwordsafe.sourceforge.net.

For support of 1.7.1 and earlier versions, see the Password Safe FAQ at www.schneier.com or e-mail passwordsafe@schneier.com.

Many computer users today have to keep track of dozens of passwords: for network accounts, online services, premium web sites. Some write their passwords on a piece of paper, leaving their accounts vulnerable to thieves or in-house snoops. Others choose the same password for different applications, which makes life easy for intruders of all kinds.

With Password Safe, a free Windows utility designed by Bruce Schneier, users can keep their passwords securely encrypted on their computers. A single Safe Combination--just one thing to remember--unlocks them all.

Password Safe protects passwords with the Twofish encryption algorithm, a fast, free alternative to DES (Twofish is a 128-bit block cipher accepting keys of up to 256 bits, and was one of the five AES finalists). The program's security has been thoroughly verified by Counterpane Labs under the supervision of Bruce Schneier, author of Applied Cryptography and creator of the Twofish algorithm.

Password Safe features a simple, intuitive interface that lets users set up their password database in minutes. You can copy a password just by double-clicking, and paste it directly into your application. Best of all, Password Safe is completely free: no license requirements, shareware fees, or other strings attached.

See the Twofish page at www.schneier.com for more information on the Twofish algorithm, including links to other products that use Twofish.
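Whatever the cipher, a database unlocked by a single Safe Combination is only as strong as that combination and as expensive as the work needed to turn it into a key. The example below is added here to show that point; it is not Password Safe's own code and does not reproduce its file format. Twofish is not in the Python standard library, so the cipher step is stood in for by a key-check value (a hash of the derived key) of the kind a safe header would use to recognise the right key before decrypting the records; the PBKDF2 stretching, the iteration count and the guess list (pet names and dates in the style of the Visa survey reported further down this page) are assumptions constructed for the demo.

```python
"""Key stretching for a master 'Safe Combination' and a dictionary attack
against it.  Added example, not Password Safe's code: the file format,
the PBKDF2 choice and the cost parameter are all assumptions for the demo.
Twofish is absent from the standard library, so instead of decrypting a
record we check a stored H(key) value, as a safe header would before
attempting to decrypt the Twofish-encrypted database."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

ITERATIONS = 50_000  # assumed stretching cost, chosen for the demo


def derive_key(combination: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the passphrase into a 256-bit key with PBKDF2-HMAC-SHA256.
    Every iteration the legitimate user pays at unlock time is one the
    attacker must also pay for each guess."""
    return hashlib.pbkdf2_hmac("sha256", combination.encode("utf-8"),
                               salt, iterations, dklen=32)


def key_check(key: bytes) -> bytes:
    """What the header stores to recognise the right key: H(key), never the
    key or the passphrase itself."""
    return hashlib.sha256(key).digest()


def create_safe(combination: str, iterations: int = ITERATIONS) -> dict:
    """Header fields for a new safe: random salt, cost, and check value."""
    salt = os.urandom(16)
    key = derive_key(combination, salt, iterations)
    return {"salt": salt, "iterations": iterations, "check": key_check(key)}


def open_safe(safe: dict, combination: str) -> bool:
    """True if `combination` derives the key this safe was created with."""
    key = derive_key(combination, safe["salt"], safe["iterations"])
    # constant-time comparison so the check does not leak by timing
    return hmac.compare_digest(key_check(key), safe["check"])


def dictionary_attack(safe: dict, guesses: List[str]) -> Tuple[Optional[str], int]:
    """Try each guess in order; return (hit or None, derivations spent)."""
    for n, guess in enumerate(guesses, 1):
        if open_safe(safe, guess):
            return guess, n
    return None, len(guesses)


# Constructed guess list: pet names, nicknames and memorable dates.
GUESSES = ["fluffy", "tiddles", "1066", "1966", "password",
           "Fluffy1", "rex", "mittens"]

if __name__ == "__main__":
    weak = create_safe("mittens")            # a pet name as the combination
    strong = create_safe("oR7#vQ2!kLm9pZ")   # random characters
    print("weak safe:  ", dictionary_attack(weak, GUESSES))    # ('mittens', 8)
    print("strong safe:", dictionary_attack(strong, GUESSES))  # (None, 8)
```

Raising `ITERATIONS` makes each guess proportionally slower for the attacker, but a combination that appears in a guess list still falls after a bounded number of derivations; stretching buys time, it does not replace a good Safe Combination.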



Security Strategy


Is your cat a target for password-stealing hackers?

Despite increased awareness about the need for secure passwords, internet users are still leaving themselves vulnerable to hackers by choosing easy to guess subjects such as their cat or partner's name.

Over three-quarters choose passwords relating to friends, family and memorable dates, according to research into 1,000 internet users by Visa Europe.

The favourites are nicknames (21 per cent), birthdays and anniversaries (15 per cent), pet names (15 per cent), family members' names (14 per cent) and memorable dates such as the Battle of Hastings and England's World Cup victory (seven per cent). Thankfully very few people (two per cent) use 'password' as their password. All of those are details that basic social engineering techniques would uncover relatively quickly. To make matters worse, a third of respondents said they use the same password for all their log-ins, while a quarter use it nearly all or most of the time.

But the message about choosing hard to guess passwords does seem to be getting through to some people with 22 per cent opting for random letters. And it's the silver surfers who are leading the way with almost a third of over-60s using random letters and numbers, compared to the under-30s who prefer nicknames.

Hugo Bottelier, VP at Visa Europe, said in a statement: "It is not surprising that loved ones and pet names top the most popular list as often people struggle to remember random characters or designated log-in codes and opt to choose their own. Of course, it is important that our passwords are personal and meaningful to us, but also that they are difficult to decipher and not easily guessed."

Visa's tips on choosing secure passwords include: avoid words that appear in the dictionary, which can be cracked by hacker tools; avoid any personal information, as it can be inferred or guessed; don't write it down and leave it by your credit card or PC; and use random letters, numbers and punctuation.

In a separate announcement, the UK's Chip and PIN organisation has started a campaign to help people memorise their PINs. With chip and PIN, credit and debit card holders need to remember their four-digit PIN - the same number they use to withdraw money at a cash machine - to verify purchases at the point of sale.

A guide with tips and memory tricks, such as linking numbers with memorable images, is available from the chip and PIN website at www.chipandpin.co.uk.

More than 41 per cent of UK cardholders had been issued with a chip and PIN card by the end of May 2006 and major retailers including Dixons, Wilkinsons, Asda and Tesco are currently making the upgrade in stores across the country.



Network Security


Network Security: What you need to know

Wheaton's community depends heavily upon electronic services, from its business systems to electronic mail, to accomplish its mission. In support of that mission, the objective of Wheaton's information services is to maintain an open, collaborative and secure computing environment. There is an inherent conflict between open and secure, one that is difficult to balance. We have an obligation to provide accurate and reliable information to any authorized user.

Our electronic services are increasingly targeted by viruses, junk mail (spam) senders and intruders. We are working to protect our networked resources and want to keep you posted on our progress.

Viruses: LIS has taken steps to control viruses through central system monitoring and by licensing antivirus software for all computers used by faculty, staff and students. We block certain email attachments that typically spread viruses, stopping them at our "front door" before they enter our systems. For more information, please see Wheaton College's Email Attachment Practice. Some extensions will be quarantined for your review before being delivered to your Inbox; pay attention to your Quarantine.
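Extension-based attachment blocking of the kind just described is easy to get subtly wrong: a filter that looks only at the last extension, or compares case-sensitively, lets "Invoice.PDF.exe" or "Report.DOC.scr" through. The following is an added example written for this page, not Wheaton's Email Attachment Practice or its gateway software; the blocked and quarantined extension sets and the sample filenames are assumptions constructed for the demo.

```python
"""Attachment classification by extension, checking every extension in the
name rather than only the last one, case-insensitively.  Added example;
the lists below are assumptions, not Wheaton's actual practice."""
import os

# Assumed: types that execute directly are dropped at the "front door".
BLOCKED = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
# Assumed: types held in Quarantine for the recipient's review.
QUARANTINED = {"zip", "doc", "xls", "ppt"}


def extensions(filename: str) -> list:
    """All extensions in the name, lower-cased: 'Invoice.PDF.exe' -> ['pdf', 'exe'].
    Path separators are discarded first, so 'C:\\temp\\a.exe' is judged by 'a.exe',
    and stray whitespace around an extension is ignored."""
    base = os.path.basename(filename.replace("\\", "/")).strip()
    return [part.strip() for part in base.lower().split(".")[1:]]


def classify(filename: str) -> str:
    """'block' if any extension is executable, 'quarantine' if any is a type
    held for review, otherwise 'allow'.  Block wins over quarantine."""
    exts = extensions(filename)
    if any(e in BLOCKED for e in exts):
        return "block"
    if any(e in QUARANTINED for e in exts):
        return "quarantine"
    return "allow"


def verdict(attachments: list) -> str:
    """Strictest verdict across all attachments of one message."""
    order = {"allow": 0, "quarantine": 1, "block": 2}
    return max((classify(a) for a in attachments),
               key=order.__getitem__, default="allow")


# Constructed attachment names a mail gateway might see in one message.
SAMPLE = ["minutes.doc", "photo.jpg", "Invoice.PDF.exe", "report.zip", "notes.TXT"]

if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name:20} -> {classify(name)}")
    print("message verdict:", verdict(SAMPLE))
```

Note that the trailing-dot form "file.exe." (which Windows silently strips) still classifies as "block", because the empty final extension does not hide the "exe" before it.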

Junk mail: LIS is currently screening for junk mail and will continue to research the best practices for its control while being sensitive to the value our community places upon academic freedom and various points of view.

Intruders: Intruders present the biggest challenge to the openness of our computing environment and to the viability of our electronic services and the critical information they house. Intruders routinely attempt to break into the central servers that run our electronic systems. If successful, they could damage or steal the information that is housed there or lurk, stealing passwords that could be used to access other campus systems and beyond. LIS monitors Wheaton's servers, looking for suspicious activity. LIS monitors national security alerts and constantly updates operating systems to respond to known vulnerabilities. In addition, LIS is researching software and hardware solutions to decrease the risk from intrusions.



How You Can Help


You can help maintain our critical network and data assets by practicing good password management, adhering to the college's Acceptable Use Policy (AUP), and protecting privacy.


Good Password Management

A new, stricter password policy will go into effect for all members of Wheaton's community in April. This new policy will require you to change your password every 6 months. You will be reminded by email that you have not changed your password after 170 days. Please note that the passwords you have used in the past are not acceptable.

A new password must:

- contain at least 8 characters
- contain no more than 15 characters
- contain only letters, numbers, dashes and underscores (no other special characters)
- contain at least 2 numbers
- contain at least 1 capital letter
- not be a previously used password
- be reset every 6 months (you will receive a warning after 170 days if you have not changed it)


The new password policy will at first only apply to accessing email and network file storage. Over time, more services will be incorporated into this infrastructure (like Blackboard for example). See below for instructions on how to change those passwords as well.

In addition it is recommended that you...

1. Keep all your passwords private.
2. Until we are able to provide a more robust, single sign-on authentication environment, please use different passwords for the various Wheaton systems you access (Banner, email, Meeting Maker, Blackboard, etc.). It is particularly important to keep your Banner and WINDOW passwords separate from your others, given the sensitivity of the information housed there.
3. Never share your password or request it over the phone.
4. Do not allow a computer, or a service provider, to automatically save your password.
5. Do not make your passwords from any words or names, either backwards or forwards, that you can find in a dictionary; it takes only a few seconds for an intruder to throw a whole dictionary at your account.
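The policy rules above and recommendation 5 test different things, and a password can satisfy all of the rules while still failing the dictionary advice: "Fluffy12" is 8 characters, has two numbers and a capital, uses only permitted characters, and is a pet name with two digits appended. The check below is an added example for this page, not the college's own software; the word list and the previous-password history are constructed for the demo, and old passwords are kept as hashes rather than in clear.

```python
"""Wheaton-style password policy check plus the separate dictionary test
from recommendation 5.  Added example; the dictionary and the history
are constructed stand-ins, not the college's data or software."""
import hashlib
import re

# Only letters, numbers, dashes and underscores are permitted.
ALLOWED = re.compile(r"[A-Za-z0-9_-]*")

# Constructed word list; a real check would load a full dictionary.
DICTIONARY = {"fluffy", "wheaton", "password", "summer", "lyons", "norton"}


def previous_hash(pw: str) -> str:
    """History keeps hashes of old passwords, never the passwords themselves."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


# Constructed history for one account.
PREVIOUS = {previous_hash("Wheaton2005")}


def policy_violations(pw: str, previous: set = PREVIOUS) -> list:
    """Rules from the policy that `pw` breaks; an empty list means compliant."""
    problems = []
    if len(pw) < 8:
        problems.append("fewer than 8 characters")
    if len(pw) > 15:
        problems.append("more than 15 characters")
    if not ALLOWED.fullmatch(pw):
        problems.append("characters other than letters, numbers, dashes and underscores")
    if sum(c.isdigit() for c in pw) < 2:
        problems.append("fewer than 2 numbers")
    if not any(c.isupper() for c in pw):
        problems.append("no capital letter")
    if previous_hash(pw) in previous:
        problems.append("previously used")
    return problems


def dictionary_based(pw: str) -> bool:
    """Recommendation 5: once digits, dashes and underscores are stripped, are
    the remaining letters a dictionary word read forwards or backwards?"""
    core = re.sub(r"[^A-Za-z]", "", pw).lower()
    return core in DICTIONARY or core[::-1] in DICTIONARY


def assess(pw: str, previous: set = PREVIOUS) -> str:
    """'rejected' if the policy fails, 'weak' if compliant but dictionary-based,
    otherwise 'ok'."""
    if policy_violations(pw, previous):
        return "rejected"
    return "weak" if dictionary_based(pw) else "ok"


if __name__ == "__main__":
    for candidate in ["Fluffy12", "21yffulF", "Wheaton2005", "Secret!99", "Kx7_mQ-42pLz"]:
        print(f"{candidate:14} {assess(candidate):9} {policy_violations(candidate)}")
```

Because the policy caps passwords at 15 characters and forbids punctuation, the dictionary test is doing real work here: it is the only thing separating "Fluffy12" from a genuinely random 8-to-15 character string.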


Change Your Passwords

1. For general electronic services, like email and file services, follow the password change link on the Wheaton home page:
www.wheatoncollege.edu/

or go directly to the password change page at:
https://ldap.wheatoncollege.edu

2. For WINDOW, after logging into WINDOW, select "Personal Information" and the PIN change option is available. Note that WINDOW requires a 6-character PIN.
3. For Blackboard, after logging into Blackboard, select "Personal Information" and then the password change option.
4. For Banner, after logging into Banner, type GUAPSWD into the Direct Access space.
5. For Meeting Maker, after logging into Meeting Maker, select 'Edit' and then 'Preferences' and it will take you to the password change form.


Acceptable Use Policy

Wheaton has policies regarding appropriate use of our networked resources. Your use of Wheaton's network indicates your acceptance of these policies; please be sure you have read them:

Students - www.wheatoncollege.edu
Faculty and Staff - www.wheatoncollege.edu


Use Your Wheaton ID Card

Your Wheaton ID is now used to access Wheaton's many electronic resources, so you should take steps to protect it. Carry your Wheaton ID card with you. Use it when making routine transactions, such as checking out library books and eating in campus dining facilities. Please note: The barcode found on the back of your Wheaton ID card will still be needed to check out library materials, view your circulation record and use the patron self-renewal function in ELIZA.

Clear the Cache on the Public Computers You Use

Do not walk away from a public or shared computer unless you have first logged out of every single service you've touched during that session. Just closing a window is not enough. Look for a log out button -- use it -- and then quit the application.

Most web browser software applications save some information about your activity and reuse it as you work to improve their performance. Safeguard yourself and your personal information by clearing this information out of the browser's memory before you walk away from a public machine.

Here's how to clear your browser's cache file:

Internet Explorer (Windows):

Tools > Internet Options > Temporary Internet Files > choose Delete Files and then choose Delete Cookies

Internet Explorer (Macintosh):

Edit > Preferences

Safari (Macintosh): Safari > Empty Cache


As always, please call the Support Center (x3900) if you need help with password changes or have any other computer support questions.


© 2006-2011 by GSO •  Contact