Codebook Password Manager Mobile App

I have written about Codebook Secure Notebook and the STRIP Password Manager, both here and in Your Ultimate Security Guide: iOS.  Due to some major recent changes to these systems they merit a revisit.  Zetetic, the company that publishes both of these applications, has merged them into a single app.  At first this concerned me greatly.  Though I loved STRIP and think it is one of the more secure password managers on the market, acceptable replacements exist.  What really concerned me was the potential loss of Codebook.  Codebook was an encrypted notes application for which I have not yet found a suitable alternative.  Fortunately Zetetic has given us our cake and allowed us to eat it, too.  The new application, Codebook Password Manager and Data Vault, combines the best features of both of these applications.

One of the stated reasons for the change was the name “STRIP”.  Originally STRIP was a light-hearted acronym for Secure Tool for Remembering Important Passwords.  Unfortunately, people searching for the app online often found many other, less savory uses of the word “strip”. The full name of the application is now a much more serious, though somewhat unwieldy, Codebook Password Manager and Data Vault.

The new version of Codebook Password Manager provides the same password management tools as the old version.  My favorite among these is the organic ability to store TOTP/OATH tokens inside the app.  TOTP/OATH is the Time-based One Time Password/Open Authentication protocol that is commonly referred to as “Google Authenticator”.  This capability negates the need for a second authentication app on the device.  The new Codebook also mimics the old version’s ability to record and securely store notes.  I love the ability to jot down notes on my iPhone but hate that they are not securely stored.  I also dislike that the native iOS Notes application can be synced with (insecure) email accounts.  Codebook solves this problem by giving you an encrypted platform for securely storing notes.

Codebook Secure Notebook Screens

Codebook Password Manager is very easy to use.  Enter your password (or create a new one).  Once you are logged in to your database click the “+” icon in the upper-right side of the screen.  This will allow you to create a “New Entry” or “New Note”.  Entries are password management fodder like usernames and passwords.  New notes are free-form entries that allow you to jot down thoughts, lists, etc.

I have only two complaints with the updated version of Codebook.  First, I miss the old Codebook shield icon.  The icon really doesn’t matter, but I really liked the old one.  Also worth noting: I miss some of the old menu options.  The old Codebook was a dedicated note-taking app and allowed me to choose my font and pitch.  The new version does not; alas, the text in my notes looks big and clunky in comparison. As I said, these are minor complaints and really don’t matter to the app’s function.

The new app is available for Android, iOS, OS X, and Windows.

3DSC Day 8: Change Your Passwords

Last week we primarily worked on securing your local computer.  Yesterday we focused on installing a local password manager.  Today our view will expand outward.  On this, the eighth day of the Thirty-Day Security Challenge I will challenge you to change your passwords on your online accounts.  Don’t rush in and try to change them all at once though – that could be a recipe for disaster.  Instead, try to change your passwords during your normal logins.  Time to check your Gmail account? About to settle in for some Netflix?  Getting ready to order that new book on Amazon?  Take an extra couple of minutes and change those passwords.   Your Dropbox account can wait until tomorrow when you will be logging into Dropbox, anyway.

When changing your passwords you should definitely pay attention to the qualitative aspect of the new ones.  All of your passwords should be:

  1. Unique.  Don’t use the same password on any two accounts.  Each account gets its own password – this is critical to good online account security.  This is much more important than even the quality of your passwords.  No ifs, ands, or buts.  This way if one account is hacked it won’t affect any of the others.  Mat Honan is an excellent example of why using the same password on multiple accounts is a bad idea.
  2. Long.  Use the maximum allowable length.  Google accounts allow you to use up to a 99-character password.  Your password manager does all the work and you’ll never enter it manually, so what do you care?  Max it out!
  3. Randomly generated.  Human-designed passwords are terrible, in the vast, overwhelming majority of cases.  We just have a hard time reliably generating truly complex strings of letters, numbers, and special characters.  Don’t try to make one up.  Instead let the password manager do the work and generate one for you.

The password manager you installed yesterday will be fairly critical to this task.  Without it you won’t be able to generate passwords meeting the above criteria…and if you do, you won’t be able to remember them.  Add each one as a new entry to your password manager when you change it.
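The three criteria above (unique, long, randomly generated) are exactly the checks a password manager performs for you; here they are as an added example in Python, my own code rather than any particular manager’s. The sample vault is constructed for illustration and holds no real credentials.

```python
import math
import secrets
import string

# Drawing from every printable ASCII class gives a 94-symbol alphabet.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 99) -> str:
    """Return a random password of `length` characters.

    secrets (the OS CSPRNG) is used rather than random, and the result is resampled
    until every class is present so sites with composition rules still accept it.
    """
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Strength of a uniformly random password: length * log2(alphabet size).

    The class requirement above rejects a negligible fraction of candidates at
    realistic lengths, so this is an accurate upper bound, not an overestimate.
    """
    return length * math.log2(alphabet_size)


def find_reused(vault: dict) -> dict:
    """Map every password shared by two or more accounts to the accounts using it.

    `vault` maps account name -> password, the shape a manager's entries take.
    """
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


# Constructed sample vault: two accounts deliberately share a password.
SAMPLE_VAULT = {
    "gmail": "correct horse",
    "netflix": "correct horse",
    "amazon": generate_password(64),
}
```

Running `find_reused` over your own export is a quick way to decide which accounts to change first.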

This will be a carry-over task that won’t be finished in a day (unless you really work at it).  If you only change your passwords at your normal logins the process will be slower but it will also be more manageable.  By this time next week I bet that the majority of your accounts have been changed, and by the end of this month all of your accounts should have new passwords.

3DSC Day 7: Install a Password Manager

Welcome to the second week of the Thirty-Day Security Challenge!  We are officially one-quarter of the way through the process!  Today’s task is to install a password manager on your computer and/or phone. This is an absolutely critical step.  Future posts in this series will ask that you change current passwords and create new accounts with good, strong passwords.  Being limited to feeble human memory requires most of us to choose poor passwords.  We use the same ones on multiple accounts and some of the new ones we will create this month will probably be lost or forgotten.  Storing passwords insecurely in a Word document or spreadsheet isn’t a great idea, either, since it’s really vulnerable to loss.  The password manager will solve these problems for us by creating good passwords, recalling them for us, and storing them securely.

Below I have listed some reputable password management options.  Review these, choose one, and install it.  After you have chosen a password manager, secure it with a good, strong password.  Pin it to your taskbar (Windows) or keep it in your dock (Mac). This will place it within easy access for the remainder of the month.  Take a few minutes to get familiar with creating and accessing entries – you should be using this a lot in the future.

There are a number of good password managers out there and your choice will be somewhat driven by your operating system(s).  The list I give here is by no means exhaustive and there are loads of options.  I am only willing to list the ones that I have used and have familiarity with, however.

FREE OPTIONS

Password Safe (Windows):  If you primarily use a single Windows computer, Password Safe is the way to go.  It is widely known for its user-friendliness.  Password Safe is what is known as a host-based password manager, meaning your password database is stored only on one, single device.  It isn’t transmitted to the cloud or stored on a remote server.  There are variants of Password Safe for other operating systems, too, but none of them are supported by the original developer.

KeePass/KeePassX/MacPass (Cross-platform):  KeePass and its variants are open-source password managers and perhaps the most universal of the ones listed here.  There are forks that work on nearly any operating system you can imagine and all of the databases are compatible with other versions.  These are not the most user-friendly password managers, however, and they lack some of the functionality and polish of most of the alternatives.  They do enjoy the benefits of being strongly encrypted, cross-platform, and totally free.  Like Password Safe, KeePass (and its sister applications) only stores your AES-256-encrypted password database locally, on a single device.

LastPass (Cross-platform): LastPass is the only cloud-based password manager I would even begin to recommend.  LastPass stores all of your passwords in an encrypted database in the cloud.  This means that you can access your passwords from any device, as long as you can access the internet.  One other major benefit of a cloud-based password manager is that you will have an offsite backup of your passwords should your computer crash or be stolen. Unfortunately this is exactly the reason I don’t prefer LastPass; being able to access your passwords from the internet means that someone else can, too.  It also means that you might be tempted to enter your master password on a computer that you don’t own or control.  LastPass is free on a single device; to install it on multiple devices will require a premium account, which is only $1/month (which is still really close to free).  Premium accounts can be installed on all your devices and shared among up to five users.

PAID OPTIONS

Codebook Password Manager:  I have a fondness for Zetetic’s Codebook, which I have written about before.  I have used it for years on my iOS devices, and if you only have one or two devices this may be a great option for you.  However, it is a paid program and you must purchase a subscription for each device.  Codebook is a host-based password manager that allows you to sync with other devices locally through Wi-Fi.

1Password:  I include 1Password because it consistently ranks among the most popular password managers.  I personally don’t love it but I also don’t have anything against it, and it does have some good things going for it.  1Password is a host-based password manager that allows you to sync with other devices locally through Wi-Fi.  It is also incredibly user-friendly and good looking, but it is expensive.

Thoughts on the LastPass Breach

I have a couple of thoughts regarding the breach on the popular password manager LastPass earlier this week.  Initially I was disheartened to hear about the breach but was very glad that LastPass dealt with it swiftly and responsibly.  I actually learned of the breach from LastPass, with an email alerting me to change my master password.  Additionally, LastPass is verifying all initial post-breach logins via email unless two-factor authentication is enabled on the account. I was also glad to hear that the attackers were unable to make off with anything more substantial than very strongly hashed (encrypted) master passwords, cryptographic salts, and email addresses.  Though certainly less than ideal, the attackers were still unable to capture plaintext password vaults.


Though I don’t use LastPass anymore I did for several years and because of this and my comfort with it, I recommended it in Your Ultimate Security Guide: Windows 7 Edition and plan to in the upcoming iOS 8.3 Edition.  The two big take-aways from this breach (at least in my mind) are:

Cloud-based password managers are inherently risky.  This may be a provocative statement because many people use web-based password managers without incident.  But for how long?  Because of the treasure trove of information a password manager contains, they are naturally a target.  Secondly, because they are a more complex system than a host-based password manager like Password Safe, there are more potential points of failure.  The data must transit the internet back and forth between your computer and the provider’s server, be decrypted locally to be used, be re-encrypted before being re-uploaded to the cloud server, etc.  A lot of things have to be done correctly for it to be secure throughout the entire process.

Two-factor authentication is important.  When I first saw the email from LastPass about the breach my heart sank.  I no longer use LastPass but I know a lot of people who do.  Fortunately I know that most of them also use two-factor authentication, and as I learned more about the breach I realized that accounts protected with two-factor were still safe.  I gave high praise to LastPass in Your Ultimate Security Guide: Windows 7 Edition for the multitudinous two-factor options it offers: “The Grid” (my favorite), Google Authenticator, fingerprints, Yubikey, etc.  With two-factor enabled my friends were able to rest easy that their passwords had not been breached.  This is the kind of confidence I want in an internet system, especially one with which so much critical data is entrusted.

As I said earlier, I would still recommend LastPass to anyone who is determined to have a web-based password manager.  The convenience of the system is hard to deny, but personally, I’d rather have the security of knowing exactly where all of my passwords are stored.