This blog post describes how I manage my many website logins (usernames, passwords). I am very interested in how I can improve my current approach. I want it to be highly secure and highly convenient. Please feel free to add your comments and suggestions!
I try to use secure passwords for all of my web accounts, i.e. long random combinations of “special characters”, mixed case letters and numbers. They are usually so secure that I definitely cannot remember them.
So I let my web browser remember, manage and auto-fill my website logins. I use:
- Firefox Secure Password Generator when creating new accounts
- Firefox password manager to remember the credentials, with master password
- “Allow Password Save” Greasemonkey user script to force some websites to allow this
- Firefox Sync to make all the remembered logins equally available on all my computers
- Firefox Secure Login extension for single-click logins (works on most major sites)
- Firefox Saved Password Editor to correct auto-detected login info where necessary
- Firefox Password Exporter extension for occasional password backups to an offline file
The approach works well and I never have to memorize my passwords. But my worries are:
- Is Firefox Sync data as secure as Mozilla claims it is?
- What can happen if malicious hackers gain access to the Firefox Sync servers?
- Is the Triple-DES encryption with cipher block chaining that is allegedly used for local password storage in the Firefox profile secure enough (especially given this long-standing bug)?
- Is it a bad idea to let Firefox even remember my online banking, PayPal and other sensitive passwords?
If I have to work on a Windows machine, these are the tools I usually install and use:
Free/Libre/Open Source software (“FLOSS”) with OSI certified Open Source license:
- Latest JDK
- Intellij (Community Edition)
- Eclipse (Platform Runtime Binary + plugins required for my work)
- Apache Tomcat
- Apache Maven
- Git (from git-scm.org)
- Cygwin (with openssh, wget, nano)
- Firefox (with Adblock, Secure Login, Firebug, Uppity)
- Link Shell Extension
Binaries currently available for download without license fees:
- Adobe Reader
Recently I have been getting error messages like “You are already using another session” (when signed in at browserling.com) or “You are already using the service from the same IP address (…). Please log in.” (when not logged in). It looked like somehow the site had stopped working for me.
So the errors finally stopped when I selected “Allow all this page” in the NoScript menu.
I like this visual history of HTML5 …
Recent Firefox versions show a fancy “top sites” overview page every time the user opens a new (empty) tab. This is supposed to allow quick navigation to your most often visited sites.
If you (like me) don’t like the lag (and related security issues) that this adds to opening new tabs then set the new tab behavior back to showing a blank page:
- Open “about:config” in the address bar
- Acknowledge the warning to be careful
- Search for “browser.newtab.url”
- Right-click, Modify
- Change the value from “about:newtab” to “about:blank”
Only after writing this blog post, I noticed that there is a Firefox help page that explains the same procedure.
I just tested my personal “résumé” – British folks would say “CV” – website at oliver.doepner.net successfully on IE8, IE9, Firefox 3.6 to 9, latest and older Chrome versions, Opera 10 and 11 and Safari 4 and 5.1. It works on all browsers and looks fine.
You might wonder if I have all these browsers installed? No, I don’t. I used the amazing browserling.com service that runs all the various browsers in virtual machines “in the cloud”, and embeds the UI in their website. Cool stuff and currently free for everyone to use!
One caveat with browserling.com is a tool called IETester that they use to emulate the ancient IE5.5 and IE6 browsers. It seems to have bugs related to PNG graphics which prevented reliable testing. So if anyone out there still uses IE5.5 or IE6: Please visit oliver.doepner.net and let me know if you can see the photo of me on the page with the transparency effect.
On the newer CSS3 capable browsers, my site now sports drop shadows and rounded corners, using
I also tested W3C standards compliance (HTML5, CSS3) and all my pages did pass those tests as well, except for some stuff caused by bugs in the CSS3 validator at w3.org. What a nice way to end the computer oriented part of the day …
My sources.list entries:
    # local repo (manually downloaded debs, etc.):
    deb file:/usr/local/packages ./

    # The closest Debian mirror is at Dalhousie University, Halifax:
    deb http://mirror.its.dal.ca/debian/ squeeze main contrib non-free
    deb http://mirror.its.dal.ca/debian/ squeeze-updates main
    deb http://mirror.its.dal.ca/debian/ squeeze-proposed-updates main
    # See http://www.debian.org/mirror/list for mirrors closer to you

    # Security updates (not mirrored)
    deb http://security.debian.org/ squeeze/updates main

    # Official backports repo for squeeze (I install the Linux kernel from it)
    deb http://backports.debian.org/debian-backports squeeze-backports main

    # Debian multimedia, a must-have for mplayer et al.
    deb http://mirror.its.dal.ca/debian-multimedia squeeze main non-free

    # Repo that provides latest Iceweasel (aka Firefox)
    deb http://mozilla.debian.net/ squeeze-backports iceweasel-release
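A list like this mixes several package origins, so it helps to see at a glance which entries are local, which travel over plain HTTP, and which come from hosts outside debian.org. The following is an added example, not part of the original post: `parse_sources`, `flags`, `audit` and `has_security_suite` are hypothetical helpers, and the flag names are labels made up for this sketch.

```python
from urllib.parse import urlparse

# The post's own entries, one per line (comments omitted).
SOURCES = """\
deb file:/usr/local/packages ./
deb http://mirror.its.dal.ca/debian/ squeeze main contrib non-free
deb http://mirror.its.dal.ca/debian/ squeeze-updates main
deb http://mirror.its.dal.ca/debian/ squeeze-proposed-updates main
deb http://security.debian.org/ squeeze/updates main
deb http://backports.debian.org/debian-backports squeeze-backports main
deb http://mirror.its.dal.ca/debian-multimedia squeeze main non-free
deb http://mozilla.debian.net/ squeeze-backports iceweasel-release
"""

def parse_sources(text):
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()      # strip comments
        if not fields:
            continue
        kind, rest = fields[0], fields[1:]
        if rest and rest[0].startswith("["):       # skip "[ option=value ]"
            while rest and not rest[0].endswith("]"):
                rest = rest[1:]
            rest = rest[1:]
        if kind not in ("deb", "deb-src") or len(rest) < 2:
            raise ValueError(f"malformed entry: {raw!r}")
        entries.append({"uri": rest[0], "suite": rest[1], "components": rest[2:]})
    return entries

def flags(entry):
    """Labels invented for this example, not apt terminology."""
    url = urlparse(entry["uri"])
    out = []
    if url.scheme == "file":
        out.append("local-file")        # provenance of these debs is on the admin
    elif url.scheme == "http":
        out.append("plaintext-http")    # apt still checks the signed Release file
    if url.hostname and not url.hostname.endswith(".debian.org"):
        out.append("host-outside-debian.org")
    if {"contrib", "non-free"} & set(entry["components"]):
        out.append("non-main-components")
    return out

def audit(text):
    return [(e["uri"], e["suite"], flags(e)) for e in parse_sources(text)]

def has_security_suite(text):
    hosts = {urlparse(e["uri"]).hostname for e in parse_sources(text)}
    return "security.debian.org" in hosts
```

Calling `audit(SOURCES)` returns one `(uri, suite, flags)` tuple per entry; a host flagged as outside debian.org may still be a mirror of the official archive, so that flag marks entries to look at, not entries to remove.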