Regex Password Vault Blog

Heartbleed and Regex Password Vault

by Shawn O'Hern April 13, 2014

Some of our users have asked if Regex Password Vault is vulnerable to the Heartbleed bug. This is important information, so we want to share it with all our users.

Regex Password Vault is not vulnerable to Heartbleed. The Heartbleed bug is a weakness in how some web servers have implemented the SSL/TLS protocol. SSL/TLS is the protocol used in secure (encrypted) Internet communications. When you visit secure websites with an https:// address, it is SSL/TLS that is encrypting the connection. Heartbleed exposes a weakness that could allow an attacker to snoop on the data being transferred, despite the use of encryption.

Regex Password Vault works by storing your passwords locally on your own computer. It does not transmit your passwords over the Internet. Therefore, by design, Regex Password Vault is not affected by the Heartbleed bug.

With that being said, it is wise to change the passwords to all your online accounts. Online services could possibly be affected by Heartbleed, depending on which type of web server they use. The best way to find out if the services you use are affected is to contact the companies that operate each service. If you cannot find information for a specific service, then it is best to change that password.

For more information about Heartbleed, please see http://heartbleed.com/ or http://en.wikipedia.org/wiki/Heartbleed.

If you ever have any questions about the security of Regex Password Vault, please contact us!

Categorized as: Personal Security, Security News

Don't reuse passwords

by Shawn O'Hern February 25, 2013

In light of the recent attacks on Twitter, The New York Times, Zendesk, and several other companies within the past month, I thought it would be a good time to discuss the dangers of using the same few passwords everywhere.

Imagine that one day, a website or service you use suffers an attack. Your password and some other personal info are leaked as part of the data breach. If that password is unique to that one account and used nowhere else, as unfortunate as the attack would be to you, at least the damage will be limited to that account. But now imagine that password is the same password you use for your online banking, webmail, or any other sensitive accounts. Suddenly you are in much more danger. If the attacker uses the breached password to access those other services, he or she will be able to wreak some serious havoc on your life.

Unfortunately, this is not just a theoretical threat. This sort of thing happens quite frequently and can lead to identity theft. If an attacker steals credentials to one site or account, he or she will try using those same credentials to log into other sites to see if they work. So if you are in the habit of using a few favorite passwords everywhere, stop it! Believe me, I know it's a hard habit to break. I even catch myself reusing passwords sometimes, either because it's too hard to memorize new passwords, or just out of sheer laziness. But it's just something we have to do. Online security and identity theft are not things to be taken lightly. Regex Password Vault is one of the most secure and convenient ways to store large numbers of passwords. When coupled with the built-in random password generator, it is super-easy to use strong and unique passwords for all your accounts.

We plan on adding a tool in a future release of Password Vault that will smoke out any duplicate passwords you may have in your Vault file. More details about this will follow.
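One way such a duplicate check can work, as an added example (not Regex Password Vault's code or file format): the record fields `title` and `password` and the sample entries are assumptions constructed for illustration. Passwords are grouped by a keyed digest, so the report names the affected accounts without ever showing a password.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample records; field names are assumptions for this example,
# not the Regex Password Vault file format.
SAMPLE_RECORDS = [
    {"title": "Webmail", "password": "Tr0ub4dor&3"},
    {"title": "Online banking", "password": "Tr0ub4dor&3"},
    {"title": "Forum", "password": "k9$Lq2!vZx7Pw4"},
    {"title": "Social network", "password": "Tr0ub4dor&3"},
    {"title": "Photo site", "password": "sunshine-1987"},
    {"title": "Old blog", "password": "sunshine-1987"},
]


def find_reused_passwords(records):
    """Return lists of record titles that share one password.

    Passwords are compared through an HMAC under a random key that exists only
    for this call, so the grouping table never holds a plaintext password or a
    digest that could be compared across runs.
    """
    key = secrets.token_bytes(32)
    groups = defaultdict(list)
    for record in records:
        password = record.get("password") or ""
        if not password:
            continue  # empty entries do not count as reuse
        tag = hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()
        groups[tag].append(record["title"])
    # Keep only groups with more than one title; largest group first.
    reused = [sorted(titles) for titles in groups.values() if len(titles) > 1]
    return sorted(reused, key=lambda titles: (-len(titles), titles))


def report(records):
    """Build report lines that name the accounts but never the password."""
    return [
        f"{len(titles)} accounts share one password: {', '.join(titles)}"
        for titles in find_reused_passwords(records)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_RECORDS):
        print(line)
```
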

Categorized as: Personal Security, Security News

Security questions: What to do when you encounter them

by Shawn O'Hern October 30, 2012

You have probably seen these things popping up on many websites in the past few years. Security questions and answers are all the rage in the field of cyber pseudo-security these days. When you sign up for an account, you provide answers to questions that supposedly only you would know. Then, if you ever forget your password, you can provide the same answers to prove your identity and reset your password.

Sounds good, right? The problem is that the questions themselves are completely inane. They require answers that can be easily guessed or researched, for example, "What's your pet's name?" or "What's your mother's maiden name?" To an attacker who has the ability to launch brute-force dictionary attacks, and who has access to social media and Google, these questions pose no barrier to entry. In fact, they completely circumvent the password-based security of your account. If an attacker can just successfully answer the questions, then he or she can reset your password to access your data, and worse yet, lock you out of your own account.

How should I handle them?

So what should you do when you're forced to give answers to these security questions? Well, the number one rule is: never answer them truthfully. The absolute least you should do is give false answers. That way, you will trip up would-be attackers who will try finding the answers to your questions through research. This isn't a lie detector test. It doesn't matter if you lie to a website about your favorite color...as long as you can provide the same answer later when you need to reset your account. So even though you have a fondness for periwinkle, say sea foam green instead.

The better solution, however, is to use random text for your answers. What was your first car? uCnyprOz4cl02AVO5gH8No. What is your paternal grandfather's first name? Why, atKIne9qe0m2y9 of course! Random text generated by a password generator is impossible for an attacker to predict.

How can Password Vault help?

Okay, so now what do you do with all these random answers that you need to keep track of? Fortunately, Password Vault makes it easy to store security questions and answers along with your passwords. In addition to the standard username, email, and password, each password record can also store a number of user-defined custom fields for additional data. These are perfect for storing your questions and answers.

In Password Vault, create a new password or edit an existing password. On the Password Properties dialog, in the lower-left corner you will see an area labeled Custom fields. This is where you want to put your security questions and answers. Put the question in the Name box, and the answer in the Value box.

By following this best practice, you will greatly increase the security of your online accounts.
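The random-answer approach above, sketched as an added example (not code from Regex Password Vault): it draws answers from the operating system's cryptographic random source and pairs each question with its answer as Name and Value, the two boxes named above. The letters-and-digits alphabet, the 128-bit default, and the sample questions are assumptions made for this sketch.

```python
import math
import secrets
import string

# Letters and digits only (62 symbols), the same character set as the sample
# answers in the post; an assumption that also fits sites rejecting symbols.
ALPHABET = string.ascii_letters + string.digits


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a uniformly random string of this length."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits, alphabet_size=len(ALPHABET)):
    """Shortest length whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_answer(length):
    """Draw every character independently from the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_custom_fields(questions, target_bits=128):
    """Return one {"Name": question, "Value": answer} dict per question.

    A repeated question is rejected so that an earlier answer is never
    silently replaced by a second one.
    """
    length = length_for_bits(target_bits)
    seen = set()
    fields = []
    for question in questions:
        name = " ".join(question.split())  # collapse stray whitespace
        if not name:
            raise ValueError("empty question")
        if name.lower() in seen:
            raise ValueError(f"duplicate question: {name}")
        seen.add(name.lower())
        fields.append({"Name": name, "Value": random_answer(length)})
    return fields


if __name__ == "__main__":
    # Constructed sample questions.
    sample = ["What was your first car?", "What is your favorite color?"]
    for field in build_custom_fields(sample):
        print(f"{field['Name']}  ->  {field['Value']}")
    print(f"22 characters: about {entropy_bits(22):.0f} bits")
```
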

7 Steps for Choosing a Strong Password

by Shawn O'Hern August 24, 2012

Below are 7 steps to help you choose strong passwords. By following these steps and using strong, unique passwords, you will greatly enhance the security of all your password-protected accounts.

1. DON'T use an obvious password ("password", "123456", "qwerty", etc.)

This shouldn't even need to be written. But unfortunately, every time there is a security breach in the news, there inevitably follows a story about how someone analyzed the leaked data and determined half of all user accounts have "letmein" as their password.

This can't even be characterized as mere laziness. If you use one of these passwords, you are practically begging to have your account hacked.

2. DON'T use names, nicknames, dates, or any meaningful numbers

Don't use your child's name, your pet's name, birthdays, anniversaries, or your old football number. These are all too easy to find, either through public records, or just a little bit of Googling.

3. DON'T use words

Attackers have access to dictionaries too. It is trivial for a hacker to launch a brute-force attack to try every word in the dictionary. They can also anticipate tricks such as using a non-English word, or replacing "s" with "$".

4. DON'T use the same password everywhere

Hopefully you are never unfortunate enough to have one of your passwords stolen or leaked, but you never know. If you are in the habit of using a different password for every account, at least the damage will only be limited to that one account. On the other hand, imagine if that same password could also be used to get into your email, online banking, and social networking accounts...the result could be devastating.

5. DO use the longest password possible

If your password must be between 8 and 15 characters, make it 15. Each additional character makes your password exponentially harder to crack.

6. DO use random passwords when possible

The strongest password you can create is a completely random sequence of uppercase and lowercase letters, numbers, and symbols. If you use a password manager (or if your brain actually has the capability to memorize these things), this is the only type of password you should be using.

7. DO build passwords out of phrases

When a password manager isn't an option, your best bet is to use a long phrase. If you can use the entire phrase for your password (some systems will allow very long passphrases), that is great! Otherwise, you can create your password using the first letter of each word, the punctuation in the phrase, and even some numbers substituted in for good measure.

This system works well because phrases can be easily memorized, but are quite difficult for an attacker to guess. In this regard, the more nonsensical the phrase, the better. Don't use quotes or phrases that are published; try to think of your own.

For example, the phrase:
Sally said, "Look! Harry the goose jumped over the moon."
can be turned into the following password: Ss,L!Htgj0tm.

Categorized as: Personal Security

What is Regex Password Vault?

Regex Password Vault is a password manager and form filler for Windows. It simplifies your life by remembering all your usernames and passwords for you, saves you time by logging you into websites and filling out long web forms with a single click or keystroke, and keeps you safe online by making it easy to use strong, unique passwords for all your accounts!
