16th September, 2011
Thursday

Enterprise security at your fingertips: how to secure your passwords and sensitive data

Introduction

You don't need me to tell you that there have been many high-profile hacks all over the internet recently. And you and I both know that we're all lazy with our passwords; we probably use at most 4 different passwords across all the internet services we log on to, because we can't remember more. So when the news broke that 5 different sites we have accounts on got hacked, and a couple of them were revealed to have stored their passwords in plain text, we all had to change our passwords across all the different sites.

Oh but wait! We don't even remember how many sites we've created accounts on that use the old compromised passwords. Now we're screwed.

Fear not! Password managers come to the rescue! Starting today, we'll be storing a different complex password for every login we use. We're safe!... Or so you think! There is an old saying amongst computer geeks that the only real way to keep your passwords safe is to keep them only inside your head, but we've already thrown that idea out the window now that it's basically impossible, and password managers like 1password are no better.

Password managers can typically store all your passwords in a central repository and allow you to make backups. All of these are of course encrypted, using a single password. So in the end, you're still relying on passwords. But that's not the issue; the issue comes when hip password managers like 1password nowadays try to be web 3.0, so they implement database sync on iPhones, Android and across the cloud (on Dropbox).

The biggest problem is that you expose your password database in so many places that it becomes really easy to grab. (Remember Dropbox recently had a free-for-all where anyone could log in as anyone else and grab anything they wanted for 4 hours due to a 'mishap'.)

You might be thinking to yourself now, it's not that big a problem since it's encrypted, right? Wrong. Because you've used a single password to encrypt the entire content of the password database, and because password managers are inherently software based, there is nothing to stop the person who has gotten hold of your password database from brute forcing it on a compute cloud. Which means you're more screwed than before.

This is the reason I haven't used any password managers in the past. But here is the good part. There are ways to ensure nobody (well, almost nobody) can unlock your encrypted password database even if they have gotten hold of it (well, at least not in a million years, literally), and furthermore, there are ways to make sure nobody can even get hold of your password database.
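To make the brute-force argument concrete, here is an added example (my own code, not from this post, KeePass or TrueCrypt) that models a password database whose key is derived from a master password alone versus a master password plus a keyfile that stays on a hardware token. The wordlist, the low iteration count and the "OK" check marker are constructed for the demo and only model the idea, not either product's real file format.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Constructed model of an encrypted password database whose key is derived from
# a master password plus an optional keyfile kept on a hardware token. It models
# the idea only, not the exact KeePass or TrueCrypt file formats.
ITERATIONS = 20_000  # deliberately low so the demo runs in seconds
MARKER = b"OK"       # known value that lets anyone recognise a correct key


def composite_key(password: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Derive the database key from the password and, if present, the keyfile."""
    secret = hashlib.sha256(password.encode()).digest()
    if keyfile is not None:
        # Mix in the keyfile: without these bytes the password alone is useless.
        secret = hashlib.sha256(secret + hashlib.sha256(keyfile).digest()).digest()
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=32)


def seal(password: str, keyfile: Optional[bytes]) -> Tuple[bytes, bytes]:
    """Return (salt, check_tag); the tag is what a decryptor verifies first."""
    salt = secrets.token_bytes(16)
    tag = hmac.new(composite_key(password, keyfile, salt), MARKER, "sha256").digest()
    return salt, tag


def offline_guess(salt: bytes, tag: bytes, wordlist: List[str],
                  keyfile: Optional[bytes]) -> Optional[str]:
    """Whoever holds the copied database tries each word; returns the hit or None."""
    for guess in wordlist:
        cand = hmac.new(composite_key(guess, keyfile, salt), MARKER, "sha256").digest()
        if hmac.compare_digest(cand, tag):
            return guess
    return None


WORDLIST = ["letmein", "password1", "Summer2011!", "correcthorse"]  # constructed


def demo() -> Tuple[Optional[str], Optional[str]]:
    # Case 1: password only. The database was synced to the cloud and copied,
    # and the master password is in the wordlist, so the offline search succeeds.
    salt1, tag1 = seal("Summer2011!", None)
    hit_password_only = offline_guess(salt1, tag1, WORDLIST, None)
    # Case 2: same weak password, but the key also needs 256 random bits that
    # never leave the token. The copied database alone no longer yields the key.
    token_keyfile = secrets.token_bytes(32)
    salt2, tag2 = seal("Summer2011!", token_keyfile)
    hit_with_keyfile = offline_guess(salt2, tag2, WORDLIST, None)
    return hit_password_only, hit_with_keyfile
```

Calling `demo()` returns `('Summer2011!', None)`: the same weak master password falls to a dictionary search in the first case and survives it in the second, which is exactly what moving part of the key onto the token buys you.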

Here is what you'll need:

Pre-requisites

  • A certificate based encryption token
    This is an external device that can store and generate PKI certs. I bought one (iKey 4000) a few weeks ago directly from the Hong Kong Post Office (link here: http://www.shopthrupost.hk/hkpost_front/product_listing.jsp?catid=CA89&ad=none). I'm sure you can find better keys, especially if you live in the US/EU where there are no 'export' restrictions on such security devices.
  • A password manager
    Many Mac lovers use 1password, many Linux lovers use KeePass, many Windows users don't bother. Well, for what it's worth, I use KeePass, as I don't see the need to pay for a password manager when a free one already exists, and more importantly one where many people's eyes can actually inspect the source code to ensure there is no foul play involved. Get yours here: http://keepass.info/
  • A small portable usb stick that can be attached to your keyring
    Any will do really, but make sure you have enough room to store what you would like to keep secret. Don't be stupidly greedy and get a massive portable hard drive, because we're only provisioning for what we need. (The bigger the encrypted storage device, the longer and slower it is to process, so it's not recommended.)
  • TrueCrypt
    Do I need to explain? Do a Google search and you'll find plenty of intros.
  • Windows (dependent on whether your encryption token supports other OS)
    If your PKI security token works on all platforms, good for you! I have to make do with Windows, and this guide will be based on the iKey 4000, so you'll be on your own regarding the installation and setup of the device on your computers.

1st - Setting up the iKey 4000

Unfortunately for me, the iKey 4000 didn't come with any instructions or software drivers. (Weird, huh?) So I had to browse around for the software to run this stupid key.

Fear not however, my friends, for I have found the site that seems to have all the files available. So first, we'll install the driver for the key, which you can obtain from here: http://www.safenet-inc.com/support-downloads/ikey-drivers/.

Then we'll install the software that manages it, which is called Borderless Security. The latest version I've found is 7.3.0 and you can get it from this URL: http://202.83.243.99/iKey/.

Once you've installed both pieces of software you should be able to plug in your new key; Windows should install the right driver for it, and you should see a tray icon named "Safenet Borderless Security Applications" that detects whether the key is currently plugged in.

When you plug it in for the first time, you will need to set up the key phrase/password that will 'unlock' your key upon insertion. (This is obviously so that even if someone HAS your key, they'll also need your brain.)

2nd - Setting up TrueCrypt on your portable USB stick

Now you should install the latest TrueCrypt onto your computer. It would be best if you read up on the options yourself. For the purpose of this guide, though, I've installed it as a permanent service that starts whenever Windows starts. Once you've got it installed, set up a new TrueCrypt volume.

  • Open TrueCrypt
  • Select "Volumes" -> "Create New Volume..."
  • "Create an encrypted file container"
  • "Standard TrueCrypt Volume"
  • "Select Location" and select the USB stick you just inserted (not the key, though you should already have the key inserted).
  • Call it whatever you want, so long as it doesn't attract attention.
  • For the encryption algorithm select "AES-Twofish-Serpent".
  • For the hash algorithm I used "SHA-512".
  • Define the size of the 'drive' as large as you want. I set mine to be 200 MB so I can put other files in if I feel the need to; passwords and KeePass itself aren't going to take up much space.
  • Next you have to define the "volume password", but instead of another password we'll start utilising the key. So select the checkbox "Use keyfiles" and click "Keyfiles..."
  • In the pop-up select "Add Token Files...", then a passphrase prompt should come up for your iKey 4000. Authorise yourself and you should see another pop-up with a token record that has a Slot, Token name and File name.
    • #NOTE: if you don't see one, then you haven't set up your iKey 4000 with your own key and certificate yet. Set yours up with a client certificate from http://cacert.org/ and import it into your key.
    • #NOTE2: if you can't see the pop-up with the token files, you'll need to check that "Settings" -> "Security Token" points to a dkck201.dll, which should be under your Windows System32 folder.
  • Next is the creation process, which means you should randomly move your mouse around the screen and select your filesystem and cluster choice; I'd recommend leaving the default FAT.
  • You're done, but we'll set it up so that every time you plug in your encrypted stick and key it'll decrypt and mount automatically.
    • Mount your new volume into any drive letter you want. 
    • Select the newly mounted volume in TrueCrypt and choose "Add Mounted Volume to Favourites".
    • Select "Mount selected volume upon login" and "Mount selected volume when its host device gets connected".
    • OK, there you go!

3rd - Setting up KeePass on your TrueCrypt partition

Now that we have an auto-mount drive that utilises your iKey, we can set up KeePass. Extract KeePass into the newly created and mounted secure volume.

Open KeePass from there and follow the on-screen instructions to set up a new database that uses keyfiles only, similar to the creation of the TrueCrypt volume (sorry, this section is lacking as I've already set mine up). If you encounter any problems, let me know and I'll try to help.

Procedure for using your new security process

So now you have it all: a secure key, a secure drive, and a secure password manager. I'd say you can use it to your heart's content without worrying about your password manager getting cracked via its password.

Just plug in your key and your drive any time to start KeePass and log in to websites with unique, long 200+ bit passwords that automatically expire every 6 months.

:) Have fun.
