Saturday, July 9, 2005

Secure Password Storage on XP

  • You have a lot of online accounts, and
  • You don't want to use the same password for each, because that is insecure — however
  • It's hard to remember all those passwords, so
  • You need to store the passwords off-brain somewhere.
    • Also, you don't want to store them in a text file, that is very insecure, almost worse than writing them down on paper, because a malicious program could grab that file without your knowing.
    • Therefore, you need to encrypt the data.
  • You could use PGP, because that is undoubtedly the best-designed and strongest encryption software available; but
  • You don't want to pay $50 just to store passwords. You could use GnuPG, which is free and just as strong, but
  • You don't want to have to use the command line every time you unlock your files, use them, and lock them again.
  • You also don't want to store your passwords in the browser because
  • Anyone using your browser could get access to your sites.
    • Even when the browser allows you to use a master password to protect your stored passwords, reason tells you that storing sensitive information directly within the browser brings them that much closer to the reach of security exploits and malware.
So in many cases, for reasons of security/cost/convenience, you can rule out: writing them down, plain text files, PGP, GPG, and browser-saved passwords. For these reasons, I've found that the best program for password storage on XP is KeePass.
  • It's free
  • It is open source, and therefore open to scrutiny for backdoors or weaknesses
  • It has a well-designed interface, specifically tuned to the task of securing and using passwords
  • It is small in size (440k), and fast
  • It doesn't require installation; just unzip and run
  • It doesn't need .NET runtimes or other support files
  • It uses strong encryption
  • It is configurable to be as secure or as convenient as you want
Go to the KeePass website to download it, view screenshots, and read more information. More later on an end-to-end process for securing your software and customizing your KeePass installation.

Friday, July 1, 2005

Outlook 2003: Warn if Subject Line Empty

Outlook does not have a built-in option to warn you if the subject line is empty. (Outlook Express does, but for some reason Outlook doesn't.) Here's how to put one in.

  1. Go to the menu Tools → Macro → Visual Basic Editor.
  2. Now in the Visual Basic Editor, you should see Project1 in the tree menu on the left. Drill down the tree to Project1 → Microsoft Office Outlook → ThisOutlookSession.
  3. In the code area (the big text area on the right) paste in the following code:
    Private Sub Application_ItemSend(ByVal Item As Object, Cancel As Boolean)
    If TypeName(Item) <> "MailItem" Then Exit Sub
    If Item.Subject = "" Then
    Cancel = MsgBox("This message does not have a subject." & vbNewLine & _
                         "Do you wish to continue sending anyway?", _
                         vbYesNo + vbExclamation, "No Subject") = vbNo
    End If
    End Sub
  4. Save and exit the VBA Editor.
You can test this by creating a message with a blank subject and clicking Send. You will be warned that the subject line is empty and asked if you want to send the message anyway. This macro is a simplified version of this code at I tested it on Outlook 2003 and it runs with no problems with macro security set to High. (To check your macro security level, click the menu Tools → Macro → Security.)