Steganos Blog

A new version of Steganos Online Shield VPN for Windows is available.

The update will be offered to current users within 24 hours for automatic download. An installation is recommended. If you don’t want to wait: Download latest version (your trial period or premium license will not be affected)

  • New clear design with integrated presets and more tips
  • Now contains features from Steganos Internet Anonym (like anonymization of your browser)
  • VPN protection of your internet connection using 256-bit AES encryption (instead of 128-bit Blowfish)
  • Shows devices in your network that could pose a threat (and which can be warded off by using VPN protection)
  • Blocks ads in every browser
  • Prevents social tracking by Facebook and Twitter in every browser
  • Anonymizes your browser and operating system (against fingerprinting)
  • New Multiplex engine: anonymizes, blocks ads and stops social tracking. No more browser plug-ins needed, which can slow down your browser (you can uninstall them now)
  • Automatically deletes cookies after surfing (in Chrome and Firefox), includes an exception list
  • Don’t forget: The premium license includes unlimited protection for your Android smartphone or tablet

Please note: The product name changes from Steganos Online Shield 365 to Steganos Online Shield VPN. If you are using a premium version, don’t worry. This name change does not affect your license period in any way.

Using Steganos Internet Anonym? Within the next week you will receive information on how you can use Steganos Online Shield Premium at no additional cost.

Steganos users do not need to take any action in regards to the so-called Heartbleed bug in the OpenSSL web encryption. Steganos servers are secured. It is not necessary to install a hotfix for either Steganos Online Shield, Steganos Internet Anonym or OkayFreedom. These VPN products are safe.


UPDATE: In case you want to use the bugfixed OpenSSL 1.0.1g on the client side as well, you may now download an update for Steganos Online Shield and OkayFreedom. These updates will be offered to users automatically within 24 hours. Installation is not necessary for security reasons, since Steganos servers run safe OpenSSL versions. Nevertheless we want to offer you the latest OpenSSL version. There will be no update for Steganos Internet Anonym, since the OpenSSL version used there is not affected by the issue.

A new version of Steganos Safe 15 for Windows is now available.

The update will be available for download within 24 hours for existing customers. Installation is recommended.

  • Behavior after unlocking the computer and returning from standby has been corrected
  • Problems with the automatic closure of safes when the screen saver starts have been fixed
  • Unexpected behavior among some operating systems when closing safes has been fixed
  • Settings can now also be changed with opened safes
  • Settings: Access to the safe settings is again possible with the use of USB key devices instead of a password
  • Incorrect error message with respect to the safe engine has been removed
  • Adaptation of the French localization

A new version of Steganos Password Manager 15 for Windows is now available.

The update will be available for download within 24 hours for existing customers. Installation is recommended.

  • Browser Plugins: Compatibility with Internet Explorer 11 and Windows 8.1 has been restored
  • Browser Plugins: Problems with Autofill in Internet Explorer and Firefox have been fixed
  • Browser Plugins: Crashes that occurred when multiple password entries were displayed on one page have been fixed
  • Browser Plugins: Installation of the Chrome plugins now goes through the Google Chrome Web Store in order to conform to Google specifications
  • Browser Plugins: Password entries on pages with top-level domains such as co.uk and co.nz will now be handled correctly
  • Cloud Connection: The automatic creation of keychain backup copies when using the Cloud connection now works as expected
  • Cloud Connection: Error messages regarding connection problems during saving have been supplemented
  • Cloud Connection: Problems with the connection of the Telekom Media Center have been fixed
  • Errors with the printing of passwords have been fixed
  • Display error with the text size 125% has been fixed
  • Problems with symbols in keychain names have been solved
  • Inconsistent behavior of the user interface during program startup has been fixed

A new version of Steganos Privacy Suite 15 for Windows is now available.

The update will be available for download within 24 hours for existing customers. Installation is recommended.

  • Private Favorites: Problem with information request from the Systray menu has been fixed
  • Crypt & Hide: Unexpected behavior in deciphering complex directory structures has been fixed
  • Outlook-Add-In: Problems related to the clipboard have been fixed
  • Outlook-Add-In: Accelerated start with Outlook
  • Outlook-Add-In: Compatibility with Outlook 2013 has been ensured
  • Outlook-Add-In: Unexpected behavior with expired test phase has been fixed
  • Outlook-Add-In: Confusing error message has been deleted
  • Shredder: Display error in the progress dialogue has been fixed
  • Shredder: An error with the destruction of directories with unexpected attributes has been fixed
  • Help texts have been updated

Steganos Safe 15.2 and Password Manager 15.2

The change lists for these two versions are the Steganos Safe 15 and Steganos Password Manager 15 lists given above.

May we suggest a New Year’s Resolution for 2014: I’ll start using a password management program so that I am not always using the same password just because it’s the only one I can remember.

Hardly anywhere else is there such a disconnect between knowledge and behavior as with the topic of passwords. Every internet user has them, and everyone knows that secure passwords are important — yet hardly anyone really takes proper precautions with them.

For most internet users, a password is only an obstacle to the actual goal. Passwords protect e-mails, payment data for online shopping, access to Facebook and much more.

Despite this, many people choose very simple passwords like 123, or they use the same password multiple times. In the best case, two or three different passwords are used. Even users who lock their doors or take advice from the police about how to protect themselves from break-ins abandon their healthy sense of security consciousness as soon as they sit down at a computer. Why is this?

One reason for this poor “password hygiene” is that the dangers of insecure passwords are not sufficiently known; “I have nothing to hide” is the prevailing attitude.

Laudably, online banking is perhaps the one exception where appropriate security measures are taken. But: it is the banks that set security standards so high, by sending TAN lists without which transactions cannot be completed. Additionally, one increasingly sees “two-factor authentication”, which means nothing more than that a second level of protection has been added.

For example, upon entering the password at login, one receives a numeric code sent to one’s mobile. These are measures taken by the providers, because passwords alone are not enough protection — largely because so many people use the same passwords multiple times.

The Risk of Password Recycling

So, why is it so dangerous to “recycle” passwords? Let’s suppose you use the same password for PayPal and Adobe Cloud. We are using this example because Adobe Cloud fell victim to data theft in 2013, as a result of which e-mail addresses and user passwords went missing. As you can see, even well-respected providers are not immune to hacker attacks. The database in which your password and mail address are saved together (a combination also known as “credentials”) can be downloaded on the relevant pages with minimal effort. Meaning: your password is floating freely through the internet. The next step is simple: a hacker only needs to keep trying out your credentials with the major web services; if you use your password in multiple places, it will be found somewhere.

Mentally go through the list of sites and services in which you register. Think about Dropbox, Facebook, Google Mail, your insurance policies, Amazon, iCloud, train services, perhaps your own blog, travel agencies, PayPal, dating sites, your Microsoft ID, Spotify, Skype, LinkedIn — the list goes on and on. In the case of PayPal, a hacker — with your credentials — can now order things in any online shop that accepts this method of payment.

Of course vendors try to detect and prevent such fraudulent practices before damage is done. For example, the Facebook Login Alarm goes off when a user who has just logged in from the USA tries a few seconds later to log in from Germany with the same access data. Using the IP address that is transmitted as the sender of every data exchange, Facebook can detect from approximately where a data package has come. Since nobody can change countries so quickly, Facebook flags such login attempts as potentially fraudulent and requires the entry of more data to authorize the login.
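The login-alert check described above, written out as an added example (it is not part of the original post, nor Facebook or Steganos code): each login record carries the source IP address, a constructed prefix table stands in for the IP geolocation step the post mentions, and the detector flags two logins by the same account from different countries within a short window. The sample logins, the prefix table (RFC 5737 documentation ranges) and the one-hour window are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample login log: (timestamp, account, source IP). Not real data.
SAMPLE_LOGINS = [
    ("2014-01-10 08:00:00", "alice", "198.51.100.23"),
    ("2014-01-10 08:00:07", "alice", "203.0.113.9"),    # 7 seconds later, other country
    ("2014-01-10 09:30:00", "bob", "203.0.113.44"),
    ("2014-01-10 18:45:00", "bob", "203.0.113.45"),     # same country, hours apart
    ("2014-01-11 06:00:00", "carol", "192.0.2.17"),
    ("2014-01-11 09:10:00", "carol", "203.0.113.80"),   # 3 h 10 min later: plausible travel
]

# Constructed IP-prefix to country table; a real service would use a geolocation database.
SAMPLE_GEO = {"198.51.100.": "US", "203.0.113.": "DE", "192.0.2.": "FR"}


def country_for(ip):
    """Approximate origin country of an address via longest matching prefix (constructed table)."""
    for prefix, country in sorted(SAMPLE_GEO.items(), key=lambda kv: -len(kv[0])):
        if ip.startswith(prefix):
            return country
    return None


def parse_logins(rows):
    """Turn raw log rows into (timestamp, account, country) events, dropping unlocatable IPs."""
    events = []
    for ts, account, ip in rows:
        country = country_for(ip)
        if country is not None:
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), account, country))
    return events


def flag_impossible_travel(events, window=timedelta(hours=1)):
    """Return (account, previous_country, new_country, gap_seconds) for each login that
    follows a login of the same account from a different country within `window`."""
    last_seen = {}   # account -> (timestamp, country) of the most recent login
    alerts = []
    for ts, account, country in sorted(events):
        previous = last_seen.get(account)
        if previous is not None:
            prev_ts, prev_country = previous
            gap = ts - prev_ts
            if prev_country != country and gap <= window:
                alerts.append((account, prev_country, country, int(gap.total_seconds())))
        last_seen[account] = (ts, country)
    return alerts


def run_sample():
    """Run the detector over the constructed log; only alice's second login should be flagged."""
    return flag_impossible_travel(parse_logins(SAMPLE_LOGINS))


if __name__ == "__main__":
    for account, before, after, gap in run_sample():
        print(f"ALERT {account}: {before} -> {after} within {gap} s, step-up authentication required")
```

The window is the tunable part: the post's example is a gap of seconds, and a real deployment would weight the decision by distance and by how much the account's usual locations vary, rather than by country change alone.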

For this reason, it is important not to use the same password again and again. Even if one considers a particular service to be benign in relation to the data obtainable, we cannot recommend using a password multiple times. Something that one considers unimportant now can become critical later, and suddenly one has entrusted sensitive information to a seemingly harmless vendor. Just think of the ubiquitous synchronization of services with address books. Modern routers often function as simple telephone systems or as base stations for cordless phones. These routers can cull the Google address book in order to display telephone numbers. One does not want to imagine what could happen if the router at home is not protected with a good password. Many providers also “talk” with each other nowadays over program interfaces — so-called APIs. Through these APIs, Facebook or Twitter are often used as authorization services. Simply put: it is virtually impossible to know which ways your data travel. For this reason, varied and good passwords are a must.

The Myth of the “Safe” Password

What is a good password? The decades-long enduring requirement is that it should look something like A3jNk$1d — in other words, it should not be a word out of the dictionary and should contain numbers, symbols and upper- and lower-case letters. But this is only partially right. In order to determine what a good password is, one needs to know how many variations of passwords are even possible by the respective providers. For example, a provider that only allows passwords containing numbers makes it easier for hackers—not more difficult, as presumed. In this case, they can eliminate anything without numbers when running through passwords.

For simplicity, we will consider in this blog passwords for authorization (such as with Facebook) and passwords that are used as keys for encryption (such as with Steganos Safe) together.


The cartoonist Randall Munroe, known for his math cartoons on xkcd, demonstrates that passwords created from simple English words are easier to remember and more secure than complicated strings of characters like A3jNk$1d. However, his calculation has a flaw that makes the string of characters look weaker than it needs to be. What is the flaw?

The more variation the password creation process allows, the better it is. This is called entropy, and the higher it is, the more variations are possible. Thus, a word out of the standard German vocabulary, which includes around 75,000 words, has an entropy of 17 bits. In other words, one needs a maximum of 75,000 attempts to “guess” it; the 17 bits are just a more concise representation of otherwise very large numbers. If one chooses a single word from the entire German vocabulary, one arrives at a selection of half a million different terms, which corresponds to an entropy of 19 bits. There may not seem to be a large difference between 17 and 19 bits, but that is deceptive.

Supposing one wanted to crack a password with 17 bits through random attempts and has a program that runs through 1,000 different passwords per second (which is not unrealistic), he would be finished in just over two minutes (2^17 / 1,000 = 131 seconds). With an entropy of 19 bits, one would need almost 9 minutes, with 20 bits over 17 hours.

9 Minutes or 714 Centuries

Critics now argue that a password that consists only of a German word has a very low entropy and that one would be better off choosing a meaningless string of characters with letters, symbols and numbers, such as the abovementioned A3jNk$1d. But is this really the case? A password that consists of three real words from German vocabulary strung together (for example carbooksausage) has an entropy of around 51 bits, whereas a password like A3jNk$1d has an entropy of only 49 bits. Surprisingly, the easier-to-remember password in this case is also the better one. In both cases, however, we are dealing with dimensions in which the data to be protected are likely to have lost their sensitivity; 49 bits corresponds to 178 centuries of attempts, 51 bits to 714 centuries.

Now, one must of course put these enormous numbers into perspective. It cannot be ruled out that under certain circumstances not only 1,000 different passwords can be tried per second but maybe also 10,000 or even 100,000 (when, for example, it’s not a slower web service to be cracked but rather a locally present piece of encrypted data). Even with 100,000 attacks per second, we are still talking about a search time of 714 years. For very important data, one could connect several computers and let them search in parallel. We don’t know exactly what resources the NSA has at its disposal, but if one such intelligence agency left 1,000 computers to crack our 51-bit password, then it could bring the time down to under one year; with 10,000 computers, one would already be within a practical range.

This is also the reason why 51 bits is simply not enough for really sensitive data. In Steganos Safe, a 384-bit long key has been used ever since the revelation of the Snowden leaks. With this, the number of variations exceeds the unfathomable 3,940 novemdecillions; this is the name for a 115-digit number.

Let’s go back to the xkcd. Munroe tries to demonstrate that the complicated string of characters Tr0ub4dor&3 is a worse password than the easier-to-remember correct horse battery staple. Tr0ub4dor&3 is a variation of the already unusual and misspelled English word “troubador”. Then he replaces an “o” with a “0” and an “a” with a “4” and adds two additional characters. The result is a seemingly random word, but only seemingly. Because his password is based on an already-existent English word, his entropy is only 28 bits. No wonder the much longer password with the horse ranked better, with an entropy of 44 bits. If one were to really randomly select a password with upper- and lower-case letters, numbers and symbols, one would create an 11-digit password with an entropy of a significantly higher 68 bits.
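The entropy and search-time arithmetic of the last few paragraphs (word-list entropy, the 2^bits / rate estimate, the effect of faster guessing and parallel machines, and the 11-character random string) carried through in code, together with a generator that does the "really random" selection the last sentence calls for. This is an added example and not the post's or Steganos' code; the 72-character alphabet is an assumption (the post does not state the set behind its 49-bit and 68-bit figures, and 72 characters reproduces both), and the word list is a constructed stand-in whose only relevant property is its size.

```python
import math
import secrets
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed alphabet: 52 letters + 10 digits + 10 symbols = 72 characters.
# Eight characters from it give about 49 bits, eleven about 68 bits, matching the post.
ALPHABET = string.ascii_letters + string.digits + "!$%&/()=?+"

# Constructed miniature word list; a real generator would use a dictionary-sized list,
# because the entropy per word is log2 of the list length, not a property of the word.
SAMPLE_WORDS = ["car", "book", "sausage", "horse", "battery", "staple", "correct", "window"]


def entropy_bits(choices, picks=1):
    """Entropy of `picks` independent uniform draws from `choices` alternatives."""
    return picks * math.log2(choices)


def crack_time_seconds(bits, guesses_per_second, machines=1):
    """Worst-case time to exhaust all 2**bits candidates, the measure the post uses."""
    return 2 ** bits / (guesses_per_second * machines)


def describe(seconds):
    """Duration in the units the post uses (minutes, hours, years, centuries)."""
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 3600:.1f} hours"
    years = seconds / SECONDS_PER_YEAR
    return f"{years:.1f} years" if years < 100 else f"{years / 100:.0f} centuries"


def generate_password(length=11, alphabet=ALPHABET):
    """Uniformly random string from the whole alphabet, drawn from the OS CSPRNG via `secrets`
    (never the `random` module, whose output is predictable)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=SAMPLE_WORDS, count=3, separator=""):
    """Dictionary-word passphrase; the words may be ordinary, the selection must be random."""
    return separator.join(secrets.choice(words) for _ in range(count))


def report():
    """The post's scenarios as a name -> duration table."""
    cases = {
        "one word of 75,000 (17 bits) at 1,000 guesses/s": crack_time_seconds(17, 1_000),
        "8 random characters (49 bits) at 1,000 guesses/s": crack_time_seconds(49, 1_000),
        "three words (51 bits) at 1,000 guesses/s": crack_time_seconds(51, 1_000),
        "51 bits at 100,000 guesses/s": crack_time_seconds(51, 100_000),
        "51 bits at 100,000 guesses/s on 1,000 machines": crack_time_seconds(51, 100_000, machines=1_000),
    }
    return {name: describe(seconds) for name, seconds in cases.items()}


if __name__ == "__main__":
    for name, duration in report().items():
        print(f"{name}: {duration}")
    pw = generate_password()
    print(pw, f"{entropy_bits(len(ALPHABET), len(pw)):.0f} bits")
    phrase = generate_passphrase()
    print(phrase, f"{entropy_bits(len(SAMPLE_WORDS), 3):.0f} bits (tiny list, hence low)")
```

Note that `entropy_bits` is only meaningful when the selection really is uniform: a word chosen by a person, or a word with letters swapped for look-alike digits as in Tr0ub4dor&3, does not get the full log2 of the list or alphabet size, which is exactly the flaw the post points out.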

Reliable Password Manager as Solution

Because it is almost impossible to remember so many passwords, the use of a password manager is recommended. These programs encrypt and save your passwords; you need only remember a single password—namely the one for your password list (sometimes also referred to as the “keychain”). The password manager enters your passwords automatically when a website requires them. This is not only convenient but also increases your security, since the password manager creates good, long and complex passwords that you needn’t remember because they are entered automatically.

http://dl.dropboxusercontent.com/s/ve618cxki08yfyw/Passwortgenerierung_en.png
The Steganos Password Manager allows the automatic creation of really secure passwords, and displays their entropy so one has an idea how safe they really are. The selection of a password manager should be done carefully, as you are after all entrusting the key to your sensitive data to this program. Respectable vendors encrypt and save your passwords on your computer and only transfer this data to a cloud server if you have expressed the wish to do so.

Even then, data should only be saved to the cloud if it has been encrypted and is thus not visible to the cloud provider. This is the case with Steganos Password Manager.

Tips for Secure Passwords

    • Long passwords are better than short ones because they have a higher entropy, even if they are created from real words
    • It is only worth using numbers and symbols to increase entropy when the password is short
    • Passwords should never be used over and over, even with seemingly harmless services
    • Ideally, one should use a password manager which encrypts and saves the passwords locally on your computer
    • The password manager should generate passwords itself — that way, one does not have to rack one’s brain and gets significantly better passwords
    • Passwords for your e-mail provider and payment services like PayPal should be changed at least every three months; this also applies to cloud providers like Dropbox or iCloud

Even if we have by far not covered every aspect of password protection, we hope to have given you some insight into and understanding of this complex topic. Please post any questions in the comments section, and have a great and secure start to the year 2014!
