Password Management

By | 2016-08-28

Passwords are used for banking, work, school, social media, message boards, email, and more. That is a lot of passwords to keep track of. Most of you have probably heard the advice to use pass phrases or long and complex passwords, even for secret questions. This is hard to do when you have dozens of them to keep track of. There are a number of methods that I have seen people use. I will briefly describe some of them, how they can be used securely, and the potential problems with them. Fortunately, there is an easy and reasonably secure way to keep track of them all. I am going to address the pros and cons of several of the common ones before diving into what is, in my opinion, the only good way to keep track of dozens of passwords. If you want to learn the basics of how cryptography works, I recommend reading my guide: A Simple Introduction to Cryptography.

Before going any further, keep one thing in mind. Do not, under any circumstances, login to anything that you wouldn’t want the device owner to access. For example, if you don’t want your employer to have access to your social media accounts, do not login to any of them from any device your employer owns. Whoever has administrative access to a device can capture every keystroke you make, take screen shots, and see anything you have stored on the device.

For Most People

I recommend using your browser to save your passwords. I will be writing a guide on browser password managers soon.

If you administer systems, use a password manager. Browsers aren’t practical for storing all of your administrative passwords, because a lot of the things you will need to login to won’t be web interfaces. I recommend Keepass2 or Password Safe.

Smartphones and Tablets

I generally advise against saving credentials on mobile devices. They are too easy to lose or steal and touch screens are hard to type long and complex passwords on. There are some exceptions. If your browser has a master password used to encrypt the database, or if your device is encrypting the storage your password database resides on, you might be able to get away with this. Just make sure to use a strong master password or encryption password.

There are some password managers for mobile devices, but I will admit I haven’t used them, so I can’t say if they are safe to use or not. There are a few third party versions of Keepass2 for Android and iOS, meaning that they aren’t officially supported by the Keepass2 developer. Use these at your own risk.

Suboptimal Methods

Office or Text File

I have seen a lot of folks save passwords in an office or text file on their computer. This is better than reusing them, but has a few problems. The first problem is if your computer gets lost or stolen, someone has all of your passwords. Bypassing an operating system login is easy. The only way to protect yourself in this situation is full disk encryption. The second problem is your passwords will be on your screen whenever you have the file open. This leaves you open to someone looking over your shoulder. If you trust people around you and use full disk encryption, you can probably get away with doing this.

Password Reuse

Some people resort to using the same password, or variations of it, everywhere. The major flaw with this method is that a breach of any system you use can result in all of your accounts being compromised. Your security is limited to the least secure system you login to. I highly recommend against doing this.

Encrypted Office File

One of the better suboptimal methods is saving passwords in an encrypted office file. Both Microsoft Office and Libre Office support encrypting files. Both use encryption strong enough that there are no feasible attacks against it. An office file is easy to backup, safe, and requires you to only remember one good password. It does have the disadvantage of displaying your passwords on your screen. I don’t recommend doing this if there is the possibility of someone looking over your shoulder. If you forget your encryption password, there is no way to recover it. This is by design. If it is recoverable, it is recoverable by someone other than you as well. If you go this route, use a very strong password that you will not forget. Consult your office software’s documentation for instructions on how to do this.

Writing them Down

Writing them down is probably the simplest way to track your passwords. As long as you can keep where you have them written down physically secured, you can probably get away with this. This method has the advantage of being completely offline. Being completely offline means that malware or your computer being compromised will not expose all of your logins, just the ones you login to while you are compromised. If you do this, keep a few copies. In the event a copy is lost, stolen, or you suspect it has fallen into the wrong hands, change every password as soon as possible.

Optimal Methods

I recommend one of two methods:

  • Use your browser’s password manager.
  • Use a password manager.

Use Your Browser

Browser password managers are a subject worthy of their own guide. Most browsers will use your OS login credentials or a master password to encrypt your password database. Assuming properly implemented cryptography, this means that someone would have to get your computer password or your master password in order to compromise your password database. Even if someone is able to get physical access, they would have to resort to something like a key logger to compromise your passwords.

Synchronization Features

Some browsers allow you to store passwords on a remote server for easy synchronization. Since this guide is meant to be as general as possible, I would advise thoroughly researching the service first. Make sure that the sync feature encrypts the passwords in a way that whoever is hosting the synchronization service can’t access. This prevents a breach of the sync server from compromising your passwords. It also keeps malicious server administrators from accessing them.

Use a Password Manager

A password manager is a program that creates and keeps track of passwords for you. Good password managers store your passwords in an encrypted file. As with an encrypted office file, you will be prompted for a password or phrase when you open your password file. This is often called a master password. Password managers have all the advantages of using an encrypted office file and more. The advice on using a strong password that you won’t forget applies here as well. As with an encrypted office file, assuming good cryptography, there is no way to recover a lost password.

Password managers can generate very long, random passwords that can be tuned to meet each system’s password requirements. This has the advantage of being pretty much impossible for a person to guess or for a computer to obtain through brute force within your lifetime. Brute force is security jargon for using a program that keeps trying passwords until it finds the right one. They can also be set up to remind you to change them after a certain amount of time has passed. Unlike office files, password managers won’t show your password on the screen unless you click a button telling them to do so. They typically copy the password to your clipboard so you can paste it into the application or web site when prompted. Some password managers let you store your passwords in the cloud for a recurring fee. These have the advantage of allowing you to easily synchronize your password database across multiple devices. If you decide to use one of these, make sure you are absolutely certain that your password database is encrypted before it leaves your device when saving it, and after it is downloaded when reading it.
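To make the two ideas above concrete (generating a random password that satisfies a system’s character requirements, and estimating how long exhaustive guessing would take), here is an added example in Python. It is illustration code, not code from Keepass or Password Safe; the character classes, the symbol set and the guess rate are assumptions chosen for the example.

```python
import math
import secrets
import string

# Assumed character classes a system might require (illustrative policy).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_",  # assumed symbol set
}

def allowed_alphabet(required, forbidden=""):
    """All characters from the required classes minus any the system forbids."""
    return "".join(c for name in required for c in CLASSES[name]
                   if c not in forbidden)

def generate_password(length, required=("lower", "upper", "digit", "symbol"),
                      forbidden=""):
    """Random password of `length` characters with at least one character
    from each required class. Uses secrets (the OS CSPRNG), never random."""
    if length < len(required):
        raise ValueError("length too short to include every required class")
    for name in required:
        if not any(c not in forbidden for c in CLASSES[name]):
            raise ValueError(f"every character of class {name!r} is forbidden")
    alphabet = allowed_alphabet(required, forbidden)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling: draw uniformly, keep only passwords that meet
        # the policy, so the kept ones are still uniformly distributed.
        if all(any(c in CLASSES[name] for c in pw) for name in required):
            return pw

def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password (ignoring the small loss
    from requiring each class to appear at least once)."""
    return length * math.log2(alphabet_size)

def brute_force_years(length, alphabet_size, guesses_per_second=1e12):
    """Expected years to find the password by trying every combination at
    the given rate; on average the attacker succeeds after half the keyspace.
    The guess rate is an assumption, so treat the result as an order of magnitude."""
    seconds = (alphabet_size ** length) / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)
```

With the default classes a 20 character password draws from 75 symbols, which is far beyond what exhaustive guessing can cover in a lifetime, while an 8 digit PIN falls in well under a second at the same rate.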

I recommend using one of two password managers, Password Safe and Keepass. I’m sure there are other good password managers out there, but I recommend these because I have looked through the source code and found that the developers didn’t make any obvious mistakes that would compromise their security. That doesn’t mean there aren’t any flaws or vulnerabilities, just that I couldn’t find anything. I won’t guarantee that these two tools can’t be broken, but I will say that they are probably safe. Here are some things I look for in a password manager, and why I consider them important:

What to look for, and why it is important:

  • Open Source: Publicly available source code makes it easier for security experts to vet. The bad guys have no qualms about stealing source code from companies to look for exploits. Having the source code gives the good guys a chance to find exploits and inform the developers and/or the public. Closed source managers can be safe too, they are just harder for security experts to vet.
  • Uses a NIST AES Finalist Algorithm: While there are other strong encryption algorithms, the five finalists competing for the US NIST AES standard are considered safe. They are AES (Rijndael), Twofish, Serpent, MARS, and RC6. Always do a quick web search to see if an algorithm is broken before using it.
  • Popular: Popular applications are more likely to get attention from security experts. If the password manager you are considering is reasonably popular and vetted by the security community, it is probably safe to use.
  • No Master Password Recovery: A recoverable master password means someone else can recover it too. I highly recommend avoiding products with the ability to recover your master password. As mentioned before, do not lose your master password!

Password Managers Aren’t Perfect

One thing password managers won’t protect you from is malware. If your computer gets infected, all bets are off. Malware that logs key presses can steal your master password along with your password file. This is not a reason to not use a password manager. Malware can log your password when you enter it in to the website or program as easily as it can steal your master password.

Password managers won’t protect you from bad password reset systems either. I have seen a case where a secret question was the year I graduated high school. It forced me to enter a four digit number greater than 1900. How hard do you think it would be to figure that one out, especially if you know anything about me? Good password reset systems will send you an email or text message to reset your password. Bad ones will just prompt you for a new password. I recommend seeing how a reset system works after you set your answers. Good systems will require opening an email, entering a code from a text message, or something similar. In these cases, you can probably use answers that are memorable. If not, I highly recommend using gibberish and storing it in your password manager.

If you are using a device that you do not control, such as a work or school computer, a password manager doesn’t guarantee a nefarious systems administrator can’t steal your credentials. They can login with an administrative account and install a key logger without you knowing it. In these situations, I wouldn’t login to anything personal.

Using a Password Manager

Password managers tend to be intuitive, so you shouldn’t have to spend much time learning how to use the one you choose. Use a very strong password or pass phrase that you won’t lose or forget. Keep the file backed up in multiple places, with a copy on removable media. Keep a copy in more than one physical location so something like a fire or natural disaster doesn’t destroy it. If you decide to use one of the cloud based ones, I would keep a backup on one of your devices if possible.

Password Management Services

Without access to the source code, I can’t say whether or not password management services, such as Last Pass, are safe to use. I would like to assume that the popular and reputable ones that make most of their money from users are probably fine for most people. A breach compromising customer passwords would probably cause them to lose a lot of business, so they have an incentive to run a tight ship.

Summary

I recommend using a password manager to keep track of your passwords. I have reviewed the source code of Password Safe and Keepass. Use a very strong password for your computer login or master password. Keep the password file backed up, ideally in more than one place. Don’t trust devices others can control. Last but not least, do everything you can to avoid malware.
