Passwords are awful, but…


Until something better comes along it seems we're stuck with them.  Here's how to cope with this necessary evil…


Getting a grip

If your digital life is anything like mine, you're drowning in passwords.

According to the experts, we're supposed to create passwords with long, random strings of characters, not words. 

For example, something like "x6yjG880k32#44m2i0A4", rather than something memorable like "Megan78".  

And we're not supposed to use the same password in more than one place.  
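As an added illustration of the "long, random string" advice (example code written for this post, not anything taken from KeePass or the reviews mentioned here): a generator that draws every character from the operating system's CSPRNG, plus a rough entropy estimate showing why "x6yjG880k32#44m2i0A4" is in a different league from "Megan78".

```python
import math
import secrets
import string

# Character classes a generated password draws from.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = string.punctuation  # 32 printable ASCII symbols, including "#"
ALL_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def generate_password(length: int = 20) -> str:
    """Return a password of `length` characters chosen with the OS CSPRNG.

    Each character is drawn uniformly from all four classes; the candidate is
    regenerated until every class appears at least once, so the password
    really uses the full pool size that entropy_bits() assumes.
    """
    if length < len(ALL_CLASSES):
        raise ValueError("length must be at least %d" % len(ALL_CLASSES))
    alphabet = "".join(ALL_CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in ALL_CLASSES):
            return candidate


def entropy_bits(password: str) -> float:
    """Estimate strength as log2(pool ** length), in bits.

    The pool is the combined size of the character classes the password
    touches. The figure is only meaningful for uniformly random passwords;
    for a human-chosen one such as "Megan78" (a name plus two digits) it is
    a generous upper bound, because an attacker tries names and short digit
    suffixes long before exhausting a 62-character pool.
    """
    pool = sum(len(cls) for cls in ALL_CLASSES if any(c in cls for c in password))
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, round(entropy_bits(pw), 1), "bits")
    for sample in ("x6yjG880k32#44m2i0A4", "Megan78"):
        print(sample, round(entropy_bits(sample), 1), "bits")
```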


That's fine, in theory.  But the practical result is a frightful mess; I mean, who can remember even one password like that, let alone dozens?  

The obvious solution is a password manager.  The problem is, which one?  It's not so obvious…


Summary: Use a product called KeePass, and manage your encrypted password file yourself.



What are my options?

The first stop for most people is to read reviews and feature comparisons. Here's a bunch of the more recent ones to get you started:

This can be very helpful, and you should definitely invest some time looking at your options.  

But be wary, because as they fall over themselves comparing every last little feature, most reviews obscure a simple yet critical question: where exactly are my passwords actually kept?


Online or device password storage?

The big decision you have to make is about the technology a password manager uses to store, sync and retrieve your passwords.

Password managers vary greatly in the features they offer, but they all have at least one thing in common: the passwords they manage are all stored in one or more encrypted data files, which you unlock using a master key.


Online solutions like LastPass, Dashlane or RoboForm offer a plethora of cool features, including the ability to access your passwords from any device.  But to do that they store or sync your passwords online.   
They're encrypted, of course, but you'd better hope they haven't snuck a copy of your master password, and that they use strong and verifiable open source encryption, not some home-brewed technology that can be hacked or otherwise opened if they're mandated to do so.

"Storing dozens, hundreds, or even thousands of passwords in a single place poses catastrophic risks should that resource be breached. Exploits become easier by convenience features that, for example, store encrypted password vaults in Internet-accessible locations or automatically paste passwords into websites".   (Source)

You also have to trust that they contain no hidden vulnerabilities. Although most companies are quick to fix problems once discovered, overall it turns out to be a bigger problem than it should be.


UPDATE June 2, 2017: Online Password Manager OneLogin has been hacked in such a way that customer data has been exposed and decrypted.  Really, again?

Assuming a proper cryptographic implementation, the only way the decryption could have happened is if the hackers also stole the keys. 

But why does OneLogin have keys in the first place?  We can't stress it enough: any system in which someone other than you has your decryption keys is a crisis waiting to happen.



Files containing all your passwords are just too attractive a target to trust to online services.  Don't do it.


A more secure alternative

We recommend using an open-source password manager called "KeePass".  It's fast, easy to use and widely respected [1].  It stores passwords in one or more encrypted files right on your device, eliminating the vulnerabilities of storing passwords online.  

And best of all, it's completely free.


It's not the most modern user interface design, but it's extremely secure and effective.  The only real disadvantage is, it's a bit more difficult to synchronize your passwords across devices. 

But that's easy to solve by getting a free file-sharing account like Dropbox (or similar) and adding an additional layer of encryption using a product like Boxcryptor, or simply by copying your password file using a USB memory stick.

"Keep your passwords close. Very close".

Versions are available for Windows, Linux and Mac OS X, with ports for Android, iPhone/iPad and other mobile devices.


Legal Aspects

There's something else too. It's important to examine the privacy, licensing and service agreements for the password managers you consider.

Look for a clear and explicit statement from each supplier that they do not possess the technical capacity to open your password file, no matter who asks or what hacks occur.

Unfortunately, what you'll discover is that after all the fuss they make about how fantastic their products are, most of them do not guarantee the safety of your passwords.

For example, here is what Siber, the makers of RoboForm, have to say on the topic:

"SIBER FURTHER DOES NOT WARRANT THAT PRIVATE INFORMATION THAT BELONGS TO YOU AND THAT YOU STORE IN ROBOFORM WILL NOT BE STOLEN OR OTHERWISE ACQUIRED BY THIRD PARTIES".  (Link)

They are not alone.  Here's what LogMeIn, the makers of LastPass, say:

"WHILE WE STRIVE TO PROTECT YOUR PERSONAL INFORMATION, WE CANNOT ENSURE THE SECURITY OF THE INFORMATION YOU TRANSMIT TO US, AND SO WE URGE YOU TO TAKE EVERY PRECAUTION TO PROTECT YOUR PERSONAL DATA WHEN YOU ARE ON THE INTERNET".  (Link)


With KeePass you don't have to worry about any of that because nothing is stored online in the first place.


And finally… Do NOT allow your browser to store passwords

Most browsers have a built-in convenience feature that offers to remember passwords for websites and other online services. 

When you return to a site and type the first few letters of your ID, the browser will fill in the rest of it, and fill in the password for you as well. 

That's extremely convenient, but it's also insecure, because most browsers do a poor job of protecting the passwords they store.  Keep all your credentials in your password manager, not in your browser.




[1] MetaLuminous is not affiliated with the makers of KeePass.


Published on 2017-04-22 by Alan, Data Integrity and Security