This article talks about how to securely handle your passwords, and why password managers may be a good solution. I introduce KeePass Password Safe as my program of choice and add some advice for syncing passwords to other devices.
I consider myself to be a heavy internet user and have a great number of registered accounts across the internet. Maybe even over 100. The more accounts you have, the higher the probability that you are going to lose your data to some attacker. And it is no fun.
Take a look at a website called Have I Been Pwned. You can search there for your email address or username across various data breaches. I found my data in at least 6 publicly announced data breaches. Some of them multiple years old, others quite recent. And there are probably more that I don't know about. The majority of them contained my email and password.
The more time you spend on the internet, the more valuable your data gets. You shouldn't say that it's not valuable, because potential breachers are able to use your account for many purposes—stealing your data is only one of them. They can exploit your account for other criminal activity. There is always a use for a legitimately registered account in somebody else's name.
Changing your password once a website is compromised is a bad solution. In some cases it can take years before a company says it has lost your data. And in the meantime, the attacker can try your email and password combination on different services, because they know that remembering multiple passwords is hard and people would rather use one repeatedly.
Using only one password is clearly bad. Somewhat better advice I heard is to keep at least 3 passwords: one for email, a second for banking and the last for everything else. Although this is still better than having one password, it's not a pretty solution. While email and online banking may be the most important online accounts you have, the others should not be put last. It's the other accounts that are targeted first.
They usually don't have state-of-the-art security. But they can still lead to valuable information about you. Once the attacker knows something about you, he can start social engineering. When the technology holds, the human fails.
You have to think about every account you have as a potential threat vector. And the only viable solution is to have them all secured. It all starts with a good password. I already said that reusing one password is bad. If the attacker has your email and password, he will try this combination on other websites. The only thing you can do is to have a different password for each website. But how can you remember all of them?
This is when password managers come onto the scene. These programs are meant to store every password you have. Don't panic yet. They store your passwords in encrypted form, so that nobody can read them without the master password. You can compare it with logging into your computer so you can open your files.
So you may ask: “How is having one master password better than having one password for everything?” The master password you choose has to be really strong. It will be the only password you have to remember, so it can be a little bit longer. A random mix of text and numbers won't cut it. Everything shorter than 9 characters is considered unsafe against a brute-force attack nowadays. (That is trying every combination of characters until one works; with every added character, the time required for this guesswork grows exponentially.)
Before I introduce you to your first password manager, you can think about your master password. I placed a good XKCD comic below to help you think. Nine random words are much better than nine random characters. Words are long, so that puts a brute-force attack out of the game. And there are a lot more words you can choose from, compared to letters and numbers. Plus it is simpler to remember and type (at least for me).
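To make the words-versus-characters comparison concrete, here is an added Python example (not from the original post) that computes the entropy of a 9-character random password against a 9-word passphrase, estimates brute-force time, and generates both kinds of secret with the `secrets` module. The 7776-word list size is an assumption taken from diceware-style lists; the short word list and the guess rate are constructed for the demo.

```python
import math
import secrets
import string

# Constructed stand-in for a real word list. A real diceware-style list has 7776
# words, so the entropy maths below takes the list size as a number instead of len().
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "river", "pencil",
                "window", "cactus", "orbit", "lantern", "velvet", "marble"]
DICEWARE_LIST_SIZE = 7776  # assumption: size of a standard diceware list
CHARSET = string.ascii_letters + string.digits  # 62 symbols: a "mix of text and numbers"


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def years_to_guess(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to brute-force a secret of `bits` entropy (half the keyspace on
    average). 1e10 guesses/s is a constructed figure standing in for offline cracking."""
    seconds = (2.0 ** bits / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def random_password(length: int, alphabet: str = CHARSET) -> str:
    """Per-site password of the kind a manager generates; secrets is a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(word_count: int, words=SAMPLE_WORDS, sep: str = " ") -> str:
    """Master passphrase from uniformly chosen words, so no human bias in the choice."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def compare(length: int = 9) -> dict:
    """Entropy and brute-force estimate: `length` characters vs `length` words."""
    char_bits = entropy_bits(len(CHARSET), length)
    word_bits = entropy_bits(DICEWARE_LIST_SIZE, length)
    return {
        "chars_bits": char_bits,
        "chars_years": years_to_guess(char_bits),
        "words_bits": word_bits,
        "words_years": years_to_guess(word_bits),
    }


if __name__ == "__main__":
    print(compare())
    print("site password:", random_password(30))
    print("master passphrase:", random_passphrase(9))
```

At the constructed guess rate, nine characters from 62 symbols fall in days, while nine words from a 7776-word list are far beyond any practical search.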
There are many password managers you can choose from, from commercial ones like 1Password and LastPass to the open-source KeePass. Without any doubt, commercial password managers are easier to use. The problem is that you can't really verify that they work the way they are meant to work. And—in my honest opinion—that's bad when it comes to your passwords, the most important thing you have. But it's ultimately your choice to make. If you prefer ease of use over top-notch security, that's fine. But I will be talking about the second group here.
The password manager of my choice is KeePass Password Safe. It is free and open-source. That means you can use it without paying and you can check the source code to make sure it behaves correctly. It should work on both Windows and Linux, and the database file where it stores your passwords (.kdbx) can be opened by other programs too. That comes in handy if you want to use it on your mobile as well.
I have KeePass configured to start at system boot and run in the background showing only a tray icon. This way I am always ready to get my password. When you open the program it will ask for your master password. I like it to ask for the password whenever I close it—even though it may be paranoia when I use a desktop computer at my home. I am sure you can change the settings so it asks for the password only once at startup.
After you unlock your password database, you can read or add your passwords. KeePass lets you generate random passwords with a scheme of your choice. This way you can generate a random 30-character long password for every website. You don't need to remember them. KeePass will do this for you.
If you need to log in to some service, just open the login screen and click into the first input box (usually username or email). Then open KeePass, click on the correct saved password and username (that you put there) and press Ctrl + V. KeePass will automatically switch to your browser and autofill both username and password. Or you can just copy the password and manually paste it into the login screen.
It's even easier on Android 8+ since it got a brand-new autofill function. KeePass2Android is my favorite password manager for Android that supports it. When logging into an app, just press on the input box and a popup asking for autofill will appear. If you click on it, it will open KeePass2Android and ask for the master password (it also supports a fingerprint reader, which might be a security threat for some). You simply click on the item in your database and the app will do the rest.
You probably want to have your database synced across devices. Commercial password managers have this easier since they're cloud-based services. With KeePass you unfortunately have to do this another way. It is still easy though. Just save your file into your preferred cloud (like OneDrive or Google Drive) and open it with KeePass2Android on mobile. If you make changes to your database on the desktop, the Android app will sync it. Don't forget to make offline backups though. Better safe than sorry.
Although you upload a database that contains your every password to some untrusted cloud service, you can probably rest easy. The database file is encrypted, therefore nobody can open it without the master password (that's why it has to be really strong). The encryption algorithm is based on a time-verified scheme that even governments use and should be safe. Compared to commercial password managers, you can also be sure that your passwords are really encrypted before syncing. That is why I prefer KeePass though it may be a bit complicated.
Password managers may seem complicated at first. Just like with everything else, it gets easier as time passes. Beyond storing passwords, I like it because I can keep a list of the services I registered with. You won't go wrong with them—they may save your day one time. ✌