Secure password management strategies

Strong passwords matter to anyone who has information the world shouldn’t be able to access.

Typical password approach

For most people, the only thing securing everything they have digital access to is a password.  A single password, or a few if they’re “advanced” users, or if an application they use has unusual ‘strength’ requirements.  That’s the crux of the security failure.  A single password is a single point of failure: one database ‘leak’ can compromise all of your accounts, since you typically use the same email (and generally the same password) for ALL your online accounts.  Once someone has that email/password combination, they can go to the major websites and try to log in as you…it’s a race to see whether you can change your password before they find the sites you use it on – and that’s IF you even know your password leaked.

If you’re creating your own passwords, you’re “doing it wrong”.

Also, because you have this one password and you use it frequently, you want it to be simple, easy to remember and easy to type.  This is the second failure of common password usage.  If it’s simple and easy to type, the chances are there isn’t much entropy, meaning an attacker can use a system to “brute force” the guessing of all possible passwords, and if yours isn’t complex enough it will probably be found.  The shorter and simpler the password, the more susceptible it is to this kind of ‘hacking’.  Even the government thinks complex passwords are good…we want to use good passwords, but we aren’t good at memorizing strong, secure passwords, so there HAS to be a MUCH better way…

For a more extensive explanation of why a password you know is bad, and why password managers are good, read anything by Troy Hunt.

Password Managers

Using any password manager is generally better than using nothing.  However, I encourage the use of KeePass, an open-source, FREE password manager.  I’ve used it for years and never had any problems.  It uses a ‘master password’ – which should be a LONG and complex pass-phrase like “Cubic bootleg $12 garden swagger” (created here).

[Screenshot: phrase-generator] My settings used to create the base phrase, which I then MODIFY to increase complexity

This pass-phrase will allow you (or anyone who has it) to access ALL your passwords.  You can define common “password profiles” that specify the length and the types of characters to use.  You can easily organize all your entries; it will auto-type the passwords for you once you’re on the login form; and you can set ‘expiration’ dates on passwords, which flag the entry to encourage you to update/change your password for that service.

The biggest “feature” and differentiator of KeePass is that it stores your passwords offline, in a local file.  Many consider this the compelling reason to use it, while others view it as a drawback.  If you have multiple computers, the key is to use a file-sync tool to keep the KeePass database file on all of them.
I typically use SpiderOak because I love their encrypted service and the flexibility/power they offer in syncing files from various locations around my computer.  Others prefer to use Dropbox for a less complex setup, but everything that ‘syncs’, including your KeePass file, has to be contained inside the “dropbox” folder, not just located somewhere on your machine.
GRC Haystack is my tool of choice when I have to manually pick passwords, or when I just want to see how secure the passwords being generated are.  It teaches you a lot about character sets and length, as they are the primary components of complexity.  However, it does not take into account dictionary-based password attacks, or any other actual ‘content’ within your password.  Since I no longer use passwords involving those components, I don’t consider that a drawback.  Use this tool when picking your master password or any password you simply must create on your own.  Make sure it’s all green across the top, and no red on the bottom!
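KeePass’s password profiles (a length plus the character types to draw from) and the character-set-times-length arithmetic Haystack teaches are two views of the same quantity: the size of the space an attacker has to search.  The following is an added example, not code from the original post, from KeePass or from GRC Haystack.  It generates passwords from a profile using the operating system’s CSPRNG, computes the entropy of the result, and shows the caveat raised above: a passphrase scored character by character looks far stronger than it is to an attacker who holds the word list.  The profile definitions, the symbol set, the guess rate and the tiny word list are constructed for the example.

```python
"""Added example (not from the original post, nor KeePass's or GRC Haystack's
own code): a "password profile" generator plus the search-space arithmetic the
post credits Haystack with teaching. Profiles, guess rates and the word list
below are constructed for illustration."""
import math
import secrets
import string
from dataclasses import dataclass

ASCII_PRINTABLE = 95  # printable ASCII incl. space: the usual "full keyboard" set

# Character classes a profile may require (the symbol set is an assumption).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}


@dataclass(frozen=True)
class Profile:
    """Length plus the character classes that must each appear at least once."""
    length: int
    classes: tuple  # e.g. ("lower", "upper", "digit", "symbol")

    def alphabet(self) -> str:
        return "".join(CLASSES[name] for name in self.classes)


def generate_password(profile: Profile) -> str:
    """Draw uniformly from the profile's alphabet with the OS CSPRNG (secrets),
    retrying until every required class is present. Rejection sampling keeps the
    accepted passwords uniformly distributed over the accepted set; forcing one
    character of each class into fixed positions would leak structure instead."""
    if profile.length < len(profile.classes):
        raise ValueError("length must be at least the number of required classes")
    alphabet = profile.alphabet()
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(profile.length))
        if all(any(ch in CLASSES[name] for ch in candidate) for name in profile.classes):
            return candidate


def generate_passphrase(wordlist, n_words: int) -> str:
    """Master-password style passphrase: n independent uniform picks from a word list."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(symbol_count: int, length: int) -> float:
    """Bits of entropy in `length` symbols each chosen uniformly from `symbol_count`
    possibilities, i.e. log2(symbol_count ** length). For a profile with required
    classes the true figure is marginally lower, since rejected strings are excluded."""
    return length * math.log2(symbol_count)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case for an attacker who must try the whole space at the given rate."""
    return (2.0 ** bits) / guesses_per_second / (365 * 24 * 3600)


def passphrase_entropy(phrase: str, wordlist_size: int) -> dict:
    """Character-level estimate (what a Haystack-style calculator reports) versus the
    word-level estimate an attacker who knows the word list actually faces."""
    n_words = len(phrase.split())
    return {
        "character_level": entropy_bits(ASCII_PRINTABLE, len(phrase)),
        "word_level": entropy_bits(wordlist_size, n_words),
    }


if __name__ == "__main__":
    profile = Profile(length=16, classes=("lower", "upper", "digit", "symbol"))
    pw = generate_password(profile)
    bits = entropy_bits(len(profile.alphabet()), profile.length)
    rate = 1e10  # assumed offline guessing rate, guesses per second
    print(f"{pw}  ~{bits:.1f} bits, {years_to_exhaust(bits, rate):.3g} years to exhaust")

    # Constructed word list: far too small for real use, which is exactly the point.
    words = ["cubic", "bootleg", "garden", "swagger", "harbor", "velvet", "pixel", "maple"]
    phrase = generate_passphrase(words, 4)
    print(phrase, passphrase_entropy(phrase, len(words)))
```

With the four-class profile above the alphabet has 90 symbols, so a 16-character password carries about 104 bits; the same arithmetic applied to a passphrase reports 180-odd bits, while an attacker holding an 8-word list faces only 4 × log2(8) = 12 bits.  Real passphrase generators draw from lists of thousands of words precisely to make the word-level figure large.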

Extra security?! Use two-factor authentication

Adding another layer of security to a login never hurts, and two-factor authentication is the best way to secure yourself against a password getting stolen.  Two-factor authentication requires something you know (your password – which of course YOU don’t know, but the password manager does…) and something you have – typically the time-sensitive code your phone generates.  It may also take the form of a phone call, a text message, or an email link.  Either way, applying this concept wherever possible significantly limits the consequences of a lost/stolen/hacked password, since the ‘thief’ will almost never also have access to the second factor.  I always enable two-factor authentication on any service that allows it.  I use Google Authenticator whenever possible.

*This article obviously isn’t meant to be a review of any of the services mentioned within; it’s just how NIS recommends doing password management.  There are many, many articles all over the internet that compare password managers, syncing services, etc.*