Password Managers

Monday , 16, September 2019

How often should you change your password? Should you use a password manager? Should you store passwords in your browser? There are many common questions about passwords and password managers, so let’s take a look at a few of them.

How to choose a password manager? Do you really need one? 22% of 12,500 people surveyed, from 21 countries, said they wrote their passwords down in a notepad, 11% said they wrote it on a sticky note or piece of paper, and 11% said they stored it in a file on dropbox or similar. None of these behaviors is secure in the way that using a password manager is, so go ahead and make the switch.

One important feature to look for is storing the password database locally instead of in the cloud. If you can store the encrypted database on a USB drive then it is portable and easily backed up. Of course a high security posture is to avoid using credentials on multiple devices; i.e. always access online banking from one specific device only. However, most people will share credentials between devices, hence the appeal of cloud storage. If this is important to you, the best strategy is to persist the encrypted database to a cloud service you control such as an instance of syncthing or nextcloud.

Try not to use browser based password storage, by doing so you’re adding additional attack surface. Instead of being accessed only by a dedicated password manager they’re accessible by a huge general purpose, scriptable program (browser) that is orders of magnitude more complex and continually being updated. The security zealots among us will not use browser plugins to provide password database access to the browser either for the same reason – it requires extending trust to the javascript code that the plugin is comprised of as well as the browser process itself.

Another feature that is important to many people is cross-platform compatibility. If you can use your password manager on many platforms and on different devices, then it is just more convenient. Extreme caution should be used when downloading and accessing the contents of a password database on an unknown or new device, but for some people who travel or in certain business contexts this might be neccessary. If this is the case for you, or if you use multiple platforms to access credentials then consider the cross-platform applications.

Choosing an open source password manager is critically important as well because it will get reviewed by security experts, since these programs are so important. Security issues in software that encrypts data are usually not flaws in the underlying cryptographic primitives, but errors in coding, so use code that’s been scrutinized. How can you trust all your valuable passwords to all your accounts to code that nobody can inspect?

This password database is a central point of failure; if it is compromised then all your passwords are in jeopardy. The database is almost certainly encrypted, but keeping a backup copy is crucial. It’s also important to keep up to data backups beause database get corrupted sometimes.

Most modern encryption algorithms like AES 256 are strong and will protect your passwords from attack for some time to come. However, data at rest is significantly more vulnerable, so if an adversary has a copy of your password database they can attempt to compromise it offline for as long as needed. For this reason, we only recommend using a password manager that stores the database locally – on your device.

Needless to say this strategy depends on you keeping a backup copy in case of device failure. Make a couple backup copies and keep one at a remote location, or hide the database inside another file (see steganography chapter) and store online, or make a physical backup and store it in a bank safety deposit box. Make the effort, so you’ll never discover how disruptive losing your passwords can be.

Be sure to take advantage of the strengths of password managers if you use one. Foremost among these strengths is the ability to use long passwords; whether you use a traditional style mix of alphanumerics and other characters, or a sequence of words you should feel free to use very long passwords if the website allows them. Set your password manager to use long passwords by default, and shorten them if required.

Another great way to take advantage of using a password manager is to use it to generate usernames and security questions/answers. Asking a user what their mother’s maiden name is, or what the name of their first pet was does not provide strong security. The name of your first school might as well be a 90-character string for authentication purposes. Usernames are a great choice for long strings as well – people often overlook the fact that 1/2 of your credentials in a username/password system is that username!

One note of caution – always let the software generate passwords for you instead of simply storing yours in the database. People do not generate strong passwords and have some bad habits as we discussed in the previous post about password basics. It’s not related to intelligence or security awareness, so don’t take this as an insult but just let the program do what it’s good at.