Tuesday, March 3, 2015

How to never forget a password


Passwords are a thing of the past, or at least they should be. But as long as they are not, we have to deal with them. With many of them. You will agree that this is far from being an easy task. By now, we all know that using the same password across different web sites is a very bad idea.

But we can’t possibly remember a completely different password for every website or account? Yes, we can. Use a password manager! But choose wisely.

Password Managers — good or evil?

A password manager is a program which stores all of your passwords for different accounts in one place. Whenever a web site asks you to log in, you can consult the password manager to look up the right password. It is like a sophisticated version of those yellow sticky notes that some people have next to their screens with all their passwords written down.

You might think “great, so if someone gets access to my password manager, they are able to hijack all of my accounts at once!” That, in fact, is a legitimate concern — and the very reason why you need some caution when selecting a password manager software. Just using a spreadsheet to store your passwords might not be the smartest idea.

There are three basic qualities you should consider when choosing a password storage strategy: Encryption, trust, and location.

TL;DR: Use KeePass, Mitro, or PasswordSafe.


1. Encryption

You can be as careful as you want; there always remains a risk that someone gets access to your computer and password file, be it a virus, a rogue coworker, or a foreign or domestic government agency.

You want to use a password manager which offers strong encryption using an algorithm which underwent enough research and study to be trusted. Examples of such algorithms are AES and Twofish.

The master password you choose to protect the file with all your other passwords should be very strong (minimum length 16, some numbers and special characters, for example peopleTHINKit5isreallyHARDto2re$emberaPASSWORD).
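To make these criteria concrete, here is a small added example (not code from the original post) that checks a candidate master password against the rule above and estimates the search space a brute-force attacker faces; the character-class pool sizes and the weak comparison password are assumptions of this example.

```python
import math
import string

# Policy stated in the post: at least 16 characters, with some digits and
# special characters. The pool sizes below are an assumption of this example.
MIN_LENGTH = 16
CHAR_CLASSES = {
    "lowercase": (string.ascii_lowercase, 26),
    "uppercase": (string.ascii_uppercase, 26),
    "digits": (string.digits, 10),
    "special": (string.punctuation, len(string.punctuation)),  # 32 chars
}


def classes_present(password: str) -> set:
    """Return the names of the character classes that occur in the password."""
    return {name for name, (chars, _) in CHAR_CLASSES.items()
            if any(c in chars for c in password)}


def brute_force_bits(password: str) -> float:
    """Upper-bound entropy: length * log2(pool size of the classes used).

    This is what a naive brute-force attacker faces. A password built from
    dictionary words (like the post's example) is weaker against a
    word-based guesser, so treat this number as a ceiling, not a guarantee.
    """
    present = classes_present(password)
    if not present:
        return 0.0
    pool = sum(CHAR_CLASSES[name][1] for name in present)
    return len(password) * math.log2(pool)


def meets_policy(password: str) -> bool:
    """Check the post's minimum: >= 16 chars, at least one digit, one special."""
    present = classes_present(password)
    return (len(password) >= MIN_LENGTH
            and "digits" in present
            and "special" in present)


if __name__ == "__main__":
    # The post's own example password, and a constructed weak one for contrast.
    for pw in ("peopleTHINKit5isreallyHARDto2re$emberaPASSWORD", "Summer2015!"):
        print(f"{pw!r}: length={len(pw)} classes={sorted(classes_present(pw))} "
              f"policy_ok={meets_policy(pw)} "
              f"brute_force_bits={brute_force_bits(pw):.1f}")
```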


2. Trust

Good encryption is useless if the software you are using has an intentional or unintentional backdoor or vulnerability allowing attackers to bypass it. (You all watched Citizenfour…?)

One option is to pick a company that you trust to be competent, and careful enough to not give your data away. Apple, for example, offers a password manager that you could use.

I prefer using a product from developers who show that they have nothing to hide by publishing the source code of their software, making it much harder to hide or overlook weaknesses. Working off this list, that leaves three candidates: KeePass, Mitro, and PasswordSafe.


3. Location

It is convenient to have your passwords synchronized to the cloud. You will be able to restore them after your local hard disk crashes, you can access or update them from different devices, etc. But it also adds the risk of them getting into the wrong hands.

The safest way is storing your passwords locally. If you do want the extra convenience of having them in the cloud, choose a password manager which uses a technology that never transmits your unencrypted passwords to the cloud. (Hint: If a service lets you log in to their website and see your passwords there, they do have access to your unencrypted passwords.)

The simplest option to do so: save the encrypted password database (e.g. the .kdbx file from KeePass) on a shared drive (Box, Dropbox, …). Even if that file gets into the wrong hands, it will be useless because you encrypted it using good encryption with a really strong password.

There are other solutions out there, some more trustworthy than others. Mitro, for example, seems to use a really neat approach based on public key cryptography to ensure they can’t read your passwords even if they wanted to.


What should I use?

Choose software that you like and that is easy to use, but also one that you feel comfortable using after measuring it against the three criteria above.

I personally think KeePass is one of the very few solid choices.


Pro-tip: 2-factor authentication

P.S.: Don’t rely on your password alone. All services that are serious about safety offer 2-factor authentication. Switch it on! (Let me know if you’re interested in a separate article on this.)


At rogr.io, we help companies manage their data securely. Use your time analyzing your business, not tracking spreadsheets that you mailed out and nobody answers, and worrying about the security of your valuable data. Start using rogr.io today for free, or follow our blog.

Created by rogr.io