I’m writing this mostly as a means to relay, to those interested, my recommended way of managing passwords across computers using a password manager. I tell many about my methods but writing this gives me something to point you to and say “Hey read what I wrote it’s all laid out for you.” If you’re a power user then this is for you. So here we go.
Oh wait before I forget. I feel obligated to first issue a little disclaimer: I am not affiliated with any of the companies whose tools I am using. I am (unfortunately) not getting paid to write this. It is also worth noting that there will always be implementation layer flaws so I am not claiming that this is in any way perfectly secure or anything.
Let’s start from the ground up and talk about passwords in general. You’re probably using the same password across multiple services. Using actual words in your passwords, are we? You’re likely adding the same numbers at the end of your passwords like a year or date, and maybe adding a symbol or two in an attempt to be clever. You may be using pass phrases instead of a password in an attempt to make your password longer. Sorry Not Sorry but these common password practices are generally considered insecure and could leave you exposed to risk. Researchers have been continually reviewing leaked passwords and extracting trends from this leaked data. Malicious actors leverage these trends, and as such, the more of these common yet bad practices you utilize the easier it is for you to have an online account hijacked with relative ease.
The method I use to protect my online identities may seem a little convoluted at first. But it’s not as complicated as it seems. Initially setting yourself up can be time consuming as you’ll be going through all of your accounts but once you clear this stage you’ll be sitting pretty and more secure than you were before.
Let’s talk about a security measure that you should first employ before you begin touching your passwords.
2 Factor Authentication (2FA)
2 Factor Authentication (or multi factor authentication, MFA) is a simple way to protect your accounts. 2FA adds a second layer of security by requiring you to enter a one time generated passcode at the time you are accessing your account. This passcode is commonly sent to you as a text message but apps exist which, when configured, can also generate these codes for you. Even with your password an attacker cannot access your account without this passcode. I recommend you use 2 factor authentication on all services that support it. For more details on 2FA in general check out this in depth NIST article about it: Back to basics: Multi-factor authentication (MFA). Exact methods for enabling 2FA will vary across your accounts, so look at the documentation provided for the specific account you are turning 2FA on for.
Alright so this section’s heading has the word “math” in it. But don’t get scared. We’re not doing any calculus just yet. We should, however, touch on compute power and how it relates to some statistics. There are many scenarios where “hackers” will employ software to crack your password. Some software is as simple as brute forcing the login page of a website. Others involve breaking into a server’s database, stealing email addresses and password hashes, and running some code to iterate through passwords until they get a password match. With computational power doing nothing but getting better and faster the time it takes to perform these tasks decreases. This is especially worrisome for those using pass phrases. Attacks use a list of dictionary words against a hash or login until success is met. Adding numbers or symbols, or even the substitution of them, is easily programmed into password cracking software. What’s the best way to reduce hacker’s efficiency? Well, a mathematically sound password is one constructed of totally random characters of the largest size allowed. For software to iterate through all combinations of random letters, numbers, and symbols the process becomes more timely the longer password you use. As you add characters to a password the cracking difficulty increases exponentially.
Let’s look at an example. Let’s say we are using all 95 printable (not control characters, you comp sci nerd you) ascii characters. This includes all letters, both upper and lower case, numbers, and symbols. Let’s say your password is one character long. This means we are looking at 95 different possible one character passwords. Right? Right. So let’s add a second character. Does this mean we have 95×2 possible characters now? Nope. It means we have 95×95 possible combinations: 9025. Adding a third character cubes 95 (95x95x95) bringing the total of 3 character passwords up to 857375 possibilities. This gets large quickly, which is good. This is what we want. We want completely random passwords with as many characters as allowed. 12, 16, 32, 64 characters. Amazon allows for up to 128 character passwords. I’ll let you calculate what 95^128 is. It’s a fucking big number.
I’m Not Memorizing That
Alright so now we know a few things. We know that large and random passwords are the safest, but we also know that memorizing these things are virtually impossible. No doubt. Writing these down is counter productive. I’m not going into how that post it on your computer with your password written on it is bad for your health. So what do you do? Alas! Tools exist that facilitate the storage of crazy passwords. Enter the password manager. A password manager is an application that runs on your computer that stores an encrypted vault of some sort. Within this vault are your usernames, login emails, passwords, notes you may have made, credit card info, whatever you wish to store. Most allow you to throw whatever sensitive info you may wish into them.
The really neat thing about password managers is their web browser extensions. They will open the webpage of the site you wish to log into, paste the username and password into their respective fields, then log you into the site. This makes using crazy long and random passwords easy. Pretty sweet.
My Password Manager of Choice
I condone the use of 1Password by AgileBits. I appreciate their sales model (I pay for a yearly family subscription) as well as the fact that their vault is pretty secure. I don’t mind paying for software that is under continuing development. Elcomsoft did a review on password managers and although they initially stated 1Password was of average strength further review indicated it was the strongest. You can read their follow up here: Attacking the 1Password Master Password Follow-Up.
The 1Password family sharing bit is pretty useful although I am personally a little sketched out by it. Your password vault is stored on their servers in this scenario. I don’t utilize this and have my vault setup locally on each of my computers. This vault syncs across devices using a 2FA protected DropBox account. 1Password can store the vault for you on their servers but this makes me a bit uneasy. The benefit of them storing your vault for you is that multiple users can share vaults (sharing what to whom is at your discretion) allowing access to the same passwords from any designated account. You also get some admin functionality like being able to recover and unlock fellow 1Password accounts. It’s not that I don’t trust them, it’s that they are and will always be a juicy attack surface.
Syncing Across Devices
I mentioned above that I store my 1Password vault locally in DropBox. I can access Dropbox from whichever devices I choose, and thus, my vault is accessible across my computers, both Windows and Mac. I have 1Password and Dropbox on my iOS devices as well. 2 factor authentication adds a layer of security to my DropBox account. I encrypt my vault twice, technically. Once by 1Password then again by Dropbox. The NSA could probably get my vault files but who’s stopping that anyway? And even then they still have to crack my vault.
If you do not wish to go this far you can still sync across devices using a 1Password hosted vault. Once signed into 1Password your online vaults will be made available to you.
Secure Password Generator?
We know that simply using a super long and random password is secure but where can you generate these random passwords safely? I use Steve Gibson’s Perfect Passwords page to generate random passwords securely. Steve was clever when creating this page. The page is delivered over a secure connection so no one can snoop. In addition the web page’s expire tag is set to a date in 1999. The passwords page, which was generated for you and only you, is ignored by search engines and is not cached by things like the Wayback machine. Steve’s generator also doesn’t generate the same password twice. Math is cool. Pretty nifty. Bookmark it.
I’m just a normal sysadmin type guy who likes cybersecurity a lot.