Password Management

I’m writing this mostly as a means to relay, to those interested, my recommended way of managing passwords across computers using a password manager. I tell many people about my methods, but writing this gives me a way to articulate all the moving parts in an easily digestible and easy to reference format. I touch on a few topics here. What makes up a solid password? Can we ever be truly safe from password attacks? What is 2 Factor Authentication? What is a password manager and how do I use it? Where can I go to get truly safe random passwords?

Oh wait, before I forget. I feel obligated to first issue a little disclaimer: I am not affiliated with any of the companies whose tools I am using. I am not getting paid to write this. It is also worth noting that there will always be implementation layer flaws, so in no way am I claiming that anyone will ever be 100% safe by using these methods.

Basics

Let’s start from the ground up and talk about passwords in general. Let’s talk about your passwords. You’re probably using the same password across multiple services and websites (oh my, please do not do this). Or you’re using a word that is familiar and memorable. Or you’re adding the same numbers at the end of your passwords, like a commemorative year or date, or maybe adding a symbol or two in an attempt to be clever. You may be using pass phrases instead of a password in an attempt to make your password longer (hey, kudos for trying). But these common password practices are generally considered insecure to varying degrees and could leave you exposed to risk. Researchers have been continually reviewing billions of leaked passwords and extracting trends from this leaked data. Malicious actors leverage the same trends to prioritize their guesses, which makes breaking into accounts mathematically easier. The battle between those attempting to gain access to accounts and those securing them will rage on forever.

So what can we do? Is there a 100% safe solution? Well, no, not in mathematical terms. You can always guess an account password given enough time. But realistically, yes, because we’ve been able to make that period of time insanely long. Long enough that it is infeasible for anyone, both because of the time required (the earth will be gone) and the cost (it costs more to crack the password than you gain from it).

The method I use to protect my online identities may seem a little convoluted at first. But it’s not as complicated as it seems. Initially setting yourself up can be time consuming as you’ll be going through all of your accounts but once you clear this stage you’ll be sitting pretty and more secure than ever.

But first, I want to talk about a security measure you should employ before you begin touching your passwords.

2 Factor Authentication (2FA)

2 Factor Authentication (or multi factor authentication, MFA) is a simple way to protect your accounts. 2FA adds a second layer of security by requiring you to enter a one time generated passcode at the time you are accessing your account. This passcode is commonly sent to you as a text message or email, but other ways to get that passcode are also available. These include using a smartphone app or your password manager. Even with your password, an attacker cannot access your account without this passcode. I recommend you use 2 factor authentication on all services that support it. For more details on 2FA in general, check out this in depth NIST article about it: Back to basics: Multi-factor authentication (MFA). Exact methods for enabling 2FA will vary across your accounts, so look at the documentation provided for the specific account you are turning 2FA on for.

Password Math

Alright, so this section’s heading has the word “math” in it. But don’t get scared! We’re not doing any calculus or playing with finite fields. We should, however, touch on compute power and how it relates to some statistics. There are many scenarios where “hackers” will employ software to crack your password. Some software is as simple as brute forcing the login page of a website. Others involve running code that iterates through candidate passwords against stolen password hashes until a hash matches. With computational power doing nothing but getting more efficient and faster, the time it takes to perform these tasks keeps decreasing. This is especially worrisome for those using pass phrases. Attackers use a list of what are called dictionary words against a hash or login until success is met. Adding numbers or symbols, or even substituting them for letters, is easily programmed into password cracking software. If this is the case, then we’ll want to reduce an attacker’s efficiency to a point where their attempts will be futile. To do that we’ll need a mathematically sound password. A password of this sort is constructed of random characters and is as long as the service allows. For software to iterate through all combinations of random letters, numbers, and symbols, the process becomes more costly, and thus slower, the longer the password you use. As you add characters to a password the cracking difficulty increases exponentially.

Let’s look at an example. Let’s say we are using all 95 printable (not control characters, you comp science nerd, you) ASCII (pronounced ask-key) characters. This includes all letters, both upper and lower case, numbers, and symbols. Let’s say your password is one character long. This means we are looking at 95 different possible passwords. Right? Right. So let’s add a second character. Does this mean we have 95×2 possible passwords now? Nope. It means we have 95×95 possible combinations: 9025. Adding a third character cubes 95 (95×95×95), bringing the total number of passwords of length 3 up to 857375 possibilities. This gets large quickly, which is good. This is what we want. We want completely random passwords with as many characters as allowed. 12, 16, 32, 64 characters? Bring it. Amazon allows for up to 128 character passwords. I’ll let you calculate what 95^128 is!
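To carry the 95^n arithmetic above through to the point that matters, here is an added example (not from the original post) that compares the search space of truly random passwords with the search space an attacker actually faces for the “dictionary word + year + symbol” habit. The guess rate of 10^10 per second, the 100,000-word list and the 33 symbols are assumptions for illustration.

```python
import math

PRINTABLE_ASCII = 95  # the post's alphabet: upper, lower, digits and symbols


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols from an alphabet of
    `alphabet_size` symbols: 95**1, 95**2, 95**3, ... as worked out above."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same keyspace expressed in bits, so that 95**128 stays readable."""
    return length * math.log2(alphabet_size)


def pattern_keyspace(dictionary_words: int, suffix_patterns: int, symbols: int) -> int:
    """Search space for the 'dictionary word + commemorative year + symbol'
    habit: a cracker tries each word with each suffix and each symbol, not
    every printable string of that length."""
    return dictionary_words * suffix_patterns * symbols


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time in years to try every candidate at a given guess rate."""
    return space / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate against a fast, unsalted hash
    # The "clever" 13-character habit: word (100k-word list) + 4-digit year + one symbol.
    habit = pattern_keyspace(100_000, 10_000, 33)
    # Truly random passwords of a few lengths from the 95-symbol alphabet.
    for n in (6, 8, 12, 16, 128):
        print(f"random {n:>3} chars: 2^{entropy_bits(PRINTABLE_ASCII, n):6.1f}  "
              f"{years_to_exhaust(keyspace(PRINTABLE_ASCII, n), rate):.3g} years")
    print(f"word+year+symbol (13 chars): 2^{math.log2(habit):.1f}  "
          f"{years_to_exhaust(habit, rate):.3g} years")
```

The 13-character habit comes out weaker than 6 truly random characters, which is the whole argument for a generator plus a password manager.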

I’m Not Memorizing That

Alright, so now we know a few things. We know that long and random passwords are the safest, but we also know that memorizing these things is virtually impossible. No doubt. Also note that writing them down is counterproductive. I’m not going into why that post-it note on your computer with your password written on it violates corporate policy. It is also unreasonable to write down and then type in a 60 character password every time you need it. So what do you do? Alas! Tools exist that facilitate the storage of crazy passwords. They also allow you to easily copy them to your clipboard for easy copy/pasting. What is this sorcery? Enter the password manager. A password manager is an application that runs on your computer and stores an encrypted vault of some sort. By default this vault is stored on the vendor’s servers, and your password manager accesses it when needed. Within this vault are your usernames, login emails, passwords, notes you may wish to secure, credit card info, whatever you wish to store. Most allow you to throw in whatever sensitive info you may wish.

The really neat thing about password managers is their web browser extensions. They will open the webpage of the site you wish to log into, fill the username and password into their respective fields, then log you into the site, all automatically. This makes using crazy long and random passwords easy. Pretty sweet.

My Password Manager of Choice

I condone the use of 1Password by AgileBits. I appreciate their sales model (I pay for a yearly family subscription) as well as the fact that their vault is pretty secure. I don’t mind paying for software that is under continuing development. Elcomsoft did a review on password managers and although they initially stated 1Password was of average strength further review indicated it was the strongest. You can read their follow up here: Attacking the 1Password Master Password Follow-Up.

1Password is very, very useful, although I am personally a little sketched out by one aspect of it. Your password vault by default is stored on their servers. With this comes its own risk, as their servers are an attack surface. I don’t utilize this and have my vault set up locally on each of my computers and smartphone. This vault syncs across devices using a 2FA protected Dropbox account. 1Password can store the vault for you on their servers, but this makes me a bit uneasy. The benefit of them storing your vault for you is that multiple users can share vaults (sharing what to whom is at your discretion), allowing access to the same passwords from any designated account. You also get some admin functionality like being able to recover and unlock fellow 1Password accounts. It’s not that I don’t trust them, it’s that they are and will always be a juicy attack surface. Is it fine? Yeah, probably, but I enjoy that control.

With that said, you are perfectly fine not setting things up using Dropbox. Using the default vault after you install 1Password is safe enough for anyone.

I mentioned above that I store my 1Password vault locally in Dropbox. I can access Dropbox from whichever devices I choose, and thus my vault is accessible across my computers, both Windows and Mac. I have 1Password and Dropbox on my iOS devices as well. 2 factor authentication adds a layer of security to my Dropbox account as well.

1Password Sync Settings

Again, if you do not wish to go this far, you can still sync across devices using a 1Password hosted vault. Once signed into 1Password, your online vaults will be made available to you.

1Password - Vault Settings

In the above screenshot of 1Password’s “Vaults” preferences you can see how the upper, indented section shows my shared vaults (hosted online). “Personal” refers to my online vault that only I can see. The 2 “Shared” vaults are ones that others in my account can also access. My “Primary” vault is the one synced using Dropbox.

Secure Password Generator?

We know that simply using a super long and random password is secure, but where can you generate these random passwords safely? I use Steve Gibson’s Perfect Passwords page to generate random passwords securely. Steve was clever when creating this page. The page is delivered over a secure connection so no one can snoop on it. In addition, the web page’s expires tag is set to a date in 1999. The passwords page, which was generated for you and only you, is ignored by search engines and is not cached by things like the Wayback Machine. Steve’s generator also doesn’t generate the same password twice. Math is cool. Pretty nifty. Bookmark it. Use it.

GRC Perfect Passwords

Password Manager Migration Quick Checklist

Ok, so now that you have your password manager installed we can go ahead and get your accounts set up one by one. The order of events for, say, your social media account should look something like this:

  1. Sign into your social media account.
  2. Navigate to your account settings and find the change password screen.
  3. Generate a new secure password using the tool of your choice (GRC!).
  4. Verify the length limit for your new password. Most sites are nice and tell you but you may need to enter one to generate an error telling you about the length limit.
  5. If you need to shorten the password paste it into Word or Notepad and do so, then copy it again before pasting.
  6. When you change your password your password manager may ask you if you wish to save the password. We’ll decline just this time.
  7. Once the password is changed, log out.
  8. Log back into your account using your new password.
  9. Your password manager will ask you if you wish to save your password. Do so and your password will be stored.
  10. If your account supports 2FA:
    • Browse to your account settings to the 2FA section
    • Enable 2FA and change any setting that says SMS/Text to authenticator app.
    • When the QR code appears use your password manager to save it if supported (you’ll have to read up on your manager’s documentation)
    • Alternatively you can use an authenticator app on your phone to scan the QR code.
    • Follow the instructions to finish setting up 2FA.
  11. Repeat for all accounts.