Passwords, identities and data breaches


  • VulnDetect Team Member

    Hi,

    With this post, I’d like to encourage everybody to share and discuss their views on subjects related to IT-security and privacy.

    One thing that I personally have spent a lot of time refining over the past years, is my handling of the ever increasing number of services and apps that I rely on, and the credentials used to authenticate with these.

    I don’t believe that I have the perfect solution, if such a thing ever will exist. However, I’ve aimed for a reasonable compromise between usability and security. Too often, the two don’t go well hand-in-hand, but I am growing increasingly pleased with my own little semi-homegrown solution.

    But before we go on to that, I want to ask you, if you ever checked whether your credentials were exposed somewhere online?

    One good site to check this is (feel free to suggest others):
    https://haveibeenpwned.com/

    The intentions behind the site seems legit and genuine, the guy behind it is Troy Hunt.

    One of my email addresses is currently listed as breached from 3 well known sites.

    Fortunately, I’ve never used any of these three services for anything I deem sensitive, nor did I reuse my credentials, so I am pretty sure that the risk of this having any further impact on me, is very limited.

    One easy way to avoid reusing credentials is to let your browser remember usernames and passwords for the sites you visit.

    Personally, I HATE that concept.

    Why do I hate this?

    Well, I like technology, and I like to be free. If I use one browser to store my credentials, then I am stuck, at least with the browser, perhaps even with both the Operating System and the browser.

    Yes, I do know that most browsers are so nice and offer to share your settings (and credentials) between devices, and today you can even get Edge for Android, Firefox and Chrome (Chromium) is on all platforms I use, so is Opera. Yet, I would risk being stuck with one browser or having to import / export between them. No fun.

    Also, what is the most exposed piece of software on your rig or device? The browser! So not a particularly good place to store all your sensitive passwords IMHO.

    So, what’s the solution then?

    Well, I don’t know what will work for you. But I chose, years ago, to go with a simple old school password manager.

    The one I chose, stores all usernames, URL’s, passwords, comments, and even files, encrypted. It’s Keepass 2 or KeePassXC, depending on the platform I use.

    There is a bunch of plugins and stuff you can use, to make it run on other platforms or integrate with your favorite browser(s). Personally, I use the plain vanilla editions of the two, with no additional tools.

    Because of the encryption, utilized by KeePass, I feel fairly safe, even though I actually share my password database between all my platforms via a (public) cloud drive service.

    I will not go into which cloud drive service is better for this purpose, and you may have to play around to find the one that suits your needs best, as not all cloud drives behave equally well, on all devices.

    One thing you need to ensure, is that the cloud drive is fast at recognizing changes to the password database and sync it with the cloud.

    I’d like to stress one little annoying thing, when it comes to syncing between devices, sometimes you may find that updating on one device overwrites the changes made by another device, if you didn’t load the latest version, before adding a new set of credentials.

    I “solved” this, in a reasonably neat way, using a feature in KeePass 2, called “Synchronize” -> “Synchronize with File”. This allows merging / synchronizing two password databases (that share the same password / keyfile).

    To support this, I have the following structure of files:
    • MyMasterPasswordDatabase.kdbx
    • LaptopPasswordDatabase.kdbx
    • HomeRIGPasswordDatabase.kdbx
    • TabletPasswordDatabase.kdbx

    In other words, I have one database file for each device. This ensures that I never accidentally overwrite changes made on another system. The only thing you need to remember, is to close the password database, when you stop using a device, but that ought to be part of your best practices anyway, no need to let all those passwords float unencrypted in memory, when it isn’t needed.

    Occasionally, I will open the “master” file and sync it with all the other files. Practically, this ends up being something I do once or twice a week.

    Note, you need to sync all of them twice. This way all changes from each file is stored in the master and in turn the changes made in the master is stored in the other files. This operation only takes a few seconds.

    At this point I manage a total of more than 500 sets of credentials. I reckon that around 80-100 are used more or less frequently, the remainder may be purely historical and could probably be deleted, however, given the structure and search features of KeePass, I don’t really feel a need to tidy the contents of my database. And sometimes you happen to revisit a service that you haven’t used for years and then it is a great feeling to still have the credentials.

    For most people, this may seem tedious and troublesome at first, but I find this much better, and more convenient, than having a few fixed credentials that I use everywhere or keeping a spreadsheet or other insecure document with credentials.

    Currently, I remember about 10 sets of credentials, this includes PIN codes, phone screen lock, system passwords, KeePass password, and a few more. These are never stored in my KeePass, because I use them so frequently (that I easily remember them) and I need them to access the systems where I store my KeePass file(s). But the remaining, around 500, they are safely and conveniently stored in my KeePass.

    Once you get going with your password manager, then remember to play with the short cuts, you will find that getting the credentials using autotype and similar features is very convenient.

    A few extra tips for added security

    The default setup is probably good enough for most, and “perfectly” safe, as long as the password you use for your KeePass is unique and fairly strong.

    However, I also chose to add the security of a “Key file / provider”. This is a “secret” file, which you need to keep safe and far away from your cloud drive.

    My “Key file” has never been on any public system, nor has it been sent via any network. It has only been transferred from device to device using an (encrypted) USB stick. But be aware, if you lose this file, then you will NEVER be able to access your password database again, so this measure is not for the faint of heart.

    Another thing I did, was to change the “Key transformation” and increase the number of “Iterations”. This basically means that your password is “hashed” X number of times, before it is used to unlock the master key for the database. The larger the number, the harder it is to brute force your password, but be aware, that if the number is too high, then it will take a long time to open your database. In my opinion, any number that allows the transformation to happen in less than a second is acceptable. In other words, this allows you to have a shorter and more simple password for your database. My password is more than 20 characters long, which may be slightly exaggerated.

    Oh, one last thing, DO NOT USE the “Windows user account” option for unlocking. Read the fine warnings to learn why. No matter how convenient or tempting this may sound, then it is only good and useful in enterprise environments or if you are an expert in Windows networking.

    I’d love to hear how you deal with your credentials, feel free to comment and suggest alternative approaches.


  • VulnDetect Team Member

    Thank you for your feedback.

    I agree, the "solution" I suggest, may not suit everybody. I did test out Lastpass at some point, one or two years ago, I didn't really like it, despite all the plugins to support my browsers (or perhaps, that was the very reason I didn't get comfortably with it, I like to keep the password manager far away from my browser).

    But I guess more users would find Lastpass easier to deal with, compared to the KeePass solution.

    I just noticed that Troy Hunt posted about his new collaboration with 1password, which allows checking if your credentials has been breached. A similar thing can be achieved with a plugin for KeePass, but again, the KeePass approach is less user friendly.

    In either case, a password manager will be a great step-up, for most of us. Choosing the right one is a matter of taste and preferences, and trust.

    I agree, there could be some perspective to Webauthn, though I always get a rash, when we all start relying on the same technology. Nonetheless, I will test it, once one of my favorite sites / services, offer Webauthn authentication.



  • I largely agree - a password manager is the best solution.
    I chose Lastpass - it is cross platform and I don't have to worry about database management - the DB is in their cloud (encrypted with a key they don'y know).

    Adding two factor authentication (2FA) for the most critical sited (gmail, lastpass, bank, etc) is IMO mandatory an excellent layer of added security with a minimum of hassle. Most sites only ask for 2FA if you are on a new device or once a month or so.

    As to your “Key file / provider” - you might want to consider using a USB security key, like Yubikey. That removes the vulnerability you have by having your key permanently on your SSD - if it is on your SSD is can be copied by others if your devices is hacked or stolen. The data on a USB security key, on the other hand, cannot be copied. And if it stolen, you will know it. I keep my with my house/car keys and the keyring.

    Finally, I relly look forward to when Webauthn becomes widespread - perhaps removing need for passwords.