With this post, I’d like to encourage everybody to share and discuss their views on subjects related to IT-security and privacy.
One thing that I personally have spent a lot of time refining over the past years, is my handling of the ever increasing number of services and apps that I rely on, and the credentials used to authenticate with these.
I don’t believe that I have the perfect solution, if such a thing ever will exist. However, I’ve aimed for a reasonable compromise between usability and security. Too often, the two don’t go well hand-in-hand, but I am growing increasingly pleased with my own little semi-homegrown solution.
But before we go on to that, I want to ask you, if you ever checked whether your credentials were exposed somewhere online?
One good site to check this is (feel free to suggest others):
The intentions behind the site seems legit and genuine, the guy behind it is Troy Hunt.
One of my email addresses is currently listed as breached from 3 well known sites.
Fortunately, I’ve never used any of these three services for anything I deem sensitive, nor did I reuse my credentials, so I am pretty sure that the risk of this having any further impact on me, is very limited.
One easy way to avoid reusing credentials is to let your browser remember usernames and passwords for the sites you visit.
Personally, I HATE that concept.
Why do I hate this?
Well, I like technology, and I like to be free. If I use one browser to store my credentials, then I am stuck, at least with the browser, perhaps even with both the Operating System and the browser.
Yes, I do know that most browsers are so nice and offer to share your settings (and credentials) between devices, and today you can even get Edge for Android, Firefox and Chrome (Chromium) is on all platforms I use, so is Opera. Yet, I would risk being stuck with one browser or having to import / export between them. No fun.
Also, what is the most exposed piece of software on your rig or device? The browser! So not a particularly good place to store all your sensitive passwords IMHO.
So, what’s the solution then?
Well, I don’t know what will work for you. But I chose, years ago, to go with a simple old school password manager.
The one I chose, stores all usernames, URL’s, passwords, comments, and even files, encrypted. It’s Keepass 2 or KeePassXC, depending on the platform I use.
There is a bunch of plugins and stuff you can use, to make it run on other platforms or integrate with your favorite browser(s). Personally, I use the plain vanilla editions of the two, with no additional tools.
Because of the encryption, utilized by KeePass, I feel fairly safe, even though I actually share my password database between all my platforms via a (public) cloud drive service.
I will not go into which cloud drive service is better for this purpose, and you may have to play around to find the one that suits your needs best, as not all cloud drives behave equally well, on all devices.
One thing you need to ensure, is that the cloud drive is fast at recognizing changes to the password database and sync it with the cloud.
I’d like to stress one little annoying thing, when it comes to syncing between devices, sometimes you may find that updating on one device overwrites the changes made by another device, if you didn’t load the latest version, before adding a new set of credentials.
I “solved” this, in a reasonably neat way, using a feature in KeePass 2, called “Synchronize” -> “Synchronize with File”. This allows merging / synchronizing two password databases (that share the same password / keyfile).
To support this, I have the following structure of files:
In other words, I have one database file for each device. This ensures that I never accidentally overwrite changes made on another system. The only thing you need to remember, is to close the password database, when you stop using a device, but that ought to be part of your best practices anyway, no need to let all those passwords float unencrypted in memory, when it isn’t needed.
Occasionally, I will open the “master” file and sync it with all the other files. Practically, this ends up being something I do once or twice a week.
Note, you need to sync all of them twice. This way all changes from each file is stored in the master and in turn the changes made in the master is stored in the other files. This operation only takes a few seconds.
At this point I manage a total of more than 500 sets of credentials. I reckon that around 80-100 are used more or less frequently, the remainder may be purely historical and could probably be deleted, however, given the structure and search features of KeePass, I don’t really feel a need to tidy the contents of my database. And sometimes you happen to revisit a service that you haven’t used for years and then it is a great feeling to still have the credentials.
For most people, this may seem tedious and troublesome at first, but I find this much better, and more convenient, than having a few fixed credentials that I use everywhere or keeping a spreadsheet or other insecure document with credentials.
Currently, I remember about 10 sets of credentials, this includes PIN codes, phone screen lock, system passwords, KeePass password, and a few more. These are never stored in my KeePass, because I use them so frequently (that I easily remember them) and I need them to access the systems where I store my KeePass file(s). But the remaining, around 500, they are safely and conveniently stored in my KeePass.
Once you get going with your password manager, then remember to play with the short cuts, you will find that getting the credentials using autotype and similar features is very convenient.
A few extra tips for added security
The default setup is probably good enough for most, and “perfectly” safe, as long as the password you use for your KeePass is unique and fairly strong.
However, I also chose to add the security of a “Key file / provider”. This is a “secret” file, which you need to keep safe and far away from your cloud drive.
My “Key file” has never been on any public system, nor has it been sent via any network. It has only been transferred from device to device using an (encrypted) USB stick. But be aware, if you lose this file, then you will NEVER be able to access your password database again, so this measure is not for the faint of heart.
Another thing I did, was to change the “Key transformation” and increase the number of “Iterations”. This basically means that your password is “hashed” X number of times, before it is used to unlock the master key for the database. The larger the number, the harder it is to brute force your password, but be aware, that if the number is too high, then it will take a long time to open your database. In my opinion, any number that allows the transformation to happen in less than a second is acceptable. In other words, this allows you to have a shorter and more simple password for your database. My password is more than 20 characters long, which may be slightly exaggerated.
Oh, one last thing, DO NOT USE the “Windows user account” option for unlocking. Read the fine warnings to learn why. No matter how convenient or tempting this may sound, then it is only good and useful in enterprise environments or if you are an expert in Windows networking.
I’d love to hear how you deal with your credentials, feel free to comment and suggest alternative approaches.