Password Management

The average person has dozens or even hundreds credentials (which is a more general term that includes passwords) from various services and software products.

This blog article explains the most important things to take into account when using and managing credentials.

Knowing and understanding how passwords get stolen is very important to understand the importance on handling passwords.

Here is a selection:

• Brute force attack
  • Trying out all possible passwords of a given length.
  • Modern computers or networks are able to try out millions of passwords per second.
• Try out default and common passwords
  • You don't have to try out millions of passwords per second when you are able to crack 98.8 percent of all passwords using the top 10,000 passwords.
• Dictionary attack via rainbow tables
• Key logging software
  • Sending you an email which you open in Outlook might as well hack your computer. An installed tiny software that records everything you type sends home all passwords to the bad guy.
• Phishing
  • Be careful when clicking any URL in your emails.
  • Open up important web pages such as net-banking only via your browser bookmarks.
• Man-in-the-middle attack
  • When I am able to get in-between you and the web server you want to access, I can sniff your whole communication.
• Shoulder surfing
  • Sitting next to you on that train or attaching a video camera behind your desk reveals your passwords for free.
  • Use privacy filters for notebook displays or even on smartphones.
• Try out other known passwords of the user
  • Do register for my free service for you and chances are that you are using a password you already used elsewhere. Thanks for that password.
• Kindly ask the owner (It's easy.)
  • You wont believe what you might get by just asking kindly with a good background story.

The strength of a password is measured in entropy and the availability within rainbow tables. Rainbow tables are used to break passwords. They are basically very large databases with pre-encrypted (pre-hashed) known password candidates that include all kinds of words and phrases. Billions of it.

Entropy is mostly influenced by password length and character variety: letters, digits, special characters. The more, the better.

It is also necessary to know what weak passwords are:

• Standard passwords: 1234…, password, qwertz, letme1n,…
• Names of pets, towns,… or birthdates or any dates
• All passwords shorter than nine characters (rule of thumb)
• All words within dictionaries or books in any language
• Phrases within all published books
• Any patterns of keys on your keyboard
• Passwords with a fixed part followed by a number
• Any password that was used and leaked before
• Any default password
• Miscel4n3ous subst1tut10n tr1cks

Most people don't know how ineffective certain password obfuscating methods are. You can crack 98.8 percent of all passwords using the top 10,000 passwords. Usually, this means an effort of a few seconds maximum. You have to be aware that passwords get stolen by many different methods. The list above mentions some ineffective measurements to obfuscate passwords against being cracked.

But how to come up with a good password then? Following simple method got famous by a xkcd comic:

• Take three to five common words, separated by spaces
• Never ever seen in that order in any document worldwide

Such passwords are easy to remember, easy and fast to type, and hard to crack using the most common methods due to sheer password length (big entropy) and high unlikeliness for being part of any rainbow table (global uniqueness).

For deviating password restriction policies, please add corresponding characters to your strong password:

With two-factor authentication (2FA) like OTP using FreeOTP you can add an effective additional layer of security if the service supports it. I personally will not give away my personal mobile number to cloud vendors for that purpose. With FreeOTP, there is a really cool alternative.

Never ever give away your passwords to anybody.

Simple as that. Please do remember that rule.

A large portion of security incidents is caused by not changing default passwords to a new, strong one.

Default passwords are insecure by definition.

For example, WiFi routers are sold with pre-configured default passwords that may look random and secure. Unfortunately, this is also a known password. Usually, there is an algorithm which derives the default password from the so called MAC-address, the hardware address of the network interface. This algorithm gets public quite easily. Therefore, most private WiFi networks are a very easy target to be hacked.

Same holds for any other digital equipment that gets shipped with any default password.

Change default passwords to a secure one right from the start.

Credentials should not be re-used. That means that a password you have used for, let's say, Google should not be used for Amazon. Or a password you once have used anywhere should not be re-used as a new password for a different purpose. If one service gets compromised, your whole digital identity could be stolen very easily.

It is also a common attack to offer a free service to people which will use their email address and "their" password for this free service. The owner of this service (or a hacker that hacked that web service) does now have your email address and your password.

Passwords get hacked or leaked. There are huge databases that contain billions of passwords bad guys are able to try out on your account. So when you are using a weak password, you account get hacked quite easily.

When following the rules above, you end up with dozens or hundreds of different passwords. You can't possibly remember them. Therefore, everybody needs to use a password manager.

A password manager is a piece of software (or a service) where you can store your passwords, PINs, TANs, lock combinations, credit card secrets, and so forth. This highly sensitive database is then encrypted using a hopefully very good passphrase. This way, you only need to remember this single passphrase in order to get to the clear text versions of your other passwords.

I did not use the section title "Choosing a Password Manager Software" because the following rules apply to any kind of software whose main purpose is to offer a decent level of security.

Closed source software (or proprietary software) can not be inspected by security experts all over the world. This is often done in academia. The more experts take a closer look, the better.

Audit results should be made public for that software.

This is no guarantee that everything is okay but it is a prerequisite.

Closed software may contain anything. The vendor might deliver one version for a closed inspection (to one party only) and use a different version to deliver to its customers. You can never check.

Commercial companies have to follow their stakeholders. This is more important than to follow the requirements of their customers.

Software from countries where officials may force them to add backdoors or other features that compromises the security by law.

The USA is known to deliver backdoor-equipped software with all major companies. And those companies are not allowed to talk about it either.

You can't control your data in the cloud. Therefore, you can't also control who has access to your cloud-based passwords, what the level of security is for such a cloud-service and so forth. You basically give up any control on your most secret data. Very bad idea in my opinion.

Imagine how large the pressure or desire is for bad guys to hack a centralized cloud-based service that holds millions or billions of credentials from people all over the globe. If it is interesting, any service gets hacked. It's just a matter of time. And most hacks don't get noticed or published.

You will not find any decent and independent security expert who will tell you to use a closed source or cloud-based password manager.

The majority of open source projects are used by only a handful of people. Most open source projects are crafted on a very low level of quality. Only the big projects get "famous", have a large installation basis and reach a level of maturity that is required for a community and security audits. And only those big projects that are well addressed by experts of all kind deliver a better software than proprietary software.

Some password managers offer a nice feature that automatically writes your credentials in log-in pages.

Some of those mechanisms are really easy to hack by mimicking typical log-in pages in hidden frames. Some password managers open up unnecessary side-channels which might result in a hacked password manager.

I strongly recommend to disable such features. I also disabled keeping (low priority) passwords in my web browser.

Unfortunately, security is the opposite of usability in most cases. You might not want to optimize for usability when dealing with your most precious credentials.

This is a long article on a topic that most people do take too lightly. You should be aware of consequences when credentials gets compromised. Worst case scenarios include identity theft, bankruptcy, going to jail for being wrongly accused of espionage or providing child porn (which the attacker did and you did not notice), and so forth.

After all, when you have learned the basics, it's not that hard to reach a decent level of security:

1. Choose unique and strong passwords
2. Do not share or re-use passwords
3. Store credentials in a trustworthy password manager on trustworthy computers
4. Be skeptical and keep your common sense awake

If you are interested in what software I am using, you might want to visit this page.

Since I can't log-in to Disqus for a couple of months, I have to answer Disqus-comments in-line.

2018-08-13: Disqus-comment by joopdorresteijn:

I see you use keepass, how do you sync to phone? I migrated to pass, plain gnu gpg files syncs with my android with the same tool you implemented already.

I don't sync my passwords to my Android phone. I don't trust my phone because I can't control what apps are doing. Therefore I don't use my phone for anything really sensitive like passwords or financial stuff.

If I wanted to share my KeePassX-database with my phone, I'd use Syncthing.