π

Password Management

Show Sidebar

The average person has dozens or even hundreds credentials (which is a more general term that includes passwords) from various services and software products.

This blog article explains the most important things to take into account when using and managing credentials.

How to steal a password?

Knowing and understanding how passwords get stolen is very important to understand the importance on handling passwords.

Here is a selection:

Password Strength

The strength of a password is measured in entropy and the availability within rainbow tables. Rainbow tables are used to break passwords. They are basically very large databases with pre-encrypted (pre-hashed) known password candidates that include all kinds of words and phrases. Billions of it.

Entropy is mostly influenced by password length and character variety: letters, digits, special characters. The more, the better.

Weak Passwords That Are Easy to Break

It is also necessary to know what weak passwords are:

Most people don't know how ineffective certain password obfuscating methods are. You can crack 98.8 percent of all passwords using the top 10,000 passwords. Usually, this means an effort of a few seconds maximum. You have to be aware that passwords get stolen by many different methods. The list above mentions some ineffective measurements to obfuscate passwords against being cracked.

Strong Passwords

But how to come up with a good password then? Following simple method got famous by a xkcd comic:

Such passwords are easy to remember, easy and fast to type, and hard to crack using the most common methods due to sheer password length (big entropy) and high unlikeliness for being part of any rainbow table (global uniqueness).

For deviating password restriction policies, please add corresponding characters to your strong password:

"You #password needs to be at least eleven and a half characters long, including upper-case characters, some nice digits, exactly three special characters of our choice we won't tell you, a tenth of your DNA spelled backwards, and your youngest son."#security #fail

— Karl Voit (@n0v0id) August 12, 2018

With two-factor authentication (2FA) like OTP using FreeOTP you can add an effective additional layer of security if the service supports it. I personally will not give away my personal mobile number to cloud vendors for that purpose. With FreeOTP, there is a really cool alternative.

Handling Credentials

Never ever give away your passwords to anybody.

Simple as that. Please do remember that rule.

Default Credentials

A large portion of security incidents is caused by not changing default passwords to a new, strong one.

Default passwords are insecure by definition.

For example, WiFi routers are sold with pre-configured default passwords that may look random and secure. Unfortunately, this is also a known password. Usually, there is an algorithm which derives the default password from the so called MAC-address, the hardware address of the network interface. This algorithm gets public quite easily. Therefore, most private WiFi networks are a very easy target to be hacked.

Same holds for any other digital equipment that gets shipped with any default password.

Change default passwords to a secure one right from the start.

Do Not Re-Use Passwords

Credentials should not be re-used. That means that a password you have used for, let's say, Google should not be used for Amazon. Or a password you once have used anywhere should not be re-used as a new password for a different purpose. If one service gets compromised, your whole digital identity could be stolen very easily.

It is also a common attack to offer a free service to people which will use their email address and "their" password for this free service. The owner of this service (or a hacker that hacked that web service) does now have your email address and your password.

Passwords get hacked or leaked. There are huge databases that contain billions of passwords bad guys are able to try out on your account. So when you are using a weak password, you account get hacked quite easily.

Password-Managers

When following the rules above, you end up with dozens or hundreds of different passwords. You can't possibly remember them. Therefore, everybody needs to use a password manager.

A password manager is a piece of software (or a service) where you can store your passwords, PINs, TANs, lock combinations, credit card secrets, and so forth. This highly sensitive database is then encrypted using a hopefully very good passphrase. This way, you only need to remember this single passphrase in order to get to the clear text versions of your other passwords.

Choosing a Secure Software

I did not use the section title "Choosing a Password Manager Software" because the following rules apply to any kind of software whose main purpose is to offer a decent level of security.

Secure Software Needs To Be Open Source

Closed source software (or proprietary software) can not be inspected by security experts all over the world. This is often done in academia. The more experts take a closer look, the better.

Audit results should be made public for that software.

This is no guarantee that everything is okay but it is a prerequisite.

Closed software may contain anything. The vendor might deliver one version for a closed inspection (to one party only) and use a different version to deliver to its customers. You can never check.

Commercial companies have to follow their stakeholders. This is more important than to follow the requirements of their customers.

Secure Software from Trustworthy Sources

Software from countries where officials may force them to add backdoors or other features that compromises the security by law.

The USA is known to deliver backdoor-equipped software with all major companies. And those companies are not allowed to talk about it either.

Secure Software Needs to Be Under Your Control

You can't control your data in the cloud]]. Therefore, you can't also control who has access to your cloud-based passwords, what the level of security is for such a cloud-service and so forth. You basically give up any control on your most secret data. Very bad idea in my opinion.

Imagine how large the pressure or desire is for bad guys to hack a centralized cloud-based service that holds millions or billions of credentials from people all over the globe. If it is interesting, any service gets hacked. It's just a matter of time. And most hacks don't get noticed or published.

You will not find any decent and independent security expert who will tell you to use a closed source or cloud-based password manager.

The Software Needs to Have a Substantial Community

The majority of open source projects are used by only a handful of people. Most open source projects are crafted on a very low level of quality. Only the big projects get "famous", have a large installation basis and reach a level of maturity that is required for a community and security audits. And only those big projects that are well addressed by experts of all kind deliver a better software than proprietary software.

Usability Versus Security

Some password managers offer a nice feature that automatically writes your credentials in log-in pages.

Some of those mechanisms are really easy to hack by mimicking typical log-in pages in hidden frames. Some password managers open up unnecessary side-channels which might result in a hacked password manager.

I strongly recommend not to disable such features. I also disabled keeping (low priority) passwords in my web browser.

Unfortunately, security is the opposite of usability in most cases. You might not want to optimize for usability when dealing with your most precious credentials.

Summary

This is a long article on a topic that most people do take too lightly. You should be aware of consequences when credentials gets compromised. Worst case scenarios include identity theft, bankruptcy, going to jail for being wrongly accused of espionage or providing child porn (which the attacker did and you did not notice), and so forth.

After all, when you have learned the basics, it's not that hard to reach a decent level of security:

  1. Choose unique and strong passwords
  2. Do not share or re-use passwords
  3. Store credentials in a trustworthy password manager on trustworthy computers
  4. Be skeptical and keep your common sense awake

If you are interested in what software I am using, you might want to visit this page.

Comments

Since I can't log-in to Disqus for a couple of months, I have to answer Disqus-comments in-line.

2018-08-13: Disqus-comment by joopdorresteijn:

I see you use keepass, how do you sync to phone? I migrated to pass, plain gnu gpg files syncs with my android with the same tool you implemented already.

I don't sync my passwords to my Android phone. I don't trust my phone because I can't control what apps are doing. Therefore I don't use my phone for anything really sensitive like passwords or financial stuff.

If I wanted to share my KeePassX-database with my phone, I'd use Syncthing.

Comment via email or via Disqus comments below: