Password managers
Posted on October 22nd, 2018
Let me ask you a question: how do you store your passwords? Some 59-62% of people reuse the same password for every account they have. Furthermore, according to the statistics of haveibeenpwned, 86% of passwords are terrible (and are easy to crack even when a website stores only their hashes rather than the plaintext). Shocking, right? Do any of your passwords contain phone numbers, dates, names or simple keyboard combinations, or consist of nothing but one of these? Even if you do use a strong password, the odds are you use it everywhere, because it is practically impossible to remember a genuinely strong, unique password for every website. So what is the solution? Please don't write them down on a piece of paper or in any other place accessible to anyone else.
Using a password manager is one of the most important security measures you can take. Not only will you never have to remember a difficult combination again, but the long random passwords a manager generates are out of reach of dictionary attacks and rainbow tables should a site's hash database leak. And because every account gets its own password, even someone who obtains one plaintext password can compromise only that one account. Of course, you should always enable multi-factor authentication where it is offered, so that your online identity stays protected even if a password is compromised (shout out to the Gentoo devs). When setting up MFA, authenticator apps and hardware tokens are preferable to SMS, because there have been cases of SIM-card cloning and SIM-swap hijacking.
There are a lot of password managers to choose from, but I will cover only the most popular ones and leave out the rest to avoid the paradox of choice.
1) KeePass2 – free, open-source, cross-platform, easy to use. This is the password manager I have personally used since 2013, and I'm not going to ditch it for anything else anytime soon. KeePass2 supports tons of plugins for backup and synchronization, improved security, one-click checks for leaked credentials, etc. It is available for every desktop and mobile platform: iOS, Android, Windows, Linux, Mac.
2) LastPass – a freemium cross-platform password manager released back in 2008. All passwords are stored encrypted in the cloud by default, and even LastPass staff have no access to them (at least they claim so). LastPass has been hacked in the past: email addresses and authentication hashes were compromised, but the "encrypted user vault data had not been affected". Nothing is unhackable, so that incident alone is no reason to avoid this password manager.
3) 1Password – another freemium cross-platform password manager, released two years earlier than LastPass, in 2006. I'm sure you've seen it in the App Store or the Play Store at least once. 1Password integrates with your browser and stores not only passwords but also software licenses and other sensitive information.
What is a good password?
A good password is a combination of uppercase and lowercase characters, numbers and special symbols (@ * / ^ & …), and is at least 8-14 characters long. To be more precise, you can measure password strength in bits of entropy: a password of L characters, each chosen uniformly at random from an alphabet of N symbols, has L × log2(N) bits, and an attacker has to try up to 2^bits combinations to be sure of finding it. Say your password strength is 42 bits: that is 2^42 (4,398,046,511,104) possible combinations, which is not that many for a dedicated attacker with a GPU cracking rig! Note that the formula only holds for randomly generated passwords; a word, a date or a keyboard pattern is found from a dictionary or rule set long before the full space is searched, whatever its length. I recommend using passwords with a strength of at least 60 bits.
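As an added example (my own code, not from the original post), here is the arithmetic above in Python: entropy of a uniformly random password, the search-space size, the shortest length per alphabet that reaches the 60-bit target, an expected brute-force time at an assumed guess rate, and an upper-bound estimate for an existing password. The rate of 1e10 guesses per second is an assumption for illustration only; it is plausible for a fast unsalted hash on a GPU rig and far too high for a slow hash such as bcrypt.

```python
import math
import secrets
import string

# Alphabets a password generator can draw from; the size of the alphabet
# is what determines the bits of entropy per character.
ALPHABETS = {
    "digits": string.digits,                                                # 10
    "lowercase": string.ascii_lowercase,                                    # 26
    "alphanumeric": string.ascii_letters + string.digits,                   # 62
    "printable": string.ascii_letters + string.digits + string.punctuation, # 94
}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `alphabet_size`
    symbols: log2(alphabet_size ** length) = length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def combinations(bits: int) -> int:
    """Size of the search space for a password of `bits` bits of entropy."""
    return 1 << bits


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the space is searched
    before the password is hit."""
    return (2 ** bits) / 2 / guesses_per_second


def min_length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Shortest random password from this alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def upper_bound_bits(password: str) -> float:
    """Upper bound on the entropy of an existing password, assuming it was
    drawn uniformly from the union of the character classes it uses. A word,
    a date or a keyboard pattern is worth far fewer bits than this, because
    a cracker tries dictionaries and mangling rules before brute force."""
    size = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation):
        if any(c in cls for c in password):
            size += len(cls)
    if size == 0:
        return 0.0
    return len(password) * math.log2(size)


def generate_password(length: int, alphabet: str = ALPHABETS["printable"]) -> str:
    """Generate a password with the CSPRNG in `secrets`, never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    rate = 1e10  # assumed attacker speed, guesses per second (illustration only)
    print(f"42 bits: {combinations(42):,} combinations, "
          f"~{expected_crack_seconds(42, rate):.0f} s at {rate:.0e} guesses/s")
    print(f"60 bits: ~{expected_crack_seconds(60, rate) / 86400 / 365:.1f} years")
    for name, alphabet in ALPHABETS.items():
        print(f"{name:>12}: {min_length_for_bits(60, len(alphabet))} chars for 60 bits")
    print("Summer2018! upper bound:", round(upper_bound_bits('Summer2018!'), 1), "bits")
    print("generated:", generate_password(16))
```

The upper-bound function is deliberately labelled as such: "Summer2018!" scores about 72 bits by the character-class formula, yet it is a season, a year and a trailing symbol, exactly the kind of pattern a rule-based cracker tries first. The formula is only meaningful for output of a generator like `generate_password`.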
For example, my Twitter password is 512 characters long and the quality is 3735 bits. My password database is protected with 50+ alphanumeric characters and a randomly generated key, both of which are stored inside a Veracrypt container, which is encrypted using 3 encryption algorithms (AES-Twofish-Serpent). This Veracrypt container is stored on a LUKS encrypted partition, which is protected by a LUKS encrypted grub loader partition, which is *protected* by a BIOS password.
Were your passwords leaked?
There is no system in the world that can't be hacked; it's just a matter of time.
Check whether your credentials were leaked in a security breach: Have I Been Pwned (https://haveibeenpwned.com).
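To show what a password check against that service actually sends, here is an added example (my own code, not part of the original post and not Have I Been Pwned's client) of the Pwned Passwords range endpoint: the password is SHA-1 hashed locally, only the first five hex characters of the digest leave the machine, and the remaining 35 characters are matched against the list the server returns, so the service never learns which password was checked. The sample response and its counts are constructed for this example (only the suffix for the string "password" is the genuine SHA-1 tail); `fetch_range_online` talks to the real API.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what the range endpoint returns, keyed by the 5-hex
# prefix that was queried. Each line is "<35 hex suffix>:<count>". The suffix
# under "5BAA6" is the real SHA-1 tail of the string "password"; the other
# suffixes and all counts are made up for this example, not live HIBP data.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "1D72CD07550416C216D8AD296BF5C0AE8E0:10\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:3\r\n"
    ),
}


def sha1_hex_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple:
    """k-anonymity split: only the first 5 hex chars (20 bits) are sent."""
    return digest[:5], digest[5:]


def fetch_range_online(prefix: str) -> str:
    """Query the live API. Add-Padding makes responses a similar size, so an
    observer of the TLS stream cannot infer the prefix from the length."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "hibp-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the API that serves the constructed sample above."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str,
                fetch: Callable[[str], str] = fetch_range_online) -> int:
    """How many times the password appears in the corpus (0 = not found).
    Padding entries come back with a count of 0, so they never match as hits."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    assert len(prefix) == 5  # never send more of the hash than this
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, fetch=fetch_range_offline)
        verdict = f"seen {n:,} times, do not use" if n else "not in sample"
        print(f"{candidate!r}: {verdict}")
```

Run as-is the script uses the offline sample; pass `fetch=fetch_range_online` (the default) to query the live service. The same split is what KeePass leak-check plugins and browser password managers do, which is why the check can be run on a real password without handing the password, or even its full hash, to a third party.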