The Password is on the Cloud
Most adults learning English start from the iconic sentence “the pen is on the table”.
Well, let's start from the basics to learn a bit about personal (digital) security, a.k.a. how to manage passwords.
What I Know
I have an M.S. in Information Technology (Laurea in Ingegneria Informatica, in Italian) and I've been a professional software developer for a number of years, so I'm more aware of these things than the average Joe out there.
This means neither that I'm perfectly safe, nor that I know how to “defeat hackers”. There is always someone who knows more than you, and all software contains bugs.
But I probably know how to reduce the chance of having my accounts, passwords and so on stolen. For most reasonable risks, at least.
First Step
When I was younger I had, as probably many of you out there have even right now, the same (easy) password for many sites, probably all of them. Not that in the mid-nineties there were a lot of Internet sites, or at least I was not using many of them, but that's how it was.
This is bad: if you use the same email and the same password for all the sites you sign up to on the Internet, anyone who can grab the email/password pair (let me call this pair “credentials”) will be able to try it on many other sites, and so gain access to your accounts and information.
Is your password “password”?
Second Step
I started using a sort of fixed schema, a few simple rules to create a reasonable and variable password depending on the site I was signing up to. I was also using different email addresses depending on the perceived level of usefulness plus risk I saw in the site. I mean, I'd consider, say, Amazon safer than the forum of a hobby association out there on a random instance of some (probably badly configured) CMS. So, while for Amazon I might use my main email address, for such a forum I might want to use a spare email address that could be read once a month or even deleted.
The little problem here was that using the sign-up date as part of the password means that you have to remember not only the (easy) rules to create the password, but also the exact date when you signed up to that site. Not so bad, actually, because this also reminds you that you have to change your password from time to time, and at that point the date in the password becomes the new, updated date.
It went well for a while, but as the number of sites I was using kept growing, it became difficult to remember all the dates, so I started simplifying the rules.
Is your password “Amz0n-19570325”?
Third Step
I basically started removing the sign-up dates, and the passwords became simpler, with (another) fixed set of rules to build them and a few patterns to reuse.
So I didn't have the same password on different sites, but the passwords were easier to figure out, since the set of rules was simpler in order to make them easier to remember.
This is, again, bad, because a person who found out a couple of my passwords would have been able to (probably easily) guess the others.
Are your passwords “Amz0n.DogName” and “FacbO0k.DogName”?
Enter the Password Manager
According to Wikipedia, a password manager is “a computer program that allows users to store, generate, and manage their passwords for local applications and online services”, and it also “assists in generating and retrieving complex passwords, storing such passwords in an encrypted database or calculating them on demand”.
I had already used a password manager years ago, but it felt a bit strange: I didn't fully trust it, because I felt my memory had to be better than that, I was not sure how to use it, ... But then I started having too many accounts here and there (both personal and work-related), so I needed it. I had my password creation rules, but then some sites had password expiry policies, so I had to create new passwords, I forgot some of them, ... It was time to go back to a password manager!
KeePass
KeePass is a Windows-only password manager with a high level of security and encryption; it has been tested and evaluated by third parties and, considering also that it's fully open source (free software), it is generally considered one of the safest local password managers around for Windows environments.
What does local mean? It means that it saves the password database as an encrypted file on your computer, and if you want to use it elsewhere (say at the office or at school) you need to bring that file with you and use KeePass to open it on your other (office or school) computer. Since KeePass also has a portable version that requires neither installation nor external configuration files, you can carry it on a USB key and you'll have your passwords with you.
There is even a very useful Diceware Password Generator plugin for KeePass that uses Arnold Reinhold's Diceware method, with the EFF “long” list of words for improved results.
Remember: please refer to KeePass for download, usage details and a lot more information.
And Here Comes the Cloud
But these days digital lives are moving to mobile devices, if they are not almost entirely there already. How to cope with that? How do you read and use your encrypted passwords on your mobile device?
There actually are a lot of contributed/unofficial ports of KeePass for different operating systems: Android, iPhone, Windows Phone, even BlackBerry and command-line environments! But they are not officially supported, verified and analyzed like the original KeePass, so in my opinion they are possibly less safe. Also, I'm not actually sure they are 100% compatible with each other.
So it's time for a multi-platform password manager, with the encrypted passwords “somewhere” in the cloud, that is zero-knowledge and maybe even FOSS.
This helps in many ways:
- being FOSS means that everyone can read the code, review it, file bugs, verify the integrity and security of the application, and perform penetration tests or hacking attempts. Making the application public means that security issues are public and people are allowed to check how the application works. Also, the FOSS nature of the application allows everyone to copy, configure, install and run the application by themselves, without needing to trust a third party that might modify the application before running it.
- being zero-knowledge means that once I put my credentials in this application, I'm the only person able to access those credentials in unencrypted form: not even the server operator can read my data.
Bitwarden
Bitwarden is a cloud-based, open-source (free software, specifically), multi-platform password manager that allows me to keep my passwords online, in a safe and openly inspectable place, accessible from all over the world through different applications.
Whether on a desktop/laptop PC, on a USB key, on a mobile device or only in a browser on a third-party computer (not so safe, actually...), I am able to access my vault, change my passwords, use auto-completion to fill the login fields in web pages or other applications, ... It also has an interesting password generator feature that helps create complex passwords that you don't need to remember or even see at all: you only need to remember your master password to access Bitwarden, and the application/plugin/browser extension you've chosen will do the auto-completion magic for you.
Maybe the user interface is still a bit clunky and can be improved, but it works quite well everywhere, and the result is that I'm moving all my passwords from KeePass to Bitwarden, while also replacing most of my passwords with more random ones.
Final Points
What I suggest:
- do not store your passwords in browsers, in unencrypted text files or in other ad-hoc ways. Use a proper password manager instead.
- use the Diceware method (with actual dice!) to generate passwords that are at least 6-7 words long. You can refer to the EFF “long list”, which is generally considered a more up-to-date and valid list of words. Do not use your own custom-made list of words: randomness cannot be guaranteed. If you're paranoid, you could even use properly balanced casino dice to guarantee better randomness.
- try this on all the sites you're registered on: click the “forgot password” (or equivalent) link. If you receive your exact password in clear text by email or SMS (or other means), please DO delete your account on that site, since they store your credentials in clear text!
- using the Diceware method with 6-7 words, it might happen that some sites limit the length of your password to 8, 12, 16 or so characters, so that you won't be able to use the password you've created but have to truncate it. For me, those sites are not so trustworthy either: why should you limit the length of my password?
- refer to https://haveibeenpwned.com/ to verify whether your email addresses or the websites/applications you use have been compromised. If so, change your passwords for those sites and for all the sites where you used the compromised email addresses. Possibly find more secure alternatives to the compromised websites and applications.
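As an added example (not code from the post or from the KeePass plugin), here is what the Diceware lookup and the length-limit caveat above look like in Python: five dice faces select one word, each word adds log2(7776) ≈ 12.9 bits, and a site that truncates the passphrase keeps only the whole words that survive the cut. The word list is a constructed fragment, not the EFF long list.

```python
import math

# Constructed fragment of a Diceware-style word list keyed by five dice faces.
# A full list (e.g. the EFF long list) has 6**5 = 7776 entries, 11111..66666;
# these few constructed entries are embedded so the script runs offline.
SAMPLE_WORDLIST = {
    "11111": "abacus", "11112": "abdomen", "35261": "lantern",
    "52436": "rhubarb", "64115": "trumpet", "66666": "zoom",
}
LIST_SIZE = 6 ** 5  # entries in a full Diceware list


def rolls_to_key(rolls):
    """Turn five physical dice faces (1..6) into a Diceware lookup key."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("a Diceware key needs exactly five faces in 1..6")
    return "".join(str(r) for r in rolls)


def key_to_index(key):
    """Base-6 position of a key in a full list: 11111 -> 0, 66666 -> 7775."""
    index = 0
    for face in key:
        index = index * 6 + (int(face) - 1)
    return index


def passphrase_from_rolls(roll_groups, wordlist=SAMPLE_WORDLIST, sep="-"):
    """Look up one word per group of five rolls and join them with sep."""
    return sep.join(wordlist[rolls_to_key(g)] for g in roll_groups)


def entropy_bits(word_count, list_size=LIST_SIZE):
    """Entropy of word_count words drawn uniformly from a list_size list."""
    return word_count * math.log2(list_size)


def truncated_entropy_bits(passphrase, max_len, sep="-"):
    """Entropy left when a site keeps only the first max_len characters.
    Only whole surviving words count as uniform draws (conservative)."""
    kept = passphrase[:max_len]
    words = kept.split(sep)
    cut_mid_word = len(passphrase) > max_len and passphrase[max_len] != sep
    return entropy_bits(len(words) - 1 if cut_mid_word else len(words))
```

With six words the full passphrase carries about 77.5 bits; the same passphrase cut to 16 characters by a site keeps two whole words, about 25.8 bits.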
The Password is on the Cloud by Marco Bresciani is licensed under CC BY-SA 4.0