The Password is on the Cloud

Most adults learning English start from the iconic sentence “the pen is on the table”.

Well, let's start from the basics to learn a bit about personal (digital) security, a.k.a. how to manage passwords.

What I Know

I have an M.S. in Information Technology (Laurea in Ingegneria Informatica, in Italian) and I've been a professional software developer for a good number of years, so I'm more aware of these things than the average Joe out there.

This does not mean I'm perfectly safe, or that I know how to “defeat hackers”. There is always someone who knows more than you, and all software contains bugs.

But I probably know how to reduce the chance of having my accounts, passwords and so on stolen. For most reasonable risks, at least.

First Step

When I was younger I had, as probably many of you out there do even right now, the same (easy) password for many sites, probably all of them. Not that in the mid-nineties there were a lot of Internet sites, or at least I was not using many of them, but that's how it was.

This is bad: if you use the same email and the same password for all the sites you sign up to on the Internet, any person who can grab that email/password pair (let me call this pair “credentials”) will be able to try it on many other sites, and so gain access to your accounts and information.

Is your password “password”?

Second Step

I started using a sort of fixed schema, a few simple rules to create a reasonable and variable password depending on the site I was signing up to. I was also using different email addresses depending on the level of usefulness and risk I perceived in the site. I mean, I'd consider, say, Amazon safer than the forum of a hobby association running on some random instance of a (probably badly configured) CMS. So, while for Amazon I might use my main email address, for such a forum I might want to use a spare email address that could be read once a month or even deleted.

The little problem here was that using the sign-up date as part of the password means that you have to remember not only the (easy) rules to create the password, but also the exact date when you signed up to that site. Not so bad, actually, because this also reminds you that you have to change your password from time to time, and at that point the date in the password becomes the new, updated date.

It went well for a while, then when the sites I was using became more and more, well, it started being difficult to remember all the dates, so I started simplifying the rules.

Is your password Amz0n-19570325?

Third Step

I basically started removing the sign-up dates, and the passwords became simpler, with (another) fixed set of rules to build them and a few patterns to reuse.

So I didn't have the same password for different sites, but since the set of rules was simpler in order to make those passwords easier to remember, they were also easier to find out.

This is, again, bad, because a person who can find out a couple of my passwords could have guessed the others.

Are your passwords Amz0n.DogName and FacbO0k.DogName?

Enter the Password Manager

According to Wikipedia, “a password manager is a computer program that allows users to store, generate, and manage their passwords for local applications and online services” and it also “assists in generating and retrieving complex passwords, storing such passwords in an encrypted database or calculating them on demand”.

I had already used a password manager, years ago, but it felt a bit strange: I didn't fully trust it because I felt my memory had to be better than that, I was not sure how to use it properly, ... but then I started having too many accounts, here and there, so I needed one. I had my password creation rules, but then some sites had expiring-password policies so I had to create new passwords, I forgot some of them, ... it was time to go back to a password manager!

KeePass

KeePass is a Windows-only password manager with a high level of security and encryption: it has been tested and evaluated by third parties and, being fully open source (free software), it is generally considered one of the safest local password managers around, for Windows environments.

(Image: KeePass Main Window)

What does local mean? It means that it saves the password database as an encrypted file on your computer, and if you want to use it elsewhere (say at the office or at school), you need to bring that file with you and use KeePass to open it on your other (office or school) computer. Since KeePass also has a portable version that requires neither installation nor external configuration files, you can carry it on a USB key and have your passwords with you.

There is even a very useful Diceware Password Generator plugin for KeePass that uses Arnold Reinhold's Diceware method, with the EFF “Long” list of words for improved results. Remember:

Please refer to KeePass for download, usage details and a lot more information.
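To show what the Diceware method above actually does, here is an added Python example (my own, not the KeePass plugin's code): it parses an excerpt in the EFF wordlist file format (the excerpt below is constructed, the real “Long” list has 7776 lines, one per five-dice roll), rolls five dice from the OS randomness source to pick each word, and computes the entropy such a passphrase carries.

```python
import math
import secrets

# Constructed excerpt in the EFF "Long" wordlist file format: one line per
# five-dice roll, "<roll><tab><word>". The real file has 6**5 = 7776 lines.
SAMPLE_WORDLIST = """\
11111\tabacus
11112\tabdomen
11113\tabdominal
11114\tabide
11115\tabiding
11116\tability
11121\tablaze
11122\table
"""

def parse_wordlist(text):
    """Map each five-dice roll key (e.g. '11121') to its word."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        roll, word = line.split("\t")
        if len(roll) != 5 or any(c not in "123456" for c in roll):
            raise ValueError("bad roll key: %r" % roll)
        table[roll] = word
    return table

def roll_five_dice():
    """Five fair dice from the OS CSPRNG (never random.random() for this)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))

def diceware_passphrase(table, n_words=6, sep="-"):
    """Pick n_words by simulated dice rolls. With a partial list a roll may
    miss and is simply re-rolled; with the full list every roll hits."""
    words = []
    while len(words) < n_words:
        roll = roll_five_dice()
        if roll in table:
            words.append(table[roll])
    return sep.join(words)

def entropy_bits(n_words, list_size=6 ** 5):
    """Entropy of a uniformly chosen passphrase: n_words * log2(list size).
    Six words from the full list give about 77.5 bits."""
    return n_words * math.log2(list_size)
```

The entropy figure is the right way to compare a Diceware passphrase against a rule-based password like the ones in the earlier steps: it depends only on the list size and the number of words, not on how memorable the words look.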

And Here Comes the Cloud

But these days digital lives are moving onto mobile devices, if not almost entirely there. How to cope with that? How to read and use your encrypted passwords on your mobile device?

There actually are a lot of contributed/unofficial ports of KeePass for different operating systems, starting from Android, iPhone and Windows Phone, even BlackBerry and command-line environments! But they are not officially supported, verified and analyzed like the original KeePass, so, in my opinion, they are possibly less safe.

So, it's time for a multi-platform password manager, with the encrypted passwords “somewhere” in the cloud, with the option of being zero-knowledge and maybe even FOSS.

This helps in many ways:

* Being FOSS means that everyone can read the code, review it, file bugs, verify the integrity and security of the application, and perform penetration tests or hacking attempts. Making the application public means that security issues are public too, and people are allowed to check how the application works. Also, being FOSS allows everyone to copy, configure, install and run the application by themselves, without needing to trust a third party that might modify the application before running it.
* Being zero-knowledge means that once I put my credentials in this application, I'm the only person able to access those credentials in unencrypted form: not even the server manager can read my data.
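As an added illustration of the zero-knowledge point (my own stdlib-only Python sketch, not Bitwarden's code): the master password is stretched on the client into a vault key that never leaves the device and into a separate, one-way login hash that is all the server stores, so the server can verify a login but has nothing it could use to decrypt the vault. The HMAC-in-counter-mode cipher is a toy stand-in for a real AEAD, and the iteration count and sample vault line are constructed values.

```python
import hashlib
import hmac
import secrets

# Illustrative sketch of a zero-knowledge vault flow (own example, not
# Bitwarden's actual code). The work factor is a constructed value.
ITERATIONS = 100_000

def derive_keys(master_password, email):
    """Runs client side only. master_key encrypts the vault and never leaves
    the device; login_hash is a further one-way derivation that the server
    stores, so it can check logins without ever learning master_key."""
    master_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                     email.lower().encode(), ITERATIONS)
    login_hash = hashlib.pbkdf2_hmac("sha256", master_key,
                                     master_password.encode(), 1)
    return master_key, login_hash

def _subkey(master_key, purpose):
    """Distinct keys for the keystream and for the integrity tag."""
    return hmac.new(master_key, purpose, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a stream cipher (toy, stdlib-only;
    a real vault would use AES-GCM or a similar AEAD)."""
    out = b""
    for counter in range(-(-length // 32)):  # ceiling division
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
    return out[:length]

def encrypt_vault(master_key, plaintext):
    """Returns nonce || ciphertext || tag: this blob is all the server holds."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(master_key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(master_key, b"mac"), nonce + body,
                   hashlib.sha256).digest()
    return nonce + body + tag

def decrypt_vault(master_key, blob):
    """Verify the tag first; a wrong key or a modified blob raises."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(master_key, b"mac"), nonce + body,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master key or vault tampered with")
    ks = _keystream(_subkey(master_key, b"enc"), nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))

def server_verify_login(stored_login_hash, presented_login_hash):
    """All the server can do: a constant-time comparison of login hashes."""
    return hmac.compare_digest(stored_login_hash, presented_login_hash)
```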

Bitwarden

Bitwarden is a cloud-based, open-source (free software, specifically), multi-platform password manager that lets me keep my passwords online, in a safe and technically inspectable place, accessible from all over the world through different applications.

(Image: Bitwarden UIs)

Whether I'm on a desktop/laptop PC, on a USB key, on a mobile device or just in a browser on a third-party computer (not so safe, actually...), I am able to access my vault, change my passwords, use auto-completion to fill the login fields in web pages or other applications, and so on. It also has an interesting password generator feature that helps create complex passwords you don't need to remember or even see at all: you only need to remember your master password to access Bitwarden, and the application/plugin/browser extension you've chosen will do the auto-completion magic for you.

Maybe the user interface is still a bit clunky and can be improved, but it works quite well everywhere, and the result is that I'm moving all my passwords from KeePass to Bitwarden, while also replacing most of my passwords with more random ones.

Final Points

What I suggest:


The Password is on the Cloud by Marco Bresciani is licensed under CC BY-SA 4.0