Why password security is important
We use many different services on a daily basis, and many more from time to time. Some of them are not very important, but some are vital. You definitely don’t want to lose your money because of a break-in to your bank account. Sadly, two-factor authentication solves the problem only partially: yes, it is harder to process financial operations, but mostly you get the token on your mobile. All recent mobiles connect to the Internet nowadays, and they might be infected.
Most people use the same set of passwords, or construct different passwords using the same algorithm and the same password base. This is because it is hard to remember many varied passwords. I am not surprised that people do so. However, this is not safe and, judging by recent database leaks from the biggest services, people are exposing themselves, as they mostly don’t even change all their passwords after a leak is officially announced. Why? The answer is simple…
Try to count all the services where you use passwords: banking, email, social media, online stores, forums, games and probably many more. You also use passwords at work. How many might you have? 20? 50? 100? Probably even more than 100; I would not be surprised at all. Now imagine that you have to change the passwords of all these accounts. It is nearly impossible, as you probably won’t recall all the services you have registered with and should change your password for. You might use a text file or a spreadsheet to store information about all the services you use, but then your database is in plain text and can be stolen, especially if you want to share it among your devices.
What can I do?
Let’s summarise the situation in a few points:
- You use a lot of services with similar passwords
- You probably don’t remember all the services you use
- More and more services are being compromised, and you probably don’t even know when they are
- You use several devices to access your services
As you can see, it is risky to use similar passwords. But what can you do? There are a few things. First, use a different password for every service. Next, make the passwords random. Cool, but here is the first problem: you won’t remember all of them. You need a database. Fine, let’s make a spreadsheet. You put all your services, logins and passwords there. When you need to log in, you check the spreadsheet and use the credentials.
You have solved the problem! I’m sorry, but you have created another one. A bigger one. Now all your passwords are in a single place. You can manage them more easily now and keep them random, but it is easier to steal your file than a database from popular services, which use high security standards to avoid that. And your spreadsheet is dangerous because it is plain text. Trying to make passwords safe in a spreadsheet is not an option at all; it is not the purpose of spreadsheets, so you will never make your passwords secure in one. Let’s think of something better.
A password manager is a program or a service that stores your passwords. It stores them in a secure way, by encrypting them. You just use a master password. Of course, the database is only as secure as your master password is, so make sure you choose a complicated password that you can remember. Don’t store it anywhere! Yes, you will lose your database if you forget the password. But it is safer to lose the database, use “forgot password” in all the services and create a new one from scratch. You don’t have to do it for all services immediately; just do it when you need to access them.
Which password manager to choose?
This is your own choice; you should consider the aspects that best fit your needs. There are two main types of password managers.
File password managers
These are the password managers that you install on your operating system and use offline. You store your databases locally, so, in my opinion, the passwords are safer. But we already said that we want to use passwords on more devices than just one. This is not a problem, as you can use any cloud storage with a sync client, like Dropbox, Mega, etc. You can also keep the password databases in your mailbox. And I advise doing so, because then you also have a backup of your databases, in case you accidentally delete them or your hard disk gets corrupted.
There are free, open source password managers of this type, so you don’t have to worry about costs in this case.
Online password managers
They are provided mostly in SaaS (Software as a Service) mode. You don’t have to install anything; you just sign up and store your passwords. This has one big security concern: you have to decide whether you can trust the provider of the service. And there is no way to confirm it 100%; it’s all about your trust or the common trust, that is, the opinions of the users. And you are never sure whether your passwords are encrypted, even if the provider says they are. It’s your choice whether you trust that.
The worst case is when these passwords are not encrypted: if your provider gets compromised, you’re screwed the most of all. This case is even worse than a plain text file, as such services are valuable targets for hackers. Let’s assume we believe the provider that the passwords are encrypted. If they don’t explicitly say so, don’t even consider that particular provider, for your own safety.
Yet online password managers are probably easier to use and more comfortable. They can also have desktop/mobile applications. Some of them are also collaborative, with access control lists, so you can share the database with your family or co-workers. But I don’t remember having seen any free solution; most of them are subscription based, so they have their drawbacks. I would rather not consider using them for family collaboration.
Additionally, there are some open source projects where you can host your own collaborative password manager. But this is a solution mostly for companies or IT professionals, who can install, maintain and back them up in case of any failures. And of all the solutions I have seen recently, only Teampass is really worth considering. However, I would appreciate it if you told me in the comments about other software that is worth considering. It’s not that I don’t know other solutions; it’s more that they offer less than Teampass. Rattic DB might well be better if not for one, but the biggest, drawback: the database is not encrypted. That makes Rattic not an option.
So what is my personal choice? KeePassX. It is a file password manager. You can have multiple databases, so you can separate your personal and corporate passwords. KeePassX is available for Linux, Windows and Mac OSX. It is free, open source software. I will skip the installation process, as it differs on Windows, on Mac OSX and among the Linux distributions. I will also not describe (or will skip screenshots for) less important features; you can find them out for yourself.
You can also use KeePass 2 if you like it more; it uses the same database format. I might create a tutorial for it one day, if I try it myself. I have chosen KeePassX because it is multiplatform.
When you start KeePassX for the first time, you have to create a new database. Click Database > New database.
During database creation you will be prompted for your master password. Make it a complicated password, consisting of capital and small letters, numbers and symbols, and at least 13 characters long, but if possible easy for you to remember and hard to guess even for your closest family. I don’t want to suggest any way of constructing the password. Just keep in mind that you should not write down the master password anywhere, neither on your computer nor on paper. If you do so, the risk of the password being intercepted increases, so do everything you can to avoid that.
Now you should save the database to a file using Database > Save database, CTRL+S or the Save database icon. Then choose the location for the database and the name for the file, and click Save.
Group your passwords
Now you’re ready to start. Create some groups first. Make them logical for you, like mails, finances, social, etc. To create a new group you can click Groups > Add new group or right-click in the groups tree and click Add new group.
Then you can pick a name and description for the group, set the auto-type sequence for this group if you need to alter it (auto-type will be explained later), choose an icon for the group and a few other parameters. Click OK when you’re ready.
Create password entries
When you have some groups created, you can start putting your passwords into them. Click on the group you want to add a new password to, then Entries > Add new entry, right-click in the entries window and Add new entry, CTRL+N or the Add new entry icon.
Name your entry so you can recognize it. If the title matches part of the window name (of the browser in this case), it will be found and offered for use when you hit the Global Auto-Type shortcut (explained later).
When you start creating your entry, the password field is empty. You can type your own password there. At the start you can put your current password here, so you can test how KeePassX works. You don’t have to change the password in the service immediately. However, I recommend changing the password for a random one as soon as possible.
To generate a random password, click the Gen. button. Now you have a random password proposed. Customize the length of the password (it’s up to you how long a password you choose, but the longer the better), but keep in mind that each service has its own limitation. A 32-character password should fit most services, but if it doesn’t, you can generate a shorter one for that particular service. You can also ask the service provider to allow longer passwords. If the service doesn’t forbid particular characters or groups, use all Character Types groups and tick Ensure that the password contains characters from every group.
When you click the eye icon next to the dropdown menu, you will see a list of proposed passwords. You can use the first one or pick a different one from the list. After you do so, click Accept.
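To show what the generator dialog is doing behind the Gen. button, here is an added Python example of a random password generator with the same three knobs: length, which character groups to draw from (with a list of characters a service forbids), and the “ensure that the password contains characters from every group” option. It is my own illustration, not KeePassX’s code; the group names are labels I chose, and the entropy figure assumes a uniform draw over the whole alphabet.

```python
import math
import secrets
import string

# Character groups modelled on the "Character Types" options of the generator
# dialog. The group names are this example's own labels, not KeePassX identifiers.
GROUPS = {
    "upper": string.ascii_uppercase,   # 26 characters
    "lower": string.ascii_lowercase,   # 26 characters
    "digits": string.digits,           # 10 characters
    "special": string.punctuation,     # 32 characters
}


def generate_password(length=32, groups=GROUPS, ensure_every_group=True, exclude=""):
    """Return a random password drawn from the selected character groups.

    `exclude` lists characters the target service forbids. With
    ensure_every_group=True one character from each remaining group is picked
    first, the rest is filled uniformly from the whole alphabet, and the result
    is shuffled so the guaranteed characters do not sit at predictable positions.
    """
    pools = {}
    for name, chars in groups.items():
        kept = "".join(c for c in chars if c not in exclude)
        if kept:
            pools[name] = kept
    if not pools:
        raise ValueError("no characters left to choose from")
    if ensure_every_group and length < len(pools):
        raise ValueError(f"length {length} cannot cover all {len(pools)} groups")
    alphabet = "".join(pools.values())
    chars = []
    if ensure_every_group:
        chars.extend(secrets.choice(pool) for pool in pools.values())
    chars.extend(secrets.choice(alphabet) for _ in range(length - len(chars)))
    # Fisher-Yates shuffle driven by the CSPRNG (random.shuffle is not CSPRNG-backed)
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def covers_every_group(password, groups=GROUPS):
    """True if the password contains at least one character of each group."""
    return all(any(c in chars for c in password) for chars in groups.values())


def entropy_bits(length, alphabet_size=sum(len(g) for g in GROUPS.values())):
    """Entropy of a uniformly random password; an upper bound for the ensured variant."""
    return length * math.log2(alphabet_size)


def propose(count=5, **kwargs):
    """The list the eye icon reveals: several candidates to pick from."""
    return [generate_password(**kwargs) for _ in range(count)]


if __name__ == "__main__":
    for candidate in propose():
        print(candidate)
    print(f"{entropy_bits(32):.0f} bits for 32 characters over 94 symbols")
```

The shuffle after the guaranteed picks matters: without it, the first four positions would always be an upper-case letter, a lower-case letter, a digit and a symbol in that order, which shrinks the search space for anyone who knows the generator. The `exclude` parameter is how you handle a service that forbids certain symbols, as the paragraph above describes, without dropping the whole group.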
On the Advanced tab you can add additional attributes (assigned e-mail, security question and answer, whatever you find related to the entry that you’d like to protect). You can also add attachments. They may be documents related to some services (like a contract scan) or GPG keys for email accounts.
I’ve mentioned before that you can match password entries to the currently active window with the Auto-Type feature. You can customize the Auto-Type sequence globally, per group or per entry.
As a note: to customize the global Auto-Type sequence you have to set it on the group called Root (if you didn’t alter its name).
You can also set a custom window title to match with the Auto-Type feature. Why would you want to do that? It’s simple. Some services don’t have a recognizable word in the window title, so they won’t match automatically. You can then use the actual window title to match. When you click on the dropdown menu, you will get a list of currently opened windows. It distinguishes every single browser tab as a separate window. Choose the one that matches and everything will be fine.
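The two matching rules described above (entry title found inside the window title, or a custom window title chosen from the open windows) can be shown in a few lines. This is an added Python model of my own, not KeePassX’s matching code, and it simplifies: it assumes a case-insensitive substring test for the title and an exact comparison for custom window titles, and the entries and window titles are constructed sample data for hypothetical services.

```python
from dataclasses import dataclass, field


@dataclass
class Entry:
    """A KeePassX-style entry: title, login and optional custom window titles."""
    title: str
    username: str
    window_titles: list = field(default_factory=list)


def matches(entry, active_window):
    """Simplified matching rule (an assumption of this example): the entry title
    appears anywhere in the active window's title, case-insensitively, or one of
    the entry's custom window titles equals the window title exactly."""
    window = active_window.casefold()
    if entry.title and entry.title.casefold() in window:
        return True
    return any(custom.casefold() == window for custom in entry.window_titles)


def candidates(entries, active_window):
    """Entries that would be offered in the Auto-Type pop-up for this window."""
    return [e for e in entries if matches(e, active_window)]


# Constructed sample entries for hypothetical services, not real accounts.
ENTRIES = [
    Entry("Example Bank", "alice"),
    Entry("Example Mail", "alice@example.com"),
    # The forum's login page only says "Log in" in its title, so this entry
    # would never match by title; it carries the exact window title instead.
    Entry("Forum account", "alice42", window_titles=["Log in - Mozilla Firefox"]),
]


if __name__ == "__main__":
    for window in ("Example Bank - Online banking - Mozilla Firefox",
                   "Log in - Mozilla Firefox",
                   "Untitled - Mozilla Firefox"):
        print(window, "->", [e.title for e in candidates(ENTRIES, window)])
```

The third sample window matches nothing, which is exactly the situation the paragraph describes: an entry called “Forum account” never appears in a tab titled “Log in”, so you pick that tab from the dropdown and the exact title is stored with the entry. Because `candidates` returns a list rather than a single entry, it also shows why a pop-up to choose from is useful when several entries match the same window.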
You can also customize the icon and other things if you like. Click OK when you’re ready. I suggest saving the database after every entry you add or alter. Then you won’t lose the changes if you accidentally close the database or your computer crashes in the meantime.
KeePassX has some general settings. You can customize them at Tools > Settings.
On the General tab you can customize options related to general usage. I recommend the settings as you can see below. Alter the Global Auto-Type shortcut to your own preferences. However, I recommend using CTRL+ALT+SHIFT+<your key> so you don’t interfere with any shortcuts of the operating system or other applications. I previously said that you should save your database after every edit. Here is an option to do this automatically, but I think it’s safer not to use it: if you accidentally alter your database and you don’t know what exactly happened or how to revert the change, you can just lock your database without saving. If it saves automatically after every change, you will have to find out what you accidentally changed and revert it on your own.
On the Security tab you can alter some security related options. Clear clipboard after is the option which removes the login or password you copied from your entry, so you don’t paste it somewhere else accidentally. Apart from the Auto-Type feature, you can just copy your login (CTRL+B) or password (CTRL+C) from the currently highlighted password entry and manually paste it where you need it. Sometimes the Auto-Type feature may not work properly, under some specific circumstances.
Lock databases after inactivity of is an option which you should set according to your specific needs. For example, you can use a longer time if you always lock your computer when leaving it. Then you don’t have to unlock the database too often, especially if you use the database quite often. At work it’s a good option to set it to a longer time; just remember to lock your computer. For home use I recommend shortening the time: at home you may not care about locking your PC or you may share it with someone, so the sooner the database locks, the safer your passwords are.
Show passwords in cleartext by default: you don’t want this, as then your passwords won’t be obfuscated with dots by default, so someone might see your password over your shoulder.
Always ask before performing auto-type will show you a pop-up window with entries to choose from for the particular service, even if there is only one matching entry. It’s up to you whether you want that; I like it, you may not.
How Auto-Type exactly works
Now you have your passwords in the database. You have also set your Global Auto-Type shortcut. Now you can use the power of KeePassX.
Go to the service you want to log in to. Click in the login field. Hit your global shortcut. Now you see the pop-up, so you can choose the entry you wish to use. Choose the entry and press ENTER. KeePassX types your credentials for you.
Now you can easily generate long and random passwords and not worry about leaks from services. If there is a leak, you just change the password for a single service. All other passwords remain secure. You only have to remember your master password. Isn’t it much easier?
All the screenshots were taken under Ubuntu 16.10, which I currently work on. I assume that KeePassX is similar on Windows and Mac OSX. I hope you like it.
If you already use a password manager but never had time to explain the case to your friends, show them this tutorial. Also share it if you like it; let more people manage their passwords securely!