My Two Cents About Passwords
TL;DR: I recommend using KeePass and multi-factor authentication (MFA).
In the last few months, maybe since Apple launched Passkeys, I've read a lot of blog posts about password management. I have my own opinion and, overall, there are a few best practices I picked up while studying for IT certifications that I'd like to share.
Since I also read some misinformation (even if well-intentioned), I would like to write down my own thoughts.
1. Avoid the Cloud (When Possible)
A colleague of mine, when talking to customers, says: "The cloud is just someone else's data center".
It is an exaggeration, but in the end it's quite true. When you store your data on a Cloud service, the (huge) advantage is, of course, that it becomes available everywhere (e.g., from your phone's apps)… but on the other hand you expose the data to a series of risks that depend mostly on the Cloud Provider.
First, your data should be segregated from other customers' data, and inaccessible both to them and to the Provider itself. Does that always happen? Experience gives us a more than clear answer: no. So, when putting anything on the Cloud, you must be aware that it could be compromised.
You would be upset if anything happened to the pictures of your pet; therefore, one thing you should NOT want to place in the Cloud is your sensitive passwords! I mean that you should not opt for a password manager that stores the data on the Cloud, and you should prefer one that lets you control your data, in a local file on your computer.
It doesn't matter if a company seems more secure and promises 100% safety: history repeats itself. Also, think about the way you often access the passwords: the browser extensions. Each one you install is another piece of code that can expose your data (and you) to vulnerabilities: it extends the attack surface an attacker can exploit.
One of the priorities with computers, in general, should be to keep the attack surface as small as possible.
So, in my opinion, software that keeps your passwords in an encrypted local file should be preferred.
2. Store Your Data in Multiple Locations
Of course, if you have a single file containing all your passwords, you have to be sure not to lose it! Make sure to copy it to several locations. My advice is to back it up regularly (once a month?) on an external disk that is kept detached from the computer.
A good option is to copy this encrypted file to the Cloud, and then access it from other devices. Even if it were compromised, an attacker could do no harm if you…👇
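As an added example (not code from the original post), here is a small Python script that does what this section describes: copy the KeePass database to several locations, verify each copy against the original's SHA-256 so a half-written file on a flaky external disk is caught, and keep only the last few dated generations per location. The source and destination paths are placeholders; `demo()` runs the whole thing on a constructed dummy file in a temporary directory.

```python
"""Back up a local KeePass database to several locations and verify each copy.

Added example, not from the original post. It assumes the database is a single
.kdbx file and that each destination is an ordinary directory (a mounted
external disk, a synced folder). All paths here are placeholders.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks so large vaults are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_database(source, destinations, keep: int = 12, now: datetime = None) -> list:
    """Copy `source` into each destination dir as <stem>-<UTC timestamp><suffix>,
    verify the copy byte-for-byte via SHA-256, then prune so at most `keep`
    timestamped generations remain per destination. Returns the paths written."""
    source = Path(source)
    if keep < 1:
        raise ValueError("keep must be at least 1")
    if not source.is_file():
        raise FileNotFoundError(source)
    expected = sha256_of(source)
    stamp = (now or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    written = []
    for dest_dir in map(Path, destinations):
        dest_dir.mkdir(parents=True, exist_ok=True)
        target = dest_dir / f"{source.stem}-{stamp}{source.suffix}"
        shutil.copy2(source, target)
        if sha256_of(target) != expected:
            # never keep a corrupt backup around: it would look like a good one
            target.unlink()
            raise IOError(f"checksum mismatch after copying to {target}")
        # timestamps in the names sort chronologically; drop the oldest extras
        generations = sorted(dest_dir.glob(f"{source.stem}-*{source.suffix}"))
        for old in generations[:-keep]:
            old.unlink()
        written.append(target)
    return written


def demo() -> dict:
    """Self-contained run: a constructed dummy vault, two destinations,
    three monthly backups with only two generations kept per location."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        vault = root / "Passwords.kdbx"
        vault.write_bytes(b"constructed dummy content, not a real KeePass database")
        dests = [root / "external-disk", root / "synced-folder"]
        for month in (1, 2, 3):
            written = backup_database(
                vault, dests, keep=2,
                now=datetime(2024, month, 1, tzinfo=timezone.utc))
        remaining = {d.name: sorted(p.name for p in d.iterdir()) for d in dests}
        verified = all(sha256_of(p) == sha256_of(vault)
                       for d in dests for p in d.iterdir())
        return {"written": [p.name for p in written],
                "remaining": remaining, "verified": verified}


if __name__ == "__main__":
    print(demo())
```

Run it from a monthly reminder or a cron job; because the file is encrypted, the same script can push a copy to a synced folder as well as to the detached disk.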
3. Choose a Good Master Password
By "Master Password" I mean the password used to protect the encrypted file. You have to make sure that this password is a well-thought-out one. Here are my suggestions:
The password must be long (14 characters minimum), so using a series of words is an easy way to reach this length. But.
Use Numbers and Special Characters
Words alone are not enough: dictionary attacks that combine common words can guess very long passphrases. Add special characters, not only between the words but also in place of some letters within them. Use numbers too, but avoid dates and simple sequences such as 1234 or 0000.
Bonus idea! Use mirror sequences, such as
Use Something You Really Like
In the text of the passphrase, put a reference to something that you love, and you know you'll always remember. For example, if you are a fan of Quentin Tarantino, a good password could be a reference to your favorite movie from him.
Keep It Simple
The password must be quite easy for you to remember.
After all those rules it may seem impossible, so let's wrap it up.
Do you really like Pulp Fiction?
Then your Master Password could be
It's 17 characters long, and it is quite simple to remember if playing with sequences of characters such as
0= makes sense for you.
Do you love Paris? Then try something like
Note that only the first letter of each word is capitalized, and the last vowel is replaced with a number: it could be a simple mind trick to… create your own cipher!
Once your Master Password is strong enough, you can (almost) safely rely on your password manager to generate long, random passwords for every website.
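As an added check (not code from the original post), the function below encodes the rules of this section: minimum length, digits and special characters present, mixed case, no date-like fragments and no simple digit runs such as 1234, 4321 or 0000. The heuristics for "looks like a date" and "simple sequence" are assumptions made for the example, and the sample passwords used to exercise it are constructed, not the author's.

```python
"""Check a candidate master password against the rules of this section.

Added example, not from the original post. What counts as a date fragment or
a simple digit run is an assumption made for the example.
"""
import re

MIN_LENGTH = 14   # the post's minimum
RUN_LENGTH = 4    # digit runs at least this long are inspected for patterns


def looks_like_date(pw: str) -> bool:
    """Four-digit years 1900-2099, or day/month/year fragments like 19/06/1985."""
    return bool(re.search(r"(19|20)\d{2}", pw)
                or re.search(r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}", pw))


def has_simple_digit_run(pw: str, length: int = RUN_LENGTH) -> bool:
    """True for repeated digits (0000) or steps of +1/-1 (1234, 4321)
    anywhere inside a run of at least `length` digits."""
    for match in re.finditer(r"\d{%d,}" % length, pw):
        digits = match.group()
        for i in range(len(digits) - length + 1):
            chunk = digits[i:i + length]
            if len(set(chunk)) == 1:
                return True
            steps = {int(b) - int(a) for a, b in zip(chunk, chunk[1:])}
            if steps in ({1}, {-1}):
                return True
    return False


def check_master_password(pw: str) -> list:
    """Return the rules the password breaks; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", pw):
        problems.append("no digits")
    if not re.search(r"[^\w\s]", pw):          # anything that is not a letter, digit, _ or space
        problems.append("no special characters")
    if pw.lower() == pw or pw.upper() == pw:
        problems.append("no mixed case")
    if has_simple_digit_run(pw):
        problems.append("contains a simple digit sequence")
    if looks_like_date(pw):
        problems.append("looks like it contains a date")
    return problems


if __name__ == "__main__":
    # constructed samples, not real passwords
    for candidate in ("correcthorsebatterystaple", "Pulp1234!Fiction",
                      "Paris#Born1985?", "Th3=Royal3=with=Ch33s3!"):
        print(candidate, "->", check_master_password(candidate) or "OK")
```

The check is deliberately a lower bar, not a strength estimate: passing it means the password is not obviously weak in the ways listed above, nothing more.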
4. Multi-Factor Authentication? Yes, please.
Of course, an additional precaution does no harm: whenever possible, add MFA with a one-time password (OTP), a short code shown by an app on your personal device (smartphone) and computed from a secret shared with the website plus the current time. If a potential attacker gets your password, they still need the OTP code, which is practically impossible to guess. (It can, however, still be phished and relayed in real time; a FIDO2 security key or passkey resists that too.) So, to access the website, they would also need something you have (the phone), in addition to something you know (the password).
For an even more secure setup, I'd keep my OTPs and passwords separate. Most password managers can manage both, but in case of compromise you lose everything at once.
Also, make regular backups of your OTP secrets, too!
As you may have understood, I recommend KeePass: with a single encrypted local file your passwords are reasonably safe, provided you have a good Master Password. Then you can copy this file to any location and be cautiously serene.
And add MFA. Always!
P.S. I know that I sound very grumpy and faithless towards the Cloud, but working in cybersecurity has made me realize that we should simplify our approach to technology.
🎧 Some post-rock, such as Pelican
📖 The City and the Stars by Arthur C. Clarke