Happiness and Misadventures

My Two Cents About Passwords

TL;DR: I recommend using KeePass and MFA.


In the last few months, maybe since Apple launched Passkeys, I've read a lot of blog posts about password management. I have my own opinion and, above all, there are a few best practices I learned while studying for IT certifications that I'd like to share.

Since I also read some misinformation (even if well-intentioned), I would like to write down my own thoughts.

1. Avoid the Cloud (When Possible)

A colleague of mine, when talking to customers, says: "The cloud is just someone else's data center".

It is an extreme view, but in the end it's quite true. When you store your data on a Cloud service, the (huge) advantage is, of course, to make it available everywhere (e.g., from your phone's apps)… but on the other hand, you expose the data to a series of vulnerabilities that mostly depend on the Cloud Provider.

First, your data should be segregated from other customers' data, and inaccessible both to them and to the Provider itself. Does it always happen? Experience gives us a more than clear answer: no. So, when putting anything on the Cloud, you must be aware that it could be compromised.

You would be upset if anything happened to the pictures of your pet; therefore, one thing you should NOT want to place in the Cloud is your sensitive passwords! I mean that you should not opt for a password manager that stores the data on the Cloud, and you should prefer one that lets you control your data – in a local file on your computer.

It doesn't matter if a company seems more secure and promises 100% safety: history repeats itself. Also, think about the way you often access the passwords: the browser extensions. Each one you install is a potential set of vulnerabilities to which you expose your data (and yourself): you extend the attack surface that can be exploited by an attacker.

One of the priorities with computers, in general, should be to keep the attack surface as reduced as possible.

So, in my opinion, software that lets you keep an encrypted local file containing your passwords[1] should be preferred.

[Image: screenshot of The Simpsons, the scene where Abraham yells at a cloud.]
I can totally relate. Totally.

2. Store Your Data in Multiple Locations

Of course, if you have a single file containing all your passwords, you have to be sure not to lose it! Make sure to copy it to several locations. My advice is to back it up regularly (once a month?) on an external disk that is kept detached from the computer.

A good option could be to copy this encrypted file to the Cloud, and then access it from other devices. Even if it were compromised, an attacker couldn't do any harm if you…👇

3. Study a Good Master Password

By "Master Password" I mean the password used to protect the encrypted file. You have to make sure that this password is a well-studied one. Here are my suggestions:

Use Passphrases

The password must be long (14 characters minimum), so using a series of words is an easy way to obtain this goal. But.

Use Numbers and Special Characters

Words are not enough. Dictionary attacks can easily guess even very long passwords made of plain words. Use special characters to add some salt. Use them not only between the words, but also to replace some letters in them. Use numbers too, but avoid dates or simple sequences such as 1234 or 0000.[2]

Bonus idea! Use mirror sequences, such as 0?!_something_!?0.

Use Something You Really Like

In the text of the passphrase, put a reference to something that you love, and you know you'll always remember. For example, if you are a fan of Quentin Tarantino, a good password could be a reference to your favorite movie from him.

Keep It Simple

The password must be quite easy for you to remember. After all those concepts, it could seem impossible, but let's wrap it up. Do you really like Pulp Fiction? Then your Master Password could be 0=Ez3kiel-25;17=0.

It's 17 characters long, and it is quite simple to remember, if playing with sequences of characters such as 0= makes sense for you.

Do you love Paris? Then try something like -=-Eiffel$Tow3r-=-. Note that just the first letter of each word is capitalized, and the last vowel is replaced with a number: it could be a simple mind trick to… create your own cipher!

Once your Master Password is quite complex, you can (almost) safely rely on your password manager to generate all the complex passwords of just random characters, perfect for most websites.
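To make the rules of this section concrete, here is an added example (my own illustration, not code from the original post or from KeePass) that applies them to candidate master passwords: minimum length of 14, digits and special characters present, no dates or trivial sequences like 1234/0000, and a bonus for the mirrored prefix/suffix trick. The naive entropy figure it prints assumes every character is random, so for passphrases built from real words it is only an upper bound; the date and sequence patterns are my own assumptions about what "dates or simple sequences" means.

```python
"""Check candidate master passwords against the rules stated in the post.

Added example, not the author's code: the rules are the post's, the
detection heuristics (date regexes, run length of 4) are assumptions.
"""
import math
import re
import string

MIN_LENGTH = 14

# Assumed patterns for "dates": a four-digit year or a dd/mm/yyyy-style date.
DATE_PATTERNS = [
    re.compile(r"(19|20)\d{2}"),
    re.compile(r"\d{2}[/.-]\d{2}[/.-]\d{2,4}"),
]


def has_simple_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive repeated, ascending or descending
    characters (0000, 1234, abcd, 4321, dcba)."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def has_mirror_sequence(pw: str, min_len: int = 2) -> bool:
    """True if a prefix of at least min_len characters is mirrored at the end,
    like the post's 0?!_something_!?0."""
    for n in range(len(pw) // 2, min_len - 1, -1):
        if pw[:n] == pw[-n:][::-1]:
            return True
    return False


def naive_entropy_bits(pw: str) -> float:
    """Brute-force entropy if every character were drawn uniformly from the
    character classes present. Dictionary words lower the real figure."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    if any(c.isspace() for c in pw):
        size += 1
    return len(pw) * math.log2(size) if size else 0.0


def check_master_password(pw: str) -> dict:
    """Return a verdict for each rule in the post."""
    return {
        "long_enough": len(pw) >= MIN_LENGTH,
        "has_digit": any(c.isdigit() for c in pw),
        "has_special": any(c in string.punctuation for c in pw),
        "no_simple_sequence": not has_simple_sequence(pw),
        "no_date": not any(p.search(pw) for p in DATE_PATTERNS),
        "mirror_bonus": has_mirror_sequence(pw),
    }


def is_acceptable(pw: str) -> bool:
    """All mandatory rules pass; the mirror sequence is only a bonus."""
    verdict = check_master_password(pw)
    return all(v for k, v in verdict.items() if k != "mirror_bonus")


if __name__ == "__main__":
    # Constructed candidates: the post's two examples plus some that break a rule.
    for candidate in ["0=Ez3kiel-25;17=0", "-=-Eiffel$Tow3r-=-",
                      "pulpfiction1994", "Tarantino!1234abc", "Short#1"]:
        print(f"{candidate!r:24} ok={is_acceptable(candidate)} "
              f"~{naive_entropy_bits(candidate):.0f} bits "
              f"{check_master_password(candidate)}")
```

Both of the post's examples pass every mandatory rule and earn the mirror bonus; "pulpfiction1994" fails on the missing special character and the year, and "Tarantino!1234abc" fails on the 1234 run.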

4. Multi-Factor Authentication? Yes, please.

Of course, an additional precaution does no harm: whenever possible, add MFA with an OTP, a random-looking series of digits that appears on your personal device (smartphone). By doing so, if a potential attacker gets your password, they still need the OTP code, which is practically impossible to guess. So, to access the website, they would also need something you have (the phone), in addition to something you know (the password).

For Android, I'd suggest Aegis; for iOS, Raivo.

For an even more secure scenario, I'd keep my OTPs and passwords separated. Most password managers can manage both, but if one is compromised, you lose everything at once.

Also, make regular backups of the OTPs (the seeds stored in your authenticator app), too!

Conclusion

As you may have understood, I recommend KeePass: with a single encrypted local file, your passwords are potentially safe; you just need a good Master Password. Then, you can copy this file to any location and be cautiously serene.

And add MFA. Always!

P.S. I know that I sound very grumpy and distrustful of the Cloud, but working in cybersecurity made me realize that we should simplify our approach to technology.


🎮 Trek to Yomi

🎧 Some post-rock, such as Pelican

📖 The City and the Stars by Arthur C. Clarke


  1. Real geeks could even keep the passwords in a plain text file encrypted with OpenSSL (or, even better, age). It is a bit of an extreme example, but for me, it is safer than a cloud SaaS application.

  2. I bet everyone used one of these as unlock codes for some device. 👀

#best practices #cybersecurity