How I locked down my passwords
If you’re one of those people who uses the same password for everything, especially if it’s a simple password, you’re a fool and you need to stop. But if you’re going to maintain a zillion different passwords for a zillion different sites, how?
Password management software.
I’ve been using the free, open source KeePass, which is secure and it works, but it doesn’t integrate well with browsers, or let me save my password data securely in the cloud (or maybe better, on the blockchain). So I’m going to get a better password manager and set it up on all my devices. This is an essential to locking down my cyber-life.
One of the ways Facebook, LinkedIn, et al. insinuate themselves into our cyber-lives is by giving us an easy way to log in to other sites. But that makes it easier for them to track us everywhere. Well, if you install a decent password manager, then you don’t have to depend on social login services. Just skip them and use the omnipresent “log in with email” option every time. Your password manager will make it about as easy as social login systems did, but much more securely and privately.
You need a password manager
Password management software securely holds your passwords and brings them out, also securely, when you’re logging in to websites in your desktop and handheld browsers. Decent browsers (like Brave) make your passwords available for the same purposes, if you let them, but there are strong reasons you shouldn’t rely on your browser to act as a password manager.
Instead, for many years I’ve been using KeyPass, a free (open source) password manager that’s been around for quite a while. The problem with KeyPass, as with a lot of open source software, is that it’s a bit clunky. I never did get it to play nicely with browsers.
Password managers can, of course, automatically generate passwords and save them securely. They can also (but not all do) store your password database reasonably securely in the cloud (assuming you trust public clouds, which maybe you shouldn’t), so you don’t have to worry about losing it; you can export a copy if you like. You can use it on all your devices with equal ease. The software will even let you grab your passwords with a fingerprint (or whatever) on your phone.
A very nice feature is that they’ll securely store payment information, so your browser, websites, and operating system don’t have to hold that information. That means you don’t have to trust browsers, websites, and operating systems to manage this information securely. You only need to trust the password manager…
But can you trust password managers?
“Ah,” you say, “but can you trust password managers?” That’s not a bad or naive question at all; it’s an excellent question. Consumer Reports, of all things, weighs in:
By default, LastPass, 1Password, and Dashlane store your password vault on their servers, allowing you to easily sync your data across devices. As a second benefit, if your computer crashes you won’t lose your vault.
But some people just really hate the idea of storing all their passwords on one site in the cloud—no matter what the company promises about its security measures, there’s probably a bulls-eye painted on its encrypted back. If that sounds like you, it’s possible to store your passwords locally.
Dashlane lets you do this by disabling the “Sync” feature in Preferences. This will delete your vault and its contents from the company’s servers. Of course, any further changes you make to your vault on your computer won’t show up on your other devices.
So what’s my take? Hopefully there are layers of security protecting your password repository, not least of which is the (hopefully well-chosen) master password to your password database. While you do have to choose the professionalism and honesty of a cloud-based password manager, I think that’s their business, so I want to trust them. But, but!
I ask myself: what is more likely, that they become compromised (for whatever reason—let your imagination run wild) or instead that I lose my master password or all copies of my password database or somehow allow myself to be hacked? I think both are fairly unlikely, first of all. I am certainly inclined to distrust myself, especially over the long haul. And frankly, the idea that a security business is compromised seems unlikely, since security is their business. But could a password manager server be hacked? That is, again, a really good question, and you wouldn’t be the first to ask it. Password manager company OneLogin was actually hacked, and the hackers could actually “decrypt encrypted data,” the company said. Holy crap!
Also, which is most disastrous? Losing my password file would not be a disaster; I can easily generate new passwords; that’s just a pain, not a disaster. But a hacker getting hold of my passwords in the cloud (no matter how unlikely)? That could be pretty damn bad.
After all, especially as password manager companies grow in size (as successful companies are wont to do), they naturally can be expected to become a honeypot for hackers. Another example of a hacked password management company was LastPass, which was hacked in 2015, although without exposing their users’ passwords.
If you’re like me, you have libertarian concerns about having to trust external entities (and especially, giant corporations) with your entire digital lives. You might also not want to trust (future?) dangerous governments with the power to force those corporations to give access to your entire digital life, then we’re no longer talking about anti-crime cybersecurity. Then it looks like you shouldn’t (sensibly) put your password files in a corporate-managed cloud. Then I’m having to trust people a little too much for my comfort. So you should manage their location yourself.
Then there are two further problems. First, can you be sure that it is impossible for anyone at the password management software company to crack your password database, even if you host it yourself? (Do they have a copy? Can they get access to a copy? If they have access, are there any back doors?)
Second, there’s the practical issue: Without the cloud, how do you sync your passwords between all your devices? That feature is the main advantage of hosting your passwords in the cloud. So how can you do it automatically, quickly, and easily?
What self-hosted password manager is really secure?
Several password managers use the cloud, but what is stored in the cloud is only the encrypted data. All the login and decryption happens on your local device. This is called zero-knowledge security, and it might be a suitable compromise for many. I have one main issue with this: Especially if the software is proprietary, we must simply trust the company that that is, in fact, how it works. But that’s a lot to ask. So I’ll pass on these. I’ll manage the hosting of my own passwords, thanks very much.
Here are my notes on various password managers:
- These all feature zero-knowledge security but seem not to allow the user to turn off cloud sync (maybe they do, I just couldn’t find evidence that they do): 1Password, Keeper Password Manager, LastPass, LogMeOnce, Password Boss, Zoho Vault.
- Sticky Password Premium: Allows home wifi sync of passwords, which is just fine. Fills out forms, works on all your devices…except Linux devices. Linux does not seem to be supported. Next!
- RoboForm: Doesn’t have a sync feature without using their cloud service, but hey! It has a Linux version! Might work on Brave, since Brave is built on Chromium and there is a Chrome extension. This was enough for me to install it (and it worked!), but it seems to be rather clunky and there were a few different things that didn’t inspire confidence.
- Dashlane: This has zero-knowledge security, which isn’t a bad thing, but in addition, it allows you disable sync. Whenever you turn it off, the password data is wiped from their servers (so they say). You can turn it on again and sync your devices, then turn it off again. This is within my tolerance. Also, Dashlane has a Linux version. In other respects, Dashlane seems very good. I installed it and input a password. The UX is very inviting—even the Linux version. It’s expensive, though: it’s a subscription, and it’s $40 for the first year (if you use an affiliate link, I guess), and $60 if you buy it direct, which I’m guessing will be the yearly price going forward. That’s pretty steep for a password manager.
- EnPass: Here’s something unusual—a password manager that goes out of its way to support all platforms, including Linux and even Chromebook (not that I’d ever own one of those). Rather than an expensive subscription, like Dashlane, EnPass’s desktop app is free, while the mobile version costs $10, and that’s a one-time fee. They don’t store passwords in the cloud; passwords are stored locally, but EnPass has some built-in ways to sync the passwords (including by wi-fi, like Sticky Password). The autofill apparently doesn’t work too well, while more expensive options like Dashlane do this better, and lacks two-factor authentication, which would be nice, and other “luxury” features.
Installation and next steps
Dear reader, I went with EnPass.
So how did I get started? Well, the to do list was fairly substantial. I…
- Made a new master password. I read up on the strategy for making a password that is both strong, easy to remember, and easy to type. I ended up inventing my own strategy. (Do that! Be creative!) So my master password ended up being a bit of a compromise. While it’s very strong, it’s a bit of a pain to type; but it’s pretty easy to remember. Whatever master password you chose, just make sure you don’t forget it, or you’ll lose access to your password database.
- Installed EnPass on Windows and Linux and tested it to see if it worked well in both. It does (so far).
- Used EnPass to sync the two installations using a cloud service. (I’ll be replacing this with Resilio Sync soon enough, so it’ll be 100% cloudless.) I confirmed that if I change a password in one, it is synced in the other.
- Imported all my Keepass passwords, then tested a bit more on both platforms to make sure nothing surprising is happening. So far, so good. My only misgiving about EnPass so far is that there doesn’t seem to be a keyboard shortcut to automatically choose the login info. I actually have to double-click on the item I want, apparently.
- Deleted all passwords from all browsers, and ensure that the browser doesn’t offer to save new passwords. Let the password manager handle that from now on. (No need for the redundancy; that’s a bit of extra and unnecessary risk.)
- Installed on my cell phone, synced (without issue), and tested. (Annoyingly, the Enpass iOS app doesn’t do autofill, but I gather that’s in the plans.)
- Installed app and browser plugin on my (Mac) laptop. No issues there either.
- Deleted Keepass data in all locations. That’s now redundant and a needless risk as well.
I’m now enjoying the new, secure, and easy access to my passwords on all my devices. I’m also happy to be free of browser password managers.
This was installment four in my series on how I’m locking down my cyber-life.