<!-- title: Switching to a password manager -->
<!-- slug: password-manager -->
<!-- categories: Cryptography -->
<!-- date: 2019-10-19T00:00:00Z -->

<p>
  Before I learned about password managers, less than a year ago, having all my passwords in the
  same place sounded like a really bad idea—if someone managed to get access to "that place", they
  could log in to all my accounts, to my <em>online identity</em>.</p>
<!-- /p -->

<p>
  As I learned about security (particularly when using the internet), it became a better idea, to
  the point that I have now used one for over half a year. I use <a
  href="https://keepassxc.org/">KeePassXC</a>, an offline password manager. I have also been
  recommended an online alternative (<a href="https://bitwarden.com/">Bitwarden</a>), although I
  haven't used it because I would much rather not have my passwords online.</p>
<!-- /p -->

<h2>Password requirements</h2>

<p>
  Before considering whether having a password manager is worth it or not, it is necessary to state
  what I require of my passwords.</p>
<!-- /p -->

<ul>
  <li>
    <strong>Unique passwords for each account</strong>: if one of the sites I use were to be hacked
    and my password compromised, that should not be a problem for any of my other accounts. I think
    it is a pretty reasonable requirement if I want to lower the chances of my accounts being
    accessed by unauthorised parties; however, it makes remembering all my passwords a lot
    harder.</li>
  <!-- /li -->
  <li>
    <strong>Complex passwords</strong>: my passwords should be hard to guess for a computer. You can
    imagine what type of password is easy to guess—or you can find examples on <a
    href="https://en.wikipedia.org/wiki/Password_strength#Examples_of_weak_passwords">Wikipedia</a>—,
    however, even if we complicate passwords a little more they are still pretty easy to guess. In
    the end, what I mean by "complex" is that they should be long, (pseudo)randomly generated
    passwords that contain letters, numbers and special characters (long being about 16 characters,
    although I normally use more, since adding characters is nearly free of cost when using a
    password manager).</li>
  <!-- /li -->
</ul>
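<p>
  To make the "complex" requirement concrete, here is an added Python example (not code from the
  original post, nor KeePassXC's generator) that draws a password of the kind described above from
  the operating system's CSPRNG and works out how many bits of entropy a uniformly random password of
  a given length carries. The guess rate used for the time estimate is a constructed assumption; the
  real figure depends on how the site hashes its passwords.</p>
<!-- /p -->

```python
import math
import secrets
import string

# The character classes the post asks for: letters, numbers and special characters.
LETTERS = string.ascii_letters          # 52 symbols
DIGITS = string.digits                  # 10 symbols
SPECIALS = string.punctuation           # 32 symbols
ALPHABET = LETTERS + DIGITS + SPECIALS  # 94 printable ASCII symbols in total


def has_all_classes(password: str) -> bool:
    """True when the password contains at least one letter, one digit and one special character."""
    return (any(c in LETTERS for c in password)
            and any(c in DIGITS for c in password)
            and any(c in SPECIALS for c in password))


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Draw a uniformly random password from `alphabet` using the OS CSPRNG (`secrets`).

    Rejection sampling keeps the result uniform over the accepted set: we redraw the whole
    password until every required class appears, rather than forcing a digit into position 3
    and a symbol into position 7, which would bias the output.
    """
    if length < 3:
        raise ValueError("need at least three characters to cover all three classes")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).

    The class requirement above rejects a tiny fraction of candidates, so the true figure is
    marginally lower; for 16 or more characters the difference is negligible.
    """
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every password of the given entropy at a fixed guess rate (constructed assumption)."""
    return 2 ** bits / guesses_per_second / (60 * 60 * 24 * 365)


if __name__ == "__main__":
    # Constructed guess rate for illustration only: ten billion guesses per second.
    rate = 1e10
    for length in (8, 16, 30):
        pw = generate_password(length)
        bits = entropy_bits(length)
        print(f"{length:2d} chars  {bits:6.1f} bits  ~{years_to_exhaust(bits, rate):.1e} years  {pw}")
```

<p>
  A 16-character password over this 94-symbol alphabet has about 105 bits of entropy, which is why
  the length, not any particular "rule", is what makes the password hard for a computer to guess.</p>
<!-- /p -->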

<h2>Dealing with complex passwords</h2>

<p>
  Trying to remember passwords that fulfill my requirements gets incredibly hard very quickly (at
  least in my case). So I eventually realized I needed to rely on something other than my own
  memory if I wanted unique, complex passwords. I had two options: keep a physical notebook where I
  would write my passwords (avoiding the risk of my passwords getting stolen if my computer was
  compromised) or use a password manager.</p>
<!-- /p -->

<p>
  The notebook option was quickly discarded since typing the passwords in would take too much time
  (as well as writing them down when originally generated). In my case, someone accessing the
  passwords in my notebook—which is a lot of people's concern—wouldn't be an issue, since the
  notebook could be kept safe somewhere at home, but this solution just isn't efficient enough for
  me.</p>
<!-- /p -->

<p>
  So using a password manager was a natural solution to manage my passwords. Although there are
  options to self-host an online password vault, I don't feel confident doing so, which is why I use
  an offline password manager. All my passwords are organized in folders in an encrypted database,
  but KeePassXC can do a lot more than that. It can create randomly generated passwords and has an
  auto-type feature that makes typing 30-character-long passwords a breeze. It can also store extra
  information like <a href="https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm">TOTP</a>
  keys, as well as miscellaneous information, either as attribute-value pairs or as plain-text notes.
  It has other features you might find useful; these are just the ones I use the most.</p>
<!-- /p -->

<p>
  On top of that, having a password manager enables me to track all my online accounts, making it
  easier to spot and remove old unused accounts.</p>
<!-- /p -->

<h2>Final comments</h2>

<p>
  There is an option I haven't discussed yet:
  <a href="https://en.wikipedia.org/wiki/Multi-factor_authentication">Multi-Factor Authentication</a>
  (or Two-Factor Authentication). Although it is very useful, a lot of online services still don't
  offer an option for it, and it is easier for me to just use a password manager; however, 2FA might
  be better suited for you (because it allows you to be less strict on the password requirements
  while still keeping your accounts safe).</p>
<!-- /p -->

<p>
  On a different note, some might say that it would be unusual for someone to try and hack my
  accounts by brute-forcing them (after all, they don't contain anything useful to a random stranger
  or entity), and it is probably true, but that isn't a good enough argument to give up on my
  security.</p>
<!-- /p -->

<p>
  On the whole, I find that using a password manager grants me a lot of useful tools, while the
  drawbacks are nearly imperceptible.</p>
<!-- /p -->