2019-10-19-password-manager.md (4853B) - raw
1 <!-- title: Switching to a password manager --> 2 <!-- slug: password-manager --> 3 <!-- categories: Cryptography --> 4 <!-- date: 2019-10-19T00:00:00Z --> 5 6 Before I learned about password managers, less than a year ago, having all my 7 passwords on the same place sounded like a really bad idea—if someone managed to 8 get access to "that place", they could log in to all my accounts, to my *online 9 identity*. 10 11 As I learned about security (particularly when using the internet), it became a 12 better idea, to the point that I now have used one for over half a year. I use 13 [KeePassXC][kp], an offline password manager. I have also been recommended an 14 online alternative ([Bitwarden][bw]), although I haven't used it because I would 15 much rather not have my passwords online. 16 17 ## Password requirements 18 19 Before considering whether having a password manager is worth it or not, it is 20 necessary to expose what I require of my passwords. 21 22 - **Unique passwords for each account**: if one of the sites I use was to be 23 hacked and my password compromised, that should not be a problem for any of 24 my other accounts. I think it is a pretty reasonable requirement if I want to 25 lower the chances of my accounts being accessed by unauthorised parties, 26 however, it makes remembering all my passwords a lot harder. 27 - **Complex passwords**: my passwords should be hard to guess for a computer. 28 You can imagine what type of password is easy to guess—or you can find 29 examples on [Wikipedia][wp]—, however, even if we complicate passwords a 30 little more they are still pretty easy to guess. In the end, what I mean by 31 "complex" is that they should be long [pseudo]randomly-generated passwords 32 that contain letters, numbers and special characters (long being about 16 33 characters, although normally I use more since adding characters is nearly 34 free of cost when using a password manager). 35 36 ## Dealing with complex passwords 37 38 Trying to remember passwords that fulfill my requirements gets incredibly hard 39 very quickly (at least in my case). So I eventually realized I needed to rely on 40 something different than my own memory if I wanted unique complex passwords. I 41 had two options: have a physical notebook where I would write my passwords 42 (avoiding the risk of my passwords gotten stolen if my computer was compromised) 43 or use a password manager. 44 45 The notebook option was quickly discarded since typing the passwords in would 46 take too much time (as well as writing them down when originally generated). In 47 my case, someone accessing the passwords in my notebook—which is a lot of 48 people's concern—wouldn't be an issue, since the notebook could be kept safe 49 somewhere at home, but this solution just isn't efficient enough for me. 50 51 So using a password manager was a natural solution to manage my passwords. 52 Although there are options to self-host an online password vault, I don't feel 53 confident doing so, that's why I use an offline password manager. All my 54 passwords are organized in folders on an encrypted database, but KeePassXC can 55 do a lot more than that. It can create randomly generated passwords and has an 56 auto-type feature that makes typing 30 character long passwords a breeze. It can 57 also store extra information like [TOTP][totp] keys, but also miscellaneous 58 information, both as an attribute-value pair or as plain-text notes. It has 59 other features you might find useful, these are just the ones I use the most. 60 61 On top of that, having a password manager enables me to track all my online 62 accounts, making it easier to spot and remove old unused accounts. 63 64 ## Final comments 65 66 There is an option I haven't discussed yet: [Multi-Factor Authentification][mfa] 67 (or Two-Factor Authentification). Although it is very useful, a lot of online 68 services still don't offer an option for it and it is easier for me to just use 69 a password manager, however, 2FA might be better suited for you (because it 70 allows you to be less strict on the password requirements while still keeping 71 your accounts safe). 72 73 On a different note, some might say that it would be unusual for someone to try 74 and hack my accounts by brute-forcing them (after all, they don't contain 75 anything useful to a random stranger or entity), and it is probably true, but 76 that isn't a good enough argument to give up on my security. 77 78 On the whole, I find that using a password manager grants me a lot of useful 79 tools, while the drawbacks are nearly imperceptible. 80 81 82 [kp]: <https://keepassxc.org/> "KeePassXC" 83 [bw]: <https://bitwarden.com/> "Bitwarden" 84 [wp]: <https://en.wikipedia.org/wiki/Password_strength#Examples_of_weak_passwords> "Examples of weak passwords — Wikipedia" 85 [totp]: <https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm> "TOTP — Wikipedia" 86 [mfa]: <https://en.wikipedia.org/wiki/Multi-factor_authentication> "Multi-Factor Authentification — Wikipedia"