2019-10-19-password-manager.md (4853B) - raw

      1 <!-- title: Switching to a password manager -->
      2 <!-- slug: password-manager -->
      3 <!-- categories: Cryptography -->
      4 <!-- date: 2019-10-19T00:00:00Z -->
      6 Before I learned about password managers, less than a year ago, having all my
      7 passwords on the same place sounded like a really bad idea—if someone managed to
      8 get access to "that place", they could log in to all my accounts, to my *online
      9 identity*.
     11 As I learned about security (particularly when using the internet), it became a
     12 better idea, to the point that I now have used one for over half a year. I use
     13 [KeePassXC][kp], an offline password manager. I have also been recommended an
     14 online alternative ([Bitwarden][bw]), although I haven't used it because I would
     15 much rather not have my passwords online.
     17 ## Password requirements
     19 Before considering whether having a password manager is worth it or not, it is
     20 necessary to expose what I require of my passwords.
     22 - **Unique passwords for each account**: if one of the sites I use was to be
     23   hacked and my password compromised, that should not be a problem for any of
     24   my other accounts. I think it is a pretty reasonable requirement if I want to
     25   lower the chances of my accounts being accessed by unauthorised parties,
     26   however, it makes remembering all my passwords a lot harder.
     27 - **Complex passwords**: my passwords should be hard to guess for a computer.
     28   You can imagine what type of password is easy to guess—or you can find
     29   examples on [Wikipedia][wp]—, however, even if we complicate passwords a
     30   little more they are still pretty easy to guess. In the end, what I mean by
     31   "complex" is that they should be long [pseudo]randomly-generated passwords
     32   that contain letters, numbers and special characters (long being about 16
     33   characters, although normally I use more since adding characters is nearly
     34   free of cost when using a password manager).
     36 ## Dealing with complex passwords
     38 Trying to remember passwords that fulfill my requirements gets incredibly hard
     39 very quickly (at least in my case). So I eventually realized I needed to rely on
     40 something different than my own memory if I wanted unique complex passwords. I
     41 had two options: have a physical notebook where I would write my passwords
     42 (avoiding the risk of my passwords gotten stolen if my computer was compromised)
     43 or use a password manager.
     45 The notebook option was quickly discarded since typing the passwords in would
     46 take too much time (as well as writing them down when originally generated). In
     47 my case, someone accessing the passwords in my notebook—which is a lot of
     48 people's concern—wouldn't be an issue, since the notebook could be kept safe
     49 somewhere at home, but this solution just isn't efficient enough for me.
     51 So using a password manager was a natural solution to manage my passwords.
     52 Although there are options to self-host an online password vault, I don't feel
     53 confident doing so, that's why I use an offline password manager. All my
     54 passwords are organized in folders on an encrypted database, but KeePassXC can
     55 do a lot more than that. It can create randomly generated passwords and has an
     56 auto-type feature that makes typing 30 character long passwords a breeze. It can
     57 also store extra information like [TOTP][totp] keys, but also miscellaneous
     58 information, both as an attribute-value pair or as plain-text notes. It has
     59 other features you might find useful, these are just the ones I use the most.
     61 On top of that, having a password manager enables me to track all my online
     62 accounts, making it easier to spot and remove old unused accounts.
     64 ## Final comments
     66 There is an option I haven't discussed yet: [Multi-Factor Authentification][mfa]
     67 (or Two-Factor Authentification). Although it is very useful, a lot of online
     68 services still don't offer an option for it and it is easier for me to just use
     69 a password manager, however, 2FA might be better suited for you (because it
     70 allows you to be less strict on the password requirements while still keeping
     71 your accounts safe).
     73 On a different note, some might say that it would be unusual for someone to try
     74 and hack my accounts by brute-forcing them (after all, they don't contain
     75 anything useful to a random stranger or entity), and it is probably true, but
     76 that isn't a good enough argument to give up on my security.
     78 On the whole, I find that using a password manager grants me a lot of useful
     79 tools, while the drawbacks are nearly imperceptible.
     82 [kp]: <https://keepassxc.org/> "KeePassXC"
     83 [bw]: <https://bitwarden.com/> "Bitwarden"
     84 [wp]: <https://en.wikipedia.org/wiki/Password_strength#Examples_of_weak_passwords> "Examples of weak passwords — Wikipedia"
     85 [totp]: <https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm> "TOTP — Wikipedia"
     86 [mfa]: <https://en.wikipedia.org/wiki/Multi-factor_authentication> "Multi-Factor Authentification — Wikipedia"