Password Managers in the real world

TL;DR

• They’re a good thing.
• It’s often quicker than logging into websites manually.
• You should use one.

Introduction

Passwords. Not a very interesting subject, until your accounts get hacked, then all of a sudden they’re very interesting … for all the wrong reasons.

Passwords are the bane of the modern internet. A necessity, but annoying:

• They need to be complex, but memorable, so you don’t write them down.
• They need to be different for every website, but hey, still memorable.
• Oh, and don’t forget they can’t be predictable either.

Like most people I don’t have the time (and let’s be honest, the inclination) to remember 100+ different passwords. So we use bad alternative methods, for instance:

Not too bad

• 3 different passwords.
• Level 1 - For websites with limited personal data capture, e.g. bbc.co.uk just request a username and password.
• Level 2 - For websites with personal data capture, but not financial, e.g. most shopping websites.
• Level 3 - Banks and those pesky shopping websites that insist on saving your credit card details.

Too bad

• 1 password … used for everything.

Now whilst the method of using 3 passwords is better, we’re still sharing passwords. If one of those websites gets hacked I have to change the password on every single other website in level 3.

With the victims of hacking becoming more and more prominent I felt I could no longer put off looking at a password manager.

For those unfamiliar, a password manager is akin to a safe into which you place all your valuables (i.e. passwords in this instance), close the door and protect all your passwords with one all encompasing master password. To gain access to a website in the future you only ever have to remember your master password.

The Two Week Challenge!

So despite the dread at the mind-numbing-banalty of sorting my passwords out, I set myself a little challenge:

• Start using a password manager.
• Use it religiously for 2 weeks.
• After 2 weeks, decide whether to continue (I did).

I had a look around the market and decided I’d run my little challenge with KeePass, because:

1. It’s open source and OSI certified … whatever that means
2. It’s free.
3. If you read it wrong, it sounds a little rude

I’ve also written posts about installing KeePass on the Windows and Android platforms.

Being pragmatic

I’m set. I’m fully committed to trying KeePass for 2 weeks. I’ve got it installed on my PC and my mobile.

Am I going to go through over 10 years of e-mails tracking down all the websites I’ve used? No chance! I need to be realistic about what can be achieved, so the two week challenge will be run with the following considerations:

1. No actively looking to add historical websites.
2. No manual logging-in
   Any new or existing websites I need to log into in the next fortnight, I’ll do it through KeePass.
3. No new passwords
   I’m keeping the existing passwords. If I decide after 2 weeks that KeePass isn’t for me, I can back out easily.

So how did it go?

All in all things went well and I didn’t encounter anything I was particularly concerned about … certaintly no deal breakers. The elements that stand out are:

• The biggest challenge was forcing myself to use the tool rather than logging in manually. Ultimately it’s quicker to use the tool once you’ve trained yourself with the keyboard short-cuts.
• The mobile application doesn’t have the best experience as you’re limited to copying and pasting your credentials - I guess Android doesn’t allow the KeePass Auto-Type feature. This isn’t really a concern for me as I don’t really use my phone in that way.
• If you forget your Master password you’re in a big heap of … You lose access to every password on every website, there’s no send reminder option here. That’s a lot of password resets to process.
• Ensure your KeePass password database is backed up. Again, if the file becomes corrupted, or your hard disk fails, you lose all your credentials.

I’m actually quite impressed with KeePass; It’s one of those tools where you come across something that seems a bit weird and a quick search reveals there’s a perfectly good reason why some feature works the way it does, and often a way of changing the behaviour to what you’d prefer.

So what’s next …

Well; I still have 10 years of websites in my Inbox, so I’d best get started moving them over to KeePass … NO CHANCE. That’s never going to happen.

Again this calls for a more pragmatic approach, so I’m going to improve my existing passwords based on how bad it would were a website I’m registered with become compromised.

1. My bank - most importmant for obvious reasons.
2. Any other websites with financial data, e.g. PayPal, eBay and Quidco – why a cashback website you may ask? Did you register your Direct Debit details with them?
3. Web based email services like gmail, hotmail, etc
4. Google account – how many services are tied across that one password?
5. Any shopping site where you’ve saved your credit card details (including those naughty ones that don’t let you opt out!)
6. Social services like twitter, facebook and google+ - often used for logging into other websites, and expose personal data that can be used to attack other websites.
7. Anything else I’ll change as and when required. If I haven’t used a website in a couple of years I’ll need to reset the password anyway (I’ll have forgotten what it was setup with).

Are you still using KeePass?

How do you think I logged into my blog to post this article?

Related articles

• KeePass Windows installation
• KeyPass Android Mobile installation
• Website security questions & social media

Posted in : security, security, tips