3 years ago …
Back in 2014 (2014!) I wrote a blog post about starting to use a password manager.
It’s long been one of my more popular posts, so I thought it was high time for a follow-up about how things have gone.
- Are you still using a password manager?
- Yes, and it's still KeePass.
- Would you ever go back?
- No, I can't see it.
- What have you learnt since?
- Read on ...
What I’ve Learnt
This isn’t intended to be an intensive post, just a few observations and conclusions I’ve come to whilst using KeePass for the last few years.
Syncing the database to your phone via Dropbox* makes it even more important to lock down your Dropbox* account.
- Ensure you have a PIN set up on your Dropbox* account.
- Enable two-factor authentication+.
- Use a nonce in your Dropbox* password.
And whilst we’re talking about mobile devices, some additional precautions I’d recommend:
- If you haven’t already, add an Unlock PIN or Pattern.
- Encrypt your device.
- Add a SIM Lock PIN too, because … bad guys.
Two-Factor Authentication +
Whilst SMS is better than not having two-factor authentication, it’s not without issues.
I’d advise using a third-party app like Google Authenticator, which doesn’t require phone reception or even an internet connection to verify you are the account holder. This is an option on Dropbox, and on many other websites too.
Of course you’ll want to use two-factor authentication on other important accounts. Any accounts with financial data, and of course your Google account!
Use Multiple Databases
Since the beginning I’ve used a single database for all my passwords. The single database is then synced to my mobile via Dropbox*.
This all works great, however using a cloud provider does increase your risk of a breach to a certain extent.
To mitigate this I’m moving towards using multiple password databases. Well, two in fact: online and offline.
Online and Offline Accounts
KeePass fully supports using multiple databases, and you can have different [master] passwords for each database. Each database just appears as another window in the application.
I have one database for accounts I don’t access anywhere but at home, on my laptop, using a Wi-Fi point I mostly trust.
Yes, I could grab a network cable and connect using a wire - it’s always a compromise between security and convenience - in this instance, convenience wins.
Financials - I don’t tend to check my bank account on my phone, nor on a Wi-Fi point that I don’t trust (though there are ways around that risk too).
Toepoke accounts - I only do releases or fixes at home, so there’s little point increasing the risk by having these accounts synced in the cloud.
A quick note about backups. You need them! If your hard drive fails at home you'll lose your password database and all the passwords in it. This is pain we don't want. Store a backup off your main machine, somewhere safe; perhaps in a VeraCrypt volume.
Online (Synced via Dropbox*)
A massive benefit of using KeePass over a long period of time is it becomes a really useful bookmark manager.
Remember back in the bad old days when you’d use the same password for everything? Maybe you’d even use some combination with the domain name of the website too?
Well, this can actually be quite useful when used with a password manager.
For critical accounts (banking websites, Dropbox*, etc.) I use a combination of a long random password generated by KeePass and a nonce that only I know. I like to think of it as two-factor authentication, but using my head rather than an app.
Frankly I’m amazed that in this day and age the banks still haven’t woken up to the advantage two-factor authentication brings :sad:.
And yes, I’m completely aware I’m using the word nonce out of context but it’s the best word I could come up with.
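The scheme above has two components, one in the database and one in your head. The following added example (not code from the original post or from KeePass) generates the stored part the way a password manager should, from the operating system's CSPRNG, and puts a number on what each component contributes: the first figure is what a leaked database hands over, the second is what remains unknown. The memorised part's figure is an upper bound that assumes it is chosen uniformly from its alphabet; a word or a date is worth far fewer bits, and a memorised part reused across sites is only secret until one of those sites leaks it in clear.

```python
"""Added example: CSPRNG password generation and per-component entropy for the
"random stored password + memorised part" scheme. Not from the original post or KeePass.
"""
import math
import secrets
import string

# 94 printable ASCII symbols, the usual "all character classes" alphabet.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def generate_stored_part(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Uniform selection from `alphabet` via the OS CSPRNG.
    `secrets.choice` is unbiased; the `random` module must never be used for this."""
    if length <= 0 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def scheme_strength(stored_len: int, memorised_len: int,
                    stored_alphabet_size: int = len(PRINTABLE),
                    memorised_alphabet_size: int = 26) -> tuple:
    """Return (bits held in the database, bits held only in your head).

    If the database is breached the first figure is lost; the second is the
    work factor left for an attacker, and only if the memorised part really is
    uniformly random over its alphabet (words and dates are far weaker)."""
    return (entropy_bits(stored_alphabet_size, stored_len),
            entropy_bits(memorised_alphabet_size, memorised_len))


if __name__ == "__main__":
    stored = generate_stored_part(20)          # what KeePass would store
    memorised = "[your memorised part]"        # placeholder: never write the real one down
    in_db, in_head = scheme_strength(len(stored), 6)
    print(f"stored part: {stored}  ({in_db:.1f} bits in the database)")
    print(f"memorised part of 6 lowercase letters: at most {in_head:.1f} bits outside it")
    print("the account password is the two concatenated:", stored + memorised)
```

The output makes the trade-off concrete: twenty random printable characters are around 131 bits, which no one will brute force, so the memorised suffix adds nothing against a guessing attack on the account itself. What it buys is the database-breach case, where the stored 131 bits are simply read out and only the memorised bits are left to guess.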
Yes, that little Remember me tick-box is very useful. Personally I don’t like knowing my passwords are stored in my browser.
I like to know it’s only being entered by me, when I want it to be entered. And of course, there’s this.
Remember a password manager isn’t a silver bullet; it’s just better than the alternative. Hopefully some of the above can mitigate some of the risks.
I hope this article has been useful to you, and if so please share using the buttons below.
* Yes, that’s a referral link to Dropbox, I get some extra space if you sign-up using that link.