Password Managers - A Follow-Up ...

Back in 2014 (2014!) I wrote a blog post about starting to use a password manager.

It’s long been one of my more popular posts, so I thought it was high time for a follow-up about how things have gone.

TL;DR

Are you still using a password manager?
Yes, and it's still KeePass.
Would you ever go back?
No, I can't see it.
What have you learnt since?
Read on ...

What I’ve Learnt

This isn’t intended to be an intensive post, just a few observations and conclusions I’ve come to whilst using KeePass for the last few years.

Cloud Sync

I use Dropbox* for syncing my KeePass database between my main laptop and my mobile phone.

This makes it even more important to lock down your Dropbox*.

And whilst we’re talking about mobile devices, some additional precautions I’d recommend:

Two-Factor Authentication

Whilst SMS is better than not having two-factor authentication, it’s not without issues.

I’d advise using a third-party app like Google Authenticator, which doesn’t require phone reception or even an internet connection to verify you are the account holder. This is an option on Dropbox, and on many other websites too.

Of course you’ll want to use two-factor authentication on other important accounts. Any accounts with financial data, and of course your Google account!

Use Multiple Databases

Since the beginning I’ve used a single database for all my passwords. The single database is then synced to my mobile via Dropbox*.

This all works great, however using a cloud provider does increase your risk of a breach to a certain extent.

To mitigate this I’m moving towards using multiple password databases. Well, two in fact: online and offline.

Online and Offline Accounts

As outlined, syncing your database to Dropbox introduces the risk of your password database being compromised. And remember, if your KeePass database is compromised it’s pretty much game over.

KeePass fully supports using multiple databases, and you can have different [master] passwords for each database. Each database just appears as another window in the application.

Offline

I have one database for accounts I don’t access anywhere but at home, on my laptop, using a Wi-Fi point I mostly trust.

Yes, I could grab a network cable and connect using a wire - it’s always a compromise between security and convenience - in this instance, convenience wins :smile:.

  1. Financials - I don’t tend to check my bank account on my phone, nor on a Wi-Fi point that I don’t trust (though there are ways around that risk too).

  2. Toepoke accounts - I only do releases or fixes at home, so there’s little point increasing the risk by having these accounts synced in the cloud.

It’s pretty straightforward to tell Dropbox* to not sync your offline password database.

A quick note about backups. You need them! If your hard drive fails at home you'll lose your password database and all the passwords in it. This is pain we don't want. Store a backup off your main machine, somewhere safe; perhaps in a VeraCrypt volume.

Online (Synced via Dropbox*)

Pretty much everything else! Everything from Facebook and Twitter to the microchip account for our dog!

A massive benefit of using KeePass over a long period of time is it becomes a really useful bookmark manager.

Using a Nonce for Important Accounts

Remember back in the bad old days when you’d use the same password for everything? Maybe you’d even use some combination with the domain name of the website too?

Well, this can actually be quite useful when used with a password manager.

For critical accounts (banking websites, Dropbox*, etc.) I use a combination of a long random password generated by KeePass and a nonce that only I know. I like to think of it as two-factor authentication, but using my head rather than an app :smile:.

Frankly I’m amazed that in this day and age the banks still haven’t woken up to the advantage two-factor authentication brings :sad:.

And yes, I’m completely aware I’m using the word nonce out of context but it’s the best word I could come up with :smile:.

Saving Passwords

Yes, that little Remember me tick-box is very useful. Personally I don’t like knowing my passwords are stored in my browser.

I like to know it’s only being entered by me, when I want it to be entered. And of course, there’s this.

Signing Off

Remember, a password manager isn’t a silver bullet; it’s just better than the alternative. Hopefully some of the above can mitigate some of the risks.

I hope this article has been useful to you, and if so please share using the buttons below.

* Yes, that’s a referral link to Dropbox, I get some extra space if you sign-up using that link.
