Thursday, December 11, 2014

Password Management - One solution

The Problem
I was reminded recently how important it is to manage passwords properly. One of my friends has a lot of trouble remembering their vast number of passwords and sets insecure passwords which they then immediately forget. They also re-use other people's passwords, and use those same passwords across multiple accounts, none of which is particularly secure.
Below is a short guide to managing passwords and your various options. I am providing one solution, but like lengths of string, password management solutions are many and varied. However, I think that this is a good option, one that gives you a real measure of security and is fairly easy to implement. The expert will most likely already have a solution in place, but even so this may give you some additional ideas for improving password management.
The Requirements
These are the requirements for a good password manager.
  • Available on all platforms including portable devices, PC and Mac
  • Able to store multiple pieces of information including URLs, notes and secret questions
  • Able to integrate so that you can automatically enter passwords (this option is not available on iOS due to the OS restrictions)
  • Able to access from anywhere in the universe (assuming a network connection of course)
  • Free
As I said above, there are many solutions, but not all are free and not all are particularly secure. The solution I suggest meets all of these requirements, although the Mac and iOS versions do cost.

The Solution

What I use is KeePass. It is in effect a tiny database manager. The feature list is quite extensive, but the more important features are:
  • Strong security. It has a master password with an optional key file. The key file is simply a very long string of random characters that unlocks the database along with an optional pass code (not the master password). The key file supplements, but does not replace, your master password. You can store the key file independently, on a memory stick and/or in Dropbox for instance, and the database is inaccessible without that key file. So if anyone cracks your master password they still need that key file to open the password database. (If you use KeePass on iOS the key file needs to be in Dropbox along with your password database, which rather defeats the purpose of the key file.)
  • Multiple databases. For example you can store work and private passwords independently.
  • Password history. It can retain old passwords for you just in case.
  • You can run it from your PC or even from a portable USB key. There are also iOS and Android apps to access the database.
  • You can transport the database using USB or dropbox or any other mechanism so that you can have your passwords wherever you are.
  • Windows and Mac versions can auto type your username/password combo to make easy password entry to most web sites or applications.
  • It can auto-generate strong passwords for you so that you do not have to remember your passwords. Just copy and paste or auto-type.
  • Flexible management. It can have folders and sub-folders, and you can store URLs, notes, auto-type options, custom fields and auto-expiry notifications for your passwords.
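To make the master-password-plus-key-file point concrete, here is an added illustration (not KeePass's own code, and not from the original post) of how a manager combines the two secrets into one key. It mirrors the composite-key construction that KeePass 2.x documents, SHA-256 of each component, concatenated, then SHA-256 again; the "key file" is just random bytes constructed in the script, and the master password is a placeholder.

```python
# Added illustration of the master-password + key-file idea described above.
# It mirrors the composite-key construction KeePass 2.x documents (SHA-256 of
# each component, concatenated, then SHA-256 again), but it is not KeePass's
# own code, and the "key file" is random bytes constructed here.
import hashlib
import secrets
from typing import Optional


def new_key_file_bytes(size: int = 64) -> bytes:
    """A key file is just unpredictable data; 64 random bytes is plenty."""
    return secrets.token_bytes(size)


def write_key_file(path: str, data: bytes) -> None:
    """Save the key file, e.g. to a USB stick kept apart from the database."""
    with open(path, "wb") as fh:
        fh.write(data)


def key_file_component(data: bytes) -> bytes:
    """Generic rule for an arbitrary key file: SHA-256 of its contents.
    (KeePass treats its XML key file and raw 32-byte / 64-hex-digit files
    specially; those formats are left out of this illustration.)"""
    return hashlib.sha256(data).digest()


def password_component(master_password: str) -> bytes:
    """The password contributes SHA-256 of its UTF-8 bytes."""
    return hashlib.sha256(master_password.encode("utf-8")).digest()


def composite_key(master_password: str, key_file_data: Optional[bytes] = None) -> bytes:
    """Concatenate the components that are present and hash once more.
    The database key is derived from this value, so changing *either* the
    password or the key file gives an unrelated key: an attacker who learns
    the master password still cannot open the database without the file."""
    material = password_component(master_password)
    if key_file_data is not None:
        material += key_file_component(key_file_data)
    return hashlib.sha256(material).digest()


def demo() -> dict:
    """Show that once a key file is in use it is required, not optional."""
    master = "example master password (placeholder)"
    key_file = new_key_file_bytes()
    real = composite_key(master, key_file)
    return {
        "password_only_matches": real == composite_key(master),              # False
        "other_key_file_matches": real == composite_key(master, new_key_file_bytes()),  # False
        "same_inputs_match": real == composite_key(master, key_file),         # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The practical consequence is the one the list item makes: the key file only helps if it lives somewhere the attacker who has your master password cannot also reach, which is why keeping it next to the database in the same Dropbox folder weakens it.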
Setup
To set up KeePass you need to:
  1. To be able to access the same password database on all devices you will need a cloud storage option, and the one I like is Dropbox. If you do not already have an account, go to Dropbox and set up a Dropbox account. They give you 2 GB free, which is more than enough for your password database plus lots of other stuff. Because your database will be stored inside Dropbox, that account needs to be extremely secure, so choose a secure but easy to remember password for Dropbox. Make sure that this password is unique and especially not the same as your KeePass master password.
  2. Download Dropbox for your PC/Mac and set it up. This produces a shared folder on your PC or Mac, and anything in your Dropbox will be synchronised with that folder. You can place things in that folder and its sub-folders and they will be synchronised across all of your devices that are using Dropbox.
  3. Download the iOS Dropbox app on your portable devices. This is not absolutely necessary, but it does make managing Dropbox easier.
  4. Download KeePass for your PC/Mac and install it. The PC version is free, but the Mac version I prefer is KyPass Companion, which costs money. You may download the stand-alone version for PC that you can run off your USB device if you so wish. I also use an add-in called KPEnhancedEntryView. It is free and comes with install instructions. Once installed it adds an additional window that shows all of the selected entry's fields and allows the user to easily add, delete and edit fields.
  5. Start up KeePass and create a database in the Dropbox shared folder under a sub-folder called crypted. You can give this database whatever name you wish, but if you intend to create multiple databases give it a meaningful name such as Private.kdbx or Business.kdbx. If you so desire, generate a key file and save it in crypted as well, since you will require this file to open your KeePass database. Make the master password secure and easy to remember, but different from your Dropbox password. If you use the optional key file it is a good idea to have good backups of it, but make sure they are secure. One option is to give a USB stick with a copy of your key file to someone that you trust.
  6. Download the iOS version of KeePass (there are several options here (scroll down), but I use KyPass 3 since it is updated regularly and supports all of the KeePass functions). It is not free, but all of the iOS KeePass apps I have researched are paid, and it is a one-off cost. Before purchasing an iOS app look at the regularity of the updates (check it on AppShopper.com) and the feature list. Also make sure it supports V2 of the database format and Dropbox folders.
  7. Link the app to Dropbox and then open the KeePass database. Not all of the KeePass database fields may be supported in the iOS version, but the critical fields of username and password should be there.
  8. Finally, store all of your passwords in your KeePass database. Keep your KeePass folders nicely structured with sub-folders. Some folder names you may use are Banking, Web Sites, Forums, Social Networking, Computers, etc.
I suggest that you tell someone you trust your Dropbox and KeePass passwords in case of emergency. If you have given someone power of attorney then they should be given your key file and master passwords, with instructions on how to respond in the case of your disability or death. Our digital presence is now becoming much more important, so what happens to your accounts after you die matters more and more, but it is by and large not considered. That whole discussion is for another time, however.

Password Management Suggestions
With so many sites being hacked and users' passwords being stolen, password management is more important than ever. Below are my top hints for password management.
  • Use secure passwords. Do NOT use Pa55word, John, Fido, M4r1 or similar. Make them look like nothing. People think characters such as ^%$ make a password more secure. They do not; $ for s is about as secure as no password. You can use your password app to generate random passwords for you, which is as secure as you can get.
  • Do not use other people's passwords. If Mary uses Af1a1fa, do not use it yourself. Get your own stinkin' passwords! Also do not re-use your passwords. If that Russian mafia group hacks your Apple password they will then try it out on Facebook, Google and even your banking site. Each login must use a separate password.
  • If two-factor authentication exists, use it. Many sites now allow you to use such things as a PIN sent to you via SMS, a fingerprint reader or an independent code generated in a separate app in addition to your password. If the options are there, use them, since it will make it that much harder to crack your accounts.
  • Make your secret questions random. If it asks for your mother's maiden name make it Superman, or for your favourite pet, QuincyJones, then store these in your KeePass database. If you use real answers then people can usually find them out.
  • Do not click links in your email that direct you to your bank or online service. These are called phishing emails and are scams that will steal your information and then drain your bank account. Open a new window and manually type in the site address. You can usually tell by hovering over the link with your mouse, not clicking on it, and observing the link in the footer of your browser window. If it looks like this -> westpac.12jr45.tz/PutYourInfoHere.php then it is a dead cert scam. Even if it looks genuine it is probably dodgy.
  • Set a pass code on your phone. If you have fingerprint recognition, use it.
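The first two hints above (use generated random passwords; "$ for s" substitutions and borrowed words like Pa55word or Af1a1fa are not secure) can be shown with numbers. The following is an added example, not code from the post: it generates a password the way a manager does, then undoes common letter-for-symbol substitutions to show how a cracker sees a disguised word, and compares the guessing work for both. The word list is a tiny constructed stand-in for the real cracking dictionaries, and the entropy estimate for disguised words is a rough bound, not a formula from the post.

```python
# Added example for the advice above: let the manager generate random
# passwords, and do not trust "$ for s" style substitutions. This is not code
# from the post; the word list and the entropy bookkeeping are constructed
# for illustration only.
import itertools
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Symbol -> letter(s) it commonly stands in for ("1" is ambiguous: i or l).
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s", "@": "a", "!": "i"}
# Letters that have a popular symbol substitute.
SUBSTITUTABLE = {ch for letters in LEET.values() for ch in letters}
# Constructed stand-in for the multi-million-word lists crackers really use.
COMMON_WORDS = {"password", "john", "fido", "mari", "alfalfa", "letmein", "qwerty"}


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from a CSPRNG, as a manager produces."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Guessing work for a random password: log2(|alphabet| ** length)."""
    return length * math.log2(len(alphabet))


def candidate_words(pw: str) -> set:
    """Every plain word the password could be a substituted form of."""
    options = [LEET.get(c, c) for c in pw.lower()]
    return {"".join(combo) for combo in itertools.product(*options)}


def looks_like_disguised_word(pw: str) -> bool:
    """True if undoing substitutions (and trailing digits) yields a known word."""
    if len(pw) > max(len(w) for w in COMMON_WORDS):
        return False  # longer than any word we know; also bounds the expansion
    for form in (pw, pw.rstrip(string.digits)):
        if candidate_words(form) & COMMON_WORDS:
            return True
    return False


def disguised_entropy_bits(pw: str, dictionary_size: int = 100_000) -> float:
    """Rough upper bound on the work to crack a substituted dictionary word:
    choose the word (log2 of the dictionary size), decide for each
    substitutable letter whether it was swapped (1 bit each), plus 1 bit for
    capitalising the first letter. Compare with random_entropy_bits()."""
    swappable = sum(1 for c in pw.lower() if c in SUBSTITUTABLE or c in LEET)
    return math.log2(dictionary_size) + swappable + 1


if __name__ == "__main__":
    print("generated:", generate_password(), f"~{random_entropy_bits(20):.0f} bits")
    for pw in ("Pa55word", "M4r1", "Af1a1fa"):
        print(pw, "disguised word:", looks_like_disguised_word(pw),
              f"~{disguised_entropy_bits(pw):.0f} bits")
```

A 20-character generated password from the 94-symbol alphabet is worth about 131 bits of guessing; Pa55word, even against a 100,000-word dictionary, is worth roughly 22. The same generator, restricted to letters, also produces the random secret-question answers the later hint recommends.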
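The phishing hint above comes down to a few checks you make while hovering over a link: is the real host actually under the domain you would type yourself, is it https, is there a username trick before an "@", is it a bare IP address. The following is an added example of those checks as code; it is not from the post. The expected bank domain is an assumption you supply from a trusted source (your bank card, not the email), the good-case links are constructed, and westpac.12jr45.tz is the post's own example of a fake host.

```python
# Added example for the phishing advice above: the checks a careful user
# makes when hovering over a link, written as code. This is not code from
# the post. The expected domain is supplied by the caller from a trusted
# source; westpac.12jr45.tz is the post's own fake host.
import ipaddress
from urllib.parse import urlsplit


def assess_link(href: str, expected_domain: str) -> list:
    """Return the reasons a link is suspicious; an empty list means it passed.
    expected_domain is the domain you would type yourself, never one taken
    from the email that contains the link."""
    reasons = []
    # Links in email often omit the scheme; without one urlsplit treats the
    # whole string as a path, so prepend http:// to get a host out of it.
    parts = urlsplit(href if "://" in href else "http://" + href)
    host = (parts.hostname or "").rstrip(".").lower()
    expected = expected_domain.lower().lstrip(".")

    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        # https://bank.example@evil.example/ goes to evil.example; the text
        # before '@' is a username the browser sends, not the site.
        reasons.append("text before '@' is a username, not the site; real host is " + repr(host))
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a site name")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    if host != expected and not host.endswith("." + expected):
        reasons.append(f"host {host!r} is not under {expected!r}")
        if expected.split(".")[0] in host:
            reasons.append("brand name appears inside an unrelated domain")
    return reasons


if __name__ == "__main__":
    # Constructed samples: one genuine-looking link and three tricks.
    for link in ("https://www.example-bank.com.au/login",
                 "westpac.12jr45.tz/PutYourInfoHere.php",
                 "https://westpac.com.au@evil.example/",
                 "https://203.0.113.5/login"):
        print(link, "->", assess_link(link, "westpac.com.au") or "looks consistent")
```

The point the hint makes, that westpac.12jr45.tz only contains the brand name while the domain that actually answers is 12jr45.tz, is exactly what the last check catches: anything left of the expected domain is fine (www.westpac.com.au), anything with the expected domain buried to the left of some other domain is not.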

Finally, be wise. Think about what you are doing. We are all pretty smart, so use your smarts when it comes to online security. Think of the worst-case scenario and imagine that it could happen to you, since it very well could.
