Thursday, November 3, 2016

Password Managers

In my last post on password managers I detailed how to use KeePass to manage your passwords. In this post I will explain the different types of password manager and their relative benefits and drawbacks.

The various password managers may have one or more of the following features.
  • Encryption. This is essential; the strength of the encryption, and of the way the key is derived from your master password, is one determinant of the level of security.
  • Cloud storage. This makes the solution more feature rich and flexible, but it also puts a copy of your (encrypted) database on somebody else's server, which reduces the security of the solution.
  • Integration with your web browser. This makes the solution much more convenient in that you can log in to web sites automatically, but there are trade-offs. You can use more complex passwords since you never need to type them, but the browser extension is extra code exposed to every web page you visit, and that does reduce the security.
  • Integration with apps.
  • Integration with mobile devices (typically a mobile app).
  • Free, ad supported, one-off cost or subscription.
There are basically two general types of password manager: offline and online.

Offline is where the password database is stored on your local computer. This is by far the more secure type of password manager. Of these the go-to application is the open source project KeePass which I mentioned in my previous post. For the full detail of how to use KeePass and integrate it with iOS see my previous post, linked at the top of this blog entry. KeePass lets you use very strong encryption with a multi-factor master key: the database key can be derived from a master password combined with a key file, so whoever wants to open the database needs both. Obviously the stronger the protection, the harder it is for anyone to get into your file, and the more likely it is that you lock yourself out (lose the key file and the database is gone for good). Swings and roundabouts. So if you are a security freak and you are paranoid about your security, offline is for you. The other advantage is that you do not need to be connected to open your password database. Some products give you the option: 1Password will allow you to store the database offline, but if you pay for a 1Password account you can store the database online.
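To make the multi-factor master key concrete, here is an added example (not code from this post, and not KeePass's own key-derivation routine or KDBX file format) of a deliberately simplified offline vault header. The vault key is derived from both the master password and the contents of a key file, stretched with PBKDF2 so that every guess costs the attacker real time; the header layout, the HMAC "verifier" and the iteration count are assumptions chosen for illustration, and the key file contents are constructed inline.

```python
import hashlib
import hmac
import os
import time

# Added example, not the post's or KeePass's own code: a deliberately simplified
# model of an offline vault's multi-factor master key.  The vault key is derived
# from BOTH the master password and a key file, so an attacker (or you, if you
# lose the key file) needs both.  The header layout, the "verifier" check and the
# iteration count are assumptions chosen for illustration, not KeePass's KDBX format.

DEFAULT_ITERATIONS = 600_000  # assumed cost setting; raise it to slow down guessing


def composite_secret(master_password, key_file_bytes):
    """Combine the two factors into one secret.

    Each factor is hashed separately first, so a shorter or longer password
    cannot be shifted to impersonate part of the key file (and vice versa)."""
    pw_part = hashlib.sha256(master_password.encode("utf-8")).digest()
    kf_part = hashlib.sha256(key_file_bytes).digest() if key_file_bytes is not None else b""
    return pw_part + kf_part


def derive_vault_key(master_password, key_file_bytes, salt, iterations):
    """Stretch the composite secret with PBKDF2-HMAC-SHA256 into a 32-byte vault key."""
    return hashlib.pbkdf2_hmac("sha256", composite_secret(master_password, key_file_bytes),
                               salt, iterations, dklen=32)


def create_vault_header(master_password, key_file_bytes, iterations=DEFAULT_ITERATIONS):
    """Build the unencrypted header stored with a new vault: a random salt, the
    work factor, and an HMAC 'verifier' that lets unlock() confirm the derived
    key is right without storing the key itself."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, key_file_bytes, salt, iterations)
    verifier = hmac.new(key, b"vault-key-check", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(header, master_password, key_file_bytes):
    """Return True only if the supplied password AND key file reproduce the vault key."""
    key = derive_vault_key(master_password, key_file_bytes, header["salt"], header["iterations"])
    candidate = hmac.new(key, b"vault-key-check", "sha256").digest()
    # constant-time comparison so the check itself leaks nothing about the verifier
    return hmac.compare_digest(candidate, header["verifier"])


def seconds_per_guess(iterations, salt=b"\x00" * 16):
    """Time one key derivation: this is what every brute-force guess costs."""
    start = time.perf_counter()
    derive_vault_key("guess", b"x", salt, iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    key_file = os.urandom(32)  # constructed stand-in for a real key file's contents
    header = create_vault_header("correct horse battery staple", key_file)

    print("right password + key file  :", unlock(header, "correct horse battery staple", key_file))
    print("right password, no key file:", unlock(header, "correct horse battery staple", None))
    print("wrong password + key file  :", unlock(header, "correct horse battery stapler", key_file))

    for iters in (10_000, 100_000, DEFAULT_ITERATIONS):
        print(f"{iters:>8} iterations: {seconds_per_guess(iters):.3f} s per guess")
```

Run it and the last three lines show the "swings and roundabouts" directly: each tenfold increase in the iteration count multiplies the cost of a guess tenfold for an attacker, and equally for you every time you open the vault. Losing the key file is the same as forgetting the password; there is no recovery path, which is exactly the point.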

Online is where the password database is stored on a server of the vendor's choosing. LastPass, for instance, stores your password database online, so whenever you retrieve a password it comes over the internet to your computer or device. Any good online password manager, such as 1Password or LastPass, encrypts the database on your own device with a key derived from your master password before it is uploaded, and sends it over an encrypted connection, so that your passwords (or any other details, for that matter) cannot be sniffed in transit or read off the server. You are, however, trusting that the company is actually doing what it claims.

For any password manager, but more so for online managers, there is a huge question of trust. We know from recent revelations that many companies, particularly US based companies, have built back doors into their encryption to allow three-letter agencies such as the NSA to spy on your activity at will, and some of that spying (take Yahoo, for instance) has been done without due process. This leads us to the next topic: how secure is secure?

Any encryption implementation which is proprietary carries inherent risk because it cannot be scrutinised by outsiders. An open source program such as KeePass can be scrutinised and analysed to see if there are any flaws, which makes it potentially more secure, since it can be reviewed by security and code experts (bearing in mind that "can be reviewed" is not the same as "has been reviewed"). Proprietary systems such as 1Password and LastPass, whose code is closed, require a level of trust that the coders know their stuff and have not been compromised with back doors. In either case the encryption algorithms themselves should be published, standard ones such as AES; a vendor that keeps its cipher secret is a red flag, not a selling point.

To be honest, this level of paranoia is probably overkill for most of us. However, there are situations where you need to be extremely cautious: if you are living under an oppressive government and you are a dissident; if you are a whistle-blower; if you handle highly sensitive information. In all of these situations you can never be too cautious. Most of us, on the other hand, would be perfectly fine using any of these managers so long as we take proper precautions.

Finally, let me give you some pointers on keeping your information secure.
  • Do not rely on the browser's built-in password manager; always use a separate, dedicated manager.
  • Use a long but memorable master password for your password manager, for example a passphrase of several randomly chosen words. It is the one password you must remember, and the one that protects all the others.
  • Use multi-factor authentication where possible.
  • Use complex auto-generated passwords, i.e. let the password manager generate a unique random password for every site.
  • Never, never, never answer the secret questions truthfully; the answers are never secret. If you have to fill them in, provide random nonsense answers and store those answers in your password manager.
  • Make sure that the password manager is reputable; if necessary search for it to check there are no known issues or breaches.
  • Make sure a trusted friend or family member can get at your master password in an emergency, for instance a sealed written copy kept somewhere safe, or the manager's own emergency-access feature if it has one, rather than simply telling them the password.
  • Never run an installer unless you are sure that it is safe and comes from a trusted source.
  • Never open an email attachment unless you were expecting it and know who sent it; the sender address on an email is trivially forged.
  • Never give your password, or any identifying information, to anyone who rings you.
  • If an email wants you to follow a link to a web site, never do it. Always get to the web site some other way: a stored bookmark, typing the address in manually, or searching for the company, bank etc.
  • Never use apps on a social network site.
  • Never use a social network account to log in to another service, for instance using Facebook to log in to Spotify.
  • Regularly check your social network app permissions to verify that no unwanted apps have access to your account.
  • And finally, educate your children on the safe use of social networks before they are allowed an account, and monitor their usage. A chain is only as strong as its weakest link.
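Three of the pointers above (a memorable master passphrase, letting the manager generate passwords, and nonsense answers for secret questions) come down to the same thing: random choice from a cryptographically secure source. As an added example, not code from this post or from any password manager product, here is how such a generator works in Python. The character set, the word list and the length limits are assumptions chosen for the demo; the word list in particular is a constructed 32-word stand-in for a real list of several thousand words.

```python
import math
import secrets
import string

# Added example, not code from the post or from any password manager: how a
# manager's generator produces passwords, passphrases and nonsense "secret
# question" answers.  It uses the `secrets` module (the OS cryptographic RNG);
# the `random` module is NOT suitable for this.

SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"
FULL_ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 90 characters


def entropy_bits(length, alphabet_size):
    """Strength of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_password(length=20, alphabet=FULL_ALPHABET):
    """Uniform random password; every character chosen independently."""
    if length < 12:  # assumed floor; below this a generated password is pointless
        raise ValueError("length below 12 is too short for a generated password")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_password_all_classes(length=20):
    """Like generate_password, but guaranteed to contain a lower-case letter, an
    upper-case letter, a digit and a symbol (many sites insist on this).
    Rejection sampling keeps the result uniform over the qualifying passwords."""
    while True:
        pw = generate_password(length)
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


# Constructed mini word list for the demo.  A real passphrase generator uses a
# list of several thousand words (e.g. a diceware list); with only 32 words here
# each word contributes just 5 bits, which entropy_bits() makes obvious.
WORDS = ["apple", "brick", "cloud", "delta", "ember", "frost", "grape", "harbor",
         "ivory", "jungle", "kettle", "lemon", "marble", "nickel", "orbit", "pepper",
         "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
         "yellow", "zipper", "anchor", "bottle", "candle", "dragon", "engine", "falcon"]


def generate_passphrase(word_count=6, wordlist=WORDS, separator="-"):
    """Master-password style passphrase: memorable words, chosen at random."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def generate_secret_answer(length=24):
    """Nonsense answer for a 'security question' (mother's maiden name etc.).
    Lower-case letters and digits only, so it survives sites that strip symbols
    or fold case; store it in the manager alongside the password."""
    return generate_password(length, string.ascii_lowercase + string.digits)


if __name__ == "__main__":
    print("password   :", generate_password_all_classes(20),
          f"({entropy_bits(20, len(FULL_ALPHABET)):.0f} bits)")
    print("passphrase :", generate_passphrase(6),
          f"({entropy_bits(6, len(WORDS)):.0f} bits with this tiny list; "
          f"{entropy_bits(6, 7776):.0f} bits with a 7776-word diceware list)")
    print("secret Q   :", generate_secret_answer())
```

The entropy figures are the part worth looking at: a 20-character password from a 90-character set is about 130 bits, six words from a proper 7776-word list about 78 bits, while six words from the toy list here is only 30 bits. A passphrase is only as strong as the size of the list it was drawn from and the randomness of the draw, which is why the master passphrase should be generated, not composed from favourite song lyrics.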