Have you ever counted how many online accounts you have? Online accounts are used for almost everything in our lives:
- Social networking
- Finance & credit
And more. How do you manage all of the passwords? With so many accounts, it's easy to be lazy: writing passwords in a plain-text file, reusing passwords across sites, using very weak passwords, or even depending exclusively on security questions to get into an account that is used rarely (e.g., biannual payments to a service). After examining my accounts, I even found that the password to one account was the username of another. I also found out that I had over 20 online accounts.
Perhaps you think it's not a big deal. Perhaps. But have you ever read about how a bunch of internal documents from Twitter were released 2 years ago? It's intriguing. The hacker didn't use complex technical exploits at all; he simply broke into one weak account and used it to work up the chain of more valuable accounts.
Luckily, there are mature tools out there to help manage password-authenticated accounts. I use KeePass, an easy-to-use password manager that achieves the following:
- Confidentiality: all passwords and account information are stored in an encrypted file.
- Strength: the program can generate long and complex passwords for you (less vulnerable to someone guessing or cracking the password).
KeePass is also multi-platform as it can run on Windows as well as Linux (I've actually tested this). In short, you remember one master password that is used to derive a key to encrypt a password database file. Provide the master password to access and modify the password database. When you need to use a password, use the program to copy the password from the database and then paste it into the web browser. When coming up with a master password, consider using a long but simple password like a sentence or a quote. You must be able to remember it but prevent others from simply guessing it. My master password is over 30 characters long.
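The paragraph above describes the core mechanism: the master password is never stored; it is stretched into a key, and that key unlocks the database. The following is an added illustration in Python (not KeePass's own code or file format) of how such a scheme works: a random salt, a work factor, and a verifier derived from the key are kept in a header, and unlocking means re-deriving the key from the supplied password and comparing in constant time. PBKDF2-HMAC-SHA256 and the header layout are assumptions chosen for this example.

```python
import hashlib
import hmac
import os

# Example parameters (assumptions for this illustration, not KeePass internals).
KDF_HASH = "sha256"
KEY_LEN = 32          # 256-bit key


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a fixed-size key.

    The iteration count is the work factor: every guess an attacker makes
    against a stolen database file costs them the same number of rounds.
    """
    return hashlib.pbkdf2_hmac(KDF_HASH, master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def create_header(master_password: str, iterations: int = 200_000) -> dict:
    """Build the metadata stored alongside the encrypted database.

    Only the random salt, the work factor and a verifier derived from the key
    are kept; neither the master password nor the key itself is written out.
    """
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    verifier = hashlib.sha256(b"verify" + key).digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(master_password: str, header: dict):
    """Re-derive the key from the supplied password.

    Returns the key when it matches the stored verifier, otherwise None.
    hmac.compare_digest avoids leaking how many bytes matched via timing.
    """
    key = derive_key(master_password, header["salt"], header["iterations"])
    candidate = hashlib.sha256(b"verify" + key).digest()
    if hmac.compare_digest(candidate, header["verifier"]):
        return key
    return None


if __name__ == "__main__":
    # Constructed sample: a long but memorable passphrase, as the post suggests.
    phrase = "the quick brown fox pays the electric bill twice a year"
    hdr = create_header(phrase, iterations=50_000)
    print("unlock with correct phrase:", unlock(phrase, hdr) is not None)
    print("unlock with wrong phrase:  ", unlock("password123", hdr) is not None)
```

The salt means two databases protected by the same master password still derive different keys, and the iteration count is what makes a long passphrase worth more than an eight-character password: an attacker with a copy of the file pays the full key-derivation cost for every candidate.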
When converting passwords from old to new KeePass-generated ones, consider the following:
- After changing your password, test it! You might have accidentally pasted the wrong password, or the site might not have accepted it. Some sites will not accept a password generated with KeePass's default settings. For example, some sites have maximum password lengths like 8 characters (WTF?), but KeePass generates 20-character passwords by default. Even worse, you might not realize this until you change the password, log out, and then fail to log in: if you paste a password into a field with a maximum length restriction, it is silently truncated to that length. Do a quick check on the password rules for the site when changing the account password. Then modify the password generation rules to shorten the password as appropriate for that specific account (stick with the defaults otherwise).
- For some reason that I didn't look into deeply, I couldn't paste my password into a terminal prompt in GNOME on Ubuntu when creating an SSH key pair with a passphrase. I had to use the key creation tools in Ubuntu 10.10: System >> Passwords and Encryption Keys >> My Personal Keys.
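The first point above, that a generated password can exceed a site's maximum length and be silently truncated, is worth checking mechanically before the password is pasted anywhere. The block below is an added example in Python, not KeePass's generator: it draws passwords from the OS CSPRNG (`secrets`) with every requested character class guaranteed present, checks a password against a site's rules (minimum and maximum length, required classes), and shortens the generated password to the site's limit rather than letting the field truncate it. The character classes, the 20-character default and the rule names are assumptions for this example.

```python
import secrets
import string

# Character classes used by the generator (an assumed set for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}
DEFAULT_LENGTH = 20  # the 20-character default the post mentions


def generate_password(length=DEFAULT_LENGTH,
                      classes=("lower", "upper", "digit", "symbol")) -> str:
    """Return a random password containing at least one character from each
    requested class. Uses `secrets`, never `random`, so it is unpredictable."""
    if length < len(classes):
        raise ValueError("length too short to include every required class")
    rng = secrets.SystemRandom()
    # One guaranteed character per class, then fill from the combined alphabet.
    chars = [secrets.choice(CLASSES[c]) for c in classes]
    alphabet = "".join(CLASSES[c] for c in classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)  # so the guaranteed characters are not always first
    return "".join(chars)


def check_site_rules(password, max_length=None, min_length=1, required=()):
    """Return a list of violations; an empty list means the site should accept
    the password as typed. The max-length message shows the truncated value a
    length-limited field would actually store."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than minimum {min_length}")
    if max_length is not None and len(password) > max_length:
        problems.append(
            f"longer than maximum {max_length}; would be silently truncated "
            f"to {password[:max_length]!r}")
    for cls in required:
        if not any(ch in CLASSES[cls] for ch in password):
            problems.append(f"missing required {cls} character")
    return problems


def generate_for_site(max_length=None, min_length=1, required=(),
                      default_length=DEFAULT_LENGTH) -> str:
    """Generate the longest password the site's rules permit, keeping the
    default length unless the site's maximum is smaller, and confirm it passes
    before it is handed back for pasting."""
    length = default_length if max_length is None else min(default_length, max_length)
    length = max(length, min_length)
    classes = tuple(required) if required else tuple(CLASSES)
    password = generate_password(length, classes)
    problems = check_site_rules(password, max_length, min_length, required)
    if problems:  # cannot happen by construction; guards against rule drift
        raise RuntimeError("generated password fails site rules: " + "; ".join(problems))
    return password


if __name__ == "__main__":
    # Constructed example: a site that caps passwords at 8 characters.
    default = generate_password()
    print("default:", default, check_site_rules(default, max_length=8))
    fitted = generate_for_site(max_length=8, required=("lower", "upper", "digit"))
    print("fitted: ", fitted, check_site_rules(fitted, max_length=8))
```

Running the check before changing the account password turns the "log out, then fail to log in" surprise into a message printed on your own machine, and the fitted password is the one you paste and then test by logging in again.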
Great, say you've changed your passwords on many of the accounts to stronger KeePass-generated passwords. But now there is a new problem: back up the password file or risk losing the passwords to every online account. I use Dropbox to back up my password file. The free plan has plenty of space and can be accessed and updated from multiple machines cross-platform.
Now what if you want to secure the Dropbox account with a strong KeePass-generated password? Make the password database a public file in Dropbox. Then you can access it from anywhere without barriers and still retain password confidentiality. I also keep a copy of the KeePass binary zip as a public file so that I can easily set up any machine to access my passwords. Grab the password file, the binary zip, and go! The only catch is that you have to remember the master password (obviously) and the URLs to the public Dropbox files. The URL is in the following format:
One can figure out a good way to remember the URLs: note them down on your phone, keep an older copy of the password database that holds the URL of the latest one, etc.
But what about mobile? For Android smartphones, KeePassDroid works too. You can put a copy of the password database on the smartphone (simplest if, like me, you rarely authenticate from the phone) or use Dropbox on your Android smartphone to always use the latest password database (haven't tested this).
I've been using this setup for several months now; it has been quite easy and definitely more secure than my previous password mismanagement. Comments on improving the setup are welcome!