A Recommendation for Password Managers

The Intro

You have separate keys for your house, your desk at work, your safe, your car, your bike lock…right?

Why?

Clearly, it’s so that when you hand over your car keys to your mechanic for an oil change, you are reasonably assured you won’t find him, or someone who tricked him, at home in your den perusing your tax returns.

But so many people are effectively doing just that by reusing one or just a few passwords over and over again every time they are prompted to create a username and password.

Doing it wrong

Maybe you’ve learned from others’ mistakes, and you’ve stopped repeating your passwords so egregiously. But you can’t keep track of them all in your head! So you have a file (on your computer, or even a piece of paper in a safe place) with your passwords in it. You have a feeling that’s not ideal and want to use something “more secure” or otherwise “better” for storing your passwords. Good for you!

That’s almost OK

A file containing your passwords (or other sensitive data) is basically what I recommend to you, but with a layer of encryption on top of it.

The old-school approach is to use a program to apply encryption to this password-containing file, or any other sensitive file. That can be rather fiddly. It requires a lot more discipline than most users are willing to demonstrate; if you make a mistake on any of the five steps below, your stuff could be lost or exposed to nefarious types. Step 5 is the weak point: on SSDs and journaling filesystems, overwriting a file does not reliably destroy its old blocks, and editors leave temporary copies and backups behind.

  1. put all your username/password combinations into a file
  2. secure it with encryption for storage when it’s not in active use
  3. decrypt it when it’s time to read or update the file
  4. encrypt it again after saving (if there were any changes)
  5. (securely?) delete the decrypted version of the file

How about something more user-friendly?

Enter password management applications: they handle the last four of those five steps for you every time, and all you have to do is remember one master password to unlock the program. That master password is the one secret you must get right: make it long and unique, and never reuse it anywhere else.

I have been using Password Safe for many years, since my employer recommended it for use on their computers. It works on Windows and there are clones of it for the Mac and Linux operating systems. It’s free software on Windows and costs a little on Macs and iPhones. It’s not very usable on Linux, unfortunately, but that doesn’t bother most people (just me, I guess). The original version was written by Bruce Schneier, an industry expert on cryptography.

Link to Password Safe for Windows:
https://www.pwsafe.org/

App Store link to the Mac version of it:
https://itunes.apple.com/de/app/pwsafe-password-safe-compatible-password-manager/id520993579?l=en&mt=12

iOS App Store link to the iOS version of it:
https://itunes.apple.com/de/app/pwsafe-2-password-safe/id938922963?l=en&mt=8

If you only had one computing device and you always had it with you, you could stop reading here and be pretty well covered. But that’s not realistic for most of us anymore: with smartphones, tablets, and computers, and some or all of those devices duplicated between home and business use, you cannot expect to maintain your list of passwords in triplicate or beyond.

Multi-device support

The iOS version of Password Safe, pwSafe, includes a Dropbox synchronization feature, which is nice: change or add a password entry on your Windows computer and your iPhone and Mac get the update automatically. This works because changing a record in Password Safe means changing your file, and Dropbox is in the business of replicating updated files among the computers you own. Dropbox only ever holds the encrypted file, so once that file leaves your devices the master password is all that protects it; make it a long one. Syncing requires two additional things:

  1. a Dropbox account (don’t have one? Use my referral link to get one and they’ll give me a little extra storage space for referring you), which is free.

  2. a Dropbox program installation on your Mac or Windows computers to receive the updates to your Password Safe (Windows) / pwSafe (Mac) files.

Those programs all work quite well for me, and have done so for many years. I am transitioning, however, to another program called KeePassXC, which does the same thing but with better Linux support in addition to Windows and Mac computers. It is also free, versus the payware pwSafe programs on Mac and iOS.

KeePassXC’s homepage is here: https://keepassxc.org/

The iOS app I use to view/manage my KeePassXC file is called KeePassTouch, and here is its App Store page:
https://itunes.apple.com/de/app/keepass-touch/id966759076?l=en&mt=8

It also offers synchronization via Dropbox.

Other password managers, which I don’t recommend:

  • LastPass — recent security hole problems.
  • 1Password — recently switched to a monthly subscription model. They want to get paid, natch.
  • Passwords kept in your browser — browsers come and go; Firefox, Chrome, Safari, Vivaldi, Brave, even the dreaded Microsoft Internet Explorer and its suck-cessor, Edge. Your passwords should not depend on any browser, or any one computer. Besides, the risk of someone sitting down at your computer and gaining access to your stuff is higher than you think, unless you lock your screen religiously.

Password generation

All password-managing programs I have ever seen are able to generate passwords for you upon demand, but I rarely use them. They often look like this:

2^u$Y;grtWDF>nCE
d>?a^?A%m)Q^8.!f
U=Ps!^+Ke/!L4TbC

… which is pretty good for

  • satisfying those arcane requirements from your employer or bank or whatever about at least one capital letter, lower-case letter, number, and typographical mark
  • making sure you’ll never remember it, and therefore
  • eliminating the temptation to re-use your password on more than one site (and we all know how one should never EVER do that, right?), and
  • preventing anyone (even you!) from reading it off of one device’s screen and typing it into another. Imagine you’re reading one of those strings of characters into a crappy mobile phone connection with a sense of urgency — it could get very frustrating quickly.

Instead, inspired by “correct horse battery staple” I wrote a password-generating website that I use. It has what I consider an acceptable compromise between entropy and readability in that large chunks of the generated passwords are human-readable words punctuated by numbers and, well, punctuation. https://ssl.cliff1976.net/pw2 is the site if you’d like to use it. It’s also just kind of fun to see what random combinations of words come out of that thing.

Assembling the pieces

When I need a new password, I

  1. go to my password-generating site,
  2. generate one and save it into my password app, and
  3. let that new entry replicate onto all my devices.

Some password generators offer more reader-friendly passwords, but they buy that readability with less randomness per character, so for the same entropy the result is much longer than a purely random string drawn from the full character set. Four words from a 7776-word list carry about 52 bits and run to 20-30 characters; 16 characters drawn at random from the 94 printable ASCII characters carry about 105 bits. Those longer results from the generator (still!) don’t fit into many websites, which still expect you to cap your passwords at 16 or 20 characters in length.
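As an added example (not the author’s pw2 site, and not any password manager’s generator), here is a small Python generator in the same “correct horse battery staple” style, together with the entropy arithmetic that makes the trade-off above concrete. The 64-word list is constructed for the demo so the script runs offline; the digit-or-punctuation separators, the capitalised first word and the length-cap retry are my own design choices, and `secrets` is the random source.

```python
"""Passphrase generator in the "correct horse battery staple" style, with the
entropy arithmetic behind the readability-vs-length trade-off.

Added example, not the author's pw2 site or any password manager's code.
The word list below is a tiny constructed one (64 words) so the script runs
offline; a real generator would use a list of several thousand words."""
import math
import secrets

# Constructed 64-word list: 6 bits per word.  The EFF long list has 7776 words
# (about 12.9 bits per word); swap it in for real use.
WORDS = [
    "acorn", "badge", "brick", "cabin", "candle", "cedar", "chalk", "cliff",
    "cloud", "comet", "coral", "crane", "daisy", "delta", "dune", "eagle",
    "ember", "fable", "falcon", "fern", "flint", "forge", "garden", "glove",
    "grape", "harbor", "hazel", "heron", "igloo", "ivory", "jade", "kettle",
    "lemon", "lotus", "mango", "maple", "marble", "meadow", "nickel", "oak",
    "olive", "onyx", "orbit", "otter", "pearl", "pebble", "piano", "quartz",
    "raven", "river", "saddle", "silver", "spruce", "stone", "tiger", "tulip",
    "velvet", "violet", "walnut", "willow", "yarrow", "zebra", "zephyr", "zinc",
]
# Words are joined by one random digit or punctuation mark, which also covers
# the "at least one number and one symbol" composition rules.
SEPARATORS = "0123456789" + "!$%&*+-./:;=?@_"


def entropy_bits(choices_per_slot):
    """Entropy of a secret built from independent, uniformly chosen slots."""
    return sum(math.log2(n) for n in choices_per_slot)


def passphrase_bits(n_words, wordlist_size=len(WORDS)):
    """Entropy of n words plus the n-1 random separators between them."""
    return entropy_bits([wordlist_size] * n_words + [len(SEPARATORS)] * (n_words - 1))


def random_string_bits(length, alphabet_size=94):
    """Entropy of a purely random string over the 94 printable ASCII characters."""
    return entropy_bits([alphabet_size] * length)


def generate_passphrase(n_words=4, rng=secrets):
    """Return e.g. 'Cedar7lemon!otter.jade'.  rng needs a .choice(); secrets is
    the right default, random.Random is only for reproducible demos."""
    parts = []
    for i in range(n_words):
        word = rng.choice(WORDS)
        # Capitalising the first word adds no entropy; it only satisfies
        # "one capital letter" rules without the user having to remember where.
        parts.append(word.capitalize() if i == 0 else word)
        if i < n_words - 1:
            parts.append(rng.choice(SEPARATORS))
    return "".join(parts)


def generate_within_cap(max_len, n_words=4, attempts=100, rng=secrets):
    """Retry until the phrase fits a site's length cap (16 or 20 is common).
    Rejection sampling skews towards short words, so the real entropy is a
    little below passphrase_bits(n_words).  Returns None if nothing fits,
    which is the signal to drop a word or fall back to a random string."""
    for _ in range(attempts):
        phrase = generate_passphrase(n_words, rng)
        if len(phrase) <= max_len:
            return phrase
    return None


def words_in(phrase):
    """Split a generated phrase back into its words (separators dropped)."""
    words, current = [], ""
    for ch in phrase:
        if ch in SEPARATORS:
            words.append(current)
            current = ""
        else:
            current += ch
    words.append(current)
    return words


if __name__ == "__main__":
    print(generate_passphrase())
    print(f"4 words from this list: {passphrase_bits(4):.1f} bits")
    print(f"4 words from a 7776-word list: {passphrase_bits(4, 7776):.1f} bits")
    print(f"16 random printable characters: {random_string_bits(16):.1f} bits")
    print("20-char cap, 3 words:", generate_within_cap(20, n_words=3))
```

Running it shows the trade-off in numbers: four words from the demo list are only about 38 bits, four words from a 7776-word list about 66 bits (separators included), while 16 fully random printable characters are about 105 bits. The length-cap retry is what you end up writing for sites that stop at 16 or 20 characters; when it returns None, a shorter phrase will not be strong enough and a random string from the password manager is the better choice.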

Conclusion

If you aren’t aware that reusing your passwords among services is a bad idea, this post isn’t going to help you. But I hope to have shown that it’s quite feasible to mitigate the risk by never reusing passwords, whether you’re using one device or many, on the go or at home.

Post-Script: Extra Geekery

GPG

If you are feeling game for it, give GPG a go. It is an old standby in the realm of public key cryptography.[1] It’s got some powerful features on the command line, for those who like to tap away at the keyboard and script stuff. There are some pretty nice, modern, user-friendly applications built on top of it for Macs (http://GPGTools.org) and for anyone using Thunderbird email (via the Enigmail plugin in older versions; Thunderbird 78 and later have OpenPGP built in). Not only will you be able to securely save stuff for yourself (gpg --symmetric encrypts a file under a passphrase alone, no key pair needed, which is exactly the five-step routine from above), but you’ll be able to encrypt stuff for others, as well.

ProtonMail

GPG isn’t the only (or even the most secure) way of sending stuff to other parties. Consider ProtonMail. From ProtonMail user to ProtonMail user, message bodies and attachments are end-to-end encrypted; note that the subject line and the sender and recipient addresses are not, since the service needs them to route mail. There is also a convenient secure option for sending a message (including file attachments) to a contact who does not use ProtonMail, provided you have agreed on a shared password with that person in advance. Example: I want to send a secret contract document from my ProtonMail address to the non-ProtonMail user MaxMustermann@gmail.com. I check a box in the ProtonMail compose screen and set a password on the message. I then communicate that password to Max out-of-band (calling him on the phone, or sending it via instant messenger[2]), and Max has to enter that password before he gets access to the message containing my secret contract document. That password is all that protects the message once it leaves ProtonMail, so use a generated one rather than something Max could guess.

Watch a TED Talk about it here if you like.

  1. Try Wikipedia’s explanation of it, if the term is unclear.
  2. Try Threema or Signal; I’ve written about them before.
