Password management: how I managed to sort it once and for all

We all have our own history of how we arrived at the way we manage passwords, and we all know that, unfortunately, it is not an easy task: security requirements keep increasing over time, and so does the number of services we use. It is impossible to remember all of those codes, and inventing our own patterns does not necessarily make them more secure.

Password management tools

How we all started

Simple password

We started with our email password: what did we choose? Generally, the first choice is our pet's name, our date of birth and so on, passwords that are easy to attack in different ways. Today's automatic security checks tell us when the password we are choosing is not secure enough and give us hints (or even constraints) on how to change it, which suddenly turns it into something complicated and hard to remember.
In the meantime, more and more services come up: Facebook, your wifi at home, the bank with its many codes, the PIN on your mobile phone and on your credit cards, and so on. And do not forget all the passwords you need in the office, where it is your direct responsibility to store them safely and change them periodically.

In this situation, always using the same password, which was certainly not advisable, was not even possible any more. What did we do then? A list! So here we are with our paper notebook or text file full of passwords. A big issue arises: what if we lose that document, or even worse, what if it ends up in the wrong hands? From the moment you create such a document there are many ways for it to be read by others, and we want to prevent that from happening, now and in the future.
A simple way to improve this kind of approach is to password-protect the document if it is a digital file. This may sound reasonable from a generic point of view, but for a set of technical reasons I strongly advise against it: temporary files can be created without us knowing, and those can undermine our intentions.

So here we are with this big problem, and even if there are some tools that make those problems feel smaller (access via fingerprint, your browser saving your passwords for you and so on), what happens is that you get a false sense of security, which is exactly what we want to avoid.

Enter the password manager: this kind of tool is created specifically to let you manage your passwords in an organised and secure way.

Local password managers


My first proper password manager was KeePass. This simple yet very versatile application (originally for Microsoft Windows, but with equivalents for other platforms) lets you store any kind of password, login detail and any other information (even documents) in a secure way, encrypting everything with strong standards and featuring a very useful search function, together with effective integration with the OS and various browsers. In particular, I loved KeePassHttp for integrating it with Chrome. It takes some minutes to get used to it, but it is certainly a very good way to store your passwords.

To ensure resiliency, and avoid losing all your passwords in case of a failure, you will then need to save the database somewhere with an automatic backup in place, such as Google Drive, Dropbox, or your personal backup setup.

What happens here is that the complexity of this whole process can easily take away all the enthusiasm and let users fall back into bad old habits. While this is still an option that I strongly advise for anyone whose work has password management as a critical part, I advise average users to choose cloud solutions.

Cloud password managers

Many of the issues that arise with a local password manager are solved by a cloud-based one. With this solution we trust an external company to store our passwords for us on their secure servers and to let us access them from our devices via web interfaces, apps or browser extensions.

LastPass was the first cloud tool I started using. I am aware that many others exist, and after quite some time I decided to migrate to Bitwarden, as I generally prefer open-source platforms and I read very good reviews on the web.
They are fairly similar: LastPass is maybe a bit better looking, while Bitwarden gives the interface a more professional look. They have similar features, so I would avoid strongly advising one over the other, but my intuition tells me that LastPass would be more user-friendly for most people. In addition, migrating from LastPass to Bitwarden is extremely simple and painless, so you can always switch later.

Here I list the necessary steps to properly set up your cloud password manager:

  • First of all, you will need to create the account and set a password (or better, a passphrase) that you will need to remember. My advice here is to use a password that you know very well and repeat it 2-3 times to make it long enough to be very strong (at least 20 characters).
  • Then comes the installation: install it as a desktop app, as an extension on every browser you use, and on every mobile device as well. This may mean several installations (for example, 2 accounts on Google Chrome, Windows, a mobile phone and a tablet already make 5), but the good side is that once it is done there is no need to work on it further.
  • At this point it is a good idea to disable the embedded password manager in your browser, so that no more passwords are saved there (how-to for Chrome here, settings link here), and whenever you log on to a website you can use the new password manager's prompt to save the credentials you just used into your new database.
  • Check that you have transferred all the passwords from your browser into your new database, and then delete them from the browser.
  • If you need to protect some files, you can safely encrypt them and store the encryption password in the password manager.
  • You can also add other entries manually: bank codes, physical lock combinations, passwords for unlocking TV content or for disabling the safety feature on your oven, you name it. The point is to use it as the one place that unlocks any of your virtual or physical devices. Also, put in the entry's notes all the keywords that could help you find it when you most need it: for your bank PIN, add the words credit card, ATM and debit card in the notes, so that any of those searches returns the card PIN in the results, which is very useful in a moment of rush.
  • On mobile, fingerprint unlock can be extremely useful: it lets you skip entering the master password and basically access everything without typing anything more.

General notes

Password security

There are probably hundreds of articles on what's the best way to create a secure password, but here I'll just make some simple statements:

  • Use automatically generated passwords whenever possible; all password managers have such a feature. At least 20 characters, with numbers and symbols included, is the way to go.
  • Use passphrases for any password that you need to remember and type manually. A password like Chipmunk!Baobab!Mexico4 is far more secure than /&%$Ksd and much easier to remember. You can check its strength here.
  • When you create a password that you know you will have to type, use characters that are easy to reach on both PC and mobile keyboards. Some special characters are easily confused with each other and should be avoided.
  • NEVER share your personal passwords. There are no exceptions to this statement. If you need to share a service of some kind with someone else, first check its built-in features (for example, if your secretary needs to manage your email account, you can enable email delegation).
    • If there is no workaround, you can use a function like the one LastPass offers, where you share a password without the recipient ever seeing it. Pretty cool.
    • If that is not an option either, or you need to hand over the account, change the password beforehand and communicate the account details and the password through two different channels (for example, one part via email and the other via text message).

Access to your passwords means access to your accounts, and therefore the ability to act on your behalf. The responsibility for keeping those passwords safe is yours, so you had better be prepared.
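To put numbers behind the passphrase advice above, here is an added example (my own code, not from the post or any of the tools it mentions). It generates a passphrase in the Chipmunk!Baobab!Mexico4 style from a constructed mini wordlist and compares two strength estimates: the naive character-class estimate, and the one an attacker who knows the generation scheme actually faces. The 7776-word list size used in the second estimate is an assumption (the size of a typical diceware list), not something the post states.

```python
import math
import secrets
import string

# Constructed mini wordlist for the demo only; a real generator loads a large
# list (a diceware-style list has 7776 words, assumed below for the arithmetic).
WORDS = ["chipmunk", "baobab", "mexico", "lantern", "granite", "velvet",
         "harbor", "meadow", "copper", "falcon", "saffron", "tundra"]
# Separators reachable on both PC and phone keyboards and hard to confuse.
EASY_SEPARATORS = "!-."


def generate_passphrase(words=WORDS, count=3, separators=EASY_SEPARATORS):
    """Pick words with a CSPRNG, capitalise them, join with one separator and
    append one digit, giving the Chipmunk!Baobab!Mexico4 shape from the post."""
    chosen = [secrets.choice(words).capitalize() for _ in range(count)]
    sep = secrets.choice(separators)
    return sep.join(chosen) + str(secrets.randbelow(10))


def charset_entropy_bits(password):
    """Naive brute-force estimate: length * log2(size of character classes used).
    This is what most online strength meters report."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0


def construction_entropy_bits(word_count, wordlist_size,
                              separator_count=len(EASY_SEPARATORS), digits=10):
    """Estimate for an attacker who knows the scheme: only the random choices
    (which words, which separator, which digit) count, not the characters."""
    return (word_count * math.log2(wordlist_size)
            + math.log2(separator_count) + math.log2(digits))
```

Even under the pessimistic second estimate, three words from a 7776-word list give around 44 bits, roughly the naive estimate for the 7-character /&%$Ksd, while being far easier to type and remember; adding a fourth word adds another 13 bits.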

Verify your current status of security

  • Check whether your email address already appears in a known data breach. You can do this on a website like Have I Been Pwned? If it does, change the password as soon as possible on every site where you were registered with that same password.
  • Password managers nowadays warn you when your credentials appear in a known breach and when you are reusing passwords. That should help you change all the ones that need it.

Single sign-on and connected accounts

Several companies nowadays allow websites to use their secure sign-in system, making user access both more immediate and more secure.
Although this is a great feature and generally very secure, it can sometimes lead to issues and confusion: remembering which account is connected to which service can get tricky, and sometimes we end up creating multiple accounts because we forgot that we had already subscribed in the past.
Once password management is set up correctly this is no longer necessary, and I advise creating a dedicated user for each service.

Email aliases - a different username for each service

A practice I found useful is to use a different email address for each service I subscribe to. Some email providers (like Gmail) have a built-in feature that lets you create aliases for your address simply by adding extra "." characters, or a "+" followed by other characters, in the part before the @ (reference link). All emails still arrive in your usual inbox.
It is easier with an example: if my email address is davide@gmail.com and I want to register an account on pocket.com, I can use davide+pocket@gmail.com. This gives me a dedicated login address and also lets me verify that emails received at that address come from the correct sender, or even discover if someone sells my email address without my consent.

PIN codes

Something particularly annoying are PIN codes (Personal Identification Numbers). They generally consist of 4 to 8 digits and often have a fixed length; memorising them can be a real nightmare.
The first step is certainly to save them in our shiny new password manager, but since they are generally needed on the spot, it is a good idea to have some mental tactic for remembering them.
They are generally something that adds to some other kind of security feature, so although it is important to keep them secret, I do not think it is too critical to have them all different. You can therefore pick a sequence of 8 digits that you remember (do not use dates or numbers related to you) and use a part of it for every occasion. Here are some tips on how to choose your sequence.

Multi-factor authentication

The true key to properly securing an account is multi-factor authentication (MFA), sometimes called two-factor authentication or multi-step verification. The concept is that, in order to authenticate you, the system verifies through several different means that it really is you trying to get access. It works by first asking for your normal username and password combination and then adding an extra step where a one-time code has to be provided: via SMS, a physical token, a mobile phone prompt, time-based one-time passwords (TOTP/OTP) or other means.

An application I use a lot to generate OTP codes is Google Authenticator (Android, iOS).
Be careful with this though: if your phone breaks you lose the ability to generate codes, so always keep your backup codes in your password manager as well. Backup codes are single-use codes generated at the moment you enable MFA, meant to be used only when the second device fails, in order to set up a new one.
An alternative to local OTP apps is a cloud app; a highly rated one is Authy. Bitwarden Pro includes an integrated OTP service (link).
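What an authenticator app and the site actually compute, as an added example (my own code, not Google Authenticator's, Authy's or Bitwarden's): TOTP per RFC 6238 on top of HOTP (RFC 4226), a server-side check that tolerates one 30-second step of clock drift, and single-use backup codes stored only as hashes, as described above. The backup-code format (8 digits, SHA-256 hashed) is an assumption for the demo; the RFC test secret is the standard ASCII string "12345678901234567890".

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation,
    then reduce to the requested number of decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, timestamp=None, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    timestamp = time.time() if timestamp is None else timestamp
    return hotp(secret, int(timestamp // step), digits)


def verify_totp(secret, code, timestamp=None, step=30, digits=6, skew=1):
    """Accept the current step and +/- skew neighbours to tolerate clock drift
    between phone and server; compare in constant time."""
    timestamp = time.time() if timestamp is None else timestamp
    counter = int(timestamp // step)
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-skew, skew + 1))


# Backup codes: generated once when MFA is enabled, each usable exactly once,
# and kept server-side only as hashes so a copied database cannot replay them.
def generate_backup_codes(n=10):
    return [f"{secrets.randbelow(10 ** 8):08d}" for _ in range(n)]


def hash_code(code):
    return hashlib.sha256(code.encode()).hexdigest()


def consume_backup_code(stored_hashes, code):
    """Return True and remove the matching hash, so the code cannot be reused."""
    h = hash_code(code)
    for stored in stored_hashes:
        if hmac.compare_digest(stored, h):
            stored_hashes.remove(stored)
            return True
    return False
```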

Businesses

Password management

If you are running a small business, or sorting out password management for one, the advice above is perfectly valid. Such a structure, if properly taught to employees, can address more than 90% of the most common threats an average company faces.
One common issue in those businesses is password sharing. Both LastPass and Bitwarden, like many other password managers, allow the creation of groups, and their password-sharing capabilities are sufficient to meet even fairly high levels of compliance and auditing. Doing it with KeePass or other local password managers is also possible, but not really practical.

Single sign-on and directory management

For growing and established businesses, single sign-on and Identity-as-a-Service systems like Okta or OneLogin, and cloud directory services like JumpCloud, can greatly facilitate access management and compliance requirements. Considering early adoption of those tools can be an effective way to improve automation, reduce admin workload, avoid human error and, finally, increase compliance and auditing capabilities.

I am available for consultancy on this matter, and for the eventual set-up of complete security architectures or short-term tactical implementations.

Advice summary:

  • You will at least have to remember 3-4 main passwords: the one to access your computer, the one to access your password database, the one to access your email (in case your PC breaks) and your PIN code.
  • Use passphrases instead of passwords, especially where you need to type the password manually. Choose special characters that are easy to reach and hard to mistake. Passphrases are easier to remember and to type, and security is not compromised.
  • Use email aliases to create a separate username for each service.
  • Using a cloud password manager can solve most issues at once and put you in a much better spot from day one.
  • A local password manager can be a viable option for personally managing a large number of passwords.
  • MFA is the best way to keep your accounts truly secure, and it should be activated wherever available.
  • If you run a business, have a security plan and dedicated training sessions for the staff regarding password management.

Useful references and links:
My favourite tools: Davide Biasco - tools
