Safe and Convenient Password Management

For better or worse, passwords are central to the safety of almost all our online accounts. 2-factor authentication systems are meant to protect users from compromise of their passwords. However, not all services support it. Also, several online services (including banks), use OTP sent over SMS as the second factor. This has several vulnerabilities and has been deprecated by NIST. That leaves password as a critical piece of these accounts’ security.

Threats

Before we can choose a password management system, we need to understand the threats that lead to their compromise. This is a non-exhaustive list of threats.

  1. Guessing - Passwords leaked in various past breaches contain several common terms and patterns. If our password is one of these, an attacker can compromise it trivially by trying them. If we use widely known personal information like name or date of birth as password, an attacker specifically targeting us will be able to guess them easily.

  2. Phishing - An attacker may pose as a legitimate service provider and try to make us give them the password. For example, we may receive an email that looks almost exactly like the ones sent from our bank with a link to a login page that looks like our bank’s but belongs to the attacker.

  3. Compromising Services - Not all services on the internet are built with the same level of focus on security. Several online services (including some major names like Yahoo, LinkedIn and Dropbox) have been compromised in the past, revealing the passwords of at least a subset of their users. If our password was compromised and we use the same password in another otherwise secure service, it can be broken into using the password stolen from the compromised service’s database.

  4. Malware - A malware running on our device can steal passwords as we enter them. A good 2-FA system like TOTPs generated with an app like Google Authenticator can protect against this as multiple devices will need to be compromised together. However since such malware will also be able to steal our browser cookies, it is best to avoid getting malware on our devices in the first place.

Any tool we choose to manage passwords must help defend against these threats. It should be able to,

Convenience

In addition to holding our secrets securely, the tool must also provide some convenience features to be practical. These are few things I want in mine.

My Scheme

I prefer using open-source tools to manage my passwords. While it doesn’t guarantee security, I have looked at the source code of my password manager to verify implementation of a security feature and am not willing to give up that luxury.

I use KeePassXC to generate and store all my passwords. It allows generating random passwords combining multiples classes of characters (including extended ASCII!). It supports auto-typing username and password with customizable delays and key sequences. This comes very handy on websites throwing in a checkbox between login text fields and those with multi-page login forms.

On Android, I use Keepass2Android. It provides a custom keyboard to enter username and password without having to copy them to the OS clipboard.

While supported, I DO NOT store TOTP secrets in my KeePass database file. It defeats the whole point of 2-FA, if both secrets are available at the same place.

Syncing the Database

I store work and personal passwords in 2 separate files and sync the personal one using Google Drive. My Google account uses a password I remember and has 2-FA enabled. Having to manually upload the file every time I add or change a password is a hassle, but that happens infrequently and I can live with it.

The .kdbx file format was known to be susceptible to tampering and for this reason, I guard access to the database file closely, even though it is encrypted. Being reasonably careful with the database file will also avoid offline brute force attacks against it.

Browser Extensions

I DO NOT recommend installing any browser extension that helps with auto-filling login forms. They open up a whole new class of vulnerabilities and the additional convenience is not worth it, when the password manager can already auto-type credentials with a keyboard shortcut.

Protection from Phishing

Always verify that the login page was loaded using HTTPS and the domain or the organization name in EV certificate is what you expect.

For critical services which require frequent logging in (like banks), store the URL of the login page in password manager along with the password and use it rather than typing in the URL on each login.

Stateless Password Managers

The fundamental idea behind these is that they take the website’s address, our username on the website and a master password to derive a site-specific password without any additional information. Some of them allow specifying allowed characters, length and a counter at the time of generation. Theoretically this helps us avoid re-using passwords or using easily crackable password patterns generated by human mind without having to sync files across devices. However, these come with certain limitations which make them impractical.

  1. We need to remember the password rules of each service.
  2. We need to remember the number of times we changed the password for a website.
  3. We cannot managed shared passwords (like those shared within a team) using these.

Some of these can be overcome by storing and syncing a small amount of state for each password like allowed characters, length and count of password changes. However, it is far better to use tools that generate fully random passwords for each sites. We won’t have deal with discovery of vulnerabilities in the derivation scheme that may allow attackers to derive passwords for one site using the password leaked by another or derive future passwords when we change passwords after a breach.

09 Oct, 2017 security / password