March 26, 2020

Set up a password manager - a nice COVID-19 project

You might have some extra time on your hands right now given that COVID-19 thing going around. You could watch another streaming movie -- or you could do something you've been putting off for a long time: setting up and starting to use a password manager.  It's a key part of security hygiene, and a nice complement to hand-washing and elbow-coughing.

Why your passwords are so bad

You may have heard that reusing passwords is bad, but you probably don't know why and you don't know how you'd manage a unique password per account anyway. You've definitely heard about phishing but don't know how best to save yourself from it. And although you may have heard about password managers, you may not fully understand why using one is so important to your cybersecurity.

There are two main reasons, one you can see and one you can't:

  1. If you receive a phishing email/SMS that sends you to a web page that looks just like your bank's, and without noticing you enter your userid and password, your account may be taken over and drained – a password manager can save you from that.
  2. If you reuse your favorite password on a dozen websites (online services) and one of them gets hacked, resulting in a "credential spill" of users' userids and passwords, attackers will try the stolen credentials on a variety of sites, and they'll be able to break into your 11 other accounts – a password manager can save you from that too. (This attack is called credential stuffing.  If you doubt how often online services get hacked, check for hacks affecting your email addresses using https://haveibeenpwned.com.  And register your email addressees there too, to get notifications when hacks happen in the future.)

Update 2021-06-04: A much better description of the risks of bad passwords:

How to fix them

To protect you from both phishing and credential stuffing, respectively, you need the following for your passwords:

  1. your passwords are not in your head, so you cannot type them into login pages, and
  2. every account has a long, random, and unique password. (Long means, say, 20+ characters.)

Enter the password manager

So how do you manage passwords for your (hundred?) accounts if you don't know them and if every one is unique? You use a password manager: it will generate a random password for you for a new account and will store the userid, password, and URL for each account, and later will autofill the userid and password into that account's login page.

Because the password manager carefully examines the login page's URL (domain name, actually), it won't be fooled by phishing pages. And because all your passwords will be unique, any hack of an online service means that only your account on that service is at risk, not a dozen or more other accounts too.

And there are at least three other benefits of moving your accounts to a password manager:

  1. all the pain of remembering your passwords, and resetting them when you forget, goes away as your password manager is doing all the remembering for you; 
  2. you can log into your accounts from any of your devices, whether you're at home or away (and you can manage your password manager's vault on all your devices); and
  3. you are setting yourself up nicely for moving to two-factor/two-step authentication (2FA/2SV), which will help to make you even more resistant to account takeover.

What will it do for me?

At a very high level, this is what a password manager does:
  • It provides apps that you install on your computer(s) and mobile devices(s), to access the password manager service.  It also provides a website that you can use to directly access the password manager service, without using an app. 
  • It maintains a database (aka vault) of entries, one for each of your accounts, with each entry having a website URL and the associated userid and password for your account on that website.
  • It stores the database in the cloud (on the password manager's servers) and syncs the database automatically to/from your devices.  So any changes you make to the database in the cloud or on one devices are reflected in the cloud and your other devices.
  • It automatically records your logins to websites that are not yet in your database, storing the website URL, userid, and password.
  • It lets you play back any entry from your database to quickly log you into a website you previously recorded. 
  • It lets you manually create, edit, and delete entries in your database.
  • It lets you import the database from some other password manager.
  • It lets you export the database so that you can import it to some other password manager, 
  • You can all the above using the password manager computer app.
  • You can do all the above -- except for recording, import, and export -- on the password manager mobile app.

Which one to use?

Now that you know the why of a password manager, the which and how are not that complicated.

For which one, I suggest you look at one of these two well-respected password managers:

And how to do it?

For the how, there are lots of tutorials on the Internet, but here is a great page to get you started: https://thewirecutter.com/blog/why-you-need-a-password-manager-yes-you/

First, some thoughts for certain types of users:

  • If you are a family, check out these family tiers, which provide manageability of the individual accounts in the family:
  • If you are a business:
    • Look at these business tiers, which provide manageability of the individual accounts in the business:
    • Don't mix personal userid/passwords in the same password manager account as business ones: use two separate accounts.  Both the suggested password managers allow you to access both sets of userids/passwords all the time.
  • And if you're an Apple-only user tempted by Apple's built-in password manager, I suggest you not use it for three reasons: 
    1. if you ever decide to do something outside the Apple ecosystem -- like buy an Android phone or tablet, a Chromebook, or a Windows machine -- you won't be able get your passwords on it;
    2. you probably back up your Apples devices (and their keychain) to iCloud -- which is not an end-to-end encrypted service; and
    3. independent security researchers tend to pay more attention to the big third-party password managers (like LastPass and 1Password), which means their vulnerabilities tend to get identified quicker.
These how-to notes will point you in the right direction: 
  • You'll need to create a strong and memorable "master password" to unlock your password manager.
  • It's much easier if you set up your password manager account using your computer and their web page (instead of starting with a mobile client). 
    • After you get it working, download and install the password manager's apps and browser extensions on all your computers, tablets, and phones, and log into these apps (using your master password) so they are all syncing to the password manager's online service.
  • You'll need to store each of your online accounts, one by one, into your password manager. 
    • Your password manager will help by automatically recording the details whenever you login to an online account in a computer browser.
  • Once a login (userid and password) is stored for an account, use the account's password change feature to set a new password; your password manager will general a long random string for you (choose 20+ characters) and will then record it.
  • Start that recording and changing with your most important accounts. 
    • Your most important account is not your bank; it's the main email address that you use to create new online accounts. Why? If an attacker gets control of that one email account, they can take over most of your other accounts using their password recovery mechanisms.
  • You can export the contents of your password manager as a spreadsheet file anytime you want
    • But don't store this anywhere that is not encrypted!  
    • In particular, if you're on Windows Home (and not a Microsoft Surface or similar device), your main drive is not encrypted, and anyone who gets access to your computer can remove the drive and read its contents.
  • It's a good idea to back up the contents of your password manager occasionally, say, every three months.  
    • If your main drive is not encrypted (see the previous bullet), you could store the export in a VeraCrypt container, protected with a strong password.  (Don't reuse your password manager's master password for this -- password reuse is always bad.).  
    • Bonus points if you store a copy of this VeraCrypt container somewhere outside your computer, such as a USB thumb drive.

Why should I trust it?

If you're (rightfully) concerned about trusting the cloud with your passwords:

  • Know that high-quality password managers (like LastPass and 1Password) are end-to-end encrypted (E2EE) services (a.k.a. "zero knowledge"). 
  • That means that all your data (userids, passwords, URLs, and associated notes) is encrypted before it leaves your device for the cloud, using an encryption key that never leaves your device (and is based on your master password). 
  • As a result, if an attacker manages to break into an E2EE service and steal every bit of data (including yours), they won't be able to decrypt any of it.  
  • You can do a web search on "end-to-end encryption" for more information.
Setting up a password manager does take a little bit of learning and time, but once you start using a password manager, you'll wonder how you ever lived without one. And it's an ideal project for a bit of COVID-19 down time.

I'll cover two-step authentication (2SV) and two-factor authentication (2FA) in my next post.

---
Update 2021-04-08: Bitwarden is an excellent password manager choice as well.

Update 2021-05-31: 
There are 3 steps to changing a password to long and random:

    1. Generate a long and random password: LP will do this for you
    2. Go to the service's password change page and change to the new password: you have to do this, using the password generated by LP.
    3. Update your LP vault entry with the new password: LP will do this for you most of the time (there will be a pop-up dialog box asking if you want to update the vault). If you don's see the pop-up, you have to manually edit the LP vault entry with the new password.
After you're comfortable with LP, I encourage you to review all LP settings everywhere:

    1. mobile app > Settings
    2. browser extension: Web browser > LastPass extension icon > Account Options > Extension Preferences
    3. lastpass.com Vault: Web browser > LastPass extension icon > Open My Vault > Account Settings > Show Advanced Settings (and notice this is a dialog with multiple tabs)