March 26, 2020

Set up a password manager - a nice COVID-19 project

You might have some extra time on your hands right now given that COVID-19 thing going around. You could watch another streaming movie -- or you could do something you've been putting off for a long time: setting up and starting to use a password manager.  It's a key part of security hygiene, and a nice complement to hand-washing and elbow-coughing.

You may have heard that reusing passwords is bad, but you probably don't know why and you don't know how you'd manage a unique password per account anyway. You've definitely heard about phishing but don't know how best to save yourself from it. And although you may have heard about password managers, you may not fully understand why using one is so important to your cybersecurity.

There are two main reasons, one you can see and one you can't:
  1. If you receive a phishing email/SMS that sends you to a web page that looks just like your bank's, and without noticing you enter your userid and password, your account may be taken over and drained – a password manager can save you from that.
  2. If you reuse your favorite password on a dozen websites (online services) and one of them gets hacked, resulting in a "credential spill" of users' userids and passwords, attackers will try the stolen credentials on a variety of sites, and they'll be able to break into your 11 other accounts – a password manager can save you from that too. (This attack is called credential stuffing.  If you doubt how often online services get hacked, check for hacks affecting your email addresses using https://haveibeenpwned.com.  And register your email addressees there too, to get notifications when hacks happen in the future.)
To protect you from both phishing and credential stuffing, respectively, you need the following for your passwords:
  1. your passwords are not in your head, so you cannot type them into login pages, and
  2. every account has a long, random, and unique password. (Long means, say, 20+ characters.)

So how do you manage passwords for your (hundred?) accounts if you don't know them and if every one is unique? You use a password manager: it will generate a random password for you for a new account and will store the userid, password, and URL for each account, and later will autofill the userid and password into that account's login page.

Because the password manager carefully examines the login page's URL (domain name, actually), it won't be fooled by phishing pages. And because all your passwords will be unique, any hack of an online service means that only your account on that service is at risk, not a dozen or more other accounts too.

There are two other benefits of moving your accounts to a password manager:
  1. you can log into your accounts from any of your devices, whether you're at home or away (and you can manage your password manager's vault on all your devices); and
  2. you are setting yourself up nicely for moving to two-factor/two-step authentication (2FA/2SV), which will help to make you even more resistant to account takeover.
Now that you know the why of a password manager, the which and how are not that complicated.

For which one, I suggest you look at one of these two well-respected password managers:
For the how, there are lots of tutorials on the Internet, but here is a great page to get you started: https://thewirecutter.com/blog/why-you-need-a-password-manager-yes-you/

And these how-to notes will point you in the right direction:
  • If you are a family, check out instead these family tiers, which provide manageability of the individual accounts in the family:
  • And if you are a business, look instead at these business tiers, which provide manageability of the individual accounts in the business:
  • Don't mix personal userid/passwords in the same password manager account as business ones: use two separate accounts.  Both the suggested password managers allow you to access both sets of userids/passwords all the time.
  • ---
  • You'll need to create a strong and memorable "master password" to unlock your password manager.
  • It's much easier if you set up your password manager account using your computer and their web page (instead of starting with a mobile client). After you get it working, download and install the password manager's apps and browser extensions on all your computers, tablets, and phones, and log into these apps (using your master password) so they are all syncing to the password manager's online service.
  • You'll need to store each of your online accounts, one by one, into your password manager. Your password manager will help by automatically recording the details whenever you login to an online account in a computer browser.
  • Once a login (userid and password) is stored for an account, use the account's password change feature to set a new password; your password manager will general a long random string for you (choose 20+ characters) and will then record it.
  • Start that recording and changing with your most important accounts. Your most important account is not your bank; it's the main email address that you use to create new online accounts. Why? If an attacker gets control of that one email account, they can take over most of your other accounts using their password recovery mechanisms.
  • If you're concerned about trusting the cloud with your passwords, know that high-quality password managers are "zero knowledge" services. That means that all your data (userids, passwords, URLs, and associated notes) is encrypted before it leaves your device for the cloud, using an encryption key that never leaves your device (and is based on your master password). As a result, if an attacker manages to break into a zero knowledge service and steal every bit of data (including yours), they wont be able to decrypt any of it.  You can do a web search on "zero knowledge" and "end-to-end encryption".
  • You can export the contents of your password manager as a spreadsheet file anytime you want, but don't store this anywhere that is not encrypted.  In particular, if you're on Windows Home (and not a Microsoft Surface or similar device), your main drive is not encrypted, and anyone who gets access to your computer can remove the drive and read its contents. 
  • It's a good idea to back up the contents of your password manager occasionally, say, every three months.  If your main drive is not encrypted (see the previous bullet), you could store the export in a VeraCrypt container, protected with a strong password.  (Don't reuse your password manager's master password for this -- password reuse is always bad.).  Bonus points if you store a copy of this VeraCrypt container somewhere outside your computer, such as a USB thumb drive.
  • If you're an Apple-only user, I suggest you not use the Apple keychain as your password manager, for two reasons: (1) if you ever decide to do something outside the Apple ecosystem, like buy a cheap android tablet, you can't get your passwords on it; and (2) you probably back up your keychain to iCloud, which means your passwords would be stored in the cloud in a non-zero knowledge service.
Setting up a password manager does take a little bit of learning and time, but once you start using a password manager, you'll wonder how you ever lived without one. And it's an ideal project for a bit of COVID-19 down time.

I'll cover two-step authentication (2SV) and two-factor authentication (2FA) in a future post.