Let’s face it, most people use the same password over and over again for ease of use, but with all the breaches over the last few years this practice is getting more and more risky. Taking this approach means that if someone obtains or cracks your password for one account, they could log into any of your accounts that share it, stealing data and jeopardising your security and privacy. Having a separate, well-crafted password for every site is considered the best way to secure data – but how the hell are we supposed to remember them all?
As Security professionals we’re often asked about Password Managers. NCSC wrote a good blog about their thoughts on Password Managers which is well worth the read. I don’t want to repeat the content of the NCSC Blog, so this post is going to be more direct and summarise the approach that we adopt, to help our Clients and Readers manage the problem of password overload!
So, Browser based v Cloud based v locally installed Password Managers – for a number of reasons we have chosen to use a locally installed Password Manager.
We use Password Managers for three main ‘use cases’:
- Creating random ‘throw away’ passwords for less important Websites
- Storing login credentials for non-critical Applications
- Storing API Keys for Cloud platforms such as AWS and Azure
There are a few decent Password Managers out there, but this blog is going to look at KeePass – as it is open source and therefore free for all to use. KeePass is available on Windows, Linux and Mac OS X, with ports available for Android and iPhone/iPad.
KeePass keeps every username and password pair in an encrypted database, protected by a single master password or key – meaning in essence that you only need to remember one password: the password for KeePass. Other options for strengthening KeePass authentication include locking the database to a Windows account and using Key Files. The complete password database is encrypted with AES-256: not only the password fields but your user names, notes, etc. are all encrypted too. Once logged into KeePass you can copy passwords from KeePass into the target Applications, Websites and Terminals.
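To show why a Key File strengthens the master password, here is an added Python example (not KeePass’s own code) that models the idea of combining a password and a key file into one composite key and then slowing it down with a key-derivation function. The use of PBKDF2-HMAC-SHA256 from the standard library as the slow step, the round count and the sample password are all assumptions of this illustration; KeePass itself uses its own key-transformation settings.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional


def composite_key(master_password: str, key_file: Optional[bytes] = None) -> bytes:
    """Combine the master password and (optionally) the key file contents
    into a single 32-byte composite key. Each source is hashed on its own,
    the hashes are concatenated and hashed again, so every source you
    enable must be present to reproduce the key. Illustrative model only."""
    parts = hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file is not None:
        parts += hashlib.sha256(key_file).digest()
    return hashlib.sha256(parts).digest()


def transform_key(composite: bytes, salt: bytes, rounds: int = 200_000) -> bytes:
    """Deliberately slow key transformation so offline guessing of the master
    password is expensive. PBKDF2-HMAC-SHA256 stands in for the real KDF
    (assumption for this example); the salt is stored with the database."""
    return hashlib.pbkdf2_hmac("sha256", composite, salt, rounds, dklen=32)


def new_key_file() -> bytes:
    """32 random bytes, the kind of secret a key file carries."""
    return secrets.token_bytes(32)


def demo() -> tuple:
    """Return (opens_without_key_file, opens_with_wrong_password) using
    constructed inputs; both should be False."""
    salt = os.urandom(32)
    key_file = new_key_file()
    good = transform_key(composite_key("correct horse", key_file), salt)
    # Correct password, key file missing: a different key, database stays shut
    no_file = transform_key(composite_key("correct horse"), salt)
    # Correct key file, password off by one character
    wrong_pw = transform_key(composite_key("correct house", key_file), salt)
    return (hmac.compare_digest(good, no_file), hmac.compare_digest(good, wrong_pw))


if __name__ == "__main__":
    print(demo())
```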
So if your laptop is configured to best practice (e.g. CIS Benchmark or NCSC EUD Guidance) and the Password Manager is configured accordingly, there is little additional risk in using one such as KeePass for storing passwords and secrets for your less important accounts. You will still need to use your old noggin for remembering your critical passwords, but that can only be helped by reducing the total number you do need to remember!
And finally don’t forget to enable MFA whenever it is available – have a look at one of our earlier Blogs to read why!