I have about 180 passwords for different websites and web services. They are all stored in one single password protected Excel document. As the list gets longer I am more and more concerned about its security.
Just how secure, or should I say insecure, is a password protected Excel document? What's the best practice for storing this many passwords in a secure and easily manageable way?
I find the Excel method to be easy enough, but I am concerned about the security aspect.
My favorite password storage tool is KeePass [1]:
What is KeePass?
Today you need to remember many passwords. You need a password for the Windows network logon, your e-mail account, your website's FTP password, online passwords (like website member account), etc. etc. etc. The list is endless. Also, you should use different passwords for each account. Because if you use only one password everywhere and someone gets this password you have a problem... A serious problem. The thief would have access to your e-mail account, website, etc. Unimaginable.
KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page [2].
Only in theory. You can put as many entries into the database as you want, but at some point your USB key or HDD will be full.
No, not like you expect it.
You'll want to make that a regular, manual process. This can not and should not be automated.
I like to set up expiration dates for all my password entries:
Then I remember to change my passwords regularly. I store the URL of the website with the password entry, so it's a quick process.
No, not automatically either (at least to my knowledge). But this is where Auto-Type comes into play. For example, for Facebook, this is my Auto-Type setup:
As you can see, I've created 3 configurations for different browser titles. This allows me to simply go to facebook.com, press Ctrl+Alt+A, and the username and password will be automatically entered and I will be logged in.
If you have multiple username/password combinations for the same window title, you'll get a popup window asking you which password entry should be used.
There are apps that support the KeePass container format on mobile devices. But I stay away from those. I just don't like the thought of my KeePass database on my phone.
I prefer to only transfer single passwords using the QR Code Generator [3] plugin. It lets you generate a QR Code [4] from a password, which you can then scan with your phone. It helps to have an app [5] that can copy the scanned content to clipboard.
[1] http://keepass.info/
There appear to be several easy-to-use Excel password crackers around.
I would use a password management system like 1password [1] or LastPass [2] which work on several OSs including mobiles.
These have plugins for most browsers which can fill in passwords and other information into the web form. 1password can also set up a bookmark in the browser which will automatically log in (all uses of the app require use of a master password first).
1password can also store notes, account (e.g. email, ftp) and templates to help store credit card, bank account and other information. Although it is commercial you can get a free demo that allows entry of up to 20 items.
One difference between the two is that 1password only stores the data locally (although you can sync the encrypted data using Dropbox or similar), whereas LastPass can (must? someone please correct this) store the data on its web site, which allows web access to the data with no need for Dropbox etc.
[1] https://agilebits.com/onepassword
I have used LastPass [1] for a while now and recommend it highly. It has some wonderful browser plugins and a bunch of features that make it easier to have more secure passwords.
The browser plugin will automatically fill-in login information (when logged into the plugin). It also has an export function, so you can retrieve your database and import it into KeePass [2] for example. It also uses two-step authentication for extra security.
Desktop client:
Browser plugin:
[1] https://www.lastpass.com
Password Hasher [1] plugin (for Firefox) is what I personally use.
How Password Hasher helps:
- Automatically generates strong passwords.
- One master key produces different passwords at many sites.
- Quickly upgrade passwords by "bumping" the site tag.
- Upgrade a master key without updating all sites at once.
- Supports different length passwords.
- Supports special requirements, such as digits and punctuation.
- Supports restricting a hash word to not use special characters. (New!)
- Saves all data to the browser's secure password database.
- Generates a portable HTML page with your site tags and option settings that allows you to generate your hash words in any browser on any machine without the extension installed. (New!)
- Can add marker buttons to unmask passwords on any web site. (New!)
- Extremely simple to use!
(source: mozilla.net [2])
I personally use PasswordMaker [1] to generate passwords from a master password and the site's URL. The project is fairly mature, open-source and stable. It is available for Firefox (as an extension), Linux CLI, Android, etc.
How it works:
Warning - technical jargon in this section! You provide PasswordMaker two pieces of information: a "master password" -- that one, single password you like -- and the URL of the website requiring a password. Through the magic of one-way hash algorithms, PasswordMaker calculates a message digest, also known as a digital fingerprint, which can be used as your password for the website. Although one-way hash algorithms have a number of interesting characteristics, the one capitalized on by PasswordMaker is that the resulting fingerprint (password) does "not reveal anything about the input that was used to generate it." In other words, if someone has one or more of your generated passwords, it is computationally infeasible for him to derive your master password or to calculate your other passwords. Computationally infeasible means even computers like this won't help!
[1] http://passwordmaker.org/
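The "one master key, many site passwords" idea behind both Password Hasher (the feature list above) and PasswordMaker (the quoted explanation), as an added Go example that is not code from either project: the master password, a lowercased site tag and a "bump" counter are hashed with SHA-256, and the digest is mapped onto the characters a site allows. The Policy type, the length-prefixed hash input and the rejection-sampling step are choices made for this example, not either tool's format, so the passwords it produces will not match theirs. The one-way property the quoted text describes holds, but a plain hash is fast: a derived password that leaks from one breached site lets anyone test guesses at the master password offline at full speed, so the whole scheme rests on the master password being long and unguessable.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
)

// Character classes a site policy may allow or require.
const (
	lower   = "abcdefghijklmnopqrstuvwxyz"
	upper   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digits  = "0123456789"
	symbols = "!@#$%^&*()-_=+[]{};:,.?/"
)

// Policy describes what a site accepts (a structure invented for this example).
type Policy struct {
	Length       int  // password length the site allows
	AllowSymbols bool // false for sites that reject punctuation
	RequireDigit bool // true for sites that insist on at least one digit
}

// seed hashes master password, lowercased site tag and bump counter, each
// prefixed by its length so that "ab"+"c" and "a"+"bc" cannot collide.
func seed(master, site string, bump int) []byte {
	h := sha256.New()
	for _, part := range []string{master, strings.ToLower(site), fmt.Sprint(bump)} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(part)))
		h.Write(n[:])
		h.Write([]byte(part))
	}
	return h.Sum(nil)
}

// DerivePassword maps the hash onto the allowed alphabet with rejection
// sampling (no modulo bias), re-hashes when more bytes are needed, and then
// satisfies the digit requirement deterministically. Same inputs, same output.
func DerivePassword(master, site string, bump int, p Policy) string {
	alphabet := lower + upper + digits
	if p.AllowSymbols {
		alphabet += symbols
	}
	limit := 256 - 256%len(alphabet) // largest multiple of len(alphabet) <= 256
	first := seed(master, site, bump)
	digest := first
	var out []byte
	for counter := byte(0); len(out) < p.Length; counter++ {
		for _, b := range digest {
			if len(out) == p.Length {
				break
			}
			if int(b) >= limit {
				continue // reject so every alphabet symbol is equally likely
			}
			out = append(out, alphabet[int(b)%len(alphabet)])
		}
		next := sha256.Sum256(append(append([]byte(nil), first...), counter))
		digest = next[:]
	}
	if p.RequireDigit && p.Length > 0 && !strings.ContainsAny(string(out), digits) {
		pos := int(first[0]) % p.Length
		out[pos] = digits[int(first[1])%len(digits)]
	}
	return string(out)
}

func main() {
	pol := Policy{Length: 16, AllowSymbols: true, RequireDigit: true}
	master := "correct horse battery staple" // constructed sample master password
	fmt.Println("example.com :", DerivePassword(master, "example.com", 0, pol))
	fmt.Println("example.org :", DerivePassword(master, "example.org", 0, pol))
	// "Bumping" the tag after a site breach yields an unrelated password
	// without touching the master password or any other site.
	fmt.Println("example.com#1:", DerivePassword(master, "example.com", 1, pol))
}
```

The bump counter is what Password Hasher calls "bumping the site tag": the old password at a breached site becomes useless, and nothing else changes. Because every site's password is a pure function of the master, rotating the master password really does mean updating every site at once unless a per-site bump is tracked somewhere, which is the trade-off the feature list hints at.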
It is risky to trust a third-party application to store your important passwords, especially those applications that are potentially able to connect online or those you authorize to access the processes of other programs; and, more importantly, to trust non-open-source ones.
A more secure way, in my opinion, is to store your important passwords in a text file (.TXT) and then encrypt the file with the AES algorithm using dsCrypt.exe [1]. You are required to enter your main password into dsCrypt only once, and you will be able to encrypt/decrypt your password text file many times without being asked to re-enter the main password every time, as long as dsCrypt is running. You can auto-run dsCrypt with your Windows start and enter your main password once; what you need then is just to drag and drop your password file (.txt) onto dsCrypt to de/encrypt it when you need your passwords.
[1] http://www.softpedia.com/get/Security/Encrypting/dsCrypt.shtml
I recommend KeePassXC [1], which is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, fully cross-platform and modern open-source password manager.
This client is also recommended by Surveillance Self-Defense [2].
Main features of KeePassXC: