We suck at security. At least, that’s what I notice whenever there’s word of another breach. Not only do we keep re-using passwords across websites, we keep sticking to easy to remember or just plain stupid ones too. If we have a look at the top password in the LinkedIn breach, the most used passwords are 123456 with linkedin taking up second place and password close behind (source). Seriously? I hope everyone realizes there’s not even a need for breaches to get access to those accounts. Now that we know this, what can you do to better manage your online presence?
Before I used to work in IT, I had a formula that allowed me to create distinct passwords per website. I never had to remember the password, I was able to re-recreate the password using the formula with the site or service as context. While I still consider this an acceptable approach, it’s not really future proof. Some services send you a password reset after a few too many retries which results in having more than 1 formula. After a few years you can’t remember which formula goes where, which is incredibly annoying. So there has to be a better way.
Not wanting to have to deal with having to remember passwords, I moved to services like LastPass or 1Password. They have strong random password generators and browser plugins that allow you to log in to sites without having to enter the password yourself. This work really well and reduces the hassle of having to remember anything. But, there’s 1 problem. I don’t trust anyone in IT. Here I am, having to rely on their security to manage mine. On top of that, most of these services aren’t free either. Bummer.
So where am I today? I use a KeePass database to manage my passwords (no link due to no https ¯_(ツ)_/¯). You can have the same benefits of using LastPass or 1Password using a ton of plugins, but you host it yourself. A few weeks ago there was a bit of commotion about the lack of https when polling for updates in KeePass. If you decide to go for this, make sure you are on version 2.34 or higher. But, given the lack of decent UI, I am using KeeWeb as the software to manage the .kdbx databases. I really dislike that old crappy OSS look and feel of KeePass.
My KeePass database is secured with a password and key file. To sync the databases between the devices I use, I added it to a cloud service. And to make sure that people do not get access to my database when the hosting service gets breached, I added the key file to another cloud service. The two only meet on my devices, never online. Paranoia? Not really, just making sure.
The passwords I generate are > 12 characters and contain completely random stuff. I couldn’t even remember them if I wanted to. And that’s the point entirely. Don’t remember your passwords, make sure you don’t have to by using the tools at your disposal.
And please enable 2 factor authentication (2FA) where possible. It’s easy to setup and can save you ass in case breaches do happen. I use a Yubikey to secure my access to Google, Github and Dropbox. I can only hope others follow shortly as it does away with the hassle of traditional 2FA systems.
In the end you can never prevent breaches. But you can make sure your ass is covered as much as possible.