Online Privacy and Security Using a Password Manager

der.hans

Issue #273, January 2017

Password managers make it easy to have unique user names, unique email addresses and unique passwords for each account. They also provide a secure store for extra account details. Additional features like notes and attachments allow you to use password managers as secure escrow files like digital safety deposit boxes.

Internet and cloud companies do not have perfect security. You're all familiar with large-scale data theft from big corporations. Even a company that defends itself well against the attacks it faces can still lose your credentials in a breach, so do your part by limiting what a breach at one site reveals about your other accounts.

It's common wisdom to use a different password for each account. Better yet is using a unique email address as well. Doing so quickly becomes unwieldy, however, so you find you need an external brain.

Password managers function well as this external brain and can help with more than just passwords. They make it easy to have unique entries for user names, email addresses, security-question answers and much more.

Password managers securely encrypt data before storing it. In addition to passwords, they should have fields for record name, user name, website and notes.

Figure 1. Password managers should have fields for record name, user name, website and notes.

The following example uses the apg (Automated Password Generator) command to create a random string of text:

$ apg -n1 -Mnl
vucapob7

Now you have a unique user name for your bank. Thieves who loot the next social-media site will get only the user name you used there; to attack your bank account they would have to discover both a user name and a password that appear nowhere else.

Use a unique email address. Rather than creating a whole new email account, you can likely take advantage of sub-addressing.

Some email providers support sub-addressing: a separator character followed by a token in the local part of the address. On delivery, the provider ignores the separator and everything after it. For example, you+vucapob7-mybank@example.com would be delivered to you@example.com. See the Email Sub-addressing sidebar for more information.
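The mechanics described above, as an added Python example that is not from the article: build a per-site sub-address from a random token, model the provider's delivery rule, and look an address back up when it turns up in a spam run or a breach dump. The example.com mailbox and the `issued` mapping are constructed for the example; nothing here contacts a mail server.

```python
from __future__ import annotations

import re
import secrets
import string

TOKEN_ALPHABET = string.ascii_lowercase + string.digits  # same character set as apg -Mnl output


def make_token(length: int = 8) -> str:
    """Random lowercase/digit token, the part of the tag a thief cannot guess."""
    return "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(length))


def sub_address(mailbox: str, token: str, site: str, separator: str = "+") -> str:
    """Build mailbox<separator>token-site@domain, e.g. you+vucapob7-mybank@example.com.

    The site name is a hint for you; the random token is what keeps the tag
    from being guessed by someone who has seen the tag you used elsewhere.
    """
    local, at, domain = mailbox.partition("@")
    if not at or not domain:
        raise ValueError(f"not an address: {mailbox!r}")
    if separator in local:
        raise ValueError("mailbox already carries a sub-address tag")
    tag = f"{token}-{site}"
    # Conservative character set; some providers reject other punctuation in tags.
    if not re.fullmatch(r"[A-Za-z0-9._-]+", tag):
        raise ValueError(f"tag {tag!r} uses characters some providers reject")
    return f"{local}{separator}{tag}@{domain}"


def delivery_address(address: str, separator: str = "+") -> str:
    """Model the provider: drop the separator and everything after it in the
    local part, so you+anything@example.com is delivered to you@example.com."""
    local, _, domain = address.partition("@")
    base, _, _ = local.partition(separator)
    return f"{base}@{domain}"


def which_site_leaked(address: str, issued: dict[str, str]) -> str | None:
    """Given an address that showed up in spam or a breach dump, return the
    site you issued it to (issued maps sub-address -> site, as kept in notes)."""
    return issued.get(address.lower())


if __name__ == "__main__":
    # Constructed data for the example.
    mailbox = "you@example.com"
    issued = {}
    for site in ("mybank", "socialsite", "shop"):
        addr = sub_address(mailbox, make_token(), site)
        issued[addr] = site
        print(f"{site:12} {addr:40} -> {delivery_address(addr)}")
    leaked = next(a for a, s in issued.items() if s == "socialsite")
    print("address seen in spam:", leaked, "came from", which_site_leaked(leaked, issued))
```

Two caveats the code makes visible: the tag is not a secret from anyone who knows the convention, since stripping it recovers the base mailbox, so treat sub-addressing as a tracking and anti-correlation measure rather than a second password; and some web forms reject "+" in email fields, so when you have to fall back to the plain address, record that in the entry's notes.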

Unique email addresses also make it harder for thieves to social-engineer a company: data stolen from one site won't give them the user name you use elsewhere, whether or not that user name is an email address.

Since you're storing credentials in a password manager, you don't need to memorize or even see them. In fact, now you've turned your password manager into a credential manager holding unique passwords, unique user names and unique email addresses. Just a few paragraphs in, and you're already powering up!

But, as the infomercials say, there's more.

The notes field allows you to store multi-factor emergency codes, shoe size and anything else that might be useful for the account. You could store customer-service phone numbers, cheat codes for getting to an actual person and notes from the last call.

Some sites have undocumented password requirements, such as not allowing % in a password. The notes field is a good place for a reminder for you. If you use NoScript and a cookie blocker, you also might want to add notes about required JavaScript and cookie domains to use the site.

One key to having unique security questions is to lie. The company doesn't need to know your grandma's favorite first high school mascot. It just needs a response only you can give. Random text to the rescue:

$ apg -n1 -m15 -Mnl
icunyedgicekoco

That's a fun one, but it'll be challenging if you have to say it over the phone. apg can help with that. The -t option says to give pronunciation guides:

$ apg -n1 -m15 -Mnl -t
icunyedgicekoco (ic-un-yed-gic-ek-oc-o)

It still sounds like a foreign language, but it's hardly guessable. The credential manager doesn't care—it's just data.

KeePassX Credential Manager

I recommend using KeePassX combined with KeePassDroid. This article uses KeePassX 2.x. Most of it applies also to the KeePassX 1.x versions, but there are some differences.

Figure 2. KeePassX Opening Screen

Select Database→New Database to create a new credential database.

Figure 3. Creating a New Database

This password you have to memorize. If you forget the password for your KeePass file, you can't open it. See the Creating Good Passwords sidebar for how to choose wisely.

You also can use a key file. KeePass combines the key file with your password to form the master key, so when both are configured, opening the database requires both; your password does not "open" the key file, and the key file does not replace the password. An advantage is that the key file can be stored separately from the credential database, so a stolen copy of the database alone is useless. The flip side is that losing the key file is as final as forgetting the password, so back it up just as carefully.
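How the two factors combine is easier to see than to describe. The following added Python example (not from the article or from KeePassX) mirrors the composite-key step of the KeePass 2.x (KDBX) file format: the password and the key file are hashed separately, the hashes are concatenated and hashed again, and the real format then runs that result through a slow key-derivation function (AES-KDF, or Argon2 in newer files) before it is used on the database. The KDF step is left out here. The key-file rules for 32-byte, 64-hex-character and "any other file" contents follow KeePass's documentation; the XML key-file variant is not handled. The sample password is constructed.

```python
from __future__ import annotations

import hashlib
import secrets


def key_from_key_file(contents: bytes) -> bytes:
    """Key material contributed by a key file.

    KeePass 2.x rules (XML key files not handled here): a 32-byte file is
    used as-is, a 64-character hex file is decoded, and any other file
    contributes SHA-256 of its contents.
    """
    if len(contents) == 32:
        return contents
    if len(contents) == 64:
        try:
            return bytes.fromhex(contents.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass  # not hex after all; fall through to hashing
    return hashlib.sha256(contents).digest()


def composite_key(password: str | None, key_file: bytes | None) -> bytes:
    """SHA-256 over the concatenation of SHA-256(password) and the key-file key.

    Either factor may be omitted, but the database can only be opened by
    presenting exactly the factors it was created with: the password does
    not 'unlock' the key file, and the key file does not replace the password.
    """
    if password is None and key_file is None:
        raise ValueError("a password, a key file, or both are required")
    material = b""
    if password is not None:
        material += hashlib.sha256(password.encode("utf-8")).digest()
    if key_file is not None:
        material += key_from_key_file(key_file)
    return hashlib.sha256(material).digest()


def new_key_file() -> bytes:
    """Fresh 32-byte random key file. Keep it somewhere other than the
    database; an attacker who copies only the .kdbx still lacks this factor."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    password = "correct horse battery staple"  # constructed example, not a real password
    keyfile = new_key_file()
    k_both = composite_key(password, keyfile)
    k_pw_only = composite_key(password, None)
    k_other_file = composite_key(password, new_key_file())
    print("password + key file :", k_both.hex())
    print("password only       :", k_pw_only.hex())
    print("password + other key:", k_other_file.hex())
    print("all distinct:", len({k_both, k_pw_only, k_other_file}) == 3)
```

Running it shows the point the text makes: the same password with a different (or missing) key file yields an unrelated key, so a backup of the database is only usable together with the exact key file it was saved under.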

Once you've entered your password, I recommend you save the file and close it, then open the file again to make sure you can type in your new password. Open and close it three or four times to help you memorize the password. After 15 minutes, do the close and open dance again, then make sure you test it the next morning as well. Forgetting that password is the same as losing the file—the data is unavailable.

To add a new entry, either click the key icon with the green arrow or the Entries→Add New Entry drop-down menu. The drop-down shows a third option, the Ctrl-n shortcut.

KeePassX can autogenerate passwords. In addition to specifying character groups like upper and lowercase letters, numbers and special characters, you can choose length and exclude look-alike characters, such as O and 0 and 1 and l.

Figure 4. Autogenerating a Password

Choose a long length like 42 characters since you're not memorizing the passwords. The eye button will let you view the random text if you need to (which is useful if a site discourages good passwords by blocking password pasting). Click the accept button to get KeePassX to store the new entry, then save the file.
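What the generator dialog does, as an added Python example that is neither the article's nor KeePassX's code: the union of the chosen character groups, look-alike exclusion, an optional list of characters a site rejects (the undocumented "%" rule noted earlier), and a guarantee that every requested group appears, done by rejection sampling so the result stays uniform over all valid passwords. The group contents, the exact look-alike set and the entropy helper are my choices.

```python
from __future__ import annotations

import math
import secrets
import string

# Characters removed when look-alike exclusion is on (assumed set for this example).
LOOK_ALIKES = set("Il1O0")

GROUPS = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": "!#$%&*+,-./:;<=>?@[]^_{|}~",
}


def build_alphabet(groups: tuple[str, ...], exclude_look_alikes: bool = True,
                   forbidden: str = "") -> str:
    """Characters the password may use: the chosen groups minus look-alikes
    and minus anything the site refuses (e.g. forbidden="%")."""
    drop = set(forbidden) | (LOOK_ALIKES if exclude_look_alikes else set())
    return "".join(c for g in groups for c in GROUPS[g] if c not in drop)


def generate(length: int = 42,
             groups: tuple[str, ...] = ("upper", "lower", "digits", "special"),
             exclude_look_alikes: bool = True,
             forbidden: str = "") -> str:
    """Uniformly random password over the alphabet, conditioned on containing
    at least one character from every requested group.

    Rejection sampling keeps the distribution uniform over the valid set; the
    common 'pick one from each group, fill the rest, shuffle' approach does
    not, because it over-represents strings with exactly one of a class.
    """
    if length < len(groups):
        raise ValueError("length too short to include every group")
    alphabet = build_alphabet(groups, exclude_look_alikes, forbidden)
    pools = {g: set(GROUPS[g]) & set(alphabet) for g in groups}
    if not all(pools.values()):
        raise ValueError("a requested group has no characters left")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(set(candidate) & pool for pool in pools.values()):
            return candidate


def entropy_bits(length: int, alphabet: str) -> float:
    """Upper bound on the entropy: log2(|alphabet|) per character. The
    'every group present' condition removes a negligible fraction at 42 chars."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    alphabet = build_alphabet(("upper", "lower", "digits", "special"))
    print(f"{len(alphabet)} usable characters, ~{entropy_bits(42, alphabet):.0f} bits at 42 chars")
    print("site-agnostic  :", generate(42))
    # A site that rejects '%' and allows only letters and digits, per its notes entry:
    print("letters+digits :", generate(20, ("upper", "lower", "digits"), forbidden="%"))
```

With all four groups and look-alikes removed, 42 characters carry roughly 268 bits, so the length the text recommends leaves a wide margin even for sites that force a smaller alphabet.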

In addition to the notes field, KeePassX 2.x has fields for additional attributes. The latter is a better place for storing security questions and answers. Although both fields display the values in plain text, the default screen does not show additional attributes, and there's a drop-down menu to use them.

Additional attributes can be found in the Advanced section for an entry. To copy them, use the Entries drop-down, select Copy Attribute to Clipboard, then select the attribute you want.

For securely copying a secret, it's important to keep it hidden and keep it safe. The password stays hidden because it isn't displayed. It's kept safe because it expires out of the clipboard. By default, the clipboard is cleared after ten seconds.

Figure 5. Clear Clipboard Setting

KeePassX provides handy keyboard shortcuts. Ctrl-b copies the user name into the clipboard for pasting, and Ctrl-c copies the password. Review the drop-down menus to find more shortcuts.

Credential Manager Features

You should require the following features in a credential manager:

  • Clipboard clearing.

  • Password generation.

  • Pronounceable password option.

  • Encrypted data with operating-system-independent storage.

  • Backups and data liberation.

The clipboard should be cleared automagically after a short time. There's no need for it to stick around and get pasted somewhere accidentally.

A credential manager should have a password generator. Even better is a random text generator available from anywhere in the application that simplifies creating random values for security questions and responses, sub-addressing tokens and birthdates.

The random text generator should have an option for pronounceable passwords. KeePassX 1.x does, but KeePassX 2.x does not. Hopefully the feature will be added back in. apg's pronunciation guide is quite useful. Neither version of KeePassX has that.

The data file must be encrypted and interoperable. In order to be trusted, the encryption software and algorithm need to be free and open so they can be audited independently. KeePassX is GPLv2 or later, and KeePassDroid is GPLv3. Both incorporate code under other free software licenses.

Interoperability means usable by multiple applications. KeePassX and KeePassDroid use free and open KeePass file formats. KeePass, kpcli and other applications also can use the files. None of them can open the file without the master password (and the key file, if you set one). They are your passwords; you should have exclusive access.

Being operating-system-independent matters because your data should not be locked to one platform or vendor. KeePassX runs on GNU/Linux, BSD, Mac and Windows. KeePassDroid will put both user name and password into the notification drawer for easy selection on the phone.

You need to have backups and data liberation. Since KeePass files are encrypted, copying them elsewhere is sufficient for backups. Keep old master passwords secure as they can be used on old backups of the file.

Data liberation means you can access your data even if the original application or service provider stops working. A standard format like KeePass works since many applications can read it. Additionally, KeePassX exports to a plain-text file. That export is a complete, unencrypted copy of every credential, so encrypt it immediately with a tool such as GnuPG, remove the unencrypted file, and do the export on local storage you control rather than in a shared or cloud-synced folder.

For online password managers, data liberation means you can get your data back out of the service provider in an open format. If you use a proprietary service, you are dependent on that service allowing you access. Make regular exports to an open format in case the provider goes offline, decides you haven't paid recently or jumbles your data.

I recommend separate files for personal and work. No need for a subpoena over some work contract to sweep up all of your personal credentials as well. Just like email, keep personal and work in separate accounts.

For traveling or mobile use, you don't need all of your credentials. You can drop the whole file on some file-sharing service and unlock the entire file from your phone, but then a compromise on your phone has access to all of your accounts as well.

Keep an updated file with a subset on the mobile device. I recommend the minimum essentials to connect to your file-sharing service and operate if you have voice, but not data.

KeePassX does not provide a way to sync data to another location securely, but kpcli can export a group to a new KeePass 1.x file. For instance, create a "mobile" group in your KeePass file, then use kpcli to export that group. kpcli is available under the same licensing as Perl.

Other Useful Features

A credential manager also can be used to escrow data like family social security numbers, important private dates, insurance account information and anything else your family might need should you no longer be available. KeePassX also can store attachments. Now you have a data escrow manager. Power up.

A credential manager should accept any text as the master password, special characters included. KeePass files do. In fact, when I give presentations on KeePassX, I often demo unlocking a KeePass file by pasting in Perl and shell script snippets.

KeePassX has an Auto-Type feature that will log you in to a website with one hot key: Ctrl-v. Although other people like Auto-Type features, I find it too easy to mis-click and paste my credentials in the wrong place. Eventually I do get it right, usually long before “user+twyimCij5-fsf@example.com zFsZ5ZwEh5FHRgYf474MCRQ8pW4YNDXT87wrsQhkyL” starts trending in Google searches.

KeePass files also support an expiration date for passwords, and KeePassX provides preset time periods like three and six months. Once the entry expires, KeePassX marks it when viewing the group as a reminder to change the password.

KeePass allows you to access previous versions of an entry via its history feature. It's not quite revision control, but it's still handy.

It's also handy when a credential manager checks the site you're about to log in to, both that it is the genuine site and that it isn't currently known to be vulnerable.

For instance, LastPass is an online commercial password manager with a history of responding quickly to events like this. Shortly after Heartbleed was announced, LastPass integrated a check to verify the destination website was not vulnerable to Heartbleed before sending credentials. It also verifies that you're connecting to the actual site rather than a phishing site that merely looks like it before filling in credentials.

LastPass is mostly browser-based. The company also provides a command-line tool with source available, and a perusal of several files yielded GPLv2 or later licensing.

LastPass does encryption and password creation on the client side, so by design the company never has access to your unencrypted data. Sharing a credential encrypts it on the client side with the recipient's public key; again, LastPass doesn't see the unencrypted credential.

LastPass also advertises a feature that lets the recipient use shared credentials without seeing them. LastPass itself can't view the unencrypted data, but the recipient's browser must hold the plain-text password in order to fill it into the login form, so hiding it is a convenience rather than a security boundary: it's fairly easy for the recipient to capture the hidden plain-text password.

See the Password Managers sidebar for a list of free software password managers.

If you prefer password generation and password storage to come from different applications, the Generating Random Text sidebar has some ideas for creating your own random strings.

der.hans is a free software, technology and entrepreneurial veteran. His roles have included director of engineering, engineering manager, IS manager, community college instructor, developer, DBA and his favorite, system administrator. He is also now a repeat author for Linux Journal. In his free time, der.hans endeavors to help build the Free Software community through user group and conference leadership. He is chairman of the Phoenix Linux User Group (PLUG), BoF organizer for the Southern California Linux Expo (SCaLE) and founder of the Free Software Stammtisch. He's currently supporting manufacturing in the US as a senior engineer at Shutterfly.