Sebastinux.com

How to manage your passwords securely

Posted on May 11, 2023, by Sébastien
Updated on July 3, 2023, to mention Proton Pass.

———

Basic principles

Use unique passwords

Do not re-use the same password for multiple websites, services, or devices.
If you do, an attacker who manages to steal your password in one place would also gain access to your other accounts.

Of course, memorizing dozens of secure passwords is quite a challenge, and writing them all on paper is a terrible idea:

Use a password manager

Instead, I highly recommend using a password manager.
Password managers are specifically designed to store passwords securely.

Use hard-to-guess passwords

Password cracking is heavily automated these days, which means you need to choose passwords which are difficult to guess, not only for a human attacker, but also for a program able to make thousands of attempts per second (or even millions).

Unfortunately, humans are pretty bad at generating randomness.
A character sequence chosen by a person is generally much more predictable than a character sequence generated by a secure randomness source.

Therefore, I strongly advise you to let your password manager generate all of your passwords.
Aim for at least 20 characters, including upper-case letters, lower-case letters, digits and symbols.
You won't need to memorize them anyway 😉

Mathematically speaking, a fully random password consisting of 21 characters including upper-case letters, lower-case letters, digits and symbols, will have an entropy of approximately 128 bits, which is as much as some encryption keys still in use today.

Pros and cons of password managers

Pros:

Cons:

➡️ Be careful not to forget your master password.
➡️ Ensure you can access your password manager offline. Keep a backup copy.

Overall, the benefits of using a password manager outweigh the risks.

How to create a strong password

Even though the objective is to drastically reduce the number of passwords you need to memorize, you'll still need to remember a few:

Here's a technique you can use to create an easy-to-remember, but hard-to-guess password:

Use several sentences if necessary. It's even better if they're unrelated.

Example:

I like bananas! Also, the distance between the Sun and the Earth is 150 million kilometers. 
Ilb!A,tdbtSatEi150mk.

Avoid building your password from a single famous quote, as that would increase it's predictability.

Recommended password manager: Bitwarden

My favorite password manager is currently Bitwarden.

Screenshot of Bitwarden's Firefox extension
Screenshot of Bitwarden's Firefox extension

It has numerous advantages:

Security

All data you submit to Bitwarden is fully encrypted using AES-256 before it leaves your device, ensuring that neither the company, nor any potential attacker, can read it.
Some competing password managers don't go to such lengths, and only encrypt passwords, leaving website URLs unencrypted – which isn't a good thing, privacy-wise.

Because the encryption key is derived from your master password, you must not ever forget it, or you won't be able to recover your data.

Bitwarden has been audited for security multiple times by independent companies.

Open Source

The code is Open Source, which is a good thing, when it comes to security.

This is an application of Kerckhoffs's principle – which dates back to the 19th century:

A cryptosystem should be secure, even if everything about the system, except the key, is public knowledge.

It's basically the opposite of the "security through obscurity" strategy, which in itself cannot guarantee the security of a system.

Ease of use

Bitwarden is available on all platforms: there are apps for Windows, macOS, Linux, Android, iOS, as well as browser extensions, and a Web vault:

Your passwords automatically get synchronized between all of your devices.

All versions – except the web vault – can be used offline.

You can import your passwords from other password managers.

Password sharing

Even though sharing passwords is generally frowned upon, some of them are inherently shared between a few people, such as Wi-Fi passwords.
It turns out Bitwarden has a secure sharing feature.

You can either send a secure link to anyone (the recipient does not need a Bitwarden account), or share passwords between Bitwarden accounts.
The free version allows sharing items with one other Bitwarden user, while "Families" and "Business" plans offer more advanced sharing features.

Anyone with a paid account can also share files, in addition to passwords or text.

Alternatively, if you ever need to send passwords / text data to someone, you can use the free "kPaste" service from Infomaniak (a Swiss hosting company), without any registration:

It's also end-to-end encrypted, and Open Source.

Pricing

Bitwarden's free plan is very generous, allowing unlimited passwords, and unlimited devices.
In fact, it should be sufficient for the vast majority of individuals.

The premium version is so cheap ($10 per year), that you can subscribe to it even if you don't need the additional features, just to support Bitwarden.

There are also family plans ($40 per year, up to 6 users), and business plans for companies, ranging from $3 to $5 per month per user.

Drawbacks?

It's hard to find drawbacks to Bitwarden.

One could argue that the USA is not most privacy-friendly country, and Bitwarden is an American company, with servers in the US.
However, end-to-end encryption guarantees that your privacy is protected.

Alternatively, you could also resort to self-hosting – which would allow you to choose your hosting provider/location, and avoid centralization.
That being said, I don't recommend it, unless you belong to an organization with enough knowledge and resources to set it up properly, maintain your installation, and keep it secure.

Finally, some people might prefer the user interface (UI) of other password managers – although it's entirely subjective – or be interested in some niche features that Bitwarden doesn't offer.

Other secure password managers

The following password managers are also acceptable:

1Password

The UI and features are good.
It's not Open Source, though, and there's no free plan.
The paid plan starts at $2.99 per month (billed annually) for individuals.

Dashlane

Again, the interface and features are fine.
It's not Open Source either, and the free plan is limited to only 1 device.
In order to be able to use Dashlane on all of your devices, you need to opt for the “advanced” plan, at $2.75 per month (with a one-year subscription).

Proton Pass

Proton Pass is the new kid on the block, as it launched on June 28, 2023.

It’s developed by Proton AG, which is the company behind Proton Mail, founded in 2014 by a group of scientists who met at CERN (in Switzerland).

It may be too soon to fully evaluate whether it’s on the same level as Bitwarden, 1Password or Dashlane, but it does seem quite promising:

On the other hand, because it’s brand new, as of early July 2023, it doesn’t have as many features as other, more established password managers – such as password sharing, for instance – and is only available in English.

Besides, while the free plan is quite generous, the paid plan is relatively pricey (more than 1Password or Dashlane – and much more than Bitwarden).
People who subscribed before the end of July 2023 will get to keep their $1 / month pricing, but the regular price is $3.99 per month with a yearly subscription.

KeePass

Free and Open Source.
However, it's definitely not as user-friendly as the other options.
By default, the password database is stored 100% locally on your PC, and synchronizing it to other devices involves a bit more setup.

There are also a few variants, such as KeePassXC.

Alternatives to avoid

LastPass

LastPass is not up to par with the aforementioned password managers, security-wise.
Some data isn't encrypted, notably website URLs.

It also suffers from security issues fairly regularly.
In 2022, a serious breach resulted in attackers obtaining some user data, including billing addresses, emails, IP addresses, and vault data.

While the encrypted data (i.e. passwords) is protected by the user's master password – assuming it isn't too short or predictable – the leak of unencrypted data presents a privacy risk, and can be used to perform social engineering attacks, targeted phishing, etc.

Google Password Manager

Using your browser's built-in password manager locks you into its ecosystem, and is not as convenient as a full-fledged password manager for everything that isn't a website.
By contrast, Bitwarden, 1Password and Dashlane are also able to auto-fill password fields in mobile apps, and provide dedicated apps that do not depend on a browser.

Even more concerning: by default, Chrome encrypts your passwords using a key that is stored in your Google account, effectively giving Google access to all of your passwords…
A more secure mode of operation was introduced recently (on-device encryption), but you need to enable it manually.

Further reading