Secure password management with availability in mind for mere mortals

So let’s presume you have several accounts with different internet services that require authentication to access and control, ranging from sensitive (government gateways, internet and phone banking, email accounts, etc.) to “less” sensitive ones (social platforms, networking, etc.).
Suppose you own or manage a business; now you have twice as many accounts.
Suppose you are a developer (or, even worse, a system administrator); now you have a hundred times as many usernames, passwords and keys to manage.
If you use the same username-password combination, or even just the same password, across all of your accounts, don’t be surprised when you eventually get hacked: a single leaked password database at any one of those services hands an attacker the password for all the others. Besides password strength, password diversity is one of the main aspects of a secure password management strategy.

First step, choose a master password for yourself. Make it at least 15-20 characters long, with a few capital letters and numbers and maybe a punctuation mark; length does more for you than any single special character. Don’t write this down anywhere, just remember it. Now choose another one, and remember this one as well. Let’s call these masterPassword1 and masterPassword2.

The critical, secure(!) services that you need to access on a day-to-day basis, like your email, your internet banking and your cloud storage account, are going to use your masterPassword1. Where possible, set up two-factor authentication on these accounts as well. Remember, try to reduce the number of services where you use masterPassword1 as much as you can, optimally to 3-4 critical services at most: every additional service that sees masterPassword1 is another place where it can be phished or leaked.

Secure password management with KeePass

Now download a password manager program; we are going to use KeePass 2 here. It is available for Linux/Mac/Windows, and it is free.
You will store all the other sensitive account credentials here. These will be passwords even you don’t remember.
So open up KeePass, and create a new KeePass database file.
When you create a new database, KeePass will prompt you for a master password; enter your previously chosen masterPassword2 here. You must not forget this one, as it gives you access to all of your other sensitive accounts stored in this password database file.
So just to give you an overview of how it works:

“KeePass database files are encrypted. KeePass encrypts the complete database, i.e. not only your passwords. The user names, notes, etc. are encrypted, too …
These algorithms are well-known, analysed thoroughly and considered to be very secure (see [1] for comments by the NIST on AES for example). AES e.g. became effective as a U.S. Federal government standard and is approved by the National Security Agency (NSA) for top secret information.”

http://keepass.info/help/base/security.html

Now add all your other sensitive account credentials to the KeePass database file (KeePass lets you store the username and related notes with each entry as well).
Choose a different long random string for each of your password entries (20-30 characters, mixing letters, numbers and symbols; KeePass has a built-in generator under Tools > Generate Password that does exactly this), and set them on your accounts.
When done, save the KeePass database.
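As an added example (my code, not part of the original post and not KeePass’s own), here is what “long random string” has to mean in practice: every character is drawn from the operating system’s cryptographic random source, with rejection sampling so no character is favoured by modulo bias, and the guessing work is computed from length and alphabet size. The alphabet is an assumption of mine; KeePass’s own generator does the same job inside the program.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"strings"
)

// Alphabet for generated passwords: letters, digits and a handful of symbols
// that most web forms accept (an assumption; trim it for sites that reject
// symbols). 74 characters, so each one contributes log2(74) ~ 6.2 bits.
const Alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&*+-=?@_"

// randomIndex returns a uniformly distributed integer in [0, n) from the OS
// CSPRNG. Bytes at or above the largest multiple of n that fits in a byte are
// rejected, so every index is equally likely (a plain `b % n` would not be).
func randomIndex(n int) int {
	if n <= 0 || n > 256 {
		panic("alphabet size must be between 1 and 256")
	}
	limit := 256 - (256 % n)
	var b [1]byte
	for {
		if _, err := rand.Read(b[:]); err != nil {
			panic(err) // a failing CSPRNG must never be papered over
		}
		if int(b[0]) < limit {
			return int(b[0]) % n
		}
	}
}

// GeneratePassword builds a password of the requested length by drawing each
// character independently and uniformly from alphabet.
func GeneratePassword(length int, alphabet string) string {
	var sb strings.Builder
	sb.Grow(length)
	for i := 0; i < length; i++ {
		sb.WriteByte(alphabet[randomIndex(len(alphabet))])
	}
	return sb.String()
}

// EntropyBits is the brute-force work for a uniformly random password:
// length * log2(alphabet size). It only holds for passwords generated this
// way; a human-chosen password of the same length is far weaker.
func EntropyBits(length, alphabetSize int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

func main() {
	for _, n := range []int{20, 30} {
		pw := GeneratePassword(n, Alphabet)
		fmt.Printf("%2d chars: %s  (~%.0f bits)\n", n, pw, EntropyBits(n, len(Alphabet)))
	}
}
```

A 20-character password from this alphabet carries about 124 bits of entropy; at 30 characters it is about 186 bits. Either is far beyond what anyone can brute-force, which is the point of letting the manager remember them instead of you.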

Now you are worried: what if you lose this KeePass database file and can’t access any of your accounts anymore? True. First of all, let’s make this KeePass database file harder to crack. Whoever gets hold of the file can guess master passwords against it offline, at full speed and without any lockout, so the aim is to make every single guess as expensive as possible.
Click on File > Database Settings > Security. Here you can see an input field “Number of key transformation rounds”. Set this to 6 million (6000000). The “1 Second Delay” button next to it picks a value such that unlocking the database takes about a second on the machine you are sitting at, which is a good sanity check for whatever number you choose.

“By default, KeePass sets N to 6000 encryption rounds (full encryptions are meant; N has nothing to do with the internal encryption rounds of AES). This number has been chosen in order to provide compatibility with portable device versions (PocketPC processors are slower, therefore the key computation takes longer)
…If you are using KeePass on PC only, it is highly recommended to increase the number of key transformation rounds.”

http://keepass.info/help/base/security.html

Going from 6,000 to 6,000,000 rounds makes every guess of masterPassword2 a thousand times more expensive for an attacker who has a copy of the file, at the price of a noticeable delay (around a second on a desktop, longer on a phone) every time you open the database. Keep in mind that the rounds only multiply the attacker’s work; the real protection is still a long, random masterPassword2, because a short or guessable one falls to brute force regardless of this setting. Newer KeePass versions (2.35 and later, KDBX 4) can also use Argon2 as the key derivation function, which is the better choice where it is offered. Save your password database again.
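To see what the rounds setting actually buys, here is an added example (my code, not KeePass’s) that reimplements in Go, with the standard library only, the AES-KDF key transformation used by the KDBX 3.x database format, and times it at 6,000 versus 600,000 rounds. The password and the transform seed are constructed for the demonstration; a real database stores a random transform seed and master seed in its header.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"fmt"
	"time"
)

// CompositeKey is what KeePass derives from a master password alone (no key
// file): SHA-256 of the SHA-256 of the UTF-8 password bytes.
func CompositeKey(password string) [32]byte {
	inner := sha256.Sum256([]byte(password))
	return sha256.Sum256(inner[:])
}

// TransformKey is the KDBX 3.x AES-KDF: the 32-byte composite key is treated
// as two AES blocks, each encrypted `rounds` times with AES-256 in ECB mode
// under the database's 32-byte transform seed, and the result is hashed once
// more. Every master-password guess must repeat this, so the attacker's cost
// per guess grows linearly with rounds.
func TransformKey(composite, seed [32]byte, rounds uint64) [32]byte {
	block, err := aes.NewCipher(seed[:])
	if err != nil {
		panic(err)
	}
	buf := composite
	for i := uint64(0); i < rounds; i++ {
		block.Encrypt(buf[:16], buf[:16])
		block.Encrypt(buf[16:], buf[16:])
	}
	return sha256.Sum256(buf[:])
}

// MasterKey is the final database key: SHA-256(masterSeed || transformedKey).
func MasterKey(masterSeed, transformed [32]byte) [32]byte {
	h := sha256.New()
	h.Write(masterSeed[:])
	h.Write(transformed[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// TimeDerivation measures one complete derivation at the given round count,
// i.e. the cost of a single master-password guess.
func TimeDerivation(password string, seed [32]byte, rounds uint64) time.Duration {
	start := time.Now()
	TransformKey(CompositeKey(password), seed, rounds)
	return time.Since(start)
}

func main() {
	// Constructed, fixed seed so the run is reproducible.
	var seed [32]byte
	for i := range seed {
		seed[i] = byte(i)
	}
	base := TimeDerivation("masterPassword2", seed, 6000)
	high := TimeDerivation("masterPassword2", seed, 600000)
	fmt.Printf("6,000 rounds:     %v per guess\n", base)
	fmt.Printf("600,000 rounds:   %v per guess (%.0fx)\n", high, float64(high)/float64(base))
	perGuess := high.Seconds() * 10 // linear scaling: 6,000,000 rounds is 10x more
	fmt.Printf("6,000,000 rounds: ~%.2fs per guess on this machine\n", perGuess)
	fmt.Printf("  one core then tries only ~%.0f master passwords per second\n", 1/perGuess)
}
```

The ratio printed for 600,000 against 6,000 rounds comes out close to 100, which is the whole effect: the rounds are a constant-factor slowdown applied equally to you and to the attacker. They turn a weak master password into a slightly less weak one, and a strong one into an unbreakable one; they cannot turn a six-character master password into anything safe.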

Now upload your password database file to a secure and trusted cloud service, so that it is accessible to you from anywhere in the world, even in case of personal hardware failure. Google Drive would do for now, as you can access it with the same password as your email account (masterPassword1), but I would recommend using more than one cloud service (for example Google Drive and Dropbox). Include these cloud service accounts in your “critical services” where you use masterPassword1, as you need to get into them to recover your password database file at any time. Remember to re-upload your password database file to the cloud whenever you make changes to it; otherwise the copy you recover will be missing your newest passwords. Be aware that anyone who can read the file in the cloud has an offline brute-force target, which is exactly why the key transformation rounds and the strength of masterPassword2 matter.
If you are reading this in the future, this technique will probably be outdated, so take it with a grain of salt. For the coming years you will probably be secure using this technique, but if you can find the time, replace all your passwords every year or so, especially masterPassword1!

So by having to remember only two long, complex passwords you achieve real password diversity and strength across your sensitive accounts.

Author: Nandor Persanyi
