Password management, KeePassXC & Diceware

Why is password management important?

The majority of people use weak passwords and reuse them on different websites. This is problematic, as you should use strong and unique passwords for each website. The best solution is using a password manager.

A password manager stores the login information for every website you use (including email) and helps you log into them automatically. The password database is encrypted with a master passphrase, which is easier to memorize than a set of complex and unique passwords. That master passphrase is the only thing you have to remember.

Password reuse is a serious problem because of the many password leaks that occur each year. When your password leaks, malicious individuals often obtain an email address, username, and password combination that they can try on other websites. If you use the same login information everywhere, a leak at one website could give people access to all your accounts. If someone gains access to your email account in this way, they could use password-reset links to access other websites, such as your PayPal account. This is especially problematic if you have not set up a second means of authentication, known as two-factor authentication, or 2FA.

Personal information in passwords

While it is not recommended, internet users tend to include personal information in their passwords for easy memorization. The trouble with using personal information to construct passwords is that it gives hackers a leg up in the task of cracking them. If they can simply find out more about the person, then they can take educated guesses about their passwords.

And how do they find out more about a person? The same way as the rest of us: a Google search, a lookup on Facebook, LinkedIn, Twitter, Pinterest, etc. At the same time they will note a person's interests in case they are presented with security questions when they attempt to gain access to the systems on their hit list. Social media sites are fountains of information for even the most inexpert of hackers.

In the tutorial, I walk you through the steps of creating a Diceware passphrase and installing KeePassXC. The Diceware passphrase is the key to the castle, so to speak: you use it to open the vault.

The tutorial was kindly and beautifully produced by my friend Seán Hannan. Thank you!

KeePassXC

KeePassXC is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bug fixes to provide a feature-rich, fully cross-platform and modern open-source password manager.

Huge improvements have been made and usability is definitely at the forefront. You can even generate passphrases in the tool itself, although I personally enjoy using the old-school analogue dice method to create real, tangible entropy.

KeePassXC documentation, screenshots and database security

KeePassXC’s documentation is extensive, so it will be easy to set it up: https://keepassxc.org/docs/

Screenshots: https://keepassxc.org/screenshots/

Information on the security of your password database (.kdbx file), from the documentation of KeePass Password Safe, the original program that KeePassX and KeePassXC are ported from: https://keepass.info/help/base/security.html

There are browser plug-in integrations available, and the database can also be used in mobile applications for both Android and iOS. The browser plug-ins should be safe to use, but keeping KeePassXC open and copying your passwords from there is a tad safer, because it removes one intermediate component that could be an additional attack surface. It all depends on your threat model.

Mobile password manager

I'm using Strongbox with KeePassXC on my phone. Strongbox is open source and offers several ways of transferring your KeePassXC database (.kdbx file), including Dropbox and Google Drive. I'd personally pick the option of transferring the database over the local network, as this is a bit more secure. Having your password database in 'the cloud' is mostly tricky for organizations and users with an elevated threat level, such as journalists and NGOs working on defending human rights and fighting censorship. The .kdbx file is encrypted and protected with the master passphrase.

Please be mindful that using work email and other work-related things on your phone can be dangerous. This is especially the case if you don't have proper security measures in place, such as a strong passcode to unlock your phone and timely updates. If you are unsure whether you can use work-related things on your phone, please ask your manager or check your organization's policies.

Strongbox has extensive user guides, which will help you set it up.

Diceware

Below are links to the best Diceware resources.

https://www.eff.org/dice

https://en.wikipedia.org/wiki/Diceware

https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/
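To show what the dice method above actually does, here is an added example (not code from the tutorial, from KeePassXC or from the EFF): five dice rolls form a key that selects one word from a 7776-word list, so each word adds log2(7776), about 12.9 bits of entropy. The wordlist text is a constructed six-line excerpt in the EFF file format, not the real list; the roll function can be swapped for physical dice.

```python
"""Diceware: five dice rolls select one word from a 7776-word list."""
import math
import secrets
from typing import Callable, Dict, List

# Constructed sample in the EFF wordlist file format ("<5 dice digits><tab><word>").
# The real list at https://www.eff.org/dice has 7776 lines; these six lines are
# made-up data for this example only.
SAMPLE_LIST_TEXT = """\
11111\tabacus
11112\tabdomen
36221\tlantern
44444\tpancake
52315\tquartz
66666\tzoology
"""


def parse_wordlist(text: str) -> Dict[str, str]:
    """Parse 'key<tab>word' lines; every key must be five digits in 1..6."""
    words: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, word = line.split("\t", 1)
        if len(key) != 5 or any(c not in "123456" for c in key):
            raise ValueError(f"bad dice key: {key!r}")
        words[key] = word.strip()
    return words


def roll_die() -> int:
    """One die roll (1..6) from the OS CSPRNG; replace with physical dice if preferred."""
    return secrets.randbelow(6) + 1


def dice_key(roll: Callable[[], int] = roll_die) -> str:
    """Roll five dice and join them into a wordlist key such as '36221'."""
    return "".join(str(roll()) for _ in range(5))


def passphrase(words: Dict[str, str], n_words: int = 6,
               roll: Callable[[], int] = roll_die) -> List[str]:
    """Pick n_words words by dice. Every roll is used as-is: no rerolling, no choosing."""
    chosen = []
    for _ in range(n_words):
        key = dice_key(roll)
        if key not in words:
            raise KeyError(f"key {key} missing from wordlist (incomplete list?)")
        chosen.append(words[key])
    return chosen


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy when each word is drawn uniformly and independently from the list."""
    return n_words * math.log2(list_size)
```

With the full 7776-word list, six words give about 77.5 bits; a word list that is missing keys, or a generator that discards rolls it does not like, would silently reduce that figure.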

Other links

For those who are curious what so-called "brute-forcing" means, here is more information.

And the Wikipedia password cracking entry is here.