Password management, KeePassXC & Diceware

Why is password management so important?

Most people use weak passwords and reuse them across websites. That is a problem: every site should get its own strong, unique password, and the only practical way to manage that many passwords is a password manager.

A password manager stores the login information for every website you use (including your email) and helps you log in automatically. The password database is encrypted with a master passphrase, which is easier to memorise than dozens of complex, unique passwords. That master passphrase is the only thing you have to remember; it is also the single secret protecting everything else, which is why it has to be genuinely strong (hence Diceware, below).

Password reuse is a serious problem because of the many password leaks that occur each year. When a site you use is breached, attackers typically obtain an email address, username and password combination that they then try on other websites (so-called credential stuffing). If you use the same login information everywhere, a leak at one website can give them access to all your accounts. If someone gains access to your email account this way, they can use password-reset links to take over other accounts, such as your online banking or PayPal account.

Personal information in passwords

While it is not recommended, internet users tend to include personal information in their passwords for easy memorisation. The trouble with using personal information to construct passwords is that it gives attackers a leg up in cracking them: if they can find out more about the person, they can make educated guesses about their passwords.

And how do they find out more about a person? Same as the rest of us – a Google search, a lookup on Facebook, LinkedIn, Twitter, Pinterest, etc. At the same time, they will note a person’s interests in case they are presented with security questions when they attempt to gain access to the systems on their hit list. Social media sites are fountains – or geysers, actually – of information for even the most inexpert of attackers.

In the tutorial, I walk you through the steps of creating a Diceware passphrase and installing KeePassXC. The Diceware passphrase will be the key to the castle, so to speak: you use it to open the vault.

Tutorial was kindly and beautifully produced by my friend Seán Hannan – thank you!

KeePassXC

KeePassXC is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, fully cross-platform and modern open-source password manager.

Huge improvements have been made, and usability is definitely at the forefront now. You can even generate passphrases in the tool itself, although I personally enjoy using the old-school analogue dice method to create real, tangible entropy.

KeePassXC’s documentation is extensive, and combined with the supporting screenshots you will be able to set up KeePassXC without issues.

KeePassXC documentation, screenshots and database security

Documentation: https://keepassxc.org/docs/

Screenshots: https://keepassxc.org/screenshots/

Information on the security of your password database (the .kdbx file), from the documentation of KeePass Password Safe, the original project whose database format KeePassXC uses: https://keepass.info/help/base/security.html

There are browser plug-in integrations available as well, and the database can also be used in mobile applications for both Android and iOS. The browser plug-ins should be safe to use, and are definitely handy, but keeping KeePassXC open and copying your passwords from there is a tad safer, as you remove one in-between step that could potentially be another attack vector. Two caveats: the clipboard can be read by other applications on your machine, so keep KeePassXC’s option to clear the clipboard after a short timeout enabled; and the browser plug-in only offers credentials for the site they were saved for, which protects you from pasting a password into a look-alike phishing page. It all depends on your threat model.

Mobile password manager

I’m using Strongbox on my phone (iOS) to open my KeePassXC database. Strongbox is open source and offers several ways of transferring your KeePassXC database (.kdbx file), including e.g. Dropbox and Google Drive. I’d personally pick the option of transferring the database over the local network, as this is a bit more secure. Bear in mind that the .kdbx file is encrypted, so what a cloud provider (or anyone who obtains the file) gets is the chance to brute-force your master passphrase offline; having your password database in ‘the cloud’ is therefore mostly tricky for organisations and people that rattle secret service cages, not so much for regular users with a strong passphrase.

Please be mindful that using your work email and other work-related things on your phone can be dangerous, especially if you don’t have proper security measures set up, e.g. a strong passcode to unlock your phone and timely updates. If you are unsure whether you may use work-related things on your phone, ask your manager or check your organisation’s policies.

Strongbox has extensive user guides, which will help you set it up.

Diceware

Below are the best Diceware resources.

https://www.eff.org/dice

https://en.wikipedia.org/wiki/Diceware

https://theintercept.com/2015/03/26/passphrases-can-memorize-attackers-cant-guess/
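To make the Diceware procedure concrete, here is an added example (my own code, not from the page, the EFF or the KeePassXC project) that does what the dice method does: roll five dice per word, look the five-digit key up in an EFF-style wordlist, and join the words. It also computes the passphrase’s entropy and the expected time an attacker would need to brute-force it at an assumed guess rate, which is what the "brute-forcing" links further down are about. The embedded wordlist is a constructed nine-line excerpt so the example runs offline; the entropy figures use the full list’s size of 6^5 = 7776 words, and the 10^12 guesses/second rate is an assumption for illustration.

```python
import math
import secrets
from typing import Callable, Dict

# Constructed excerpt of an EFF-style Diceware wordlist: each line is five
# dice digits (1-6), a tab, and a word. The real EFF large list has 6^5 = 7776
# entries; only a few are embedded here so the example runs offline.
SAMPLE_WORDLIST = """\
11111\tabacus
11112\tabdomen
11113\tabdominal
11114\tabide
11115\tabiding
11116\tability
11121\tablaze
11122\table
66666\tzoom
"""

WORDS_ON_FULL_LIST = 6 ** 5  # 7776 words on the real EFF large list


def parse_wordlist(text: str) -> Dict[str, str]:
    """Parse 'ddddd<tab>word' lines into a dict keyed by the five dice digits."""
    table: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, word = line.partition("\t")
        if len(key) != 5 or any(c not in "123456" for c in key) or not word:
            raise ValueError(f"line {lineno}: malformed wordlist entry {line!r}")
        table[key] = word
    return table


def roll_die() -> int:
    """Software equivalent of one physical die: uniform 1..6 from the OS CSPRNG."""
    return secrets.randbelow(6) + 1


def scripted_rolls(digits: str) -> Callable[[], int]:
    """Return a roll function replaying fixed dice digits (for demos and tests)."""
    it = iter(digits)
    return lambda: int(next(it))


def diceware_passphrase(n_words: int, table: Dict[str, str],
                        roll: Callable[[], int] = roll_die, sep: str = " ") -> str:
    """Roll five dice per word, look up each five-digit key, join the words."""
    words = []
    for _ in range(n_words):
        key = "".join(str(roll()) for _ in range(5))
        if key not in table:
            raise KeyError(f"no word for roll {key}: wordlist is incomplete")
        words.append(table[key])
    return sep.join(words)


def entropy_bits(n_words: int, list_size: int = WORDS_ON_FULL_LIST) -> float:
    """Entropy of n uniformly chosen words: n * log2(list size)."""
    return n_words * math.log2(list_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random passphrase: half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_WORDLIST)
    # Scripted rolls (constructed) so the demo works with the small excerpt;
    # with the full EFF list loaded into `table`, use the default roll_die.
    print(diceware_passphrase(2, table, roll=scripted_rolls("1111111112")))
    for n in (5, 6, 7):
        bits = entropy_bits(n)
        years = expected_crack_seconds(bits, 1e12) / (365.25 * 24 * 3600)
        print(f"{n} words: {bits:.1f} bits, ~{years:,.0f} years at 1e12 guesses/s")
```

Each word from the full list contributes about 12.9 bits, so six words give roughly 77.5 bits; even at the assumed 10^12 guesses per second that is thousands of years on average, which is the margin you want for the one passphrase that protects the whole vault.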

Other links

For those who are curious what so-called “brute-forcing” means, here is more information.

And the Wikipedia password cracking entry is here.