Privacy tools - Password Manager

Image: brains connected to a computer chip.

Accounts and passwords

Accounts and passwords, you never seem to have enough of them. Discovered a new webshop? You get an account for free. Testing a new app on your phone? Create an account first.

On average, we collect about 100 to 150 accounts, of which we regularly use only around 10.

To be able to cope with such an amount mentally, a lot of people will use the same combination of email address (or username) and password for a lot of those accounts. Maybe, just maybe, the most important accounts (bank or primary email) get a different password. (But probably still not so different from that favorite password.)

Some people will think: "Not me, I have a system in place so I can create different passwords, but still remember them all!"

As I describe in the article about privacy mindset, you give up control over the processing and storage of your information once you decide to hand it over to another party. Your account information, including the password, is no different.

There is a saying that goes: "There are 2 sorts of companies: the ones that have been hacked and the ones that are to be hacked."

You should assume that your data will end up on the digital streets. Not just the information that is in the accounts, but also the information necessary to get in the accounts. Not all organisations encrypt your data with the best possible algorithms or in the best possible way, so you can be sure that your email address and password will be part of some of those future breaches.

And what could happen if you use the same password everywhere? Or how well is your 'system' for having a 'different' password everywhere designed to hold up when an attacker can see one or more of your passwords in plain text? Are you sure your system cannot be deciphered by someone smart?

When your email address is part of the leaked data as well, you can be sure that will be the first account an attacker tries to gain access to. Once your email account is accessed, it can be used to gain access to your other accounts by using the 'forget my password' feature of those accounts. It is also the means to access those 'passwordless' accounts, where you're emailed a temporary magic link to access your account.

Do you recognize your relationship with accounts and passwords in what I describe above? Then we have work to do!

But don't worry, with this article I will help you get started!

Password manager

The solution to help you manage your accounts better is a password manager. As the name implies, this is a piece of software or 'an app' that creates a digital vault to help you manage your passwords and other sensitive data.

This vault is (you guessed it) protected with a password, the 'master password'. Starting today this is the most important (and soon hopefully the only or one of the few) password you will have to remember.

This means you should really put some effort in creating this password. No simple passwords. No relation to any existing passwords. No short, easy to enter little word.

Our 'master password' should protect our vault against 'brute force' attacks (computers that try 'every' possible combination at great speeds) and against people trying to guess it. But you should be able to remember it easily.

This needs to be something good.

"But what is a good password?", I hear you asking. While opinions on the matter differ, it is safe to say that the longer a password, the better. It is not strictly necessary to add lots of special characters to 'enhance' your password. Actually, the concept of a sentence or 'passphrase' should be considered.

When you combine some (preferably unrelated) words, you can quickly increase the length of the passphrase. If you link them together with a space, a hyphen or an underscore, you just added the special characters. Start the first (or every) word with a capital and you are combining 3 sorts of characters. To top it off, you can end with a number (or put it in front of one of the words).

The result is a long passphrase consisting of lower case characters, upper case characters, special characters and numbers, but most importantly: easy to remember.

An example could be: Kitchen-Overeager-Vehicle-Padlock-7Planes (5 words, total length: 41)

Do not use this passphrase!

Now it is your turn, make up your 'master passphrase'.
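To show the recipe above in working code, here is an added example (not part of the original article) that builds a passphrase the same way and checks the result for length and character classes. The wordlist is a small constructed sample; a real generator should draw from a large published list such as the EFF long list (7776 words), and the entropy helper shows why the list size matters.

```python
import math
import secrets
import string

# Constructed sample wordlist for this example only; far too small for real use.
WORDLIST = [
    "kitchen", "overeager", "vehicle", "padlock", "planes", "harbor",
    "velvet", "compass", "lantern", "orchard", "pebble", "quartz",
    "saddle", "thunder", "walnut", "zipper",
]

def make_passphrase(words=5, separator="-", wordlist=WORDLIST, rng=secrets):
    """Several randomly chosen words, each capitalised, joined by a separator,
    with a digit in front of the last word, e.g. Kitchen-Overeager-Vehicle-Padlock-7Planes.
    `rng` only needs a .choice() method; `secrets` gives cryptographic randomness."""
    chosen = [rng.choice(wordlist).capitalize() for _ in range(words)]
    chosen[-1] = rng.choice(string.digits) + chosen[-1]
    return separator.join(chosen)

def character_classes(passphrase):
    """Which of the four character classes the passphrase contains."""
    return {
        "lower": any(c.islower() for c in passphrase),
        "upper": any(c.isupper() for c in passphrase),
        "digit": any(c.isdigit() for c in passphrase),
        "special": any(c in string.punctuation or c == " " for c in passphrase),
    }

def check_master_passphrase(passphrase, min_length=20):
    """Return (ok, reasons): long enough and covering all four classes.
    The min_length of 20 is an assumption for this example, not a standard."""
    reasons = []
    if len(passphrase) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    for name, present in character_classes(passphrase).items():
        if not present:
            reasons.append(f"no {name} characters")
    return (not reasons, reasons)

def word_entropy_bits(words, wordlist_size):
    """Entropy from the word choices alone (uniform picks with replacement).
    Strength comes from how many words were picked from how large a list,
    not from the separator or the capital letters, which an attacker can assume."""
    return words * math.log2(wordlist_size)

if __name__ == "__main__":
    p = make_passphrase()
    print(p, check_master_passphrase(p), round(word_entropy_bits(5, 7776), 1))
```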

What is a good password manager?

Now you know how to secure your password vault. Next up is finding out what a good password manager is.

There are lots of password managers available and picking 'the best one' is almost impossible. Everyone has different needs and likes. In what follows, I will sum up some important points to look out for when selecting your password vault.

For starters, Open Source Software is always preferred. This is software whose code is available for anyone to see. This does not mean that we will start reading that code to see what happens. It does mean, however, that security researchers and enthusiasts can check the code. It also keeps the developers of the software honest: if they state something on their website that doesn't match the code, it is easy to find out.

Next, there is a clear difference between 'online' and 'offline' password managers. In other words, can you easily sync your passwords across multiple devices or would it take some effort?

Online password managers mostly use the infrastructure of the company that creates them to provide the ability to synchronize. This may come at some cost. Offline password managers are pieces of software that make your passwords available only on the machine itself. Synchronization of your passwords is possible as well, but you will have to take care of it yourself. In this case, you are not using someone else's infrastructure and you have very little or no extra cost.

Last, there are the different features that a certain password manager offers. Are integrations with browsers possible and is it easy to have the password manager autofill your account data? Does it offer to generate your 2FA (two factor authentication) codes? Does the password manager have a good password / passphrase generator built-in? Do you have to put in your 'master passphrase' every time to get access or can you make use of the biometrics on your smartphone (fingerprint, face scan)?

Online password manager

A reputable open source online password manager is Bitwarden. They offer different plans for both personal and business use cases. Each plan offers more features as the monthly fee increases. They also offer a free personal plan, which includes the most important features.

You will create an account on their servers (they offer EU and US options, to align with the different legislations) and download the application(s) you need: desktop, mobile, browser extension. In every one of those applications you will login with your account (remember to pick a good 'master passphrase'!) and you will have access to your passwords.

Your password vault is automatically synchronized between your devices and once synchronized, you don't need to be online to use it. Adding items to the vault does require a connection to the Bitwarden servers (i.e. being 'online') so the new items can be saved directly to your central vault.

To get started with Bitwarden, you can check out the following clips I made. They help you to create an account, install the browser extension and install the Android mobile app.

Bitwarden has a very streamlined user experience, so installation and configuration on iOS should be very similar.

Offline password manager

A good open source offline password manager is KeePassXC (for desktop and laptop), KeePassDX (for Android) and Strongbox (for iOS). Every one of these applications is able to open a password vault that is created by any of the other applications. They are all improved versions of the original KeePass.

As I said before, you only need to install the application and you can start creating a new vault. This vault is a secured file (again: remember to create a good 'master passphrase'!) that is stored on your computer or smartphone.

So, not in 'the cloud'.

No automatic backups.

No customer service when you lose access.

But also none of your data stored with a third party, at risk of being hacked.

No monthly fees and no financial details stored with a third party.

No third party that can decide if you get access to your own passwords.

No third party that knows when and from where you accessed your passwords.

By choosing an offline password manager, every aspect of using it becomes your own responsibility. You decide where you store it. You decide when and how many backups you have and where you store the backups. You decide which vault you have available on which device. And no-one is stopping you from creating multiple vaults.

For the daily usage, you can make use of the same components Bitwarden offers: a browser extension to autofill passwords on your desktop (the extension will link to the application on your computer) and a mobile app that is able to use the 'autofill' features of your smartphone.

Currently, I don't have any video clips for KeePassXC/DX and Strongbox, but I encourage you to search the internet a bit and to explore the software. It is easy enough to use!

How do we continue?

Now that you have a password vault ready, it is time to start using it.

I don't recommend starting by going over every account you have and saving the details to your vault. This is a highly unpleasant chore that requires a lot of patience (and time!).

Instead, I would encourage you to start with your most important accounts. Log in to the account, find your account settings and change your password. Have your password manager generate and store the new password and add the username and email address. Check out the other available fields and, if you feel like it, add some other important account information to the item in your password manager.

In the future, every time you login to an account that is not yet in your vault, repeat the same steps: change the password and save the information to your password manager.

This way you're spreading the time and effort, and eventually all your accounts become more secure.

Good luck!