qqkb

password manager

Sep 01, 20249 min read

recommendations to family re: passwords and online security

see also: password security

Overview

  • turn on two-factor authentication
    • print and save recovery codes
  • use strong passwords
    • use a password generator – it needs to be random
    • don’t reuse passwords for different sites – it needs to be unique
    • 72 bits of entropy is a “good enough” authentication password for almost anything
      • sometimes less is ok but it depends on specifics
      • but… no reason not to go higher if you use a password manager
      • password
        • min length 12 characters
        • pick from: upper case, lower case, numbers, symbols
        • example: 7z*GUoEQog#p
      • passphrase
        • alternative to password
        • randomly chosen words
        • min 6 words from a standard list of 7776 words
        • example: concrete take surgical balmy connector flashily
  • use a password manager
    • there’s no way to memorize 100+ unique strong passwords
    • I use Bitwarden and recommend it
    • choose a strong master password
      • if you lose the password there’s no way to recover it
    • security design
      • the encryption happens on your computer
      • Bitwarden never has your password
      • encrypted vault is synced to the cloud
    • usage
      • browser plugin and mobile app will auto-type the password for you
  • backups
    • make sure you have backups for anything that might happen
    • password manager
      • master password
      • 2fa recovery codes
      • backup of vault
    • other accounts
      • have a recovery email set
      • 2fa recovery codes
  • emergency
    • various ways of allowing access in an emergency if desired

Basics

  • important accounts: banks, email, social media
    • very important: the email used as the recovery email for other accounts
  • consider: risk of getting locked out
    • banks will generally authenticate by other means
    • with Gmail and social media you may be out of luck
  • turn on 2fa (two-factor authentication)
    • you get an SMS text message with login code sent to your phone number
    • what if you lose access to your phone?
      • must also print single-use 2fa recovery codes
    • (optional) TOTP authenticator app or FIDO2 security key (Yubikey) or passkey
      • easier than typing in codes
      • SMS is susceptible to SIM-jacking attack
  • turn on email notifications for login attempts
    • if someone is trying to log in to you’re account, you’ll know

Passwords

  • what is a password?

    • old idea: remember a hard-to-guess combination of letters, numbers, symbols
      • but now attackers can try billions of combinations per second
      • people pick bad passwords no matter how much you tell them not to
      • nobody can remember 100+ unique, strong passwords
    • new idea: use a password manager, don’t try to remember
      • 2fa as the first factor, and the password is an extra factor
      • bad passwords and phishing aren’t as big a deal
    • so… use a password manager!

  • what is a password for?

    • encryption - protecting a secret, even if the attacker has the file and can try billions of combinations per second
      • AES-128 is recommended & requires many times the current age of the universe to try all combinations
    • authentication - verifying you are who you say you are
      • e.g., logging in to a web site
      • this is generally what we’re concerned with
      • easier to protect
        • you can always change the password
        • you can limit the number of guesses

  • types of attacks

    • brute force - trying combinations of letters, numbers, symbols until a match
      • dictionary attack - trying dictionary words and other common patterns
    • phishing - you type your password into a convincing fake web site
      • now they have your password!
    • data breach - they break into the web site and download the whole database
      • passwords are protected in the database by hashing
      • but it may be worth brute forcing if a poor hash algorithm was used or the passwords are unsalted
    • password reuse - they get your password by breaking into an unimportant site
      • then they try it with important sites to see if you reused it

  • best practices

    • never reuse passwords on different sites!
      • not even with small variations
    • never click links in emails! it may be a phishing site
      • instead, type in the web address yourself and log in normally
    • never give your password or 2fa code to anyone by phone, text, or email
      • only enter it on the web site
      • they will never ask for it

  • what’s a good password

    • unique and randomly generated
    • must be strong enough
      • short answer: 12-character long password of upper case, lower case, numbers, symbols
    entropyexampledifficulty to crack
    maxed128 bitsT*H9&2Qpp9rRH42^LeXU~longer than age of universe
    strong72 bits7z*GUoEQog#p$10 trillion in GPU time
    good60 bitscLJF9%!MnE$3.4 billion in GPU time
    typical40 bitst9gfD3m$3200 in GPU time
    weak24 bitsozjph15 minutes
    • maxed: as strong as AES-128 key
      strong: recommended minimum password strength
      good: fine now, but future?
      typical: likely to be cracked in an unsalted data breach
      weak: quickly cracked in minutes offline… but still > 10 years* to crack if web site is properly rate-limited and 100% secure (big if!)

  • passphrases

    • alternative to passwords
    • randomly chosen words from a list of 7776 words
    • easier to remember, easier to type on phones
    • most password managers can generate random passphrases
    • short answer: 6 random words
    entropypassphraseexample
    maxed128 bits10 wordscoveted porous elk barista grub rule subsiding purebred pants debit
    strong72 bits6 wordsconcrete take surgical balmy connector flashily
    good60 bits5 wordsunbaked reload catalog requisite employer

Password managers

  • password managers

    • Bitwarden - free, secure, does everything you need, synced automatically
      • I use this one and this is my recommendation
    • 1password - $36/year, secure, somewhat nicer to use, synced automatically
    • KeePassXC - free & open-source software, for technical users, not synced to cloud, you manage your backups yourself

  • Bitwarden usage

    • set a strong master password which encrypts the vault
    • vault is automatically synced to the cloud
    • clever architecture… your password never leaves your device and BitWarden has no way to decrypt your passwords
      • make sure you back up your master password!
    • you can use web app, browser plugin, native app, and mobile app
      • all roughly equivalent
      • plugin can auto-type the password

  • Bitwarden security architecture

    • master password encrypts a longer encryption key; that key encrypts the vault
    • cloud server stores hashed password (hashed), account encryption key (encrypted), and vault (encrypted)
    • to log in and download, the cloud server checks the master password hash and (optional) 2fa
    • account encryption key (encrypted) and vault (encrypted) are also stored locally
    • to unlock vault, master password is used to decrypt account encryption key, which is used to decrypt the vault
    • part of what makes the design secure is that the encryption process happens on your computer so your password is never transmitted to BitWarden

  • Bitwarden setup

    • decide: will spouses use the same account or each have their own?
      • Bitwarden premium/family plan has nice features to share groups of passwords between family accounts
    • sign up at bitwarden.com
    • choose a good master password
      • how long? recommend 6 word passphrase
        • 5 word may be ok if 2fa turned on
        • 4 word may be ok if only storing less-important passwords (no banks)
      • use password generator: https://bitwarden.com/password-generator/
        • set type to passphrase, words to 6, word separator to space
      • immediately write down and save the master password
        • if you lose it there is no way to recover it!
    • decide: turn on 2fa for password manager?
      • benefit: even if someone gets your password (via phishing attack, logging in on a public computer, keylogger malware infection, etc.) they probably won’t be able to log in and download your vault
      • risk: if you lose your 2fa method (lost phone, lost access to email address) then you lose access to log in to the account (though you can still decrypt your local copy of the vault)
      • my opinion:
        • it’s definitely a good idea and significantly improves security
        • maybe ok to turn off if you only use Bitwarden on your own computer and laptop
        • if you turn it on, you should also add a backup 2fa and keep the 2fa recovery code in a safe place, plus a copy offsite!
    • add a test entry
    • install browser plugin if desired
      • update settings to adjust auto-lock
    • install mobile app if desired
      • update settings to adjust auto-lock
      • configure phone settings to use Bitwarden for auto-typing passwords
    • start using it
      • ok to start with less important passwords at first while getting used to it
      • ok to write down master password at first and keep in your wallet/purse until you have it memorized

  • Bitwarden usage

    • use the built-in password generator for new passwords
      • since you’re using the password manager to remember your passwords, you can use very strong passwords
    • password manager should auto-lock after ~few minutes without being used
      • can configure to unlock again with fingerprint or short PIN code for less inconvenience

Backups

  • Bitwarden backup plan
    • what if…
      • what if you forget / lose your master password?
      • what if you lose your phone?
      • what if you lose access to your email?
      • what if there’s a fire and you lose everything at home?
        • need backups somewhere offsite
      • what if the BitWarden cloud shuts down or corrupts your data?
        • very unlikely, but you should keep your own backups of the vault data
        • you also have the local copy of the vault kept on your device
    • what you need to recover
      • email address
      • master password
      • 2fa method or 2fa recovery code
    • what to do
      • write down or print an “emergency kit” with email address, master password, 2fa recovery code
        • keep it in a secure place like a fireproof safe or safety deposit box
      • back up the local copy of the (encrypted) vault and (encrypted) account encryption key
      • Bitwarden lets you export an unencrypted plaintext copy of the vault data
        • export it, encrypt it yourself, and save it wherever you keep your backups
  • Bitwarden emergency access
    • option 1: shared account or shared passwords with spouse
    • option 2: keep master password and 2fa recovery code in a secure location with other documents, maybe a fireproof safe
    • option 3: give half the the password to one trusted person and half to another, also 2fa recovery code in a safe place
    • option 4: Bitwarden emergency access (premium feature)
      • designate someone as emergency contact
      • in an emergency they request access to your vault
      • you can reject the request
      • after a wait of several days they are given access

Scams

  • if someone calls you and says they are from your bank, assume it’s a scammer
    • don’t give them your account information
    • ask them to tell you something only your bank would know about you
    • ask if you can call back via the 1-800- number on the bank’s web site
    • that said, many companies have bad security practices and call customers, then ask them to verify name, DOB, SSN, acct no, etc.! they shouldn’t!
  • if someone you know calls and says it’s an emergency and they need you to transfer money to them, assume it’s a scammer
    • even if it sounds just like someone you know and care about!
    • AI deepfakes can convincingly simulate audio (and video) of anyone you know
    • ask them to tell you something only the real person would know

Further reading:

Graph View

Backlinks