Passwords...aren't they a pain? I used to think it was difficult and time consuming to safely create and remember really strong, unique passwords. Then came the task of storing them securely while guarding against hardware failures and/or corruption. A bunch of years ago I came up with a good way to solve these issues for myself so I figured I'd share how I tackle this challenge.
I settled on LastPass a long time ago and I've been very happy with it. Some people might argue that storing this kind of data in a third party's cloud service is more risky which is true to an extent. I've talked to other people that use KeePass where the challenge for them is keeping the database (and key file) safe. Safe can mean different things to different people but for this case I'm assuming it means that the data is secure (not just encrypted but encrypted with the right cipher and mode), resilient to events where data loss occurs, and is resilient to silent failures such as corruption. There are pros and cons to each situation but one of the reasons why I trust LastPass a little more than some random service is because I have been able to read and understand how their overall system works. They've been pretty good at being open with how they do things and have had some crypto experts audit them over the years. There is too much to write about all the measures LastPass takes in this article so if you're interested you'll be able to find the resources detailing their architecture and internals pretty easily. This is a good tl;dr.
My master password is 20 characters long and contains all possible character sets. It's also completely random gibberish and is in no way a word or abbreviation for something. I made sure to focus on these aspects up front since having a really strong master password is incredibly important. The password is hashed via PBKDF2 (implemented using SHA-256 and NOT SHA-1) using 10k rounds. PBKDF2 basically turns your password into an encryption key. More importantly, it's designed to be very slow which makes brute force attacks a waste of time. After this process, one more round of PBKDF2 is applied to create another hash. This hash is then sent over to LastPass via a strong TLS connection. This means that my master password or the real key itself never goes over the wire in its original form. Since the hash applied to the key generated via PBKDF2 is a one-way hash this means that even if someone was somehow able to break through the TLS layer all they'd get is the hash, not the password or the actual key itself. To me this is a great example of a layered approach to security. The downside to all of this is if I forget my master password then I'm toast.
All data in my "vault" is encrypted with AES-256 and is only decrypted with the key that's generated from my master password via PBKDF2. Like earlier, the drawback to this is if I can't get my key to unlock my vault then it's game over. I prefer it this way instead of a company holding the power to somehow unlock your data or recover your password for you. I think if those kinds of measures are in place then the system is designed wrong.
A while back I hadn't enabled two factor authentication since I was so used to the convenience of how I had everything set up at the time. It was only a few years ago that I decided to enable it since I found working with tools like Google Authenticator or LastPass Authenticator to ease some of the pain.
I'll come right out and say it: I don't know any of my passwords. Here's an idea of what most of my
passwords look like.
The trade-off here is that my passwords are incredibly more secure than what they would be if I picked
ones I could remember. I have 100+ passwords that I need to keep track of so there is no way I would be
able to manage or remember that many strong passwords on my own.
I think password managers are great and I see the pros far outweighing the cons for almost all use cases. I highly recommend anyone that doesn't use this method to switch over, whether it's with a service like LastPass or something less cloud-based like KeePass.
VMware
Verizon Labs
CVS Health
VE Industries
FSU
Spirinet Technology Services
East Coast
Publications
Port
Authority
Period
Killer
Character Counter
Hash
Generator
MesosCon 2017
GitHub
Twitter
LinkedIn