Password Management for the paranoid

“Be Paranoid” is part of my job description, as an IT professional, so this article is going to be heavy on the paranoia settings.

There have been a lot of data breaches over the years, with millions of user accounts compromised and leaked onto the dark web. Odds are, if you have had an online account for a couple of years and haven’t changed its password for months or years, that account is compromised. This becomes more of a problem if you use the same password on multiple systems.

Say you have a Disqus account and a Google account, and you use the same password on both sites. Disqus had a major compromise some years ago, so it’s likely your Disqus password is out there. This in turn means your Google account is compromised. If you heard about the Disqus compromise you may have changed your password there, but the old password is still out there, so if you haven’t changed your Google password since that compromise it’s trivial for someone holding the Disqus breach data to guess your Google account password. Think about this for a while… It’s likely you use your Gmail address for all manner of important things, like bank communication or even communication with people like your doctor.

Still think password management is not something to take seriously?

The basic principles around password management are relatively simple:

  1. Be Paranoid
  2. Never use the same password at more than one place
  3. Change passwords often
  4. Use a good secure password manager
  5. Where a password must be used before you can get at your password manager (for example the password you have to supply to open your password manager), try to use a pass phrase. Something you can remember easily without writing it down, while not being easy to guess
  6. For passwords where you can access your password manager before needing them, use the password generator built in to your password manager to generate good passwords
  7. Be very careful about your password manager’s database and the unlocking key to open it, this is possibly the most sensitive piece of information you have

Which password manager?

There have been many password manager comparison articles, so this article doesn’t provide a comprehensive list. Personally, I use a combination of 1Password and KeePass2.

Where to store your stuff

1Password takes care of storing your database as part of the service.

The really sensitive stuff I put in KeePass2, so let’s have a look at that setup. This is where things get a bit odd. Your password manager database must be stored where you, and only you, have access to it.

A pretty paranoid way to do this is to use an SFTP server that only you have access to; for this a little f1-micro VM on Google Cloud Platform does quite nicely. This VM type is free (one per project) if hosted in the us-central region, but some people may feel the regulatory environment in the US doesn’t protect information quite as well as western Europe does. The choice of where to host and what to pay is up to you.

When setting up this VM, you need to make some changes to the default configuration. It’s best to add a non-default port to the sshd configuration and close down access to port 22 in the firewall configuration, so that your password database isn’t sitting behind the port that has become such a popular target for bad guys. I also always configure sshd to refuse password authentication, and then manage the keys that can access the account holding my password manager database very carefully.

Let’s say your VM has a DNS name of mybox1.example.com pointed at it (notice how I don’t call it something like passwordstore.example.com? See point 1 above), your password database is a file called mydata.kdbx in the home folder of user mystuff, and your sshd is configured to listen on port 26740. You also have the public part of an ssh key on your computer in the authorized_keys file for mystuff.
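As an added example (not part of the original post), here is a POSIX shell script that builds the sshd hardening described above and then checks it. It writes a drop-in with the non-default port, key-only authentication and only the database owner allowed in, emits a restricted authorized_keys line for a key, and audits an sshd_config for those settings. Port 26740 and user mystuff are the post’s own example values; the drop-in path, the `restrict`/`from=` key options and the placeholder key text are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds and checks the sshd
# hardening described above: non-default port, key-only authentication, and
# only the database owner allowed in. Port 26740 and user mystuff are the
# post's example values; the drop-in path and key text are assumptions.

SFTP_PORT=26740
SFTP_USER=mystuff

# Write the hardened drop-in to $1. On the server this would be something like
# /etc/ssh/sshd_config.d/10-paranoid.conf (assumed path; it only takes effect if
# the main sshd_config Includes that directory). In the demo $1 is a temp file.
write_sshd_dropin() {
    cat > "$1" <<EOF
# Listen on the non-default port only; port 22 is also closed in the cloud firewall.
Port ${SFTP_PORT}
# Keys only: no password or keyboard-interactive fallback.
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
# Nobody logs in as root, and only the database owner may log in at all.
PermitRootLogin no
AllowUsers ${SFTP_USER}
# The account needs SFTP, not a shell or tunnels.
Match User ${SFTP_USER}
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# Emit an authorized_keys line for $1 (a public key) that forbids forwarding,
# pty allocation and similar extras, and optionally only accepts the key from
# the address range $2. SFTP still works under "restrict".
authorized_keys_line() {
    if [ -n "$2" ]; then
        printf 'restrict,from="%s" %s\n' "$2" "$1"
    else
        printf 'restrict %s\n' "$1"
    fi
}

# Print the effective global value of directive $2 in config file $1.
# sshd keeps the FIRST value it sees for a keyword, and a Match block ends the
# global section, so the scan stops at either.
sshd_global_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { k = tolower($1) }
        k == "match" { exit }
        k == key { print $2; exit }
    ' "$1"
}

# Audit $1 against the post's rules. Prints "ok" and returns 0, or prints a
# semicolon-separated list of findings and returns 1.
audit_sshd_config() {
    findings=""
    port=$(sshd_global_value "$1" Port)
    [ -n "$port" ] && [ "$port" != "22" ] || findings="${findings}port-is-default;"
    pw=$(sshd_global_value "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    [ "$pw" = "no" ] || findings="${findings}password-auth-enabled;"
    root=$(sshd_global_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    [ "$root" = "no" ] || findings="${findings}root-login-allowed;"
    [ -n "$(sshd_global_value "$1" AllowUsers)" ] || findings="${findings}no-allowusers;"
    if [ -z "$findings" ]; then
        echo ok
        return 0
    fi
    echo "$findings"
    return 1
}

# Demo: the hardened drop-in passes, a stock-looking config does not.
demo() {
    tmp=$(mktemp)
    write_sshd_dropin "$tmp"
    printf 'hardened: %s\n' "$(audit_sshd_config "$tmp")"
    printf 'Port 22\nPermitRootLogin yes\n' > "$tmp"
    printf 'default:  %s\n' "$(audit_sshd_config "$tmp" || true)"
    authorized_keys_line 'ssh-ed25519 AAAAC3...PLACEHOLDER laptop' '203.0.113.0/24'
    rm -f "$tmp"
}

demo
```

On the real host, run `sshd -t` to syntax-check the result and `sshd -T` to print the effective configuration before restarting the service, and open the new port in the cloud firewall (and confirm you can log in on it) before you remove the rule that allows port 22; otherwise you lock yourself out of the box that holds your passwords.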

How do I access my passwords?

Well, to start off with, in addition to KeePass2 (which you should have anyway, since you created mydata.kdbx), you will need the IOProtocolExt plugin installed in it, and you need the Pageant program (part of PuTTY) installed. It’s likely you have this stuff installed already.

Before opening KeePass, you will need to run Pageant and load your ssh key into it. Ideally, looking at point 1 above, the key should be protected by a pass phrase, so that loading it into Pageant prompts you for that pass phrase to unlock the key.

Once Pageant is running and has your key loaded into it, you can start up KeePass and use the Open URL option to open your database. Using the example above, you would put sftp://mybox1.example.com:26740/mydata.kdbx in the URL field and mystuff in the User name field, leaving the Password field blank. Also select the option to remember user name only. When you click on OK the program will connect to your SFTP server, using the key loaded into Pageant to authenticate, and fetch your database.

Managing passwords

Now that you have a password manager set up and storing its database securely, you need to keep the discipline up and actually use it. I’m not going to tell people what to do, but I will point back to the basic principles above.

  • Change your passwords often, use the built-in password generator to create passwords.
  • Change your password manager database master pass phrase (used to unlock your password database) and your ssh key unlock pass phrase (used to unlock the key that fetches your password database) regularly, always to something you will remember but nobody will be able to guess.
  • Make secure backups of your passwords database and your ssh keys.
  • Keep an eye on your SFTP server to be sure it stays secure.
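To "keep an eye on" the server, here is an added example (not part of the original post) of a small auth-log review for the password-store host. It flags any successful login that was not made with one of the keys you installed (a password login, which the server should be refusing, or a key fingerprint you do not recognise) and counts failed attempts by source address. Host and user names are the post’s examples; the log lines and fingerprints are constructed placeholders, and in practice you would feed the script /var/log/auth.log or `journalctl -u ssh` output.

```shell
#!/bin/sh
# Added example, not part of the original post. Reviews sshd auth log lines for
# the password-store host so that a login by a key you did not install, a
# password login (which the server should refuse) or a run of failed attempts
# stands out. Host and user names are the post's examples; the fingerprints
# and log lines below are constructed.

# Fingerprints of the keys you installed yourself (placeholders): your laptop
# key and, if you use it, the key Keepass2Android generated.
ALLOWED_FPS="SHA256:LaptopKeyFingerprintPLACEHOLDER SHA256:AndroidKeyFingerprintPLACEHOLDER"

# Constructed sample lines in the shape OpenSSH writes to the auth log
# ("Failed publickey" lines only appear with LogLevel VERBOSE).
SAMPLE_LOG='Mar  3 10:01:12 mybox1 sshd[1201]: Accepted publickey for mystuff from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:LaptopKeyFingerprintPLACEHOLDER
Mar  3 10:05:40 mybox1 sshd[1210]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 10:05:41 mybox1 sshd[1210]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 10:06:02 mybox1 sshd[1212]: Failed publickey for mystuff from 198.51.100.9 port 40100 ssh2: RSA SHA256:UnknownKeyFingerprintPLACEHOLDER
Mar  3 11:20:03 mybox1 sshd[1305]: Accepted publickey for mystuff from 198.51.100.9 port 53001 ssh2: RSA SHA256:UnknownKeyFingerprintPLACEHOLDER
Mar  3 11:25:17 mybox1 sshd[1310]: Accepted password for mystuff from 198.51.100.9 port 53010 ssh2'

# Print every accepted login that was NOT made with an allowlisted key:
# either the method was not publickey, or the fingerprint is unknown.
unexpected_logins() {
    printf '%s\n' "$1" | awk -v allowed="$ALLOWED_FPS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /sshd\[[0-9]+\]: Accepted / {
            method = $7       # "publickey", "password", ...
            fp = $NF          # fingerprint on publickey lines
            if (method != "publickey" || !(fp in ok)) print
        }
    '
}

# Count failed authentication attempts per source address ("count address",
# highest first) to spot brute forcing even on the moved port.
failed_by_source() {
    printf '%s\n' "$1" | awk '
        /sshd\[[0-9]+\]: Failed / {
            for (i = 1; i <= NF; i++) if ($i == "from") { c[$(i + 1)]++; break }
        }
        END { for (ip in c) print c[ip], ip }
    ' | sort -rn
}

# Human-readable report; returns 1 if anything unexpected was found, so a cron
# job can mail you only when there is something to look at.
review_auth_log() {
    bad=$(unexpected_logins "$1")
    echo "Failed attempts by source:"
    failed_by_source "$1"
    if [ -n "$bad" ]; then
        echo "UNEXPECTED successful logins:"
        printf '%s\n' "$bad"
        return 1
    fi
    echo "No unexpected successful logins."
    return 0
}

review_auth_log "$SAMPLE_LOG" || true
```

Fill ALLOWED_FPS from `ssh-keygen -lf` run on each public key you deliberately put in authorized_keys; anything else that gets in is, by definition, a key you did not put there.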

A note about mobile

The 1Password mobile app is a mature and secure product.

The Keepass2Android package works well with this setup, but it generates its own ssh key, which you will need to add to the authorized_keys file on the SFTP server; you can’t use your own ssh key.