2019-10-24

"Be Paranoid" is part of my job description, as an IT professional, so this article is going to be heavy on the paranoia settings.

There have been a lot of data compromises over the years, with millions of user accounts being compromised and leaked out onto the dark web. Odds are, if you have had an online account for a couple of years and haven't changed the password for a couple of months of years, that account is compromised. This becomes more of a problem if you use the same password on multiple systems.

Say you have a Disqus account and a Google account that use the same password, you use the same password on both sites. Now Disqus had a major compromise some years ago, so it's likely your Disqus password has been compromised. This in turn means your Google account is compromised. If you heard about the Disqus compromise, you may have changed you password there, but the old password is still out there so if you didn't change your password on Google since that compromised it's trivial for someone who has the Disqus compromise data to guess your Google account password. Think about this for a while... It's likely you use your Gmail email address for all manner of important things, like bank communication or even communication with people like your doctor.

Still think password management is not something to take seriously?

The basic principles around password management are relatively simple:
  1. Be Paranoid
  2. Never use the same password at more than one place
  3. Change passwords often
  4. Use a good secure password manager
  5. Where a password must be used before you can get at your password manager (for example the password you have to supply to open your password manager), try to use a pass phrase. Something you can remember easily without writing it down, while not being easy to guess
  6. For passwords where you can access your password manager before needing them, use the password generator built in to your password manager to generate good passwords
  7. Be very careful about your password manager's database and the unlocking key to open it, this is possibly the most sensitive piece of information you have

Which password manager?

There have been many password manager comparison articles, but for this article we want to be as paranoid as possible. This means password managers where the database is stored on a system you don't control are right out. Having said that, we still want to be able to access the password manager in a cross-platform way without having multiple copies of your database on multiple devices.

The best fit I have found for this odd combination is KeePass2 with the IOProtocolExt Plugin installed, along with Keepass2Android on mobile devices. KeePass2 works with a password database you control entirely and the IOProtocolExt plugin allows you to store that database in a central location (we'll look at the paranoid settings for that shortly). Keepass2Android has the functionality from IOProtocolExt that we will be using baked right in to it, making mobile life a little easier and safer.

Where to store your stuff

This is where things get a bit odd. Your password manager database must be stored where you, and only you, have access to it.

A pretty paranoid way to do this is to use a SFTP server that only you have access to, for this a little f1-micro VM on Google Cloud Platform does quite nicely. This VM type is free (for one per project) if hosted in the us-central region, but some people may feel the regulatory environment in the US doesn't lend itself to protection of information quite as well as western Europe, the choice of where to host and what to pay is up to you.

When setting up this VM, you need to make some changes to the default configurations. It's best to add a port to the sshd configuration and close down access to port 22 in the firewall configuration so that your password database doesn't get accessed by the very popular target for bad guys that port 22 has become. I also always set up sshd to refuse password authentication and then manage the keys that can access the account my password manager database is in very carefully.

Let's say your VM has a DNS name of mybox1.example.com pointed at it (notice how I don't call it something like passwordstore.example.com? See point 1 above), your password database is a file called mydata.kdbx in the home folder of user mystuff and your sshd is configured to listen on port 26740. You also have the public part of an ssh key on your computer in the authorized_keys files for mystuff.

How do I access my passwords?

Well to start off with, in addition to KeePass2 (which you should have anyway, since you created mydata.kdbx, you will need to have the IOProtocolExt plugin installed in it an you need to have the Pageant program (part of Putty) installed. It's likely you have this stuff installed already.

Before opening KeePass, you will need to run Pageant and load your ssh key into it. Ideally, looking at point 1 above, the act of loading the ssh key into Pageant should prompt you for the pass phrase to unlock the key.

Once Pageant is running and has your key loaded into it, you can start up KeePass and use the Open URL option to open your database. Using the example above, you would put sftp://mybox1.example.com:26740/mydata.kdbx in the URL field and mystuff in the User name field, leaving the Password field blank. Also select the option to remember user name only. When you click on OK the program will connect to your SFTP server, using the key loaded into Pageant to authenticate, and fetch your database.

Managing passwords

Now you have a password manager set up and storing a database securely, you need to keep the discipline up and actually use it. I'm not going to tell people what to do, but I will point out the basic principles above.

A note about mobile

The Keepass2Android package works well with this setup, but it generates its own ssh key that you will need to add to your authorized_keys file on the SFTP server, you can't use your own ssh key.