Oyasumi no Blog

Password Management 101

Password management is a complex topic with lots of nuance, especially with the recent changes to recommended password procedures. In this article I intend to show readers the best method of ensuring your passwords are safe, as well as a contingency plan in case your passwords are included in a breach that is outside of your control.

You're Still Using A Password?

With technologies like SSO and one-time passwords becoming more common, there is less and less need for traditional passwords. These methods are more secure and, in the case of SSO, can provide significant quality of life improvements. But there are still a lot of cases where you will need passwords: not every login accepts SSO, especially if you are dealing with system configuration. This guide will go through basic procedures for protecting the passwords that you still have to deal with.

The Great Password Manager Debate

I've seen a lot of discussion over the proper place to store passwords, or whether they should be stored at all, and it has led me to form a few opinions. First I'd like to describe a few terms that I may use throughout this article to describe different importance levels of passwords:

With these terms defined, we can start our discussion.

A Defense of Password Managers

Password managers get a lot of hate because, in most people's minds, you are simply gathering up your passwords for an attacker to find. This would be the case if there weren't verifiably secure password management solutions that you can implement yourself. Such a solution could be as simple as a password-encrypted text file: by storing that encrypted file on a flash drive and only plugging it in when you need the passwords, you can effectively air-gap your passwords when they are not in use. In this example, you would use a root password to decrypt the file, and your secondary passwords would be stored inside. This model would work if you are extremely paranoid and not worried about quality of life issues. The same setup can be replicated using password manager technologies to provide a higher quality of life while also maintaining superior security.
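Here is the encrypted-text-file approach from the paragraph above as a small shell script. This is an added example, not code from the original post: it assumes the openssl command-line tool is installed, the file names and the two sample entries are constructed, and the root password is read from an environment variable (ROOT_PW) rather than typed on the command line, where it would show up in the process list.

```sh
#!/bin/sh
# Added example (not from the original post): a password-encrypted text file
# as a minimal password manager. The root password unlocks the file; the
# secondary passwords live inside it, one "service:secret" line per entry.
# Assumes the openssl CLI; file names, entries and ROOT_PW are constructed.
set -eu

KDF_ITERS=600000   # PBKDF2 iterations; must match between lock and unlock

# Encrypt a plaintext file into a vault file, then remove the plaintext.
# The root password is taken from the ROOT_PW environment variable.
lock_vault() {
    plain="$1"; vault="$2"
    openssl enc -aes-256-cbc -pbkdf2 -iter "$KDF_ITERS" -salt \
        -in "$plain" -out "$vault" -pass env:ROOT_PW
    rm -f "$plain"   # plain removal; secure erase depends on the filesystem
}

# Decrypt the vault to stdout. Never redirect this to a file on disk.
unlock_vault() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$KDF_ITERS" \
        -in "$1" -pass env:ROOT_PW
}

# Print the secret for one service. Everything after the first ':' is the
# secret, so secrets may themselves contain ':'.
get_secret() {
    vault="$1"; service="$2"
    unlock_vault "$vault" |
        awk -F: -v s="$service" '$1 == s { sub(/^[^:]*:/, ""); print }'
}

# Walk-through with constructed data in a temporary directory.
demo() {
    dir=$(mktemp -d)
    printf 'mail:example-secondary-1\nbank:example-secondary-2\n' > "$dir/secrets.txt"
    ROOT_PW='correct horse battery staple'   # constructed root password
    export ROOT_PW
    lock_vault "$dir/secrets.txt" "$dir/vault.enc"
    echo "bank secret: $(get_secret "$dir/vault.enc" bank)"
    rm -rf "$dir"
}

demo
```

Two caveats worth knowing before relying on this. First, the vault is only as strong as the root password: the salt is stored in the file header, so an attacker who copies the flash drive can run an offline guessing attack against it, and the PBKDF2 iteration count is what slows that down. Second, `openssl enc` in CBC mode provides confidentiality but no integrity check, so a tampered vault decrypts to garbage rather than a clear error, and a wrong root password is usually, but not always, caught by the padding check; a real local password manager such as KeePassXC adds authenticated encryption on top of the same root-password idea.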

Password Manager Options

I can't tell you every password manager that exists, and I can't recommend any one manager with 100% certainty, but I can give you the tools required to make an informed decision. There are a few different types of password managers, including cloud-based, local, and browser/integrated password managers; a given password manager usually falls into more than one category.

Cloud Based Password Managers

An example of a cloud-based password manager would be the Google password manager; it's also an example of an integrated password manager since it integrates with the Google Chrome browser. This tool provides a high quality of life while also providing decent security, being from a reputable vendor; similar solutions include Mozilla's password manager and the Apple password manager. A lot of insecurity is created when a password in the "Default Credentials" category is used to access these services and the services are used as a primary password manager. This means that you should treat your password for each of these services as a root password if there are secondary passwords stored in it.

Local Password Managers

KeePassXC is an example of a local password manager. This means the passwords are stored only in the password manager itself, usually in a password-encrypted file. These password managers provide more control over the passwords but offer less integration. You will usually see local password managers used in more rigorous settings, as they provide more flexibility to move and share passwords.

Browser/Integrated Password Managers

We've already gone over Mozilla's password manager, but it is a great example of a browser password manager as well. This type of password manager stores your passwords locally in the browser to provide superior ease of use while also maintaining the peace of mind that your passwords aren't being stored in the cloud. Apple's password manager is another example of a password manager that has integrated as well as cloud capabilities. Password managers in this category usually provide the best mix of security and usability.

P******* M******

OK, I'm sure you're tired of hearing the words "password manager", so we'll wrap this section up. What I want you to take away from this is (as always) that different problems require different solutions. Using a combination of these different solutions will provide you superior security while also maintaining a good quality of life. For example, if you use an integrated password manager you can treat its password as a root password (store the password physically), or if you have a local password manager, you can store the integrated manager's password there, as long as the local password manager's password is treated as a root password.

"Just in Case"

Even with all of these security measures, sometimes it's out of your control: companies are breached every day, and you use these companies' services every day. So how can you protect yourself if you discover a password has been breached? As with every topic there is a lot of nuance (the steps to remediate your bank credentials being stolen will probably be different), but the methods described below will work the same.

Discovery

How would you even know if your password has been breached? It's not always just a notification that a Russian IP has tried to log into your account (of course this wouldn't work because you have MFA set up); sometimes it's an email from a streaming platform you use, or a notification in your password manager that one of your passwords is insecure. Whatever the means of finding out, it is important to confirm the breach using OSINT sources and assess the impact; this means you need to check whether passwords for your other services are affected as well. After you accurately assess the damage you can begin remediation.
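The two checks the paragraph asks for, confirming the breach against a public corpus and finding which of your other services share the password, can both be done without handing the password to anyone. The script below is an added example, not from the original post. It follows the hashing and prefix scheme of the Pwned Passwords "range" API from Have I Been Pwned (only the first five hex characters of the SHA-1 hash are sent; the response lists every hash suffix known for that prefix with a breach count), but the range response and the account list here are constructed so it runs offline, and it assumes coreutils (`sha1sum`, `paste`) is available.

```sh
#!/bin/sh
# Added example (not from the original post): confirming whether a password
# appears in a breach corpus, and which of your own services reuse it, without
# ever sending the password itself anywhere. The hashing/prefix scheme follows
# the Pwned Passwords "range" API (Have I Been Pwned): the client sends only the
# first five hex characters of the SHA-1 hash and receives every SUFFIX:COUNT
# line the service holds for that prefix. The range response and the account
# list below are constructed so the script runs offline.
set -eu

# Upper-case hex SHA-1 of a password (no trailing newline is hashed).
sha1_upper() {
    printf '%s' "$1" | sha1sum | cut -c1-40 | tr 'a-f' 'A-F'
}

# The five characters that would be sent to the lookup service.
hash_prefix() {
    sha1_upper "$1" | cut -c1-5
}

# Given a password and a file holding the SUFFIX:COUNT lines returned for its
# prefix, print how many times the password was seen in breaches (0 if never).
# Real responses use CRLF line endings, hence the tr.
pwned_count() {
    pw="$1"; range_file="$2"
    suffix=$(sha1_upper "$pw" | cut -c6-40)
    tr -d '\r' < "$range_file" |
        awk -F: -v s="$suffix" '$1 == s { print $2; found = 1 }
                                END { if (!found) print 0 }'
}

# Given a "service:password" list and the breached password, print every
# service that uses the same password. Comparison is on hashes, so the list
# could equally hold hashes exported from a password manager.
affected_services() {
    list_file="$1"; breached_pw="$2"
    target=$(sha1_upper "$breached_pw")
    while IFS= read -r line; do
        service=${line%%:*}
        secret=${line#*:}
        if [ "$(sha1_upper "$secret")" = "$target" ]; then
            printf '%s\n' "$service"
        fi
    done < "$list_file"
}

demo() {
    dir=$(mktemp -d)
    # Constructed range response for prefix 5BAA6 (SHA-1("password") begins
    # 5BAA61E4...). The counts and the second suffix are made up.
    printf '%s\r\n' \
        '1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493' \
        '0123456789ABCDEF0123456789ABCDEF012:2' > "$dir/range_5BAA6.txt"
    # Constructed account list; "password" is reused on two services.
    printf '%s\n' 'mail:password' 'bank:example-unique-2' 'forum:password' \
        > "$dir/accounts.txt"
    echo "prefix sent: $(hash_prefix password)"
    echo "seen in breaches: $(pwned_count password "$dir/range_5BAA6.txt") times"
    echo "services reusing it: $(affected_services "$dir/accounts.txt" password | paste -sd, -)"
    rm -rf "$dir"
}

demo
```

In real use the range file is what the lookup service returns for `hash_prefix`'s output, and that prefix is the only thing that leaves your machine; the account list is the kind of export a password manager can produce, which is also why the comparison works on hashes rather than plaintext. A non-zero count confirms the password is in a known corpus, and every service printed by `affected_services` goes on the remediation list, not just the one that sent the notification.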

Remediation

Remediation is simple but requires you to be very thorough: make sure you change all affected passwords and update your password managers accordingly. Depending on how the attackers obtained your password, you may also want to verify they do not have persistent access to any affected accounts. After you are sure all of the passwords have been changed, you can move on to the final phase.

Monitoring

Monitoring is the final phase of our password breach remediation plan. This phase is important because it can be essential for gathering more information about the attackers, or catching them in the act if they really do have persistent access. For most people this phase consists of turning on security alerts for the affected services; this will give you real-time reaction capability and could stop further damage from being caused. After the monitoring period has concluded, you can consider this case handled!

Lessons Learned (Conclusion)

In a world where passwords are still a vital part of our digital lives, understanding how to secure them effectively is more crucial than ever. As we’ve explored, password management is not a one-size-fits-all solution; it requires a nuanced approach that balances security, convenience, and individual needs. Whether using cloud-based, local, or integrated password managers, the key is selecting tools that align with your threat model and level of comfort. Storing passwords securely, whether through encryption or password managers, provides a robust defense against unauthorized access, but it's equally important to have a contingency plan in place should your passwords be compromised.

Even with the best preventive measures, breaches are inevitable, and knowing how to detect, remediate, and monitor compromised credentials is vital. By staying vigilant and proactive, you can minimize the damage from breaches and ensure that your online presence remains secure. Ultimately, the strategies outlined here offer a comprehensive approach to password safety, equipping you to safeguard your digital identity and prepare for unforeseen security challenges.

The world of password management is ever-evolving, and staying informed about best practices will be the most effective way to keep your data safe in an increasingly complex digital landscape.