Internet privacy and security course

Chapter 38

Password Managers or Ross Ulbricht's Fatal Mistake

This chapter collects advice that should be followed, in the interest of security, when using password managers. Most password managers, at least those I recommend in the course, are based on KeePass, and the basic settings have not changed for many years.

Automatically lock unused password files

You must have heard about Silk Road and its creator, the American Ross Ulbricht. It was the largest shadow market for drug sales, which became a symbol of the Darknet and seemed anonymous and unapproachable to visitors. The main means of payment among users was the Bitcoin cryptocurrency; in a year, Silk Road sold goods worth 14-15 million dollars.

Ross Ulbricht did not just create this market and organize the sale of drugs on a global scale; he hacked computers, falsified documents, and even ordered several murders. All this could not fail to attract the interest of FBI agents.

In early October 2013, the administrator of the largest drug-selling site went to the public library, a place he probably considered safe. But it was not his lucky day: he did not expect that he was being followed by a number of agents who were waiting only for the moment when he decrypted his disks and password files.

Ross Ulbricht took care of his safety and kept all his valuable data in a cryptocontainer. Despite the many ways to attack a cryptocontainer, the chances of getting access to one in its encrypted form are small, even for the FBI.

Ross settled in the library and decrypted his data, including the passwords for managing Silk Road. Then, according to media reports, everything happened like in the movies: a man and a woman near him started a fight. This made Ross Ulbricht turn toward them and get distracted from the laptop. At that moment, an Asian girl sitting next to him grabbed his laptop with the decrypted data and ran away. Ross Ulbricht was arrested, and thanks to the data from the laptop, the prosecutor proved his guilt in court. The creator of Silk Road was sentenced to life imprisonment.

What could have saved Ross? Only the option to automatically unmount cryptocontainers and lock password files after 15 seconds of inactivity. In that case, by the time the agents got access to the laptop, all the data would have been encrypted.

 

Tip

Configure automatic locking of password files.

This option is in the settings of most password managers; in KeePassXC it looks like this.

If you do not work with information valuable enough that someone, for example business competitors or employees of a rival scientific laboratory, might take your laptop away from you, you can specify not 15 seconds but, for example, 15 minutes.

We recommend doing the same with cryptocontainers. Emergency data erasure systems, such as Panic Button, would be powerless in the case described above, because there would be no one to activate them. A logic bomb would not help here either, since the condition for its activation is logging in to the system or waking from sleep mode. Such a solution would have been effective if Ross Ulbricht had configured it and had had time to press the hotkey combination that activates panic mode; that takes 1-2 seconds, but he did not have them either.

Multiple password databases instead of one

Use multiple databases for passwords of different frequency of use and importance. For example, in one database you store constantly used passwords of low importance, such as personal mail, social networks, and entertainment sites. In another encrypted database you store work-related passwords that are usually used during working hours. In the third you keep passwords that are used very rarely, for example, access to the "cloud" with saved backups.

I hope the benefits of such a scheme are obvious: if someone gets physical or remote access to your device, the probability of them getting access to all your passwords will be minimal.

 

Tip

Split passwords into several databases; do not store all passwords in one database.

Clipboard clearing

Many people consider this option useless and unnecessary. Its main task is to protect against theft of a password from the clipboard. Imagine the situation: you copy a password, log in to a site, and forget about the password left in the clipboard. Then you land on an attacker's site, which uses scripts to copy information from your clipboard. You can estimate the danger of this attack yourself. Certainly, one password in someone else's hands is a questionable threat, but it is better not to end up in a situation like that.

 

Tip

Enable automatic clipboard clearing.

This is what this option looks like in KeePassXC.
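
Both KeePassXC tips in this chapter (locking the database on inactivity and clearing the clipboard) can be checked from the configuration file as well as in the settings window. The script below is an added example, not part of the original course: it audits the [Security] section of a keepassxc.ini. The sample file is constructed, the limits are assumptions, and the key names are the ones written by recent KeePassXC releases, so confirm them against your own file.

```python
import configparser

# Constructed sample of a keepassxc.ini [Security] section (not from the page).
SAMPLE_INI = """\
[Security]
LockDatabaseIdle=true
LockDatabaseIdleSeconds=900
ClearClipboard=false
"""

# Limits are assumptions: 15 s is the chapter's strict idle value,
# the clipboard limit is an illustrative choice.
MAX_IDLE_SECONDS = 15
MAX_CLIPBOARD_SECONDS = 10

def check_timer(section, enable_key, seconds_key, limit):
    """Return findings for one 'enabled flag + timeout' pair of settings."""
    findings = []
    enabled = section.get(enable_key)
    if enabled is None:
        findings.append(f"{enable_key} is not set explicitly")
    elif enabled.strip().lower() != "true":
        findings.append(f"{enable_key} is disabled")
    raw = section.get(seconds_key)
    if raw is None:
        findings.append(f"{seconds_key} is not set explicitly")
    elif not raw.strip().isdigit():
        findings.append(f"{seconds_key} is not a number: {raw!r}")
    elif int(raw) > limit:
        findings.append(f"{seconds_key}={int(raw)} exceeds {limit} s")
    return findings

def audit(ini_text, max_idle=MAX_IDLE_SECONDS, max_clip=MAX_CLIPBOARD_SECONDS):
    """Audit auto-lock and clipboard clearing in KeePassXC INI text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep the original case of key names
    parser.read_string(ini_text)
    section = parser["Security"] if parser.has_section("Security") else {}
    return (check_timer(section, "LockDatabaseIdle", "LockDatabaseIdleSeconds", max_idle)
            + check_timer(section, "ClearClipboard", "ClearClipboardTimeout", max_clip))

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print("FINDING:", finding)
```

A key that is absent from the file is reported as not set explicitly rather than assumed safe, because the effective value then depends on the defaults of the installed version. Pass max_idle=900 to audit against the chapter's relaxed 15-minute setting.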

Backup in a secret storage

If you have set up an emergency password erasure system and the time comes to activate it, or the data is lost for any other reason, you will find yourself in a difficult situation. It is better to think about this in advance by making a backup and keeping it in a safe place, for example, in a secret repository.

 

Tip

Do not forget to make backup copies of your password files in good time.