In this chapter I want to compare the basic methods of storing passwords that I consider acceptable for everyday use. I will not consider storing passwords in the cloud or in the browser, in text documents on the desktop, or on pieces of paper next to the computer, since I do not consider these methods safe. In addition, I want to remind you that whatever storage method you use, the password itself must be strong.
The basic requirement for a secure method of storing passwords is that the passwords stay safe even when an attacker obtains physical or remote access to the owner's computer. With remote access the attacker will see the passwords the user enters during that time, so two-factor authentication becomes the main protection, and the task of the password store is to prevent the attacker from obtaining the other passwords, those that were not used during the period of remote access.
Storing passwords in memory
I recommend keeping a few especially important passwords in your memory, but there is an opinion that it is better to keep all passwords in memory. If you can remember a separate password of 20-25 characters for every resource, keep them in your memory. Most likely, though, you cannot.
But I strongly advise against remembering a couple of passwords and using them everywhere. Firstly, a leak on one site means that attackers get your password to several of your accounts. Secondly, attackers know the habit of reusing one password on several resources very well: having obtained a batch of email/password pairs, they automatically try them on other resources.
A password kept in your memory can be used on all resources, provided there is a secret. For example, you add the first and last characters of the site address to this complex password near the beginning and near the end. Suppose you keep the password lghiopRxMnn65 £ GhiLg in your head. When using it on Facebook, you insert the first letter of the site name after the first character of the password and the last letter of the site name before the last character. As a result, for Facebook you get the password lFghiopRxMnn65 £ GhiLkg. A small secret makes the password from your head unique to each site.
Tip
Add a secret to the password in your memory that contains characters from the site name. If we are talking about a cryptocontainer, you can use characters from the name of the cryptocontainer.
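As an added example (not the article's own code), here is the Facebook rule above implemented as a small Python helper. The URL handling (the site name is taken as the label before the top-level label) and the upper-casing of the inserted first letter, as in the article's lFghiopRxMnn65 £ GhiLkg, are this example's assumptions. It also goes one step beyond the text with a check a practitioner wants: two sites whose names share the same first and last letter get the same derived password, so the secret should be checked for collisions across the sites you actually use.

```python
"""Derive a per-site password from one memorised base password.

Added example, not code from the article. Implements the rule the text
describes: insert the first letter of the site name (upper-cased, an
assumption taken from the article's example) after the first character of
the base password, and the last letter of the site name before the last
character. `site_name` is this example's own assumption about how to get
the name out of a URL.
"""
from urllib.parse import urlsplit


def site_name(url: str) -> str:
    """Return the name the secret letters are taken from, e.g. 'facebook'.

    Assumption: the name is the DNS label directly before the top-level
    label ('www.facebook.com' -> 'facebook'). Two-part public suffixes such
    as 'co.uk' are NOT handled ('bbc.co.uk' would give 'co'), so check the
    result for such domains before relying on it.
    """
    if "://" not in url:
        url = "https://" + url  # urlsplit needs a scheme to see the host
    host = (urlsplit(url).hostname or "").lower()
    labels = [label for label in host.split(".") if label]
    if len(labels) < 2:
        raise ValueError(f"cannot determine site name from {url!r}")
    return labels[-2]


def derive_site_password(base: str, url: str) -> str:
    """Apply the site secret to the memorised base password."""
    if len(base) < 2:
        raise ValueError("base password must have at least two characters")
    name = site_name(url)
    first, last = name[0].upper(), name[-1].lower()
    # base[0] + FIRST + middle of base + last + base[-1]
    return base[0] + first + base[1:-1] + last + base[-1]


def collisions(base: str, urls: list[str]) -> dict[str, list[str]]:
    """Group sites by derived password; only groups of more than one site
    are returned. Such sites would share a password under this scheme,
    which is exactly what the secret is meant to prevent."""
    by_password: dict[str, list[str]] = {}
    for url in urls:
        by_password.setdefault(derive_site_password(base, url), []).append(url)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    base = "lghiopRxMnn65 £ GhiLg"  # the article's example base password
    print(derive_site_password(base, "https://www.facebook.com/login"))
    # Constructed list of sites: twitter and tumblr share t...r and collide.
    print(collisions(base, ["twitter.com", "tumblr.com", "github.com"]))
```

The collision check is worth running over your real list of sites once: when it reports a group, change the secret (for example take two letters from each end) rather than the base password.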
Storing passwords in a notebook
This is an ordinary paper notebook in which you write passwords with a pen, and in my opinion it is the safest way to store passwords. You probably already have two objections: the first is that it is inconvenient, the second is that the notebook can be taken from you and all the passwords will end up in the hands of attackers.
To make the notebook useless in an attacker's hands, we add a little secret to the passwords. Number all the pages in the notebook, and when you enter a recorded password, add the number of the page it is written on at the beginning and the word beetle at the end (make up your own secret).
What does this give you? If an attacker gets your notebook, they will not know the secret, and naturally, when they try the passwords written in it, they will not be able to log in anywhere. At the same time you will have no difficulty remembering the secret and adding it when you enter a password.
If it is difficult for you to type a long password from the notebook, you can write only 6 characters there, and the remaining 15-20 can be copied from a password manager or a document (it is better to have several variants for different types of passwords). Together this makes a very safe solution.
By the way, I advise using a password manager in addition even if you are not too lazy to type 25 characters from the notebook. This improves protection against someone watching you type the password; alternatively, you can limit yourself to adding decoy keystrokes and covering your hand while you type.
Password Manager
If we are talking about an offline open source manager such as KeePass, KeePassX or KeePassXC, these are reliable, time-tested solutions. In 2016 KeePass was audited with funding from the European Parliament, and no serious vulnerabilities were found.
KeePass once had a problem with its updates being checked for and transferred over an unencrypted connection, which left attackers able to intercept and tamper with them. The solutions recommended in our course do not contain this vulnerability.
The main threat to a password manager is remote access, because when the computer is compromised, an attacker gains access to all the passwords. KeeFarce, for instance, was a tool that was injected into the running KeePass process and quietly saved all the KeePass passwords to an unprotected CSV file, which the attacker then collected.
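The KeeFarce-style theft described above leaves traces on the host that a defender can look for: a library loaded into the KeePass process from a user-writable location, and the KeePass process writing a plaintext export. As an added example (not code from the article, from KeePass or from KeeFarce), the Python below runs a simple detection over a few constructed, simplified Sysmon-style events. The field names, the file names in the sample and the list of trusted directories are this example's assumptions, not a real log schema.

```python
"""Spot KeeFarce-style export of an unlocked KeePass database in host logs.

Added example, not code from the article. The attack the text describes
needs an unlocked KeePass: something is loaded into the running process and
uses it to write every entry to a plaintext file. Two traces follow:
  1. KeePass.exe loading a module from outside its own install directory;
  2. KeePass.exe creating a .csv/.xml/.txt file (its plaintext export
     formats).
A legitimate user can also export, so (2) is an alert to investigate, not
proof of compromise. Log format and field names are this example's
assumption.
"""
import json
from typing import Iterable

# Assumption: directories an installed KeePass legitimately loads its own
# libraries from. Lower-cased; anything loaded from elsewhere is suspicious.
TRUSTED_DIRS = (
    "c:\\program files\\keepass password safe 2\\",
    "c:\\windows\\",
)
PLAINTEXT_EXPORT_EXTS = (".csv", ".xml", ".txt")

# Constructed sample log (JSON lines): lines 3 and 4 are the attack.
SAMPLE_LOG = r"""
{"ts": "2024-05-01T09:00:01Z", "event": "image_load", "process": "C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe", "image": "C:\\Program Files\\KeePass Password Safe 2\\KeePassLib.dll"}
{"ts": "2024-05-01T09:00:02Z", "event": "file_create", "process": "C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe", "target": "C:\\Users\\alice\\Documents\\Database.kdbx"}
{"ts": "2024-05-01T09:03:10Z", "event": "image_load", "process": "C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.dll"}
{"ts": "2024-05-01T09:03:11Z", "event": "file_create", "process": "C:\\Program Files\\KeePass Password Safe 2\\KeePass.exe", "target": "C:\\Users\\alice\\AppData\\Roaming\\passwords_export.csv"}
{"ts": "2024-05-01T09:05:00Z", "event": "file_create", "process": "C:\\Windows\\explorer.exe", "target": "C:\\Users\\alice\\Documents\\notes.csv"}
""".strip()


def detect(lines: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (rule, timestamp, path) findings for KeePass-related events."""
    findings: list[tuple[str, str, str]] = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        process = ev.get("process", "").lower()
        if not process.endswith("\\keepass.exe"):
            continue  # only the password manager's own process matters here
        if ev.get("event") == "image_load":
            image = ev.get("image", "")
            if not image.lower().startswith(TRUSTED_DIRS):
                findings.append(("untrusted_module_in_keepass", ev["ts"], image))
        elif ev.get("event") == "file_create":
            target = ev.get("target", "")
            if target.lower().endswith(PLAINTEXT_EXPORT_EXTS):
                findings.append(("keepass_plaintext_export", ev["ts"], target))
    return findings


if __name__ == "__main__":
    for rule, ts, path in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts} {rule}: {path}")
```

Note that the .kdbx write and the CSV written by explorer.exe are correctly ignored; the two findings are the module from the user's Temp directory and the plaintext export by KeePass itself, and they occur one second apart, which is the pattern to correlate.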
To counter this threat, firstly, take care of the overall security of your devices, and secondly, add the secret part to the password as described above. But the main security rule for password managers is to keep several password files.
For example, especially important passwords that you do not use often should not be stored in the same file as the passwords to social networks that you use daily. Split the storage, and you significantly increase the security of your data.
To protect against offline attacks, when an attacker tries to gain physical access to your device, install the Panic Button emergency data destruction system. Its advantage is that it immediately dismounts cryptocontainers, clears the browser history and the passwords stored in the browser, removes the encryption keys from RAM and the traces of activity in the system, and turns off the device.
And don't forget to use two-factor authentication wherever possible.
Storing passwords in a browser
In general, this is a fairly convenient and secure way to store passwords of low importance, provided storage takes place without cloud synchronization. I have already written about the threats of cloud storage in this material.
Cloud storage of any information, except for data you have encrypted yourself, affects overall security negatively, and not only where passwords are concerned. For example, Apple keeps your browser history in the cloud even after you delete it on your devices, and forensic experts often successfully extract it from there. Apple itself readily hands over this data on request. It was thanks to this that the "king of spam" Peter Levashov was deanonymized and arrested: his iCloud account was under control, and the rest was a matter of technique.