Boosting your internet security with password managers: better safe than sorry
Each time you log into one of your countless online accounts, you probably hear that nagging voice in your head about your poor password habits. I finally decided to silence it once and for all, and this is how: password managers.
With today's large number of online accounts, trying to remember all of your passwords inevitably leads to one of two problems: either your passwords are so simple that they are easy to guess, or you reuse one strong password on many sites, so a breach of any one of them exposes all the others. Read The Only Secure Password Is the One You Can't Remember on Lifehacker if you need further justification for why both strategies are problematic.
A far better strategy is to use a password manager, because it will
- generate strong, unique passwords for you (automatic password generator)
- store all of your passwords in an encrypted database that only your master password can unlock
- make using those long, complex passwords as convenient as possible by filling them into login forms for you (much like browser-based autofill)
For a good introduction to password managers in general, and why they are safer than browser-based solutions, take a look at Why You Should Use a Password Manager and How to Get Started.
As far as I can see, the two most popular password managers at the moment are LastPass and KeePass. LastPass is a proprietary, cloud-based solution; KeePass is open source and keeps all of your data in a local file. So which one to use?
Well, my choice fell on KeePass. Before I elaborate on the reasons, let me say a few words about LastPass. From what I have read so far, and from my first impression of its homepage, LastPass seems like a perfectly adequate solution as well. Being developed by a company, it seems more user friendly and richer in features, and the homepage has a lot of nice tutorial videos. Nor do I think you need to be afraid of entrusting your personal data to a profit-oriented company, because with LastPass you do not: the company only ever receives your data in encrypted form, and decryption happens on your own machine. As stated in Which password manager is the most secure?:
All the encryption and decryption happens locally on your computer. Because these companies don’t have the encryption key, even if their servers get hacked, evildoers wouldn’t be able to decrypt your data…
Nevertheless, I chose KeePass (or rather KeePassX, the cross-platform port I use on Linux), mainly for one reason: accessing my data while travelling. When travelling, I often end up in places with no internet connection at all, where cloud-based data is simply out of reach. Otherwise I would have to fall back on a public network (Starbucks) or somebody else's computer (an internet café). I am definitely not an expert on internet security, but from what I have read, you should never enter sensitive data in such situations, and the master password that unlocks every other password is the most sensitive data you have: on a computer you do not control it can be captured by a keylogger or a tampered browser. A local database does not help on such a computer either, of course, but it does let me open my passwords offline on my own laptop.
You can find the nice introduction KeePassX: Keeping Your Passwords Safe in the Linux Journal archive. With that, you should be able to set up your KeePass database so that it is synchronised to all of your devices through Dropbox. Keep in mind that the database file is stored in encrypted form only: Dropbox never sees your data in an unprotected state, so the strength of your master password (optionally combined with a key file, which you should not sync through the same Dropbox account) is all that stands between anyone who obtains that file and your accounts. To read the database on your mobile phone, you additionally need an application that can decrypt it (for example KeePassDroid on Android).
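To make concrete what the feature list above and this Dropbox setup rely on, here is an added example in Go. It is my own illustration, not KeePass or KeePassX code and not the KeePass file format: a password generator that draws from the OS random number generator, and a vault that is serialised and encrypted under a key derived from the master password, so that the file handed to a sync service is ciphertext only. It uses PBKDF2-HMAC-SHA256 and AES-256-GCM from Go's standard library as stand-ins for KeePass's own key transformation and cipher; the character set, iteration count and file layout are choices made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"io"
	"math/big"
)

// Sizes and work factor chosen for this illustration; a real manager tunes them.
const (
	saltLen, nonceLen = 16, 12 // salt and AES-GCM nonce, both stored in the file
	kdfRounds         = 100000 // PBKDF2 iterations: slows down master-password guessing
	alphabet          = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@^_"
)

// GeneratePassword draws each character uniformly from alphabet with the OS
// CSPRNG; rand.Int avoids the modulo bias of randomByte % len(alphabet).
func GeneratePassword(length int) (string, error) {
	out := make([]byte, length)
	n := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// deriveKey stretches the master password into a 32-byte AES-256 key with
// single-block PBKDF2-HMAC-SHA256 (RFC 8018), standing in for KeePass's own scheme.
func deriveKey(master string, salt []byte) []byte {
	prf := hmac.New(sha256.New, []byte(master))
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1
	u := prf.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < kdfRounds; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

func newAEAD(master string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(master, salt))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVault encrypts the entries under a key derived from the master password.
// File layout: salt || nonce || ciphertext+tag. This blob is all a sync service
// such as Dropbox ever stores; the salt is bound to the ciphertext as AAD.
func SealVault(master string, entries map[string]string) ([]byte, error) {
	plain, err := json.Marshal(entries)
	if err != nil {
		return nil, err
	}
	header := make([]byte, saltLen+nonceLen) // fresh random salt and nonce per save
	if _, err := io.ReadFull(rand.Reader, header); err != nil {
		return nil, err
	}
	salt, nonce := header[:saltLen], header[saltLen:]
	aead, err := newAEAD(master, salt)
	if err != nil {
		return nil, err
	}
	return aead.Seal(append([]byte(nil), header...), nonce, plain, salt), nil
}

// OpenVault reverses SealVault. A wrong master password or any modified byte
// fails the GCM tag check and returns an error instead of garbage entries.
func OpenVault(master string, blob []byte) (map[string]string, error) {
	if len(blob) < saltLen+nonceLen+16 { // 16 = GCM tag length
		return nil, errors.New("vault file too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	aead, err := newAEAD(master, salt)
	if err != nil {
		return nil, err
	}
	plain, err := aead.Open(nil, nonce, ct, salt)
	if err != nil {
		return nil, errors.New("wrong master password or corrupted vault")
	}
	entries := map[string]string{} // non-nil so Unmarshal fills this same map
	return entries, json.Unmarshal(plain, &entries)
}
```

Opening the vault with the wrong master password fails the authentication tag check rather than yielding garbage, and every save uses a fresh salt and nonce, so two copies of the same database look unrelated on the sync server. Whoever obtains the Dropbox copy is therefore left with an offline guessing attack whose cost is set by the key derivation work factor and the entropy of the master password, which is exactly why the master password must be strong.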