
Online Privacy and Security Using a Password Manager

[This is an article I wrote for Linux Journal]

Internet and cloud companies do not have perfect security. We're all familiar with large scale data theft from big corporations. While most do a great job considering the attacks against them, you can do your part by protecting your own accounts.

It's common wisdom to use a different password for each account. Better yet is using a unique email address as well. That quickly becomes unwieldy, so we need an external brain.

Password managers function well as the external brain and can help with more than just passwords. They make it easy to have unique entries for usernames, email addresses, security question answers and much more.

Password managers securely encrypt data before storing it. In addition to passwords they should have fields for record name, username, website and notes.

The following example uses the apg (Automated Password Generator) command to create a random string of text.

$ apg -n1 -Mnl
vucapob7

Now you have a unique username for your bank. When the next social media site is breached, the thieves who get your password there will also have to figure out your bank username before they can attack your bank account, instead of simply reusing the leaked pair.

Use a unique email address. Rather than creating a whole new email account you can likely take advantage of subaddressing.

Some email providers have subaddressing, which allows a separator character and then a token. When delivered, the email provider ignores the separator character and the text after it. For example, you+vucapob7-mybank@example.com would be delivered to you@example.com. See the email subaddressing sidebar for more information.

Unique email addresses also make it harder for thieves to social engineer companies, since the thieves won't have your username whether or not it is an email address.

Since you're storing credentials in a password manager, you don't need to memorize them or even see them. In fact you've turned your password manager into a credential manager holding unique passwords, unique usernames and unique email addresses. Just a few paragraphs in and you're already powering up!

But, as the infomercials say, there's more.

The notes field allows you to store multi-factor emergency codes, shoe size and anything else that might be useful for the account. You could store customer service phone numbers, cheat codes for getting to an actual person and notes from the last call.

Some sites have undocumented password requirements, such as not allowing '%' in a password. The notes field is a good place for a reminder for you. If you use NoScript and a cookie blocker, then you might also want to add notes about required JavaScript and cookie domains to use the site.

One key to having unique security questions is to lie. The company doesn't need to know your grandma's favorite first high school mascot. It just needs a response only you can give. Random text to the rescue.

$ apg -n1 -m15 -Mnl
icunyedgicekoco

That's a fun one. It'll be challenging if you have to say it over the phone. apg can help with that: the -t option prints a pronunciation guide.

$ apg -n1 -m15 -Mnl -t
icunyedgicekoco (ic-un-yed-gic-ek-oc-o)

Still sounds like a foreign language, but hardly guessable. The credential manager doesn't care, it's just data.

KeePassX Credential Manager

I recommend using KeePassX combined with KeePassDroid.

This article uses KeePassX 2.x. Most of it applies also to the KeePassX 1.x versions, but there are some differences.

Select Database-New Database to create a new credential database.

This password you have to memorize. If you forget the password for your KeePass file, then you can't open it. See the creating good passwords sidebar for how to choose wisely.

You can also use a key file. The key file holds additional key material that is combined with your password to derive the database key, so both are needed to open the database. An advantage is that the key file can be stored separately from the credential database, so a copy of the database alone, on a backup or a file-sharing service, is not enough to open it.

Once you've entered your password I recommend you save the file and close it, then open the file again to make sure you can type in your new password. Open and close 3 or 4 times to help you memorize the password. After 15 minutes, do the close and open dance again, then make sure you test it the next morning as well. Forgetting that password is the same as losing the file: the data is unavailable.

To add a new entry either click the key icon with the green arrow or the Entries-Add New Entry dropdown. The dropdown shows a third option, the ctrl-n shortcut.

KeePassX can autogenerate passwords. In addition to specifying character groups like upper and lower case letters, numbers and special characters, you can choose length and exclude look-alike characters such as O and 0 and 1 and l.

Choose a long length like 42 characters since you're not memorizing the passwords. The eye button will let you view the random text if you need (useful if a site discourages good passwords by blocking password pasting). Click the accept button to get KeePassX to store the new entry, then save the file.

In addition to the notes field, KeePassX 2.x has fields for additional attributes. The latter is a better place for storing security questions and answers. While both fields display their values in plain text, the default entry view does not show additional attributes, and there is a drop down menu to use them.

Additional attributes can be found in the Advanced section for an entry. To copy them, use the Entries drop down, select Copy Attribute to Clipboard, then select the attribute you want.

For securely copying a secret, it's important to keep it hidden, keep it safe. The password stays hidden because it isn't displayed. It's kept safe because it expires out of the clipboard. By default the clipboard is cleared after 10 seconds.

KeePassX provides handy keyboard shortcuts. ctrl-b copies the username into the clipboard for pasting and ctrl-c copies the password. Review the drop down menus to find more shortcuts.

Credential Manager Features

What features should you require in a credential manager?

  • clipboard clearing
  • password generation
  • pronounceable password option
  • encrypted data with operating system independent storage
  • backups and data liberation

The clipboard should be automagically cleared after a short time. No need for it to stick around and accidentally get pasted somewhere.

A credential manager should have a password generator. Even better is a random text generator available from anywhere in the application that simplifies creating random values for security questions and responses, subaddressing tokens and birthdates.

The random text generator should have an option for pronounceable passwords. KeePassX 1.x does, but KeePassX 2.x does not. Hopefully the feature will be added back in. apg's pronunciation guide is quite useful. Neither version of KeePassX has that.

The data file must be encrypted and interoperable. In order to be trusted the encryption software and algorithm need to be free and open so they can be independently audited. KeePassX is GPLv2 or later and KeePassDroid is GPLv3. Both incorporate code under other free software licenses.

Interoperability means usable by multiple applications. KeePassX and KeePassDroid use free and open KeePass file formats. KeePass, kpcli and other applications can also use the files. None can open the file without the master password. They are your passwords, you should have exclusive access.

Operating system independence matters too. KeePassX runs on GNU/Linux, BSD, Mac and Windows, and KeePassDroid covers Android, putting both username and password into the notification drawer for easy selection on the phone.

You need to have backups and data liberation. Since KeePass files are encrypted, copying them elsewhere is sufficient for backups. Keep old master passwords secure as they can be used on old backups of the file.

Data liberation means you can access your data even if the original application or service provider stops working. A standard format like KeePass works since many applications can read it. Additionally, KeePassX exports to a plain text file. Make sure to protect it with an encryption tool such as GnuPG.

For online password managers data liberation means you can get your data back out of the service provider in an open format. If you use a proprietary service, then you are dependent on that service allowing you access. Make regular exports to an open format in case the provider goes offline, decides you haven't paid recently or jumbles your data.

I recommend separate files for personal and work. No need for a subpoena about some work contract to have access to all of your personal credentials. Just like email, keep personal and work in separate accounts.

For traveling or mobile use, you don't need all of your credentials. You can drop the whole file on some file sharing services and unlock the entire file from your phone, but then a compromise on your phone has access to all of your accounts as well.

Keep an updated file with a subset on the mobile device. I recommend the minimum essentials to connect to your file-sharing service and operate if you have voice, but not data.

KeePassX does not provide a way to securely sync data to another location, but kpcli can export a group to a new KeePass 1.x file. For instance, create a "mobile" group in your KeePass file, then use kpcli to export that group. kpcli is available under the same licensing as Perl.

Other Useful Features

A credential manager can also be used to escrow data like family social security numbers, important private dates, insurance account information and anything else your family might need should you no longer be available. KeePassX can also store attachments. Now you have a data escrow manager. Power up.

A credential manager should liberally allow text for the master password. KeePass files do. As expected, KeePass accepts special characters. In fact, when I give presentations on KeePassX I often demo unlocking a KeePass file with cut and paste of perl and shell script snippets.

KeePassX has an Auto-Type feature that will log you into a web site with one hot key, ctrl-v. While other people like Auto-Type features I find it too easy to mis-click and paste my credentials in the wrong place. Eventually I do get it right, usually long before "user+twyimCij5-fsf@example.com zFsZ5ZwEh5FHRgYf474MCRQ8pW4YNDXT87wrsQhkyL" starts trending in Google searches.

KeePass files also support an expiration date for passwords and KeePassX provides preset time periods like 3 and 6 months. Once the entry expires KeePassX marks it when viewing the group as a reminder to change the password.

KeePass allows you to access previous versions of an entry via its history feature. It's not quite revision control, but still handy.

It's also handy to provide a means of live security and authenticity testing.

For instance, LastPass is an online commercial password manager with a history of responding quickly to needs. For example, shortly after Heartbleed was announced LastPass added a check that the destination web site was not vulnerable to Heartbleed before sending credentials. It also does some verification to make sure you're connecting to the actual site rather than some phishing site.

LastPass is mostly browser based. The company also provides a command line tool with source available and a perusal of several files yielded GPLv2 or later licensing.

LastPass does encryption and password creation on the client side, so the company never has access to your unencrypted data. It shares credentials by encrypting on the client side with the recipient's public key. Again, LastPass doesn't see unencrypted credentials.

LastPass also advertises a feature that allows the other person to use the credentials without seeing them. While LastPass can't view the unencrypted data, it's fairly easy for the recipient to capture the hidden plain text password once it is in their browser.

See the password managers sidebar for a list of free software password managers.

If you prefer password generation and password storage come from different applications, the generating random text sidebar has some ideas for creating your own random strings.

creating good passwords sidebar

When using a credential manager you only need to memorize a few passwords. For instance, the password for your computer login and the one for your credential manager, plus the work versions of both.

Here are some tips for building a strong but memorizable password.

Use multiple unrelated words, at least 4.

Include numbers, capital letters (not just the beginning of a word) and punctuation. Perhaps use them rather than some of the spaces.

If fluent in multiple languages, use them.

Use nonsensical, uncommon words. No common phrases.

For instance, start with four unrelated words. This is probably fine for computer and network logins that change every few months.

anteater twiddle aquamarine drove

Use more than four words for your password manager where backups might be captured for long-term, offline attacks.

ameisenbaer twiddle aguamarina drove preamble esac

Even better, add some non-space transitions.

aMeisenbaer%tWiddle aGuamarina9dRovezpReamblezeSac

On a mobile device that last example is a pain. Especially when using a simpler password, minimize the number of entries in the mobile password database and change anything in it on a regular basis in case some app ships the file off to a botnet for cracking or the phone is stolen.

generating random text sidebar

The biggest key to a strong password is entropy, randomness. Use long, pure random text to get high entropy. A credential manager isn't the only way to create long strings of random text. For instance, let your cat walk on your keyboard.

Here are some methods that are more efficient and less scratchy than trying to train your cat to work on demand.

* Use a random text generation tool such as apg, pwgen or makepasswd.

* Use GnuPG's random function.

$ gpg --gen-random --armor 1 42

* Use OpenSSL's random function.

$ openssl rand -base64 42

* Use uuidcdef to create a UUID.

$ uuidcdef -u

* Hash a memorized master password together with a per-site value such as the site name, and keep the first 42 hex characters of the hash.

$ echo "anteater twiddle aquamarine drove LinuxJournal.com" | sha256sum | cut -c 1-42

A feature of this method is that one master password can derive any site password without saving anything to disk. There's even a tool to help with that.

$ passwordmaker -r LinuxJournal.com -g 42 -a SHA1 -x -m "anteater twiddle aquamarine drove"

One problem with derive-on-the-fly is that there is no per-site random text: every site password follows deterministically from the master password and the site name, so anyone who learns the master password and the scheme can derive all of them, and changing a single site's password means changing its input. passwordmaker does allow using an unencrypted configuration file for per-site settings.

* Use date to generate a random birthdate. Bash's $RANDOM is not cryptographically strong, but a fake birthdate only needs to be unrelated to your real one. This expression yields dates between roughly 1954 and 1999.

$ date -d @$(($RANDOM*24*3600/2-500000000)) +%Y%b%d
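The tools above are not always installed. As an added example, not code from the article, here are plain POSIX shell functions that cover the same jobs using only /dev/urandom and common tools: random tokens for usernames and security answers (the apg examples in the body), a random birthdate, a multi-word passphrase drawn from a wordlist as in the creating good passwords sidebar, and the hash-derived site password. The rotation counter in derive_site_password is my addition to the article's one-liner, not part of its scheme. It assumes /dev/urandom, head -c, od and one of sha256sum, shasum or openssl.

```shell
#!/bin/sh
# Added example, not code from the article: random-text helpers built only on
# /dev/urandom plus common POSIX tools. Assumes /dev/urandom, head -c, od, and
# one of sha256sum / shasum / openssl for SHA-256.

# SHA-256 of stdin as lowercase hex, with whichever tool is installed.
sha256hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d ' ' -f 1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 | cut -d ' ' -f 1
    else
        openssl dgst -sha256 | sed 's/^.*= *//'
    fi
}

# random_token LENGTH [CHARSET]: LENGTH characters from CHARSET (a tr set such
# as 'a-z0-9'). Bytes outside the set are discarded, so every kept character is
# equally likely (rejection sampling), unlike a modulo over the byte value.
random_token() {
    LC_ALL=C tr -dc "${2:-a-z0-9}" < /dev/urandom | head -c "$1"
    echo
}

# random_uint: one unsigned 32-bit integer from /dev/urandom.
random_uint() {
    od -An -N4 -tu4 /dev/urandom | tr -d ' '
}

# random_below N: uniform integer in 0..N-1, rejecting draws that would carry
# modulo bias.
random_below() {
    limit=$(( (4294967296 / $1) * $1 ))
    while :; do
        r=$(random_uint)
        if [ "$r" -lt "$limit" ]; then
            echo $(( r % $1 ))
            return 0
        fi
    done
}

# random_birthdate: a plausible but unrelated date of birth, 1950-1999.
# Day is capped at 28 so every month is valid without calendar logic.
random_birthdate() {
    printf '%04d-%02d-%02d\n' \
        $(( 1950 + $(random_below 50) )) \
        $(( 1 + $(random_below 12) )) \
        $(( 1 + $(random_below 28) ))
}

# random_words COUNT WORDLIST: COUNT words chosen uniformly from a
# one-word-per-line file, space separated (the diceware approach).
random_words() {
    total=$(wc -l < "$2" | tr -d ' ')
    out=""
    i=0
    while [ "$i" -lt "$1" ]; do
        line=$(( 1 + $(random_below "$total") ))
        out="$out${out:+ }$(sed -n "${line}p" "$2")"
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# derive_site_password MASTER SITE [COUNTER] [LENGTH]: deterministic, nothing
# is stored. COUNTER (my addition to the article's scheme) lets one site's
# password be rotated without touching MASTER. LENGTH is capped by the 64 hex
# digits of SHA-256.
derive_site_password() {
    printf '%s\n%s\n%s\n' "$1" "$2" "${3:-1}" | sha256hex | cut -c "1-${4:-42}"
}

# Demo with a constructed six-word list; use a real diceware-style list.
demo_list=$(mktemp)
printf '%s\n' anteater twiddle aquamarine drove preamble esac > "$demo_list"
echo "username:  $(random_token 8)"
echo "answer:    $(random_token 15 a-z)"
echo "birthdate: $(random_birthdate)"
echo "words:     $(random_words 4 "$demo_list")"
echo "site pw:   $(derive_site_password 'anteater twiddle aquamarine drove' LinuxJournal.com 1)"
rm -f "$demo_list"
```

random_token is uniform because each urandom byte is equally likely and bytes outside the set are simply thrown away; random_below rejects the top of the 32-bit range for the same reason. The six-word list in the demo is far too small for a real passphrase; the strength of random_words comes entirely from the size of the list it is fed.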

email subaddressing sidebar

Subaddressing augments your email address by inserting tokens. It turns one email address into as many as you want.

A separator character is placed after the username (local) part of an email address, followed by a token, and then the @ and domain as usual. You decide on the token.

Tokens can protect your accounts as described in the article and also filter email. For instance, phishers like to send fake eBay mail. It's not eBay's fault, but it's a popular target. If you gave eBay the address user+pl8qr-ebay@example.com, then mail claiming to be from eBay that arrives without that token, at plain user@example.com for instance, isn't from eBay and can automagically be trashed.

Some common email providers and their separator characters are:

  • Gmail: +
  • FastMail.FM: +
  • Kolab: +
  • Yahoo!: -

Gmail subaddressing can be disabled at the domain level, so might not be available for work accounts.

FastMail.FM also offers sub-domain as an alternative to subaddressing.
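As an added example, not code from the article, the delivery rule and the filtering rule above in shell: one function reduces a subaddressed address to the mailbox it is delivered to, given the provider's separator, and one checks whether a message's To: header carries the token you handed to a particular company, so mail claiming to come from that company without its token can be discarded. The header lines are constructed for the example; the token pl8qr-ebay is the one from the sidebar.

```shell
#!/bin/sh
# Added example, not from the article: subaddress handling in POSIX shell.

# delivery_address ADDRESS [SEPARATOR]: the mailbox a subaddressed ADDRESS is
# delivered to. Everything from the first SEPARATOR in the local part up to the
# @ is the token and is dropped, as Gmail (+), FastMail (+) and Yahoo (-) do.
# Caution with '-': a local part that legitimately contains a dash, such as
# mary-jane@, is truncated too, one reason '+' is the more common choice.
delivery_address() {
    sep=${2:-+}
    local_part=${1%%@*}
    domain=${1#*@}
    printf '%s@%s\n' "${local_part%%"$sep"*}" "$domain"
}

# header_address HEADER: the bare address out of a 'To: Name <addr>' or
# 'To: addr' line (enough for the single-recipient case shown here).
header_address() {
    addr=${1#*:}
    addr=${addr#"${addr%%[![:space:]]*}"}   # trim leading whitespace
    case $addr in
        *\<*\>*) addr=${addr#*<}; addr=${addr%%>*} ;;
    esac
    printf '%s\n' "$addr"
}

# expected_token_present HEADER TOKEN [SEPARATOR]: succeed only when the
# recipient carries exactly TOKEN. Mail that arrives at the bare address, or
# with the token given to some other company, fails and can be filtered.
expected_token_present() {
    sep=${3:-+}
    local_part=$(header_address "$1")
    local_part=${local_part%%@*}
    tag=${local_part#*"$sep"}
    if [ "$tag" != "$local_part" ] && [ "$tag" = "$2" ]; then
        return 0
    fi
    return 1
}

# Constructed headers for the demo.
for hdr in 'To: eBay Member <user+pl8qr-ebay@example.com>' \
           'To: user@example.com' \
           'To: user+zzz-paypal@example.com'; do
    if expected_token_present "$hdr" pl8qr-ebay; then
        echo "keep:    $hdr"
    else
        echo "discard: $hdr"
    fi
done
delivery_address 'you+vucapob7-mybank@example.com' '+'   # you@example.com
delivery_address 'you-mybank@yahoo.com' '-'              # you@yahoo.com
```

The same check drops into a procmail or Sieve rule, or a mail client filter: anything addressed to the bare mailbox but claiming to be the company you gave a token to is suspect. Tokens are not secret once the company leaks or sells its address list, so treat a token that starts receiving spam as a signal about that company and retire it.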

email subaddressing on your own SMTP server sidebar

Some common SMTP servers and their default separator characters are:

  • Postfix: +
  • Exim: default off
  • Courier and qmail: -

Some considerations if adding subaddressing to a domain: many web sites disallow a plus in an email address; periods are allowed everywhere, but often already in use for first.last@domain; dash is also fairly universally allowed.

password managers sidebar

There are many free software password managers available.

KDE and GNOME have built-in password managers and there are web browser plugins.

resources sidebar