In the first post of this series, I describe four steps to secure your passwords with a password manager. This post describes a number of additional tips for using your password manager software most effectively. The “Tips for Standard Use” section is for everyone. The “Tips for Extra Password Security” section is for those who need additional security, with less regard for convenience.
Tips for Standard Use of a Password Manager
15 Character Passwords
For each account, use your password manager’s random password generator to generate passwords that are 15 or more characters long, and make sure your password manager stores it. Usually you will want to generate passwords that include upper case, lower case, numbers and special characters to increase password strength. But for passwords that you sometimes enter manually into cell phones or other devices without full-sized physical keyboards, you can generate 15 random lowercase letters. 15 random character passwords are very strong even if restricted to lower case letters.
Do not reuse passwords for more than one account. This is especially important for all financial, e-mail and social networking services. I could provide you with a list of reasonable exceptions to this rule, but why bother? Your password manager remembers and enters all your passwords.
Turn on Master Password Protection and Keep it on for All Passwords
All password managers offer a master password to protect your account login data. Always have the master password enabled to protect all current and newly created login data. Most password managers have an option to require new login data be protected by the master password – make sure this option is turned on. Turning off your master password protection is very risky, equivalent to leaving your key chain hanging on the outside front doorknob to your house.
Select a Strong Master Password
Choose your master password wisely and never share it or write it down. It should be at least 15 alphanumeric characters, very hard for anyone to guess, yet very easy for you to remember and enter. Pass phrases containing a mixture of words and numbers work well for this purpose.
Passwords constructed out of obvious personal information (i.e. MySonIs4YearsOld) should be avoided, because password cracking software may try such passwords. On the other hand, a lie or intentional misspelling (i.e. MySunIs444YearsYoung) is not something password cracking software will have enough time to try, as the number of possible 15+ character lies and misspellings is far greater than the number of true and obvious personal facts.
Following are some weak and strong examples:
mybirthdayisJanuary7—guessable as this phrase (or 364 others like it) applies to all people.
antidisestablishmentarianism—long but terrible because it is in the English dictionary. A phrase should have at least three words and 1 number.
4scoreand7yearsago—easily guessable as it is the start of a very famous speech by Abraham Lincoln, and is likely to be in some password cracking programs.
Strong (but don’t use these specific phrases, obviously):
FredAusterlitzwasbornMay101899inOmaha—though in some ways similar to above birthday password it is much stronger because it is longer, unrelated to your life, and it’s not even clear who it refers to, even though it’s easy to remember for fans of Fred Astaire. If it takes you a long time to type out this 37 character password then go with something shorter and with fewer capital letters – you don’t want a password that is really annoying to enter, as you may then be very tempted to abandon a strong master password.
Ireland1871Wales1920disestablished—though inspired by the Wikipedia entry for antidisestablishmentarianism, this is much stronger because it has three separate words divided by 2 numbers.
AIisnolongerthe76ersAnswer—obscure, yet an easy phrase to remember for a 76ers fan who knows that Allen Iverson, nicknamed “The Answer,” no longer plays for the 76ers.
Fred’sPorsche911Turbo–If a minor acquaintance of yours owns a Porsche 911 Turbo, this is a good password: 19 characters, fairly easy to type, very easy for you to remember, but too obscure for someone else to guess. If Fred is your husband, though, this is a less good password, because the password contains obvious personal information, which is something password cracking software might try.
And here are a few more examples of strong but memorable passwords from the book Perfect Passwords by Mark Burnett:
- 2+2+3 isn’t five
- staying “interconnected”
- (999) dog-walk
- 43 O’Clock is late
The examples I provided are long and will take 5-30 seconds to enter, depending on how fast you type. But you’ll only need to type the master password at the beginning of each computer session. This is minor overhead in return for an enormous security benefit.
Expire Your Master Password
After you first enter your master password, you can then log in to online accounts (with a single click each) for the rest of your work session. However, you want your master password to expire as part of your natural work flow—you don’t want someone to walk up to your desk and start logging into your various accounts. Go to your password manager’s security settings to make sure that the master password will logout automatically when you close the browser, put your computer to sleep, go into screen saver mode, and/or after a certain number of minutes of inactivity. Most password managers provide options to customize these sorts of settings to suit your own circumstances.
Open Web Sites Directly From Your Password Manager
Security expert Robert Chapin has criticized password management software for making it too easy for users to automatically login to a fake web site, which then steals the user name and password entered by a password manager. To thwart this technique and save yourself a click, you should only log in by using your password manager to open password-protected web sites directly. Simply select the web site from within your password manager, and you will be taken to the web site and automatically logged in.
Some password managers have an option to automatically log you in if you just happen to visit a site whose name is the same or similar to the one stored by the password manager. Do not enable this feature. You don’t want to automatically be logged into a fake site.
Test Memorized Passwords After Opening a New Account
Password managers can be awkward to use when you open a new account. They will memorize login information for the account registration screen but then might not work for the regular login screen. The best way I’ve found to deal with this is to NOT have your password manager record the password when setting up a new account. Keep the username and password somewhere temporarily. Logout of the new account immediately after setup. Then log back in using the regular login screen and have the password manager record your information as usual. RoboForm has a new account feature to make this whole process easier but it doesn’t get it right for every site, so even with RoboForm you should still test the recorded information by logging back in right away.
Test Changed Passwords
Some password managers don’t deal very gracefully when changing passwords on an existing account (though both 1Password and RoboForm usually get this right). As with new accounts, after changing an account password be sure to temporarily record the new password, then log out and log back in with the new password to make sure the new password was properly recorded.
Backup Your Passwords
You must back up, sync, or print out password files regularly. If you lose your password data due to hardware failure, loss, or theft, or any other reason, then you’ve lost all your passwords and you will only be able to get them back from any backups you’ve made. If you already have a backup system in place, be sure that your password files are part of the backup set. A reasonable low tech solution is to print out your passwords and store them in a safe and hidden off-site location.
For those who regularly use multiple computers, having access to your passwords on every computer can be very handy. “Sync” solutions can do this while simultaneously taking care of backup as well. Web-based password managers such as LastPass do this automatically. Some desktop based password managers offer syncing via an online service or via proprietary syncing software (RoboForm offers both). Yet another option is to use a sync service like Dropbox to sync data among multiple computers.
Any of these options can work. Just make sure these backups are done automatically, or at least frequently. Apart from your master password, you may not actually know any of your passwords, including the new one you just created last week . . .
Some password managers offer a choice of encryption algorithms. Be sure that AES is selected (AES 128, 196, and 256 are all fine). This algorithm has withstood extensive scrutiny and as of 2010, breaking AES encryption without the key is so difficult that it is rare for an attacker to even try. AES is the default encryption used by these four password managers.
Tips for Extra Password Security
Everything in the previous section should be considered standard password security procedures. The next few steps are for those who want to be even more secure, but the incremental extra security comes with a significant hit to convenience and usability. So you’ll have to be your own judge as to how much of this is necessary.
Empty the Clipboard
If you use your computers clipboard to store passwords temporarily (for example, when setting up a new account or changing passwords), be sure the clipboard is emptied. Some password managers have an option to empty the clipboard automatically upon logoff or a few minutes of inactivity. Enable these options.
Purge the Newly Generated Password
Similarly, a newly generated password is temporarily held in memory. Some password managers have an option to purge this password upon logoff or a few minutes of inactivity. Enable these options.
Enter the Master Password Using a Virtual Keyboard
Keystroke loggers can and do get installed on some systems, and you won’t know they are present. You can thwart most keystroke loggers by entering your master password using your password manager’s virtual keyboard, and only when all browsers are closed. While the chance of your master password being recorded by malware is small, it is even smaller if you follow these steps.
Use Two-Factor Authentication
Two-factor authentication (an option available for KeePass and LastPass) is an even stronger way to thwart keystroke loggers. With two-factor authentication, you will need both a master password (something you know), and an additional factor such as a USB stick or fingerprint reader (something you have) in order to access your passwords. Current implementations of two-factor authentication are somewhat cumbersome to set up and require you to carry something extra in your pocket. Perhaps some day it will be easier to set up and will use something you always carry anyway such as your cell phone.
Store Passwords on a USB device
Some password management software offers an option to store passwords and the software on a USB flash storage device. When the USB device is in physical possession of the owner and not inserted into a computer, it is impossible to steal the passwords. If you choose to follow such an approach, you still want your passwords backed up so that you don’t lose everything if the USB device is lost or destroyed.
Store Encrypted Notes
Most password managers have a feature that allows users to save encrypted notes, protected as usual by the master password. Use this for bits of private information that are not online accounts, such as the username and password to your router, logins to your Windows account, your burglar alarm code, etc.