Airgapped Thoughts

How To Safely Store Passwords / Keys

One of the biggest headaches for most people is the management of their passwords. We tend to use the same password for most online services like social networks and eBanking, and on top of that, this password is usually weak, for example a phone number. Sure, most services nowadays have some kind of extra protection like 2FA, but why push it that far? There are also occasions where we need to store critical information that has no protection at all, and it is completely up to us to store it securely, for example a bitcoin private key. In this case, your best bet is to make password managers your second nature.

WHAT IS A PASSWORD MANAGER?

As the name suggests, a password manager is a program that is responsible for securely storing all of our passwords. They come in many forms and with many different extras, and obviously they use various types of encryption for the password database. Most of them can also create passwords for you, so you can start using a different, very strong password on every site without having to remember (almost) anything.

I’ve tried many different password managers and the only one I suggest is KeePass. That’s because KeePass is open source, has many advanced features, has strong encryption, supports both a password and a key file before you can access your database (like a 2FA), and it’s cross-platform for countless operating systems, which means that you can carry your passwords with you on your Android flagship phone or even your 15-year-old Java phone. There are also some online services that create and store passwords for you and sync them across all of your devices, like Roboform (which used to be a completely offline solution, but not anymore) and LastPass. Although some of them offer good security (like the local creation of a master key), I still wouldn’t use an online service, no matter the convenience of syncing.

Now let’s visit the KeePass website and download the latest version. Install and run it. Create a new password database by clicking the empty document icon.

Press OK on the next message and you’ll get to save your new database that will keep all of your passwords safe. You will have to choose a location and a name for the database. It’s better to choose something completely irrelevant and not a name like “MyDatabase” as I did for this example. You can rename the file whenever you want, though.

THE NEXT STEP IS VERY IMPORTANT.
You will have to give a master password for your database. This is going to be used to unlock your database when you want to add or view one of your passwords. You can completely skip the creation of a password and add a key file as protection instead. A key file is a file with completely random data. If someone steals your database file, they won’t be able to view it without the key file, but if they get their hands on both of your files (the database file and the key file), you’re done! So we will go with the best solution of all and add both a master password AND a key file for our precious database.

Make sure you understand the difference between these files before proceeding:
Database file: The file that will contain all of our important data (passwords, important notes etc). Do not make the mistake of not backing it up after adding new entries to it.
Master password: A PIN-like protection for our database file. This is the only thing that we can store just inside our mind, so do not underestimate it. Your password should be hard to brute force.
Key file: A file with random data in it. Impossible to replicate by chance, but if you keep both your database file and your key file on the same device (you can keep your key file on a USB flash drive for added protection) and someone steals your device, the master password is your last line of defense.

Leave the master password box ticked, then tick the “Show expert options” box so we can add a key file too.

Click “Create” to create your key file.

Choose a folder to save your key file into and a name for it. Use a completely irrelevant name and not the one I did.

The next step is very important: we will have to make random mouse movements to add random data to our key file.

In this step you are generating the entropy that determines the randomness of the key file data.

Now we are back at the creation of our master password. Make it hard to guess and to brute force. Combine words with numbers / symbols in between, and do not underestimate the power of lowercase / uppercase switching! You can change it at any time while keeping the same key file.

YOU SHOULD CHOOSE A VERY STRONG PASSWORD SINCE IT WILL HAVE TO KEEP ALL OF YOUR OTHER PASSWORDS SAFE

The next “General” screen is optional, but the “Security” tab is important for paranoid people, so let’s go there and look at the available options.

The encryption section has two ciphers available, AES/Rijndael and ChaCha20. Although ChaCha20 is faster, AES is well tested and I personally prefer it. The key transformation section is much more important, with 2 options available: AES-KDF and Argon2.

You should go with Argon2, which has better resistance against GPU/ASIC attacks. The following options will allow you to make your key harder to brute force, but will also increase the time you need to save and open your database. Click on the 1 second delay button and the values will be calculated, based on the power of your machine, for a 1 second delay before saving or decrypting the database. You can play with the values and press the “Test” button to see how much time they will take on your machine. When you are happy with the results, hit the “OK” button. It is definitely worth increasing the values, especially if your computer isn’t powerful: values calibrated on a slow machine are low, and an attacker with better hardware will get through them much faster than the 1 second you measured.
You can take a look at the other tabs, but the default values are fine.

The next window will let you print an emergency sheet with your master password and the locations of the database and key files.

The sheet looks like this.

At last we can start adding our passwords and keys.
First, we should delete the demo entries by right-clicking on them and choosing “Delete Entry”.

In the left pane, there are some default groups (categories) for our entries. We can also delete them and create our own groups based on what we want to add. Every group can have unlimited subgroups. In the right pane, we add password entries, which go into the selected group. Let’s create a new group for the passwords that we use on the web: go to the left pane, right-click in the empty space, and type a name for it. In the example, we chose the name “Web Passwords”.

Now we can see the Web Passwords group in the left pane. Click on it, then go to the right pane, right-click, and choose “Add Entry”. We are going to create a demo entry with our Facebook credentials.

Give a relevant name for your entry, the username and password for that service, the url of the website, and some important notes if there are any, and press “OK” to create your entry.

We just created our first entry inside our group! Don’t forget that you can create a group and an entry about anything important. You can for example add entries for all your crypto public and private keys or create entries for the PINs you are using in various mobile applications.

Don’t forget to save the database after adding a new entry by choosing “File” and “Save”.

Now that you are using KeePass, there is no need to use one password for all the sites. You can also let KeePass create strong passwords for you whenever you want to sign up for a service / website. Let’s say for example that you want to sign up for Netflix. Open KeePass and create a new entry. Next to the password field, there is a key icon. Press it, and choose “Open Password Generator”.

The password generator tool will create a password for us. You should select a password length and a character set for your password. Keep in mind that every site has different password length limits and character sets. For example, one site might allow passwords of up to 20 characters while another stops at 16. If you type an incompatible password into a site, it will tell you about its limits, and you should adjust the generator options accordingly. You could also ignore the “Show dialog for collecting user input as additional entropy” option, since it’s a really paranoid feature, but let’s try it for once and I’ll let you decide what you are going to do. It adds extra randomness to the generated password.

It’s the same as with the creation of our key file: create randomness by moving the mouse around and typing something in the text field.

We’re back at our Netflix entry with the newly generated password ready to be saved. Don’t forget to add a username for our entry and then proceed with “OK”.

Done.
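What the generator dialog does with the length and character-set choices, as an added example that is not KeePass’s own code: build the password from the OS CSPRNG, make sure every selected class actually appears, and check it against a site’s limits before pasting it in. The class names and the special-character list are this example’s assumptions.

```python
import secrets
import string

# Constructed example: character classes a site may or may not accept.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",
}

def generate_password(length: int, classes=("upper", "lower", "digits", "special")) -> str:
    """Return `length` characters drawn uniformly from the union of the
    selected classes, with every selected class present at least once."""
    if length < len(classes):
        raise ValueError("length too short to include every selected class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Retry instead of patching a missing class into a fixed position:
        # rejection sampling keeps the distribution uniform over valid outputs.
        if all(any(ch in CLASSES[c] for ch in pw) for c in classes):
            return pw

def fits_site_policy(pw: str, max_length: int, allowed_classes) -> bool:
    """Check a password against a site's limits (e.g. 16 vs 20 characters,
    or no special characters allowed) before using it there."""
    allowed = "".join(CLASSES[c] for c in allowed_classes)
    return len(pw) <= max_length and all(ch in allowed for ch in pw)

if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, fits_site_policy(pw, 16, CLASSES))  # too long for a 16-char site
```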

Now go to Netflix, sign up, and use the completely random, impossible-to-guess generated password that you never need to remember.
Don’t forget to save the database and make a backup of it.

You can also download KeepassDX for your Android phone and keep using your database on the go. You can view and create new entries with it, and make your fingerprint stand in for the combination of your database password and key file, so you can unlock the database with a single tap on the screen.

Some advice:

. Do many tests with KeePass before making it your default way of managing your passwords. Leaving your old password-management habits for a new one is a huge deal.
. ALWAYS create a backup of the KeePass database after making a new entry in it. Keep the backup copy somewhere safe. You only have to back up the key file once.
. Try not to keep both the database and key files on the same device unless your device has storage encryption. You can keep the key file on a different storage medium like a flash drive; even mobile phones can read files from flash drives as long as they support OTG.

Keep It Safe!
