Context
If you’re anything like me, you’ve created your fair share of user names and passwords over the years and it is likely that many more will be added in the future as well. To complicate things even more, you are probably using multiple different user names and passwords because of different requirements. Possible reasons:
- Username (because your desired username might not meet the requirements or might already be in use, or because your e-mail address is used as your username).
- Minimum number of characters.
- Maximum number of characters.
- (Specific) special characters required.
- (Specific) special characters not allowed.
- x number of upper case characters.
- x number of lower case characters.
- x number of digits.
- x number of special characters.
- Password needs to be changed every x days.
Because of the large number of accounts (I have about 200-300 accounts) it is impossible to remember them all. Even though it might be tempting to use (a couple of) the same username and password combinations for logging on, this is not recommended because it is a security risk. When one of the places where you use a specific user/password combination is compromised, all other places where you use this same combination are at risk too. In this post I will try to describe some challenges and what you can do about it.
Consider these examples before even considering using the same user/password combination:
- The person/company managing your account/password can have bad intentions or might not have a good security / password management mechanism in place. A recent example was the leak of over 6 million LinkedIn passwords.
- The user/password might not be sent over a secure connection and can be compromised in transit.
Another option is to connect your Facebook, Twitter, Google, etc. account and use it to log on to various sites. The risk of this is that if that one account is compromised, it provides access to all services that are connected to it. I personally also don’t like the idea that companies like Facebook, Twitter and Google have (even more) information about what services I use, when, how often, etc. So if you have a choice, I would personally create a separate user/password combination for the specific site/service.
To improve security, using multi-factor authentication (requiring multiple types of authentication) is recommended if possible. This is especially true when it uses biometrics and/or requires (access to) a physical device such as a token or mobile phone. Just using passwords simply isn’t enough nowadays, because with cloud computing people have access to such tremendous computing power that brute-forcing passwords is much easier and quicker than before.
Also keep in mind when creating account recovery questions/answers that you should be the only one being able to answer those correctly. You could choose to use a password that has nothing to do with the question as well to make it even harder for someone else to use this method to gain access to your account.
Another thing to keep in mind is that your e-mail account is also a very important part of your security, because it is often used to recover/reset user accounts and passwords. So make sure it is secured properly as well.
For more information about password management best practices, read this article from Hitachi.
My approach
- Use a password manager to store my user accounts, passwords, serials, licenses and other important information (for example my mobile phone SIM unlock code) in one place. I specifically chose KeePass Password Safe 1.xx instead of KeePass 2.xx, but you can use other software as well. Important considerations for me when choosing a software solution include:
  - It provides the levels of security I require and is a proven solution.
  - It can be used on all the platforms I use or might use in the future, for example Windows, Linux, iOS, Android, Windows Phone.
  - It is portable so I can use it everywhere. This means it does not require installation (including permissions to be able to install) and does not depend on other frameworks or installed features such as the .NET framework (KeePass 2.x requires .NET to be installed).
  - It is able to import/export credentials in a format useful to me.
  - It can be used to store metadata (categories, notes, attachments for license files, certificates, etc.).
  - It includes a customizable built-in password generator.
  - It creates a different random password (using the built-in password generator) for each site/purpose, with the best possible password strength while still matching the requirements of the site/purpose, and stores it in the password manager.
  - It automatically keeps backups of previously used passwords.
  - It meets my needs with regards to plugins/extensions.
  - It is easy to use and customizable. I personally increased the time a password stays on the clipboard to 60 seconds because this makes it easier for me to use.
- Mitigate the risk of access to your password database being compromised:
  - Use a strong password for accessing the password manager (database) that you’re able to remember, because when you forget this password you don’t have access to any of your accounts and passwords.
  - Change the password for the password manager database on a regular basis.
  - Use multi-factor authentication before allowing access to your password database:
    - Use both a password AND a key file.
    - Keep the key file in a secure and portable place (USB).
- Mitigate the risk of losing access to all your account and password information:
  - Store the password database locally.
  - Make sure you know the username and password for opening the password database.
  - Make sure you know the username and password for logging on to your local PC without having access to your password management database.
    - If you’re using Windows 8, you can configure it to log on using your Microsoft account. Make sure you know those credentials.
  - Synchronize the password database to an online service, for example Dropbox, Microsoft SkyDrive or Google Drive.
    - Make sure it can be used on all the platforms you use or might use in the future. And, more importantly:
    - Make sure you know the username and password for these services without having access to your password management database.
  - Back up the password database regularly, both locally (USB) and remotely (cloud backup).
    - Make sure you know the username and password for the backup service without having access to your password management database.
  - Test on a regular basis whether the synchronization and backup mechanisms are working correctly.
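The kind of policy-aware generator described above, as an added Python example that is not part of the original post and not KeePass's own code: it takes a constructed policy in the shape of the requirements listed under Context (length bounds, minimum counts per character class, allowed and forbidden special characters), produces a password from the OS CSPRNG that satisfies every rule, and includes a checker for verifying any password against the same policy. The policy values and rule names are assumptions made for the example.

```python
import secrets
import string

# Constructed example policy shaped like the requirements listed above
# (illustrative only; not KeePass's own generator or its configuration format).
POLICY = {
    "min_len": 16, "max_len": 24,
    "min_upper": 2, "min_lower": 2, "min_digits": 2, "min_special": 2,
    "allowed_special": "!@#$%^&*()-_=+",  # the site accepts only these
    "forbidden": "\"'`\\ ",                # and rejects these outright
}

def _classes(policy):
    """Character classes the policy allows, with forbidden characters removed."""
    special = "".join(c for c in policy["allowed_special"] if c not in policy["forbidden"])
    return {"upper": string.ascii_uppercase, "lower": string.ascii_lowercase,
            "digits": string.digits, "special": special}

def check_policy(pw, policy=POLICY):
    """Return the list of violated rules; an empty list means the password complies."""
    cls = _classes(policy)
    problems = []
    if not policy["min_len"] <= len(pw) <= policy["max_len"]:
        problems.append("length")
    for name, pool in cls.items():
        if sum(c in pool for c in pw) < policy["min_" + name]:
            problems.append("min_" + name)
    if any(c in policy["forbidden"] for c in pw):
        problems.append("forbidden")
    if any(c not in "".join(cls.values()) for c in pw):
        problems.append("alphabet")  # e.g. a special character the site does not accept
    return problems

def generate_password(policy=POLICY):
    """Build a random password that satisfies the policy using the OS CSPRNG (secrets)."""
    cls = _classes(policy)
    required = sum(policy["min_" + name] for name in cls)
    if required > policy["max_len"] or policy["min_len"] > policy["max_len"] \
            or (policy["min_special"] > 0 and not cls["special"]):
        raise ValueError("policy cannot be satisfied")
    # Satisfy every minimum first, then fill up to the maximum length for strength.
    chars = [secrets.choice(pool) for name, pool in cls.items()
             for _ in range(policy["min_" + name])]
    alphabet = "".join(cls.values())
    chars += [secrets.choice(alphabet) for _ in range(policy["max_len"] - required)]
    # CSPRNG-driven Fisher-Yates shuffle so the required characters are not at fixed positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)
```

Because `generate_password` always uses the maximum length the site allows, it gives the strongest password the policy permits, and `check_policy` can be run on an existing password to see which rule a site is rejecting.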
Closing thoughts
Properly securing and managing all your usernames, passwords, licenses, serials, etc. is a lot of work, especially when you have used the same user/password in a lot of places, because this means you have to change it everywhere.
It is however important that you do so, and you could choose to start doing it for new accounts/passwords and then gradually migrate the old ones as well.
I hope this has been informative and should you have any questions or comments, please let me know.
keithrozario
November 2, 2012 at 06:19
Thanks for the link. This is good advice, however I would add a suggestion to use two-factor authentication for the more secure and sensitive systems like email etc.
Bjorn Houben
November 2, 2012 at 07:06
Hi keithrozario, thanks for your feedback. Multi-factor authentication was already suggested.