Difficulty in Managing Passwords
In today’s digital world, there is a need for users to be authenticated to a vast number of applications, sites and services. This has presented many problems as people find it difficult to come up with strong passwords, which can easily be remembered, one for each site they login to.
Best Practices for Personal Password Management
1) Use the GRC’s Brute Force Password Search Space calculator to derive a password which is both strong, and at the same time, can be easily remembered.
Research has shown that the most widely used passwords are – 123456, password, qwerty, baseball – and more could be referenced here. Make sure that your password is not widely used or easily guessable.
2) For absolute password security, use GRC’s Perfect Password Generation tool to derive a password which is near to impossible to crack (maximum entropy). Such passwords should be managed through a Password Manager application (described later), as the passwords cannot be remembered by human beings.
3) Use Password Manager Applications such as KeePass and LastPass to manage your passwords. They store your password in an encrypted container whose encryption key is derived from your main password for the Password Manager application. Make sure that the main password used for the application is as strong and memorable as possible!
Never use the same/similar password for two different sites. This presented the risk that if one site was compromised, then the user’s credential for all other sites get’s compromised too.
Never physically write down your passwords, or store them as plaintext, or use password protected excel sheets/documents. Even though excel docs could be password protected, they do not encrypt the contents of the file and excel password protection maybe easily breakable.
KeePass is an open source cross-platform software. KeePass stores the password database in local storage. The database is encrypted with latest encryption algorithms – AES or Twofish. Access to the KeePass database is controllable using a password or a key file.
KeePass is more suitable for your accounts that you want to be extremely closely guarded – such as bank accounts – and for applications invoked through a client program in the computer (other than the browser).
LastPass is freemium Password Management application. Passwords in LastPass are protected by a master password, encrypted locally, and synchronized to any other browser and also to the LastPass server cloud. LastPass has a form filler that automates password entering and form filling. It also supports password generation, site sharing and site logging.
LastPass is more suitable for your online site, service and web application which are invoked through a browser on your computer.
LastPass – Ideal Logout Configuration Improved Security
It is advisable to configure LastPass plugin in Browsers to logout automatically when the browser has been closed or when the computer has been idle for 5 minutes.
The configuratyion screen could be reached by: Click on LastPass Extension Icon > Preferences > General > Security.
KeePass – Multi-User Support
KeePass databases support multi-user login modes. Anybody with the password / key file to the KeePass database could load and work with the database. It offers Microsoft Office-Style locking / Synchronize or Overwrite capabilities for multiple user support. Refer to this link for more details.
Small teams in Organizations tend to store their shared passwords using Microsoft Excel. KeePass would be an excellent replacement for Microsoft Excel based password management.
KeePass and LastPass Portable Versions
Both KeePass and LastPass offer portable versions (which can be invoked from a USB thumb drive / USB hard disk) for people who access their sites from untrusted locations – internet cafe, public computers, etc.
Where is LastPass database stored? https://lastpass.com/support.php?cmd=showfaq&id=425