On Storing Passwords In A Safe Way

My journey towards a better security


Category: Computers

Tags: password, security

It's been a while since I last wrote here... Let's fix this with a new article on an important topic.

Storing passwords

For a very long time I have stored my passwords within Firefox, synced "in the Cloud" through my Firefox account. This solution offers four main advantages:

While this solution had seemed like a good one for a while, I recently thought I could do better than putting my trust in a company - even though Mozilla is respectable and trustworthy. Eventually, every big company gets hacked and I don't really know how they encrypt my data on their servers.

Moreover, I wanted to be able to safely back up my passwords somewhere (offline, if need be, or elsewhere). My past solution had a flaw: were I to lose my laptop and smartphone (theft, apartment burns down, earthquake, whatever), I'd have no way to recover my passwords since I don't know any of them, not even my Firefox password (and what good would it be anyway, since two-factor authentication is enabled and my only two trusted devices would be lost).

Side note on this topic: I always randomly type my passwords as I create accounts. I don't use services that generate them for me (like Dashlane or Lastpass, to name a few). I don't trust these programs to store my passwords (we'll see why in a bit). Nonetheless, I always make sure to include capital letters, numbers and special characters, with a length greater than 8.

With this all in mind, I needed to find a solution that could fulfill the following requirements:

Market analysis

1password

Apparently a great tool; I've read a lot of good reviews. Advocated by the famous website Have I Been Pwned. However, since this is proprietary software, it is de facto a no-go for me. Plus it's a paid service.

Keepass

A tool initially made for Windows.

Pros

Cons

Pass (Linux CLI)

A tool for Linux (CLI). Convenient on a laptop, not so much on a mobile phone. However, I tend to trust a CLI tool more than Keepass, which implies many platforms and binaries. One of the reasons, I guess, is that it's in the official Linux distributions' repos.

Pros

Cons

Dashlane and Lastpass

Proprietary software: no go.

One cool feature Dashlane offers that is worth mentioning though: setting an emergency contact for your important accounts in case of a critical matter. I wish other tools offered the same feature.

Conclusion

Seems like I'll go with either Keepass or Pass. I'll update this article as I become familiar with either of them.

Another topic: two-factor authentication

For this one, I felt that storing my secrets only on my phone (in Google Authenticator, to name it) sounded a little too much like a Single Point of Failure. Should I ever lose access to my phone for any reason, I'd be locked out of every service with two-factor authentication enabled. Time had come to find a way to save a backup of these secrets.

To do so, I developed my own solution: gauth2. It is forked from another project (gauth). I improved it and redesigned it a bit. I also added some features.

How does it work? It is a web app that stores one's secrets in the browser (in LocalStorage, to be precise) and generates One Time Passwords from them. The secrets can also be encrypted with a password, so that someone with access to the browser cannot simply steal them. It also allows secrets to be exported and imported for convenience. I am very satisfied with it so far. Coupled with Google Authenticator, it is a pretty solid combination.


Hope this helps. Cheers!