P@s$w0rdz: Storing Passwords

Paper, Memory, etc. | Browser: Autofill; Apple: Keychain; Cookies |
Single Sign On | Encryption: Local, Cloud


[Image: "Too many passwords to remember" by Dianna Geers, licensed under CC0 1.0]

Memory; Tattoos; Paper; File; Password Manager

  • "Never memorize something...
  • Reused and weak passwords are the easiest to remember, especially when you have many accounts,
    but they are insecure and can still be forgotten.
  • You could set up strong passwords for only "important" accounts
    -- but how do you decide which ones to protect and
    which to abandon eventually to hackers?
  • Why clutter your brain with remembering all of those passwords,
    plus generating new unique ones?
  • [Image: "Password Book 1 005" by ronijj, licensed under CC BY 2.0]
  • It's better if you can limit recall to several strong (memorable) PINs and passphrases:
  • one for each device
  • one for an encrypted file or password manager (PM) app
  • With tattoos, you'd always have your passwords with you. ;-)
  • If visible, they're public.
  • If ink is temporary, passwords could wash off.
  • If ink is permanent, passwords would be difficult to update.
  • Paper can be a workable option if you don't mind entering long, strong passwords,
    storing them somewhere secure, and keeping a backup copy.
  • [Image: "How to not keep passwords safe" by European Parliament Technology - DG ITEC,
    licensed under CC BY-NC-SA 2.0]

  • If you store passwords in a text document or spreadsheet,
    is the file strongly encrypted,
    and does the device have a strong password?
  • You'd need to manually sync the file between devices,
    generate strong random passwords via your OS or browser,
    copy/paste from the document into web pages,
    and remember to close the document when you're not using it.
  • But, if you don't need a PM's convenience or other features,
    a file -- if strongly encrypted (later discussion) --
    would be a simpler, less expensive alternative to a PM
  • We'll be focusing on Password Manager apps in upcoming sections.
  • Regardless of your storage medium -- memory, paper, file, password manager, ... --
    will you -- or someone you trust (but not hackers) -- be able to access your accounts
    if you die, or your memory fades, or there's a fire, flood or burglary?
  • [Image: "Hiking Club Password Sign, Wild River State Park" by Tony Webster, licensed under CC BY 2.0]
  • So, securely and remotely back up any passwords, esp. for devices & password manager,
    e.g., on a device you evacuate with, a cloud service, a safety deposit box, and/or with a trusted friend
  • 'The Wallet Event': Crypto Startup Bankrupt After Losing Password to $38.9 Million Physical Crypto Wallet the company also did not write down recovery phrases; 8/26/2023
  • How to prepare your digital assets in case of death MW; 10/21/2020

Browser

Autofill

Apple: Keychain

  • "Passwordless" passkeys were discussed earlier.
  • The term is somewhat misleading, since your device accounts still need a passcode and web sites
    generally still keep a password as well; but the OS stores and manages those passwords,
    with no separate password manager app required.
  • The "primary password" would generally involve possession of another device,
    authenticated via biometrics (fingerprint, face) on phone, watch, etc.
  • However, you would still need to provide a device password occasionally.
  • The same earlier caveats apply.
  • Keychain may work only for Apple devices
    -- and maybe only with the latest (upgraded) OS versions (Passkeys requires iOS/iPadOS 16+; macOS 13+)
    and only for some browsers (e.g., Safari, Chrome but not Firefox?)
  • You still need strong device passwords for iCloud/AppleID, Mac, iPad and/or iPhone
    -- the scheme is only as secure as the weakest password.
  • You need to lock/logout device when away,
    to avoid access to your account, already logged-in sites, password resets, etc.
  • If you follow these caveats and need no other PM features,
    Keychain (plus Passkeys if available) could provide a free, convenient, secure PM alternative.
  • Re-enable Safari Autofill (above)
  • To enable Keychain syncing:
  • macOS: (apple) > System Preferences > Internet Accounts > iCloud: Keychain (on)
  • iOS: Settings > (user) > iCloud: Keychain (on)
  • To view / edit credentials (User Name, Password, Website):
  • macOS: Safari > Preferences > Passwords
  • iOS: Settings > Passwords & Accounts > Website & App Passwords
  • To see notifications about compromised/weak passwords:
  • iOS: Settings > Passwords > Security Recommendations > Detect Compromised Passwords
  • If you do use Safari & iCloud for passwords, and have recent devices,
    you could use iCloud's new 2FA capability instead of a separate 3rd-party app.
  • How to Use Hide My Email for Signups from iPhone & iPad OSXD; 10/14/2021
  • You Should Use Your iPhone's New Built-in Two-Factor Authentication
    (iOS 15, macOS 12 only?) LH; 9/23/2021
  • How to take control of your passwords using iCloud Keychain on your iPhone, iPad, and Mac
    While iCloud Keychain is safe, secure, and easy, it's also very tied to both our Apple devices and Safari in general.
    There’s no easy way to export passwords, sync notes, share passwords with other browsers, or access your keychain
    on an Android phone or Chromebook; MW; 2/15/2021
  • How to use Apple's Keychain password manager in Google Chrome TNW; 2/1/2021
  • How to share a password via AirDrop from iOS 14, iPadOS 14, or macOS
    from KeyChain, even if iCloud syncing off; MW; 10/23/2020
  • Refs: iCloud

Cookies

  • On a login page, a site may offer some options:
    e.g., "remember me", "stay logged in", "trust this device" and/or "don't require 2FA/MFA codes"
    -- such choices store a browser cookie (like a claim check) that identifies your device and browser,
    so the site skips the password and/or MFA step next time.
  • If you have a weak password on your device or a long delay before the password is re-requested,
    a thief could access your browser and those sites without a password, MFA code and/or 'secret answer';
    malware can also steal and reuse your browser's cookies, since a site cannot tell a copied cookie from the original.
  • A Password Manager can quickly fill-in securely-stored credentials: username, password, MFA code.
  • So, leave those site options unchecked -- and periodically clear cookies (next).
  • It's good practice to log out when you're done, especially on sensitive sites.
    It's easy to log in again later with a PM.
  • To clear all cookies (sites will require login next time):
  • macOS: Safari > History > Clear History and Website Data (cookies, history, other data)
  • macOS: Safari > Preferences > Privacy > Cookies and website data >
    Remove All Website Data
  • macOS: Firefox > History > Clear Recent History
  • macOS: Chrome > Preferences > Advanced Settings > Privacy > Clear Browsing Data
  • iOS: Settings > Safari > Clear History and Website Data (cookies, history, other data)
  • For more details, see section: Safer Internet: Browsing: Manage Storage of Private Data: Cookies
[Image: "Username and Password Infographic" by StatusEngage, licensed under CC BY 2.0]

Single Sign On

  • Generally, don't login to 3rd party sites using your Facebook / Google / LinkedIn / Twitter
    credentials -- aka Single Sign On (SSO) or "Oauth" or "Federated Identity"
  • From a privacy standpoint, you may not know which information
    you're allowing sites to share, e.g., contacts, emails, tracking, etc.
  • From a security standpoint, that Facebook/Google account becomes a single point of failure,
    much like using the same password across sites -- a no-no;
    anyone with access to your unlocked device (already signed in to that account) could access those sites.
  • If the provider account is hacked, every site that relies on it is exposed;
    a hacked site can also misuse the data-sharing permissions you granted it.
  • If you change the password or change your mind,
    did you keep track of which sites you'd need to revoke or update authorization for?
  • An exception: "Sign in with Apple" appears to address these issues
    -- though it may not be as widely available yet; Sign in with Apple FAQ MW; 4/8/2020
  • no tracking; random email address with free anonymous forwarding; requires MFA
  • Still, you'd probably be better off with a Password Manager -- or Passkeys (eventually).
  • Refs: SSO (Single Sign-On)

Secure (Encrypt) Your Passwords

  • Summary: If you use a strong key, e.g., primary password,
    with the latest software versions using the AES encryption standard
    -- preferably AES-256, but AES-128 is still excellent --
    passwords (or other info) are as secure as they can be,
    whether stored locally or in the cloud; in practice the weak link is the primary password, not the cipher.
  • Some apps that use AES-256:
  • 1Password (and most password managers)
  • Office, Acrobat (productivity apps)
  • WinZip, 7-Zip, Keka (compression utilities)
  • And there are others, but you need to check the fine print.
  • Interested in more details about security of older app versions,
    symmetric vs. asymmetric encryption,
    local vs. cloud security, and other tools -- read on.
  • Below: main encryption methods, and corresponding examples of Local and Cloud storage,
    ranked by security: 0 (none/weakest) - 2/3 (strongest); my characterizations/estimates; disclaimer: I'm no crypto expert
  • Strength of encryption and level of protection correlate with the strength of device/primary/account passwords,
    the encryption algorithm (RC4 vs. AES), and the number of key bits used (AES-128 vs. -256).

Symmetric vs. Asymmetric Encryption

  • symmetric: same cryptographic key used
    for both encrypting & decrypting; best for single user;
    how to communicate key separately and securely to someone else?
  • examples (using AES-256):
    password manager/vault: 1Password;
    disk encryption: FileVault (Mac), BitLocker (Win);
    cloud backup: Backblaze;
    other apps, e.g., MS Office, Acrobat, WinZip; 7-Zip; Keka
    -- generally, long-term file protection
  • Wikipedia: Symmetric Key e.g.,
    Advanced Encryption Standard (AES), 128-, 192-, 256-bit;
    use the same cryptographic keys for both encryption of plaintext and decryption of ciphertext;
    for communication, requires secure initial exchange of one (or more) secret keys between the parties
  • How does AES encryption work? 2/4/2019
  • asymmetric: each party has a linked pair of keys, one public and one private;
    anyone can encrypt with the recipient's public key, but only the matching private key decrypts
    (and a private key signs, while the public key verifies the signature);
    more points of vulnerability: is software regularly updated on both user and server? certificate authorities
  • examples: web: https; email: IMAP, SMTP over TLS -- generally, short-term communication
  • Info is encrypted only during transit between user and server using TLS
    (asymmetric keys to set up the session, then symmetric AES for the data itself)
  • Info is decrypted at the server and generally stored decrypted; it may be re-encrypted by the server,
    e.g., when sending email to a recipient, or storing sensitive info, e.g., credit cards;
    passwords should be stored neither as plain text nor merely encrypted, but as salted, slow "hashes" (hopefully)
  • Any already-encrypted files preserve original encryption, e.g., 1Password, 7-Zip
  • End-to-end encryption (E2EE) -- between users, without server decrypting/re-encrypting
    -- is possible/desirable, but difficult to achieve, e.g., really secure chat. (Governments hate E2EE).
  • Wikipedia: Public Key aka asymmetric cryptography; e.g., Transport Layer Security (TLS), SSL,
    S/MIME, PGP, and GPG; requires two separate (but mathematically linked) keys,
    one of which is secret (or private) and one of which is public;
    public key (certificate) is used to encrypt plaintext or to verify a digital signature;
    whereas the private key is used to decrypt ciphertext or to create a digital signature;
    computationally infeasible for a properly generated private key to be determined from its corresponding public key
  • Wikipedia: symmetric vs. asymmetric: postal analogy
  • Fact Sheet: Does quantum computing put our digital security at risk?
    symmetric vs. asymmetric; # of qubits; Internet Society; 7/2021
  • Refs: Be Safer on the Internet:Encryption
  • Not all encryption is the same or necessarily strong!!

Local Encryption: computer, phone, tablet

  • 0. [none] unencrypted file or passwords/credit cards in browser -- anyone with device password
    or with access to internal (unencrypted) drive
  • 1. [older; symmetric]; weakly encrypted file (text, spreadsheet, .pdf, etc.); oldest software
  • Windows: Why You Should Never Use the Native .Zip Crypto in Windows; instead, use AES, e.g., 7-Zip, Office, etc.;
    macOS: ctrl-click (Archive) and zip (Terminal) have poor encryption; instead, use AES, e.g., Keka, Disk Utility, Office, etc.
  • [DES; RC4-128, ?]: Microsoft Office (95-2003), Adobe Acrobat (6.0-), WinZip (2.0-);
    Apple iWork, Preview (-2016?); OpenOffice?
  • [Blowfish]: LibreOffice (-3.4)?
  • 2. [AES-128; symmetric]; moderately encrypted files/folders; older software
    -- Office (2007-2013), Acrobat (7.0-), WinZip (9.0-); Apple* (iWork): Pages, Numbers; Preview (2016?-)
    *Security of Password-Protected iWork Documents bottom line: AES-128 is very secure ('centuries' to crack vs. 'millennia' for -256);
    still, since FileVault and Disk Utility already support AES-256, why hasn't Apple increased the default encryption for its apps (backward compatibility?)
  • Pages/Numbers/Keynote: File > Set Password
  • Preview: Export > Encrypt [checkbox]
  • 3. [AES-256; symmetric]; strongly encrypted
    via latest software with strong primary password or private key:
  • password vault; e.g., 1Password
  • selected files, e.g., Office (2016-; 365-); Acrobat (X, Pro DC); LibreOffice (3.5-)
    Microsoft Office encryption evolution: from Office 97 to Office 2019;
    LibreOffice password-protected files; 3.5 (AES) vs. earlier encryption
  • Word: Tools > Protect Document
  • Excel/PowerPoint: File > Password
  • Adobe Acrobat Reader/Pro* DC:
    File > Property > Security or
    Edit > Protection > Security Properties
    > Show Details: Encryption-level
    -- *Reader: check-only (free); Pro: change ($)
  • How to Password Protect Any File
    Microsoft Word, Excel, and PowerPoint; Google Docs, Sheets, and Slides; Apple Pages, Numbers, and Keynote; Wired; 6/19/2022
  • LibreOffice: File > Save as > Save with Password .odf: metadata not encrypted; .pdf
  • files/folders w/ compression: WinZip (9.0-); 7-Zip (Win; free);
    Keka (7-Zip on Mac; site: free; App Store: $3)
  • entire device: phone/tablet: e.g., Android, iOS -- anyone with device passcode
  • folder / disk partition, e.g., Disk Utility (Mac) into .dmg file
  • entire disk, e.g., FileVault (Mac) or BitLocker (Win):
    -- if the recovery key is saved in your PM, it's accessible only by you;
    if it's saved in the device's keychain/registry, anyone with the device password?
    if it's saved in the cloud by the OS (iCloud / Microsoft account), anyone with the cloud account password or a subpoena?

Remote Encryption: server, cloud [TLS; asymmetric only during transfer]

  • 0. unencrypted public file/folder on cloud storage
    -- anyone with URL can typically access
  • 1. unencrypted private file/folder on cloud storage;
    also received/sent email still stored on email server;
    -- anyone with account password; cloud provider? accessible by govt. subpoena?
  • 2. [AES-128; symmetric] separately encrypted
    via latest software with strong primary password / private key:
  • selected files: Apple iWork: Pages, Numbers, Keynote; Preview on cloud storage
  • 3. [AES-256; symmetric] separately encrypted
    via latest software with strong primary password / private key:
  • password vault: e.g., 1Password
  • all files/folders: e.g., Backblaze (cloud backup service)
  • selected files: Office, Acrobat Pro, LibreOffice, WinZip, 7-Zip, Keka
    on Box, Dropbox, Google Drive, iCloud, Microsoft OneDrive, ...;