Protecting your passwords
by Chris Taylor
Security experts say you should use a unique, complex password for each service you use. My memory was good enough for me … up until about 6 or 7 different services. I now have dozens and I can’t remember them all.
A password manager stores all your passwords in an encrypted vault. You just have to remember one password to open the vault. As long as you use a unique, long, and complex password for the vault itself, all of the passwords inside are protected by it; the vault is only as strong as that one master password and the software that implements the encryption. There are lots of password managers to choose from. This article is not intended to be all-inclusive. I am not even saying I think these are your best options. It’s about how I chose a password manager.
Inventing an encryption algorithm is very easy. Good cryptography, not so much.
Bruce Schneier, a highly respected cryptographer and security professional, wrote: “Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break. It's not even hard. What is hard is creating an algorithm that no one else can break, even after years of analysis.” I simply have to trust others; I am not a cryptographer. I did web searches to see whether many others believe a given password manager uses a proven encryption algorithm and has implemented it properly. An open source solution is highly desirable: people who do understand encryption can look for flaws in the source code, and the proven algorithm is worth little if the implementation around it is wrong.
Then I looked at features. My shortlist: free; not locked into a service run by a provider who may start charging or go out of business; portability (the ability to run without installation); a notes field to add related information; and multi-platform (Windows and Android), so I could access my passwords from all my computers and my phone.
Password Safe is a free, open source password manager that uses the Twofish encryption algorithm. Twofish was designed by a team led by Bruce Schneier, and Password Safe itself began as his project, so I trust that the encryption is implemented properly.
Password Safe can generate random, strong passwords for you. It can autofill web page logon screens to save you typing. The Windows clipboard is securely cleared afterwards, but only when Password Safe is closed or you click a button on the toolbar, not after a timeout, so a copied password can sit on the clipboard for as long as you leave the program open. There is a Notes field where you can store information related to a password entry.
Password Safe automatically locks the database if you have not used it for 5 minutes, which helps keep your passwords safe if you walk away from the computer. There is an installer version, a portable version, and a free, unofficial Android port.
As an aside, Schneier’s books and his blog Schneier on Security (https://www.schneier.com/) are well worth reading.
KeePass is well-known, free, and open source. It supports the Advanced Encryption Standard (AES) and the Twofish algorithm to encrypt its password databases. Both are highly regarded.
KeePass includes measures to protect against dictionary and guessing attacks: the master key is transformed through a configurable number of rounds, so every guess costs an attacker the same amount of work it costs you to unlock the vault. Process memory protection keeps your passwords encrypted while KeePass is running, so they are not exposed in clear text even if Windows pages or dumps the KeePass process to disk. There are also protections against keyloggers when auto-typing credentials.
KeePass has lots of convenience features. It can generate complex passwords. Usernames and passwords can autofill web logon screens, and information it puts on the clipboard is automatically cleared after a user-defined time period. There are many options, including the ability to automatically lock the vault after a user-defined period of inactivity.
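Both Password Safe and KeePass can generate random passwords for you. What “random, strong” means in practice is that every character is drawn uniformly from the alphabet using the operating system’s cryptographic random number generator, and that the search space is large enough. The following Go program is an added example to illustrate that, not code from either project; the function names GeneratePassword, EntropyBits and LengthForEntropy and the symbol set are this example’s own choices.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
)

// Character classes a generated password may draw from (example choice).
const (
	lower   = "abcdefghijklmnopqrstuvwxyz"
	upper   = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digits  = "0123456789"
	symbols = "!#$%&*+-=?@^_~"
)

// GeneratePassword returns a password of n characters drawn uniformly
// from alphabet using the OS CSPRNG (crypto/rand). rand.Int uses
// rejection sampling, so there is no modulo bias even when the alphabet
// size does not divide 256. math/rand would be the wrong tool here:
// its output is predictable from a small amount of observed state.
func GeneratePassword(n int, alphabet string) (string, error) {
	if n <= 0 || len(alphabet) < 2 {
		return "", fmt.Errorf("need n > 0 and an alphabet of at least two characters")
	}
	bound := big.NewInt(int64(len(alphabet)))
	out := make([]byte, n)
	for i := range out {
		idx, err := rand.Int(rand.Reader, bound)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

// EntropyBits is the size of the search space for a uniformly random
// password of length n over an alphabet of k symbols, in bits: log2(k^n).
// This only holds for generated passwords; a human-chosen password of
// the same length has far less entropy than this formula suggests.
func EntropyBits(n, alphabetSize int) float64 {
	return float64(n) * math.Log2(float64(alphabetSize))
}

// LengthForEntropy returns the smallest length over an alphabet of
// alphabetSize symbols that reaches the requested number of bits.
func LengthForEntropy(bits float64, alphabetSize int) int {
	return int(math.Ceil(bits / math.Log2(float64(alphabetSize))))
}

func main() {
	alphabet := lower + upper + digits + symbols
	pw, err := GeneratePassword(20, alphabet)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s  (%.1f bits)\n", pw, EntropyBits(20, len(alphabet)))
	fmt.Println("length for 128 bits, full alphabet:", LengthForEntropy(128, len(alphabet)))
	fmt.Println("length for 128 bits, digits only:  ", LengthForEntropy(128, len(digits)))
}
```

The last two lines of output make the trade-off concrete: a 128-bit password needs 21 characters over the 76-symbol alphabet but 39 characters if a site only allows digits, which is why the managers let you set both the length and the character classes per entry.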
A Notes field allows you to store other sensitive information, such as your Social Insurance Number. Entries can even store file attachments, such as a photo of your passport or birth certificate.
There is an installer version and a portable version. Even the installer version does not write outside the program directory, other than to create the program directory and Start menu icons. KeePassDroid is an unofficial, open source Android port.
I have been using KeePass and KeePassDroid for many years and am very satisfied with both.
I store my KeePass vault in a local Google Drive folder, which is automatically synched between all my computers and my phone. The KeePass portable program files are also on my Google Drive, so I can access my passwords from any internet-connected Windows computer. Because the vault file then also sits on a third party’s servers, its protection rests entirely on the strength of the master password and on the key transformation rounds that slow down guessing.
If you don’t want to mess with setting up your preferred cloud storage to hold your password vault and configuring all your devices to access the vault from that location, Standard Notes (https://standardnotes.org/) is an interesting free and open source note manager. It is not designed as a password manager, so don’t expect it to generate passwords, enter your password into web sites, and so on. But it can be used to manage any text-based information, including passwords.
Standard Notes uses AES-256 for encryption, with the account password run through a password-stretching (key derivation) algorithm of over 100,000 iterations before it becomes the key. The stretching is what makes guessing expensive: each guess an attacker makes against a copy of your data costs the same 100,000-plus rounds.
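The two ideas above, an encrypted vault opened by one master password and a stretched key derived from that password with a high iteration count, can be shown in a few dozen lines. The Go program below is an added example written for this article; it is not the code of Standard Notes, KeePass or Password Safe, and their real file formats differ. It writes PBKDF2-HMAC-SHA256 out in full so the stretching loop is visible, then seals the vault with AES-256-GCM so that a wrong password or any edit to the file is detected. The function names SealVault, OpenVault and pbkdf2SHA256, the file layout and the sample vault contents are this example’s own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Iterations is the stretching cost. Every unlock, by the owner or by an
// attacker guessing against a copied vault file, pays this many HMAC
// rounds; the figure mirrors the "over 100,000" quoted for Standard Notes.
const Iterations = 100000

const saltLen, nonceLen, tagLen = 16, 12, 16

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF,
// written out so the iteration loop is visible rather than hidden in a library.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var dk []byte
	for block := uint32(1); len(dk) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil) // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...)
		for n := 1; n < iter; n++ { // U_n = PRF(P, U_{n-1}); T = U_1 xor ... xor U_iter
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for i := range t {
				t[i] ^= u[i]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

// gcmForPassword stretches the master password with the given salt into
// a 256-bit AES key and returns an AES-GCM instance for it.
func gcmForPassword(masterPassword string, salt []byte) (cipher.AEAD, error) {
	key := pbkdf2SHA256([]byte(masterPassword), salt, Iterations, 32)
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// SealVault encrypts plaintext under the stretched key. Example layout:
// salt || nonce || AES-256-GCM ciphertext+tag. Salt and nonce are fresh
// per call, so sealing the same vault twice never yields the same bytes,
// and the header is bound as GCM associated data so it cannot be swapped.
func SealVault(masterPassword string, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	salt, nonce := header[:saltLen], header[saltLen:]
	gcm, err := gcmForPassword(masterPassword, salt)
	if err != nil {
		return nil, err
	}
	out := append([]byte(nil), header...)
	return gcm.Seal(out, nonce, plaintext, header), nil
}

// OpenVault reverses SealVault. A wrong master password derives a
// different key, so GCM's tag check fails; so does any edit to the file.
func OpenVault(masterPassword string, sealed []byte) ([]byte, error) {
	if len(sealed) < saltLen+nonceLen+tagLen {
		return nil, errors.New("vault file too short")
	}
	header := sealed[:saltLen+nonceLen]
	salt, nonce := header[:saltLen], header[saltLen:]
	gcm, err := gcmForPassword(masterPassword, salt)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, nonce, sealed[saltLen+nonceLen:], header)
	if err != nil {
		return nil, errors.New("wrong master password or vault has been tampered with")
	}
	return pt, nil
}

func main() {
	// Constructed sample vault contents for the example (not real credentials).
	vault := []byte("example.com\tchris\tcorrect horse battery staple\n")
	master := "one long unique master password"
	sealed, err := SealVault(master, vault)
	if err != nil {
		panic(err)
	}
	pt, err := OpenVault(master, sealed)
	fmt.Println("unlocked with correct password:", err == nil && bytes.Equal(pt, vault))
	_, err = OpenVault("password123", sealed)
	fmt.Println("wrong password rejected:", err != nil)
	sealed[len(sealed)-1] ^= 1 // flip one bit of the authentication tag
	_, err = OpenVault(master, sealed)
	fmt.Println("tampered vault rejected:", err != nil)
}
```

Timing the program shows why the iteration count matters: each unlock takes a noticeable fraction of a second, which is nothing to you but multiplies the cost of every guess for someone who has copied the file from Google Drive or a stolen laptop. The salt stored in the header ensures two users with the same master password still get different keys, so a precomputed table is useless.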
Besides being secure, what I like about Standard Notes is that a free account allows automatic synchronization of your database between all your devices. If you worry that the vendor might go out of business, you can self-host the sync server.
Standard Notes is available for Windows, Android, Linux, iOS, and Mac. You can also access your notes through a web site (https://app.standardnotes.org/).
Standard Notes assumes your operating system has been adequately secured, to the extent that once you have opened your vault and provided the password, it will not ask for the password again for as long as you are logged into the OS. On a shared or unattended machine that means anyone at the keyboard can read your notes.
If your operating system’s security is adequate, why bother with a password manager at all? Many people treat their overall Windows experience in a low-security fashion, with a weak password or none at all, and then want to treat specific sensitive information in a more secure fashion. Fortunately, Standard Notes does have an option, which I highly recommend, to require a password every time you open your vault.
published: November 2018