Password managers are essentially a collection of all your passwords in one place. Sounds dangerous, right? You're correct! Well, sort of. If you wrote all of your website passwords down in a physical notebook that someone could take out of your possession at any time, then your passwords become meaningless the moment the notebook goes missing.
A password manager, by contrast, is a digital collection of your passwords that is encrypted and only readable after you unlock it, so even a stolen copy of the vault is useless to a thief without the key. That vastly improves your security, but it also means you now have to be wise about how you lock the vault and the electronic devices it lives on.
Something you know, Something you have, Something you are
The following are the three types of authentication factors available today. Any of them can be used to secure your password manager, and combining two or more of them is what 2FA means later in this article.
Something you know
This is the most common kind of authentication used for humans. We use passwords every day to access our systems. Unfortunately, something you know can become something you just forgot, and if you write it down, other people might find it. [1] Password strength is a vital concern here as well. Use these guidelines for each password:
- Never reuse a password. Each site should get its own password.
- Each password should consist of the following:
  - 16 characters minimum
  - At least 1 uppercase letter
  - At least 1 lowercase letter
  - At least 3 numbers
  - At least 3 special characters
- You should not try to remember your passwords. You should only remember one password, your password manager's master password! Everything else should be randomly generated by the manager, and for generated passwords length matters far more than the exact character mix.
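As an added example (not part of the original article and not Bitwarden's code), here is a small Python script that generates passwords meeting the rules above and checks an existing password against them. The special-character set and the default length of 20 are assumptions of the example. Any password manager's generator does the same job, but seeing it written out shows why length is the lever that matters: each character drawn from an 87-symbol alphabet adds about 6.4 bits, so 16 characters is already well beyond brute-force reach.

```python
import math
import secrets
import string

UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
# Assumption: the article does not define which symbols count as "special".
SPECIAL = "!@#$%^&*()-_=+[]{};:,.<>?"
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL  # 87 symbols

# The article's rules, expressed as a policy dict.
POLICY = {
    "min_length": 16,
    "min_upper": 1,
    "min_lower": 1,
    "min_digits": 3,
    "min_special": 3,
}


def check_password(pw, policy=POLICY):
    """Return a list of policy violations; an empty list means compliant."""
    counts = {
        "upper": sum(c in UPPER for c in pw),
        "lower": sum(c in LOWER for c in pw),
        "digits": sum(c in DIGITS for c in pw),
        "special": sum(c in SPECIAL for c in pw),
    }
    problems = []
    if len(pw) < policy["min_length"]:
        problems.append(f"length {len(pw)} is below {policy['min_length']}")
    for name in ("upper", "lower", "digits", "special"):
        need = policy["min_" + name]
        if counts[name] < need:
            problems.append(f"needs at least {need} {name}, has {counts[name]}")
    return problems


def generate_password(length=20, policy=POLICY):
    """Generate a password that satisfies the policy using the OS CSPRNG.

    Rejection sampling: draw uniformly from the whole alphabet and retry until
    the draw passes the policy. Every compliant password is then equally likely,
    which a "place the required characters, then shuffle" scheme does not give.
    """
    if length < policy["min_length"]:
        raise ValueError("length is below the policy minimum")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(pw, policy):
            return pw


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw, "| violations:", check_password(pw))
    print("entropy of 16 chars:", round(entropy_bits(16), 1), "bits")
    print("weak example:", check_password("Password1!"))
```

`secrets` rather than `random` is the important detail: `random` is seeded predictably and was never meant for secrets.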
Something you have
This form of human authentication removes the problem of forgetting something you know, but some object must now be with you any time you want to be authenticated, and such an object might be stolen and then becomes something the attacker has. [1] There are many options out there and, as always, we will never purposefully lead you astray. However, each device comes with its own pros and cons. Please see below for your options:
- Software: an authenticator app on your phone that generates time-based codes (TOTP). As a note, SMS and email 2FA codes are the weakest option, since SMS can be intercepted or redirected by a SIM swap and email is only as secure as the mailbox; use them only as a last resort. Please confirm that these apps will work with your device and that you will comply with their TOS/Privacy Agreement.
- Hardware: a dedicated token such as a FIDO2/U2F security key. Please ensure you understand what you are buying before you buy anything, and buy two so that a lost key does not lock you out of your own accounts.
Something you are
This bases authentication on something intrinsic to the person being authenticated. It's much harder to lose a fingerprint than a wallet. The cited notes [1] call biometric sensors fairly expensive and not very accurate; that was written in 2005, and sensors are now cheap and everywhere, but the more durable objection remains: a biometric cannot be changed if it is ever copied. Fingerprints, eye scans, face scans, voice prints and many others are possible ways to use biometric unlocking, but for most commercial devices it is usually fingerprints and face scans. This is usually built directly into the phone's operating system to offer an alternative sign-in option. Note that on a phone the biometric typically unlocks a key stored on the device rather than replacing your master password, so the master password still has to be strong.
With all of this new knowledge, we are going to discuss something called 2FA and 3FA (two- and three-factor authentication).
Have you ever had to enter your password AND an additional piece of information such as a 6-digit code? That is 2FA, and you are probably more familiar with it than you know: the password is something you know, and the code comes from something you have (your phone or a hardware key). In our opinion, every account created since 2010 should have, at a minimum, 2FA set up. This gives additional protection from attackers, hackers, and even punks who happen to guess your email and password, because the password alone no longer gets them in. 3FA is ultimately the same idea with all three factor types (know, have, are) required to truly secure your account. Two things you know, such as a password plus a security question, do not count as two factors.
Here are some scary facts from 2019
- Hackers steal 75 records every second [2]
- Hackers create 300,000 new pieces of malware daily [2]
- On average 30,000 new websites are hacked every day [2]
- Hackers attack every 39 seconds, on average 2,244 times a day [2]
If you can't tell, hackers are actively seeking out your information. A popular site, Have I Been Pwned (https://haveibeenpwned.com), will tell you whether your email address shows up in a known breach, and its Pwned Passwords service will tell you whether a password has appeared in a breach without the full password ever leaving your device: only the first five characters of the password's SHA-1 hash are sent, and the match is finished on your end.
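The range lookup that makes that password check safe, as an added example (not from the original article and not the site's own code): the password is hashed locally, only the first five hex characters of the SHA-1 go to the server, and the remaining 35 are matched against the returned list on your side. `fetch_range` does a real lookup against the public API; the demo uses a constructed sample response so it runs offline, and every breach count in that sample is made up.

```python
import hashlib
import urllib.request


def pwned_prefix_and_suffix(password):
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent
    and the 35-char suffix that stays on the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Parse 'SUFFIX:COUNT' lines and return how often the full hash was seen
    in breaches (0 if absent). Padding lines from the API have a count of 0."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        found, _, count = line.partition(":")
        if found.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup of one 5-character prefix (not used by the offline demo)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def times_pwned(password, fetch=fetch_range):
    """k-anonymity check: the server learns the prefix, never the password."""
    prefix, suffix = pwned_prefix_and_suffix(password)
    return count_in_range_response(suffix, fetch(prefix))


# Constructed sample of a response for prefix 5BAA6, the prefix of
# SHA-1("password"). The other two suffixes and all three counts are invented.
SAMPLE_RANGE_5BAA6 = """\
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3000000
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""


def offline_demo():
    """Check the word 'password' against the constructed sample response."""
    return times_pwned("password", fetch=lambda prefix: SAMPLE_RANGE_5BAA6)


if __name__ == "__main__":
    print("'password' seen in breaches:", offline_demo(), "times (sample data)")
```

Because a 5-character prefix covers roughly one in a million of all possible SHA-1 values, the server learns nothing useful about which of the hundreds of matching passwords you actually typed.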
Enough already, get on with it
Ok ok, so we have gone over the vital importance of keeping passwords in a safe place, having a unique password for each site, using randomized passwords that are difficult to remember or guess, and setting up 2FA or 3FA for each account. Well, unless you have a perfect, never-failing memory or are a supercomputer, you are going to want a password manager.
There are tons of them. They all do the same basic thing, but each will likely have one or two unique pieces to make it stand out. What was important to us was a service that was self-hostable (meaning we get to control our data instead of someone else), that encrypted the vault with at least AES 256-bit (the industry standard in 2020), and that was open source so the encryption can actually be audited. Due to our requirements we decided to fully implement Bitwarden across the board. It checks all the boxes, the vault is encrypted on your device before it is synced so the server only ever holds ciphertext, and the user experience is 10/10. Because the encryption key is derived from your master password, that one password is the whole ballgame. If you already use another password manager, we recommend switching, as there are only one or two others out there that can even compete with Bitwarden and you are likely not using them. We do not recommend any closed source password managers, at all.
Steps to Follow
We are going to assume that you already have access to Bitwarden, either through their website directly or through a self-hosted instance.
To get started, go to either your self-hosted instance's URL or https://vault.bitwarden.com/#/register. Then create your account using a VERY strong master password; refer to our recommendations above. Make sure you won't forget it: because the vault is encrypted with a key derived from this password, there is no "forgot password" reset, and losing it means losing the vault.
Once your account is created, sign in
Once signed in, go to Settings, then click on "Two-step Login". From here, click on "Authenticator App" and click Manage. You will be prompted to open the 2FA app that you hopefully installed from above (we recommend either Authy or Tofu) and set up 2FA for your account. This should be the very first thing you do once you sign in. Bitwarden will also show you a recovery code for two-step login; write it down and keep it somewhere safe outside the vault, because a lost phone with no recovery code means a locked-out account. Do not store the Bitwarden account's own TOTP secret inside Bitwarden, since that would leave the vault guarding its own second factor.
The second thing you will want to do is go to the "Tools" tab and then to the "Import Data" section.
From here, we are going to import your previous password manager's data. There are dozens of formats available, so select the appropriate one(s), follow the export steps for that manager, and then select "Import Data". Once you have verified the import, securely delete the exported file: it is your whole vault in plaintext.
The third thing you will want to do is install the appropriate browser extension (we only recommend using Firefox on a desktop computer) and whichever of Bitwarden's other apps are appropriate for your use case.
The fourth thing we recommend doing is going under the "Tools" tab, and under the "Reports" section selecting the option that says "Inactive 2FA Report". From here, one by one, set up 2FA for each site that allows it. Yes, that's right: Bitwarden offers a BUILT-IN IN-APP 2FA (also referred to as TOTP) out of the box, so the 6-digit codes can be generated and copied by Bitwarden itself (on the hosted service this is part of the premium tier). One caveat: keeping a site's TOTP seed in the same vault as its password means a compromised vault yields both factors at once. That is still far better than no 2FA at all, but for your most important accounts (email, banking, and Bitwarden itself) keep the second factor in a separate app or on a hardware key.
The fifth thing you will want to do, in both the mobile app and the browser extension, is go to "Settings", then scroll down to "Other -> Options" and set the following settings:
(This is just preference now)
Then click on the back arrow. You can set a PIN code under "Security -> Unlock with PIN" if you wish, but a short PIN is far weaker than your master password and is not recommended. Remember, you set a strong password on purpose. Regardless of what you choose, now go to the very top of "Settings" under "Manage", select "Sync" and then select "Sync Vault Now".
The next thing we recommend doing is going back to your vault in the website and going to the "My Vault" tab. From here you will want to go through each folder and ensure each site is 1. still needed/used and 2. in the right place.
Congrats! You did it! We are all done. We now have a fully customized password manager. Wasn't that hard, now was it?
- [1] https://www.cs.cornell.edu/courses/cs513/2005fa/NNLauthPeople.html
- [2] https://www.webarxsecurity.com/website-hacking-statistics-2018-february/
What's next? Read Step 3 in Achieving true Privacy and Security Online, the one about Encryption. Difficulty Level: Easy - Moderate. Multiple types available for all use cases out there. (Article coming soon)