What you should and should not do with your passwords

I know, I know… password management sounds like a very “exciting” subject, doesn’t it? Why even bother writing about this after so many years, now that various password-less standards (like Passkeys) are trying to make passwords go away?

Even so, passwords are our everyday reality. Perhaps even more so in our private lives (versus work, where a lot of authentication is done via certificates or other means). Even with big changes coming (more platforms adopting Passkeys, for example), every web site and service has to change on its side too before passwords can go away, so I expect passwords will stay with us for years to come.

What you should NOT do with passwords (and why)

Even after so many years of passwords being around, I must say that I am somewhat floored by hearing how people store their passwords. Here are some of my favorite ways that you should NOT store your passwords:

  • In an Excel / spreadsheet file (no, it does not matter if you put an Excel password on that file).
  • In a Word / text document somewhere hidden in a folder structure.
  • In a note taking application (OneNote, or whatever else you might use).
  • In contacts on your mobile device.
  • Written down in a notebook (hardcopy, on paper).
  • Not storing any passwords at all, because you have a “system” that lets you generate a password on the fly for every web site (say, the first few letters of the site name combined with some other word).
  • Not storing passwords at all, because you re-use the same 3-4 passwords on every web site you ever sign up for.
  • In a draft email that permanently sits in your drafts folder.

I am sure you can think of some more!

The reality is that the sites that make us use passwords are exactly the sites that are an interesting target for bad actors, because those sites are known to store passwords (or password hashes) for their users. For a variety of reasons (ranging from human incompetence to newly discovered vulnerabilities), the best thing to do is assume that at some point, any password you give to a site will be leaked. Some never will be. But some definitely will be.

The above list can be roughly split into two categories:

  • Password reuse / creation system schemes – a leaked password is usually associated with your email address or username. It is trivial to take that email / password pair and try it across a variety of popular sites to see whether the same pair works in more than one place (this is called credential stuffing). Password reuse is (in my opinion) very lazy, and it is really just asking for trouble. Similarly, if your leaked password is something like “BestbuyP@ssw0rd”, it does not take a large leap to try “CostcoP@ssw0rd” with the same username and see if it works. The problem with a “unique password generation scheme” is that it is, well… obvious.
  • Insecure storage of passwords – this one is not going to be a problem until it is. If your passwords are stored in a way that is inherently insecure, nobody will care until that single account of yours is breached or someone gets access to this insecure password storage. Then, suddenly, you went from “no problem” to “100% of the problem”. If all your passwords were in there, now you have no choice but to change all your passwords, all at once. This can be catastrophic.
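To make the first category concrete, here is a small script showing what an attacker can do with a single leak. It is an added example, not part of the original article: the credential pairs, the site names and the “site name + fixed word” scheme are all constructed for illustration. Given leaked (username, site, password) triples, it finds passwords reused verbatim across sites, infers the template behind scheme-generated passwords, and produces the guesses an attacker would try first at a site that has never been breached.

```python
"""Why password reuse and 'site name + fixed word' schemes collapse after one leak.

Added example, not part of the original article. The leaked triples below are
constructed; the site names and the scheme are assumptions for illustration.
"""
import re

# Constructed sample leak: (username, site, password). One victim, four sites.
LEAKED = [
    ("jane@example.com", "bestbuy", "BestbuyP@ssw0rd"),
    ("jane@example.com", "costco", "CostcoP@ssw0rd"),
    ("jane@example.com", "amazon", "Tr0ub4dor&3"),
    ("jane@example.com", "ebay", "Tr0ub4dor&3"),
]


def extract_template(site, password):
    """Return (template, case) with the site name replaced by '{site}', or None
    when the password does not embed the site name (matched case-insensitively).
    'case' records how the site name was capitalised so it can be reproduced."""
    match = re.search(re.escape(site), password, re.IGNORECASE)
    if not match:
        return None
    token = match.group(0)
    if token.isupper():
        case = "upper"
    elif token.islower():
        case = "lower"
    else:
        case = "title"  # 'Bestbuy'; mixed case such as 'BestBuy' is treated as title too
    return password[:match.start()] + "{site}" + password[match.end():], case


def instantiate(template, case, site):
    """Fill a template for another site using the capitalisation seen in the leak."""
    name = {"upper": site.upper(), "lower": site.lower(), "title": site.title()}[case]
    return template.replace("{site}", name)


def find_reuse(leaked):
    """Map each password used at more than one site to the sites that share it."""
    sites_by_pw = {}
    for _user, site, pw in leaked:
        sites_by_pw.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in sites_by_pw.items() if len(sites) > 1}


def infer_schemes(leaked):
    """Count how many leaked passwords each (template, case) scheme explains."""
    counts = {}
    for _user, site, pw in leaked:
        scheme = extract_template(site, pw)
        if scheme is not None:
            counts[scheme] = counts.get(scheme, 0) + 1
    return counts


def predict(leaked, target_site):
    """Candidate passwords for target_site, most likely first: verbatim reused
    passwords, then every inferred scheme instantiated for the target site."""
    candidates = list(find_reuse(leaked))
    schemes = sorted(infer_schemes(leaked).items(), key=lambda kv: -kv[1])
    for (template, case), _count in schemes:
        guess = instantiate(template, case, target_site)
        if guess not in candidates:
            candidates.append(guess)
    return candidates


if __name__ == "__main__":
    print("reused:", find_reuse(LEAKED))
    print("schemes:", infer_schemes(LEAKED))
    # 'target' was never breached, yet two strong guesses fall out of the leak.
    print("try at target:", predict(LEAKED, "target"))
```

Two leaked passwords are enough to recover the template; from there every other account that follows the scheme is one guess away, which is the point the paragraph above makes. Real credential-stuffing tooling does the same thing at scale, with the guesses fed to login forms rather than printed.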

OK, those things were bad; what should you do instead?

There are many different solutions for password management. What I am looking for in a solution is:

  • I want it to work across all my devices; I am not overly keen on relying on a solution that will work only on my phone and MacBook but not on my PC.
  • The solution must work for browser and various apps. Not just browser.
  • I want to be able to do a backup of the data on my own terms.
  • I want to have the ability to share passwords with a family member.
  • I want to be able to manage multiple password files, for different purposes.
  • I prefer not to pay a service fee / subscription (but this would not be a deal breaker).

The above requirements disqualify things like: browsers saving passwords (those passwords can be replicated between machines, but they stay stuck in the browser); the iCloud Keychain (I am in the Apple ecosystem, but not 100%, as I use PCs too); and various phone-only solutions (like Microsoft Authenticator, which has no PC presence). While I might let any of those save a password for easier use in specific scenarios, they will not be where my passwords are “mastered” from.

Generally speaking, you have two options when talking password management:

  • Get a password “service”. For a (usually) small fee, you get a place online that stores all your passwords and typically “endpoint apps” for all your devices that sign into your password vault. Some examples: LastPass, 1Password, Dashlane. There are likely others. The benefit is simplicity and a hands-off approach to what makes it work. The drawbacks are the recurring cost (although not very high) and knowing that those services, too, can have data breaches or information leaks.
  • Host your own (self-host) encrypted password database and take care of its replication yourself. The benefits are the ability to change storage providers (no vendor lock-in) and to switch solutions when wanted. The drawback is complexity: you need to make sure that all your computing endpoints support the password database you chose, you need to decide how to replicate the passwords between devices, and if your data gets leaked, it will be your own fault. Some examples of self-hosting products are KeePass (or any of the compatible apps), Passkeep or Bitwarden (which can be self-hosted or used as a hosted service). Typical shared storage would be something like OneDrive, Google Drive or Dropbox (or you could choose not to use shared storage at all).

I will tell you right now: whichever direction you take, you will be in a better situation than if you do not have centrally managed passwords at all. Do not let perfect be the enemy of good here; either direction carries some cost (in time or money), but almost ANYTHING is better than storing passwords in an insecure way.

How I do it

I want to be clear that the way that I do it is not presented as the best way there is. It is simply the way that works for me and my family (for passwords that we share), with devices that we use.

  • On the PC, we use KeePass to create a password database. There are various ways to encrypt the database.
  • The encrypted database is then stored on Microsoft OneDrive, in a separate folder that is shared with my spouse only.
  • On iPhone / iPad we use an app called KeePassium to access this database.
  • On my MacBook, I use KeePassXC.
  • While OneDrive keeps file versions by default for me, I backup that file also locally on one of my computers on a nightly basis via a scheduled task. (Hmm… this reminds me, I should probably write about backups at some point!)

All the above ensures that everyone who needs access has access to the password database (and can create / edit passwords too) on all the devices they use. OneDrive replicates the database file between devices, and the devices use the file seamlessly (phones can even open the password database with biometric authentication). Because the encrypted file sits with a cloud provider, the strength of the master password (and, optionally, a key file that is not synced alongside the database) is what protects it. Perhaps sharing a password file between spouses is not a requirement for you; if so, you do not need to worry about sharing the file and making sure they have access.
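The nightly local copy mentioned above is the step most people skip, so here is one way to do it. This is an added example and not the author's actual scheduled task; the source and backup paths are assumptions, and it is written so it can be run from a scheduled task on any platform with Python. Beyond a plain copy, it refuses to back up a file that does not carry the KeePass 2.x (.kdbx) file signature (which catches a half-synced or corrupted copy), skips the copy when nothing has changed since the last backup, verifies the copy by SHA-256, and prunes old backups beyond a configurable count.

```python
"""Nightly verified copy of a KeePass 2.x (.kdbx) database with rotation.

Added example, not the article author's own scheduled task. SOURCE and
BACKUP_DIR below are assumed paths; change them for your setup.
"""
import hashlib
import shutil
from datetime import datetime
from pathlib import Path

# Assumed paths: the synced database and a local, non-synced backup folder.
SOURCE = Path.home() / "OneDrive" / "Shared" / "family.kdbx"
BACKUP_DIR = Path.home() / "kdbx-backups"

# KeePass 2.x files begin with signatures 0x9AA2D903 and 0xB54BFB67, little-endian.
KDBX_SIGNATURE = bytes.fromhex("03d9a29a") + bytes.fromhex("67fb4bb5")


def looks_like_kdbx(path):
    """True when the file starts with the KeePass 2.x signature."""
    with open(path, "rb") as f:
        return f.read(8) == KDBX_SIGNATURE


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large databases are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_database(source, backup_dir, keep=30, now=None):
    """Copy source into backup_dir as <stem>-<timestamp>.kdbx and return the
    backup that now represents the current database.

    - raises ValueError if source lacks the KDBX signature (do not overwrite
      good backups with a broken or partially synced file);
    - returns the newest existing backup unchanged if its hash equals source;
    - verifies the new copy by hash and deletes it if the copy is corrupt;
    - keeps only the newest `keep` backups (timestamps sort lexicographically).
    `now` exists so the timestamp can be fixed in tests."""
    source, backup_dir = Path(source), Path(backup_dir)
    if keep < 1:
        raise ValueError("keep must be at least 1")
    backup_dir.mkdir(parents=True, exist_ok=True)
    if not looks_like_kdbx(source):
        raise ValueError(f"{source} does not look like a KeePass 2.x database; not backing up")

    existing = sorted(backup_dir.glob(f"{source.stem}-*.kdbx"))
    source_hash = sha256_of(source)
    if existing and sha256_of(existing[-1]) == source_hash:
        return existing[-1]  # nothing changed since the last backup

    stamp = (now or datetime.now()).strftime("%Y%m%d-%H%M%S")
    dest = backup_dir / f"{source.stem}-{stamp}.kdbx"
    shutil.copy2(source, dest)
    if sha256_of(dest) != source_hash:
        dest.unlink()
        raise IOError(f"backup copy {dest} does not match source; removed it")

    for old in (existing + [dest])[:-keep]:
        old.unlink()
    return dest


if __name__ == "__main__":
    print("backed up to", backup_database(SOURCE, BACKUP_DIR))
```

Run it once a night from Task Scheduler, cron or launchd. The signature check matters because a sync client can leave a truncated or placeholder file in place of the database; without it, a nightly job would happily rotate the last good backup out of existence while copying garbage.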

What is in this password file?

I have a unique, randomly generated password for every single site / app / service. There are several hundred entries in the main password file, and every single password is unique. While I appreciate that various browsers and phone software offer to generate unique passwords for me, my workflow is that passwords are generated ONLY by the password manager (or are pasted into the password manager). The important thing is that I do not want to create a unique password in a browser or app and then have no easy way of accessing it from a totally different device, or risk losing the password if something happened to that machine or browser instance.

I never remember individual site / service passwords. I really need to know one thing: how to unlock my password file. Anything else? Computers / phones are great at storing data, so I let them do that for me. I might know one or two more passwords but overall, I do not put any effort into remembering passwords or making them “easy to remember”.

Again, take any approach to storing passwords that fits your lifestyle! But do not leave this to chance, and do not hope that your insecure password storage method is OK just because it has been OK so far. Passwords are still a large part of our lives, and it is not too late to revamp your (or your family members’) password storage process!

Finally, I will leave you with a classic xkcd comic about passwords:

https://xkcd.com/936/

Stay safe!

More articles by Nino B.