How safe are your keys to your accounts? [Photo: Henrik Hemrin]

It must have been in the 1990s that I got my first password for private internet use.

I started early with a sheet of paper to note down registrations and login info. Over time it evolved into a notebook for registrations, login info, software licenses, hardware info and more.

I started with mostly pretty simple passwords, and reused them as well. The complexity of my passwords has indeed increased over the years. I have also worked more and more on not reusing the same passwords at different sites, especially the more important ones where I would suffer more if someone broke in. Those decently secure passwords, unique per site, have been possible to change and still decently easy to remember for more frequent logins. But the notebook has been needed for all of them as a backup memory.

Over the years, it has also become more difficult to find the entries in my notebook, and difficult to keep them in any sorted order. Then there is the trouble when I don't have the notebook nearby, and the laziness about looking things up in the book. I have many registrations, far more than a hundred!

Some codes I have also needed to always have with me in my pocket, so for many years I have also used an app on my mobile for important codes.

I have over time become less comfortable with my password handling. At the same time, I have been hesitant to store passwords digitally. A paper notebook, as long as it is not stolen, is a safe place to keep them.

I have read many websites and articles about passwords. I plan to list some sources for internet privacy and security I consider useful in a separate article later.

I have read that it is not critical to change a good, strong password regularly. But it must be changed if it is revealed somehow. I have also read that one method, which can be safer than having less strong passwords or reusing passwords between registrations, is to not remember passwords at all and instead always use “I have forgotten my password” to generate a new password every time.

Well, I concluded that I want to have my passwords stored digitally in a Password manager instead of in my notebook.

If I was now going to start using a Password manager, I wanted a product that can do more than only handle logins.

Some of my criteria for a Password manager:

  • Secure and trustworthy
  • Possible to use on multiple devices; automatically synchronized
  • Relatively easy to use
  • Available for multiple platforms and device types
  • Handles not only passwords, but also e.g. PIN codes, software licenses and other info I have in my notebook

Regarding access to the Password manager from multiple devices, I believe any such solution is a higher risk than a more stand-alone solution. But it is so convenient.

After reading many articles and web sites, and trying a few solutions, I decided on “1Password”. It is paid software. After reading articles and their own information, including their white paper (although the white paper still has some unwritten sections), I concluded that I feel decently confident that their solution is secure enough. Surely, I do not understand all I read. 1Password has competitors, both commercial and open source and non-commercial, which meet my criteria to varying degrees.

With the Password manager I only have to create and remember one password. But this password must be strong, “impossible” to guess or try out, and not least, I must remember it.

When I migrated to the Password manager, I took the opportunity to clean up and terminate some registrations.

Generally I generate passwords which are maybe 30 characters long, with a combination of upper case, lower case, numbers and symbols. The Password manager automatically creates such passwords; I can input how long they should be and how many numbers and symbols I want. It can also create passwords based on words. Those very long generated password strings are impossible for me to remember, very difficult to guess, and would take a computer a long time to try out. If someone gets access to the database of the registration, the password can of course be revealed.

When I have created new, strong passwords, I have seen that some sites do not allow passwords as long as 30 characters, and not all allow symbols. Some sites require the user to use, I would argue, too insecure passwords.
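To show what the generator settings described above (length plus a chosen number of digits and symbols) mean for guessing resistance, and what a site's length or symbol limit costs, here is an added example; it is not 1Password's code or the author's, and the symbol set and the guess rate are constructed assumptions.

```python
import math
import secrets
import string

# The four character classes the post's generator mixes (symbol set is a constructed choice)
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"   # 25 symbols


def generate_password(length=30, digits=4, symbols=4):
    """Random password with exactly `digits` digits, `symbols` symbols, rest letters.

    Uses the OS CSPRNG via `secrets`, never `random`, for anything that guards an account.
    """
    if digits + symbols > length:
        raise ValueError("digits + symbols must not exceed length")
    rng = secrets.SystemRandom()
    chars = [rng.choice(DIGITS) for _ in range(digits)]
    chars += [rng.choice(SYMBOLS) for _ in range(symbols)]
    chars += [rng.choice(UPPER + LOWER) for _ in range(length - digits - symbols)]
    rng.shuffle(chars)   # so the digits and symbols do not sit at fixed positions
    return "".join(chars)


def keyspace_bits(length=30, digits=4, symbols=4):
    """log2 of the number of distinct passwords generate_password() can emit.

    Exact count: choose positions for the digits and symbols, then a value for each slot.
    This is a little below length*log2(alphabet) because the class counts are fixed.
    """
    letters = length - digits - symbols
    count = (math.comb(length, digits) * math.comb(length - digits, symbols)
             * 10 ** digits * len(SYMBOLS) ** symbols * 52 ** letters)
    return math.log2(count)


def expected_brute_force_years(bits, guesses_per_second=1e10):
    """Expected time to find the password by exhaustive guessing (half the keyspace on average).

    The guess rate is a constructed assumption; an offline attack on a leaked database with a
    fast hash runs far faster than online login attempts, so treat it as an order of magnitude.
    """
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # 30 chars as in the post, then a site that caps length at 16 and forbids symbols, then 8
    for spec in ((30, 4, 4), (16, 2, 0), (8, 2, 0)):
        bits = keyspace_bits(*spec)
        print(spec, generate_password(*spec), f"{bits:.1f} bits",
              f"{expected_brute_force_years(bits):.3g} years")
```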

Once I have crossed the line and given up entering passwords manually and storing them in a notebook, it is no problem that the passwords are long and impossible to remember. And it is no problem for me to change them; I do not need a system for changing passwords so that I can still remember them.

The Password manager also helps me analyze: reused passwords, weak passwords, whether my registration may have been leaked (integration with “Have I Been Pwned”), and more.

Besides strong passwords, I consider it worth using two-factor authentication (2FA) where available, e.g. by SMS, a software code generator or hardware. My Password manager has a built-in code generator, so I can often use that one. But I am curious to try out the YubiKey physical solution.

Furthermore, I can store other codes, software licenses, free-text items, etc. And I can add more information than the password to a registration. I can even store important documents. And I can add tags. All in all, a Password manager gives me a good overview of my passwords and other items.

This is where I am today on my password journey! What about you?

Henrik Hemrin
17 October 2018