A guide to (personal) password security

Or, how the hell would you keep track of all the passwords you need to remember.

(This was supposed to be a short note I had planned to share internally to our team, but ended up growing too large. I decided to post it online in the hope that it would be useful to others too! — Ankit)

The short version is:

  • Use a password manager.
  • Make sure that the password manager is backed up!
  • Use a long, unique password (that you remember) for your email account.
  • Turn on two-factor for your email at least.
  • Generate random passwords for every other site you register on.

Short note before we begin: If you’re following this guide, be careful and consider the steps you are taking. You do not need to do everything at once — understand each step and make deliberate progress. It’s better to do this methodically 👍

Step 0: Check if your passwords are already compromised

Go to haveibeenpwned.com and enter your primary email address — I bet you will be surprised with what you find there. If your credentials have been leaked, please go and change them!

You can also sign up to receive notifications for future data breaches.

Step 1: Start using a password manager

A password manager is an application that behaves as your own personal password database. You only need to remember one password — the master password that you can use to unlock your password database — and all your other passwords will be saved within the password manager.

This is tremendously useful.

  1. You can have a unique password for every application or website you need to register for. Having unique passwords is critical: using the same password on every website is trusting every website with all your other accounts. While most companies would store passwords in a secure manner, you only need one bad implementation for all your accounts to be compromised.
  2. Using a password manager means that you can actually use long and secure passwords. Secure passwords mean that even if the database is leaked, attackers will not be able to easily brute-force the plain-text of the password. Password managers can usually generate random passwords for you — here’s a 20-character password I just generated: 5y3gqRWRAw6J88jktZhZ
  3. It reduces stress. You don’t have to remember multiple passwords. You don’t have to panic every time some application forces you to change your password.

I highly recommend always using a password manager.

There are many options to choose from. Two high-level classifications are:

  • Online password managers — usually a SaaS product; they use a central server to store your passwords and usually have browser extensions or native client applications. Examples include LastPass and 1Password.
  • Offline (local) password managers — applications like KeePass that you install locally, and store the passwords within a file on your computer.

What do you pick? Look at the options and decide for yourself. There are many articles that review, compare & contrast different options.

I personally use KeePass. It’s an open source, local (offline) password manager. While it may not be as well integrated as some of the other options, I have been using it for over five years now and have never had any problems.

This is my setup:

  • KeePass on Windows, and KeePassX on Mac / Linux.
  • Password database stored on a Dropbox folder.
  • KeePassDroid for accessing passwords from my phone.

Step 2: Make sure your password database is backed up

If you are using a local password manager like KeePass, you should make sure that you do not lose your database! By far the simplest option is to use something like Dropbox or Google Drive and put your database file there. You should think about having multiple copies though — just in case.

Do the following: one cloud provider, and one physical offline copy (backup to a USB drive). Hell, just email it to yourself every so often.

If you lose your database, you’ve basically lost all your accounts. So take this very seriously.

This is one argument in favour of using online password managers, but I recommend taking backups / exports from any online provider as well — just in case.

One very subtle point: if you put your database within Dropbox, make sure you remember Dropbox’s password! Don’t use the password manager to store credentials for any service you use to backup your password manager! Otherwise, you will lose access to it.

Step 3: Use good passwords for your email account(s)

I only need to remember three passwords, really:

  • The password to my Google account
  • My Dropbox password
  • And my password manager password

I personally prefer to use a strong but recallable password for my email. If you can access your email account, you can reset access to most online accounts with some effort, so the loss of your password manager (if you manage to lose it) will not impact you so much.

I prefer being able to access email on any new machine, from my phone, etc — without needing to set up a mobile app to decrypt passwords. It’s too critical to lose access to.

Step 4: Turn on Two-Factor Authentication for your Email

For the love of all that’s holy — turn on two factor auth for your email account at the very minimum.

Phishing attacks are very common now, and have gotten scarily good. Your email account is the key to everything else. (This is how the US Democratic party was hacked!)

(Image: a recent, scarily-good phishing attack)

Using two-factor authentication will drastically reduce the scope of phishing attacks: even if your credentials leak, the attacker will not have access to the secondary auth mechanism.

If you use Gmail for example, turning on two factor is simple. You can use three modes of authentication:

  • An SMS OTP, which can be sent to your primary phone number or to a recovery phone. Get someone you trust to be the recovery phone number for your account, in case you are stuck somewhere without access to your own phone.
  • TOTP codes — one-time codes that can be generated by an application like Google Authenticator without needing access to the internet.
  • A hardware security key, which would cost money unfortunately.

I suggest using both TOTP codes and SMS (with primary and secondary phone numbers).

A few other guidelines:

  • If you use only TOTP codes, you should know that you will lose access to your account if your phone is reset. Make sure you keep backup codes stored somewhere securely, or that you have a phone number option!
  • I store backup codes in my password manager, of course (where else!)

Step 5: Generate random passwords for every other site

If you’ve followed these steps, you should now start using randomly generated passwords for each account you use. You can start slowly — keep changing passwords for sites as you log in to them.

For me, doing this was a relief: I was able to let go of some anxiety about remembering too many usernames & passwords, and only focus on the most crucial ones.

Questions, comments? Please reach out to me via email or twitter.

PS: ClearTax is hiring. Please send an email to ankit@cleartax.in if you’re interested!