
Protecting account passwords

Why you should use a specific password manager or password storage app

Encycl0
The Startup


[Image: password managing and storage software/apps. Photo by Dan Nelson on Unsplash]

If you are reading this, chances are that you have a Medium.com account, and just like “with great power comes great responsibility”, every account comes with a unique username and password :)

So you end up with a ton of unique usernames and passwords, each meant to be your key to a different digital door: Google, LinkedIn, Facebook, Reddit, Medium, and so on. And that's not the end of the list: you also have usernames and passwords for banking apps and accounts, and those are far more important than your social media accounts.

And how do you remember them?

  • If you are saving them in your browser, you shouldn't.
  • If you are using identical or almost identical usernames and passwords, you risk losing multiple accounts at once.
  • If you are saving them locally on your system, in a PDF or text file, you shouldn't do that either. Even if you encrypt the file or password-protect it, there is still a chance that your data will be compromised.

How?

For example (nerd stats warning):

I have a text file in which I store all my account/banking details. I compress and encrypt it with 7-Zip (or any other encryption software) using the following parameters:

Compression parameters:

  • Archive format: 7z
  • Compression level: Ultra
  • Compression method: LZMA2
  • Dictionary size: 64 MB
  • Solid Block size: 4 GB
  • Number of CPU threads: 4

Encryption parameters:

  • Encryption method: AES-256
  • Encrypt file names: True

The password for the encryption is chosen so that it won't be found in any dictionary; it is an almost random string of 15–20 upper- and lower-case letters, numbers, and symbols. I do not store this password anywhere. The filename of the text file is also chosen so that nobody can tell the file has anything to do with account details.
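One way to produce a password of the kind described above, as an added example that is not part of the original post: it draws from the operating system's CSPRNG via the standard library's `secrets` module (never `random`), requires every character class to be present, and reports how many bits of entropy a given length buys. The 94-character alphabet and the length range are this example's own choices.

```python
"""Generate a random archive/master password and estimate its entropy.

Added example, not code from the original post. Uses only the standard
library; the alphabet (printable ASCII, 94 symbols) and lengths are assumptions.
"""
import math
import secrets
import string

ALPHABET_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)
ALPHABET = "".join(ALPHABET_CLASSES)  # 94 printable ASCII characters


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string of `length` symbols, in bits."""
    return length * math.log2(alphabet_size)


def has_every_class(password, classes=ALPHABET_CLASSES):
    """True if the password contains at least one symbol from each class."""
    return all(any(c in cls for c in password) for cls in classes)


def generate_password(length=20):
    """Uniformly random password with every character class present.

    Rejection sampling keeps the distribution uniform over qualifying strings;
    at 15+ characters the class requirement rejects roughly a fifth of
    candidates, which costs only a fraction of a bit of entropy.
    """
    if length < len(ALPHABET_CLASSES):
        raise ValueError("too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_every_class(candidate):
            return candidate


if __name__ == "__main__":
    for n in (15, 20):
        print(n, generate_password(n), f"~{entropy_bits(n):.1f} bits")
```

A 15-character string over this alphabet carries about 98 bits of entropy and a 20-character one about 131 bits, which is why brute force against the archive is not the practical attack; the rest of the post is about the copy that escapes the archive altogether.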

But is this secure enough?

[Image: password managing and storage software/apps. Photo by Daniel Herron on Unsplash]

The answer is a big NO.

Let's see how.

Now assume that your system is compromised by malicious software and someone else takes control of it, or, in another scenario, that someone gains physical access to your system.

Although the parameters above are very strong and the archive cannot be cracked by brute force, a professional doesn't even need to do that.

Yes, you did not store the unencrypted file anywhere, but your encryption software does it automatically for you.

How convenient, isn’t it? ;)

The text file is still in the Temp directory of your operating system (Windows/macOS), so it is still accessible and can be opened with any external text editor.

And that's not all: in the worst case, such an application often never bothers to delete the file, relying on automatic cleanup to do it at some point in the future… (The operating system's Temp directory, like the browser's cache directory, can be a real cave of wonders for attackers!)

“Every time you open and decrypt the file to use it, you are at risk”

The problem with using 7-Zip or any other encryption software to keep account details in an encrypted text file is that when you need the data, you have to open the file and unzip it. At that moment 7-Zip dumps an unencrypted copy of it in the OS temp directory. You (or the software) will need to wipe the temp directory properly every time you open the file.
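A small audit script for the temp-directory problem described above, as an added example that is not part of the original post or of 7-Zip: it lists scratch folders an archive tool leaves behind, flags files that look like they hold credentials, and overwrites and deletes them. The folder-name prefixes (`7zO`, `7zE`) are assumptions about how the tool names its scratch folders; check what your own tool and OS actually use, and note that overwriting is best-effort on SSDs and copy-on-write filesystems.

```python
"""Audit a temp directory for plaintext left behind by archive tools.

Added example, not code from the original post. The scratch-folder prefixes
are assumptions (adjust for your tool/OS); the demo runs on a constructed
temp layout so it never touches the real system temp directory.
"""
import os
import shutil
import tempfile
import time
from pathlib import Path

# Assumed prefixes of the scratch folders an archive tool creates when you
# "open" a file from inside an archive. Verify against your own tool.
DEFAULT_PREFIXES = ("7zO", "7zE")


def find_leftovers(temp_dir, prefixes=DEFAULT_PREFIXES, min_age_seconds=0):
    """Return [(folder, [files...])] for scratch folders still present.

    min_age_seconds lets you skip folders a tool may still be using.
    """
    now = time.time()
    found = []
    for entry in sorted(Path(temp_dir).iterdir()):
        if not entry.is_dir() or not entry.name.startswith(prefixes):
            continue
        if now - entry.stat().st_mtime < min_age_seconds:
            continue
        files = sorted(p for p in entry.rglob("*") if p.is_file())
        found.append((entry, files))
    return found


def looks_like_secrets(path, markers=(b"password", b"pin", b"account")):
    """Cheap heuristic: does the first 64 KiB of the file mention credentials?"""
    try:
        head = path.read_bytes()[:65536].lower()
    except OSError:
        return False
    return any(m in head for m in markers)


def remove_leftovers(leftovers):
    """Overwrite each file once with zeros, then delete the folder.

    Overwriting is damage control only: on SSDs and journaling or
    copy-on-write filesystems the old blocks may survive.
    Returns the number of files removed.
    """
    removed = 0
    for folder, files in leftovers:
        for f in files:
            size = f.stat().st_size
            with open(f, "r+b") as fh:
                fh.write(b"\0" * size)
                fh.flush()
                os.fsync(fh.fileno())
            removed += 1
        shutil.rmtree(folder)
    return removed


def demo():
    """Run the audit on a constructed temp layout; returns a summary tuple."""
    with tempfile.TemporaryDirectory() as tmp:
        scratch = Path(tmp) / "7zO1A2B3C4D"  # constructed leftover folder
        scratch.mkdir()
        (scratch / "notes.txt").write_text("bank login: user / password: hunter2\n")
        other = Path(tmp) / "unrelated"       # constructed, must be ignored
        other.mkdir()
        (other / "x.txt").write_text("nothing here\n")

        hits = find_leftovers(tmp)
        flagged = [f for _, files in hits for f in files if looks_like_secrets(f)]
        removed = remove_leftovers(hits)
        return len(hits), len(flagged), removed, find_leftovers(tmp) == []


if __name__ == "__main__":
    print(demo())
```

Run it against your real temp directory by calling `find_leftovers(tempfile.gettempdir())` and reviewing the result before passing it to `remove_leftovers`; the honest conclusion, as the post goes on to say, is that a tool which never writes the plaintext to disk in the first place is the better fix.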

How is a password managing and storage app/software more secure?

The main problem with the above method of storing account details is that encryption software is designed to protect the original file it is encrypting; that's why it creates a temporary copy before encrypting, and again every time you open or decrypt the file.

Password managing and storage software like KeePass is specially designed for this purpose. It never saves any password without encrypting it, and it never stores a decrypted version anywhere on the system.

When you create a new database of account details in password managing software, you only have to remember one master password to access the database, and everything you type into the database is encrypted from the start.

“You must protect the master password properly and with utmost care”

If it falls into the wrong hands (which is technically anyone other than you), that person can access all of your accounts.

[Image: password managing and storage software/apps. Photo by Shane Avery on Unsplash]

That means:

  • Never write it down anywhere digitally (smartphone, PC, tablet, etc.).
  • Never save it as a photo or screenshot.
  • Never reuse an old password from any other account.
  • Never use obvious, easy-to-guess passwords like dictionary words, your birthdate or your name, etc.
  • If you write it on a piece of paper (which I would advise against), omit a few characters and memorize them, so that it's safe even if someone else finds it.
  • And lastly, don't share it with anybody (well, this one is a no-brainer).

Last but not least — research properly which software or app you are going to use. I prefer open-source software because it is generally considered the most secure, but there are also paid ones on the market that offer a lot more convenience and other features.
