I keep all important passphrases in my paper agenda and in my mobile phone and my browser remembers all the passphrases I use online. That is probably not safe. Is there a better solution?
You’re using several online services and have a different passphrase for each because it’s safer. You can’t remember all of them, so you allowed your browser to remember them when you first logged in. You also have other important and sensitive details to remember, such as PINs, credit card numbers and important phone numbers. Since it’s impossible to remember them all, you keep these numbers and passphrases on paper and in a text document on your desktop. If the paper agenda is lost, you’ll be locked out of your accounts. If someone gains physical access to your computer or mobile phone and finds the paper agenda too, gaining access to all of your accounts is trivial.
What you should do
There are a few options for good passphrase management and many poor passphrase management practices. Here is a list of what you should and shouldn’t do.
- Never store passphrases or other sensitive details in a text file on your desktop or in any other way that would permit intruders into your computer to easily find them.
- Don’t store passphrases in your browser’s passphrase manager. Allowing your browser to “remember” passphrases to online services such as your email or Facebook account means that it stores your passphrases in a single unencrypted file that can be easily recovered and read by anyone who gains access to your computer, either physically or remotely. For example, someone could get remote access via a malware programme. If this happens, see Kit #1: My email, Facebook or Twitter account was hijacked. From the browser settings menu, stop storing your passphrases, delete those that are already stored in your browser, and disallow the browser from ever asking you to store your log-in information again.
- Install a standalone passphrase manager application. This allows you to easily copy and paste passphrases into online forms. The software is designed so that you never need to display the passphrase on your screen, and because you do not need to type them, it protects you from sophisticated monitoring techniques. If someone takes control of your computer, they won’t be able to access any of this information without knowing the master passphrase to your passphrase manager application.
- A recommended passphrase manager application is KeePassX for Windows, Mac and GNU/Linux. KeePassX is easy to use, doesn’t need installation and can be moved around with USB storage. Some passphrase managers, including KeePassX, allow you to not only store passphrases, but also any type of text or file types as attachments that you can lock under the master passphrase.
To keep in mind
- Consider revisiting all your passwords and replacing them with passphrases, which are longer and more secure.
- Consider changing all of your passphrases annually.
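The Diceware method named under “Where to find more help” is easy to try out in code. The following is an added example, not part of the original kit and not KeePassX or Diceware project code. It assumes a constructed 36-word list keyed by two dice (a real Diceware list has 7776 words keyed by five dice) so that it runs offline, and it uses the operating system’s random number generator in place of physical dice. It also shows why the advice above holds: six words from a real Diceware list carry more entropy than eight random printable characters, while being far easier to memorise.

```python
import math
import secrets

# Constructed miniature word list, keyed by two dice, standing in for a real
# Diceware list (7776 words keyed by five dice). The words are arbitrary and
# chosen only so the example runs offline.
WORDS = (
    "acorn", "badge", "cabin", "delta", "ember", "fable",
    "gavel", "hazel", "igloo", "jumbo", "kayak", "lemon",
    "mango", "noble", "oasis", "panda", "quilt", "raven",
    "salsa", "tango", "ultra", "vivid", "waltz", "xenon",
    "yacht", "zebra", "amber", "bison", "cider", "dusty",
    "eagle", "flint", "gusty", "humid", "ivory", "jolly",
)
DICE_PER_WORD = 2
# Keys run "11", "12", ..., "16", "21", ..., "66", exactly like a paper list.
WORDLIST = {
    f"{d1}{d2}": word
    for (d1, d2), word in zip(
        ((a, b) for a in range(1, 7) for b in range(1, 7)), WORDS
    )
}
REAL_DICEWARE_WORDS = 6 ** 5  # 7776 entries, one per five-dice roll
PRINTABLE_ASCII = 94          # choices per character in a random password


def roll_dice(count):
    """Roll `count` fair six-sided dice with the OS CSPRNG; returns e.g. '36'.

    secrets.randbelow is used instead of random.randint because the latter
    is not suitable for generating secrets.
    """
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))


def lookup_word(roll, wordlist=WORDLIST):
    """Map a dice roll such as '41' to its word, as a paper Diceware list is read."""
    return wordlist[roll]


def generate_passphrase(word_count, wordlist=WORDLIST, dice_per_word=DICE_PER_WORD):
    """Build a passphrase of `word_count` independently rolled words."""
    return " ".join(
        lookup_word(roll_dice(dice_per_word), wordlist) for _ in range(word_count)
    )


def entropy_bits(choices, length):
    """Entropy of `length` symbols each drawn uniformly from `choices` options."""
    return length * math.log2(choices)


def words_needed(target_bits, wordlist_size=REAL_DICEWARE_WORDS):
    """Smallest number of Diceware words that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    # With the toy 36-word list each word adds only ~5.2 bits, so this
    # passphrase is a demonstration of the mechanism, not one to use.
    print("demo passphrase:", generate_passphrase(5))
    print("8 random printable chars: %.1f bits" % entropy_bits(PRINTABLE_ASCII, 8))
    print("6 real Diceware words:    %.1f bits" % entropy_bits(REAL_DICEWARE_WORDS, 6))
    print("words for 80 bits:", words_needed(80))
```

Each word is an independent uniform draw, so the entropy is simply the number of words times log2 of the list size; the length of the words themselves adds nothing to the security, which is why the list can be made of short, memorable words. If you generate a passphrase this way for real, use the full 7776-word list and keep the dice rolls off the screen of any computer you do not trust.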
Where to find more help
- Create secure passphrases using Diceware.
- Learn more about creating passphrases that you can memorise.
- Secure data on your computer (see Kit #4. I need to carry around sensitive data in a secure manner).
- Get started using KeePassX – Secure passphrase storage.