Having worked [eeek] at least a quarter-century in IT Security, I know one of the biggest problems with your personal security on the internet is people's reliance on crappy passwords. "P@ssword1!" is a bad password. Your phone number is a bad password. Your ex-girlfriend's name and phone number is a bad password. Even "ManchesterUnited1?" is a bad password: though it's quite long and contains upper, lower, numbers, and a symbol, it is still made of two dictionary words with a really obvious number and symbol on the end, and will take a few seconds, or at best a few hours, for any modern multi-core password cracker to break. "Ezede'feG,'d"!&5${O2" is a good password, but of course you're never going to remember it, so what's the point? The most secure passwords that are also memorable are ones of the "Correct-Horse-Battery-Staple" variety (see also the XKCD cartoon that inspired this method).
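To put numbers on the "Correct-Horse-Battery-Staple" argument, here is an added example (not from the original post) that generates such a passphrase with the OS random generator and compares its guess-space with the "Word+Word+digit+symbol" shape of "ManchesterUnited1?". The word list, dictionary size and guess rates are constructed assumptions for illustration.

```python
# Added example, not from the original post: a "Correct-Horse-Battery-Staple"
# generator using the OS CSPRNG, plus the guess-space arithmetic behind the claim
# that "ManchesterUnited1?" is weak. SAMPLE_WORDS is a tiny constructed stand-in;
# real diceware-style lists have thousands of entries (7776 is the classic size).
import math
import secrets

SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "kettle", "orbit",
                "velvet", "anchor", "pixel", "meadow", "saddle", "lantern"]


def generate_passphrase(wordlist, n_words=4, sep="-"):
    """Pick n_words uniformly at random (with replacement) via secrets.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_bits(list_size, n_words):
    """Entropy in bits of n_words chosen uniformly from list_size words."""
    return n_words * math.log2(list_size)


def pattern_bits(dict_size=20000, n_words=2, digits=1, symbols=1):
    """Guess-space of the '<Word><Word><digit><symbol>' shape, assuming the
    cracker's rule set already knows the shape (assumed sizes: 20k-word
    dictionary, 10 digits, 32 common symbols)."""
    return (n_words * math.log2(dict_size)
            + digits * math.log2(10)
            + symbols * math.log2(32))


def expected_crack_seconds(bits, guesses_per_second):
    """Average time to hit the secret: half the space divided by guess rate.
    The rate is the attacker's, and depends on the hash protecting the
    password: very high for a fast unsalted hash, far lower for a slow KDF."""
    return (2 ** bits / 2) / guesses_per_second


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
    candidates = [("'Word+Word+digit+symbol' pattern", pattern_bits()),
                  ("4 words from a 7776-word list", passphrase_bits(7776, 4))]
    # Two illustrative guess rates: a fast hash on a GPU rig vs a slow KDF.
    for label, bits in candidates:
        fast = expected_crack_seconds(bits, 1e10) / 86400
        slow = expected_crack_seconds(bits, 1e4) / 86400
        print(f"{label}: {bits:.1f} bits; ~{fast:.1f} days @1e10/s, "
              f"~{slow:.0f} days @1e4/s")
```

The same arithmetic shows why the KDF discussed further down matters: the slow-KDF rate turns the four-word passphrase from days into millennia.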
The next biggest problem is that even if someone has a good password, they will tend to re-use the same password all over the web. This is bad because if (or realistically when) ONE of those sites gets hacked, and the password details leaked, hackers can try "credential stuffing". See some of the web's largest breaches listed on "have i been pwned". If (/when) your Facebook account is hacked, or your MySpace, LinkedIn, Wattpad, Adobe/Acrobat (to name a few of the big ones), the leaked lists become available for hackers to try against your bank, your email, your insurance provider, your pension, even if those have not (yet) been hacked. This is not a hypothetical problem - there are lists that can be easily downloaded containing 2.7 BILLION (with a B) username/password combinations and there's a really good chance that at least one of yours is in it.
What's the solution to both of the above?
You pick a good password manager (see below). You pick ONE good, long, secure, memorable, Master Password / Passphrase, and you use that to unlock your Password Manager (and never use that Master Password anywhere else). Your Password Manager can then generate and store super-random passwords of the "Ezede'feG,'d"!&5${O2" style and enter them into each and every other site you wish to log into.
🏆 Win / Win / Win! 🏆
I don't have enough passwords to justify this
No? Less than four? OK, well make sure they are still GOOD passwords, write them down in a notebook, keep it somewhere safe, and sorry for wasting your time. Come back when the number gets a bit higher and you want help remembering / typing really good passwords.
I'm not enough of a target / I've got nothing to hide / etc
OVER 11 BILLION (with a B) accounts have been hacked. That's more than there are people on the planet. Even if you're not hacked yet, you don't have to be a target: automated attacks are compromising people's accounts all the time. "Nothing to hide" is a well-known fallacy that's simply wrong, or in any case Ed Snowden said it better than I: "Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say."
Oh but I have a cunning system where I use one good password and one site-specific bit
Oh really? You put "-fb" on the end of your Facebook password, and "-lb" on the end of your Lloyds Bank account? And you don't think a hacker would find it trivial to experiment a bit once they find your "ManchesterUnited1-li" and already have 80% of your password? "Seconds" would be a gross over-estimate.
Aren't Password Managers kinda inconvenient?
NO! Actually it's super convenient: you get the benefit of ONE memorable Master Password(/phrase), but with none of the security risks of one password(/phrase) being used (or abused) everywhere! After unlocking your Password Manager once you can unlock several other websites in a row.
Isn't my browser's built-in Password Manager enough?
Some of them are... "not awful"... as long as you have added a (good) Master Passphrase. There are, however, a number of well-recognised threats whereby a malicious website exploits a security hole in your browser, at which point your browser is not the best place to have all the keys to your kingdom. Security professionals generally consider it a good idea to keep browser and Password Manager separate, but browser extensions can then give you the same / similar convenience. Password Managers are also usually browser-agnostic, so you can use the same Password Manager but switch between two or more browsers, indeed most browsers (and other apps) across all your devices.
Are there any other benefits?
Your passwords are probably backed up better than your laptop / phone. You can often securely share info with friends / workmates (alarm codes etc). Once you trust your one Password Manager, you can store more than passwords in it. EG credit card info, useful when online shopping, especially if you don't want the store to remember your card details but also don't want to re-type them by hand each time. When your cards are stolen, you have all the details you need to get them properly revoked and re-issued. You can store insurance policy details in case you need to make a claim under unusual circumstances. Tax info, the door code for the club, the combination for that lock on Fred's gate, prescription numbers, membership numbers, car radio unlock code, VIN, driving license details, passport numbers, hotel safe combinations etc etc. Once you know you have a SECURE place to store stuff, it becomes the obvious place to store all sorts of things, safely, that you might need to remember later. When you have just been robbed, or when you suddenly DO need some personal info unexpectedly: "Aha! Yes! It's in my Password Manager!"
How about if my password manager is on my Phone/Desktop/Laptop and I don't have it on me?
Perfectly good question! You will usually install it on all of your devices (Phones, Desktops, Laptops, Browsers), and then most of the good password managers allow "cloud sync" between them. Some even have a website you can use for emergency access if you have none of your Phone/Desktop/Laptop apps on you at the time (but be careful! Make sure you trust the browser you are using as well!).
... or if my Phone/Desktop/Laptop is stolen?
If the thief doesn't have your master password / passphrase, it's still no use to them, BUT assuming you can still remember (or find) your Master Password / Passphrase, you can recover all your other passwords on your replacement Phone/Desktop/Laptop.
... and if my Master Password / Passphrase is stolen?
Then yes, make no mistake, you're having a really bad day. You can and should change your master password, of course. Hopefully your Password Manager also supports Multi Factor Authentication / Two-Step Login which the thief doesn't have access to, so your Master Password / Passphrase can't be abused from any new devices in the meantime? You should also change all the passwords that might have been compromised, but your Password Manager does at least contain a list of all the passwords that will need changing, and can help generate new ones for you, one at a time. Your credit cards may have been stolen too? Does your Password Manager have a list of those so you can also get those revoked / replaced?
Isn't this "All my eggs in one basket?"
Well, kinda, yes, except internet security isn't quite like "dairy produce" security. In this case you would rather have all your eggs in one really good basket, well-protected, properly armour-plated on the outside and soft and protective on the inside too. You want a backup copy somewhere, yes, but you want that backup copy to use the same (or better) security. It's better here to trust one really good basket rather than exposing yourself to the possible security holes of a dozen separate authors / manufacturers / baskets. The key phrase is "attack surface": depending on what you stored in your multiple baskets, and what overlap there is between them, the total exposure is still less overall if you have one really good Password Manager (with backups) rather than a dozen.
Cloud sync, you say? Can the cloud storage provider read all my passwords?
If it's a bad password manager, probably. If it's a good one, it has used proper high-strength "end to end encryption" and strong "key derivation functions", and your passwords are properly encrypted (using a strong key derived from your passphrase) before they leave your Phone/Desktop/Laptop/Browser, so they can't be read by anyone else. Good password managers will also use "Multi Factor Authentication" or "Two Step Login" so that even if your nice long memorable password/phrase has been guessed, or captured by keystroke-logging malware, your secrets should still be (somewhat) safe.
I'm no security expert! How do I know what is a good vs bad password manager?
Really good point. This is critical because a good password manager will protect your security, but a bad one could steal / copy all your secrets without your knowledge, or at least lull you into a false sense of security! I'm here to help; this is important to me too! I've evaluated quite a few password managers in detail, and chosen the Vaultwarden / Bitwarden combination to store all my passwords, and I'm offering it to you too! Vaultwarden is a lightweight server (which I run for you, for free), which speaks the Bitwarden protocols to any/all compatible Bitwarden apps. It does the right thing with world-class military-grade end-to-end encryption done properly, strong key derivation functions, and cloud storage where the service provider can't possibly decrypt any of your passwords without your (long and strong) Master Password / Passphrase. It has a fair selection of Multi-Factor "two step" login options. It has good quality apps for Windows, Mac, Linux, all major smartphones, and extensions for all major browsers, and they are all "open source", which means they are going to be around for a long time even if the authors pack it in and retire tomorrow. Yes, there's even a command-line for my nerdiest friends! :-)
What's the catch?
No catch. Honestly, as an IT Security Professional, your IT security and privacy are important to me. This is something I wanted to run for my own use, at which point it's essentially free for me to offer it to you too (unless you store huge amounts of data in it... so please avoid large attachments!).
Honestly, no caveats at all?!?
Well... OK, sorta kinda... Because this uses real, secure encryption "done properly", there is no way I, or anyone else, can read your secret data without your Master Password/Passphrase, even if you wanted me to. Because of this, you absolutely cannot forget your master password/passphrase. Ever. Or you have lost all access. Forever. Start again from scratch. There is no recovery without your Master Password. None.
I am (honestly) going to recommend that you write down your master password/passphrase, with pen and paper, and store it somewhere really safe. Chinese/Russian/Elbonian/NSA/Mafia/other hackers aren't going to be able to raid that notebook in the back of your locked filing cabinet from across the internet. Someone local who physically steals your filing cabinet is probably going to take a while to realise what this strange 4-word phrase is for, especially if you have not put the URL next to it, and you will hopefully have changed your master password in the meantime, and updated it on all your Phones / Laptops / Browsers / etc.
One more caveat: if you get your Master Password wrong too many times in quick succession, my vault will lock you out. In fact my entire server will look (to you) like it's offline for a short period of time. Don't worry, I'm quite generous, but if you repeat this too often once it comes back, you will be locked out for increasingly inconvenient lengths of time. This is for your protection and mine, to prevent any attempts at "brute forcing" anyone's Master Password.
So: just don't type it wrong too many times.
What if I am offline, or if your server goes offline?
My server has, historically, better than 99.999% uptime, which is better than most paid services, but that could change tomorrow, sure, or indeed you might be offline / without cell coverage / etc. The browser extensions/apps/clients synchronise with the server when online, but having done so, they usually work fine offline too, at least for a while, and they re-synchronise later when you get online again. If my server goes offline for any notable time, I WILL have backups, and I WILL be working out if/how I can get them back online somewhere for my own use as well as yours. Even so, you are welcome to use the built-in "Tools / Export Vault" to keep a backup copy somewhere VERY SAFE, but you will want to make sure malware can't get its grubby hands on it: EG store it on an encrypted USB stick in a safety-deposit box, a safe, or at least a locked filing cabinet, probably not right next to that notebook above though, OK?
What if your server gets hacked?
Vaultwarden / Bitwarden use proper secure end-to-end encryption. Nobody on my server, legitimately or illegitimately, can read your secrets without your Master Password / Passphrase.
But why should I take your word for it?
Don't! See what CNET has to say, or PCMag, How-To Geek, Tom's Guide, NYTimes, Techradar, MSN, even Wikipedia (and Wikipedia's List of password managers).
What alternative options are there?
Honestly not convinced? OK, well, sure, I'm just trying to make it easy for you, but what's more important to me is that you use A GOOD PASSWORD MANAGER, and use it right, but no, you don't have to use mine. The above reviews list a bunch of other pretty good options, some paid, some free.
For a LONG time I used to use / recommend KeePass / KeePassX / KeePassXC, which are all compatible with each other. They include an ability to merge an extra key file with your passphrase, and a few other neat features, but they require you to DIY all the synchronisation between your multiple devices. I'm not sure I can recommend them to beginners when newer / better options are now available, but if you wanted a good "offline" Password Manager, it's still a very noteworthy option.
I used to recommend LastPass if you wanted someone else's easy cloud-based solution with "all the features", except they recently started charging if you want to use desktop AND mobile apps, and some friends have been asking for a new recommendation. 1Password is pretty good, but again they have recently started to increase the fees and decrease the free offering.
Of course you could always get your own ACTUAL Bitwarden account. They claim their Basic Free Account is "Free forever", and it's "open source" enough that even if they go back on their word, a replacement will pop up pretty soon... However, on my server you also get a few of Bitwarden's Premium / Family / Organisation features thrown in as well: create organisations to share passwords with your friends / families / clubs / etc! Honestly, why not get a vault.bitwarden.com free account anyway and use it as a place to store your backup from my Vaultwarden / Bitwarden server? You'll have fewer of the features available there, but a perfectly good backup if mine ever goes down long-term. You could pay them too, of course; they have written all this good software and they deserve to make a living from it for sure.
If you're among my nerdier friends, why not run your own Vaultwarden server? Perhaps you can backup to mine, and I can backup to yours?
I'm already using one of the GOOD password managers!
Seriously? Awesome! Congratulations! If they ever change their terms and conditions in ways you don't like, or if you ever need a backup, my vault / Vaultwarden / Bitwarden can import from about 50 other password managers, just sayin' ;-)
I WAS already using a good password manager, but they started charging for [X/Y/Z] feature
Yup, many of them have done that recently. That's what kicked me into setting up my own. I guess it's up to you whether you would like to continue using / paying for it, or "make do" with the limited "free" (for now) features, or move to an open-source one that is extremely likely to remain free for the foreseeable future? My vault, or anyone else's Vaultwarden / Bitwarden, can help you migrate when you're ready.
OK! I'm convinced! How do I use your vault?
📧 It's invite-only right now, but all family / friends / customers / co-workers / acquaintances can get an invite: 📧 drop me an email (or if you work with me, ping me on Slack). I'll reply with an invite which will include a link to create a free account on my personal Vaultwarden / Bitwarden server.
🔑 You will want ONE long, secure, but memorable Master Password / Passphrase that you will not use anywhere else. This might be your last password ever, so choose wisely! Then remember it, because I can never recover it for you. You may want to write it down somewhere (yes, honestly) and store it in a safe / a locked filing cabinet / etc. DO NOT ask your browser to remember this password for you! You will soon be replacing your browser's password manager with the much better Bitwarden one. (OPTIONAL): Consider a sealed envelope attached to your Last Will And Testament?
② Having created an account, you should almost certainly set up at least one of the "Two-step Login" methods (under "Settings" at the top):
  - Easiest is the "Email" mechanism, which will email you an unlock code any time you seem to be using a new device / app. Make sure you can still get to your email WITHOUT needing access to your vault first!
  - For bonus points, strongly consider one of the authenticator apps that generates a new 6-digit code every 30s, such as Authy, or any app compatible with "TOTP / RFC 6238", which is almost all of them these days: FreeOTP, Google Authenticator, Microsoft Authenticator, etc.
Get Bitwarden apps / extensions / add-ons for all your desktops / laptops / mobiles / browsers, but before your first login, go into ⚙ "Settings" and point them at my "Self-Hosted Environment" https://noseynick.net/vault/. Log in using your email address and Master Password. The first time you add any new device, you'll also need to go through the two-step login you configured above.
⏩ Click on "Tools" (at the top), then "Import", and you should find instructions on how to import any passwords that you might already have in your browser or about 50 other password managers.
🌍 One website at a time, visit each of your favourite websites and change your passwords. Go through their "change password" process, and Vaultwarden / Bitwarden will help you generate nice new site-specific random secure passwords (like "Ezede'feG,'d"!&5${O2" or whatever). Whilst you're doing this, clean the old ones out of your browser's password manager too.
🥂 Congratulate yourself! You just took a really important step to secure your online life! Now make sure your Operating System and Antivirus are patched up-to-date; we can discuss the benefits of Firefox, uBlock Origin, and the pros and cons of VPNs another time ;-)
If you need any help, 📧 ask me first. If you have issues with your invites, your two-step login, or general use of the web vault or apps, I can help fix those. Remember there is no possible way I can help unlock your vault if you forgot your Master Password though.
All of the mobile apps, desktop apps, and browser extensions / add-ons come from Bitwarden.com. They have some pretty good help pages.
On the server side, NoseyNick's Vault runs Vaultwarden in a tightly locked-down container on my server, hosted by Jump Networks in Telehouse London (almost exactly on the Greenwich Meridian). Vaultwarden is a lot like Bitwarden "Self Hosted" except smaller and more lightweight. It also gives a few of the "Premium / Family member" features of Bitwarden at no extra cost. Vaultwarden also has an excellent wiki and some Vaultwarden discussion forums where you might be able to get help if I'm not around.
All of the Bitwarden apps / clients use AES-CBC 256-bit encryption for your Vault data, and PBKDF2 SHA-256 to derive your encryption key. AES-CBC with a 256-bit key is the "symmetric" column here, so it meets or exceeds the very highest recommendations for crypto security. Despite all of this amazing crypto, a bad Master Password would still be a Very Bad Idea: it is definitely the weakest link in the chain.
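To show concretely why the server "can't possibly decrypt" your vault (the point made in the cloud-sync answer and again here), this added example (not the page's or Bitwarden's code) derives a vault key from the Master Password with PBKDF2-SHA256 and a separate authentication hash that is all the server ever receives. The structure follows what Bitwarden's public documentation describes, but the iteration counts, function names and sample values are illustrative assumptions, and the AES-CBC encryption of the vault items themselves is not shown (the standard library has no AES).

```python
# Added example (not the page's or Bitwarden's code): client-side key derivation
# with PBKDF2-HMAC-SHA256. The vault key never leaves the device; the server only
# sees a separately derived auth hash. Iteration counts and names are assumptions.
import hashlib
import hmac
import secrets

CLIENT_ITERATIONS = 600_000   # assumed; raising it slows every brute-force guess
SERVER_ITERATIONS = 100_000   # assumed; server-side re-hash of the auth hash


def master_key(passphrase: str, email: str,
               iterations: int = CLIENT_ITERATIONS) -> bytes:
    """Derive the 256-bit vault encryption key on the client. The normalised
    account email is the salt, so every device derives the same key."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               iterations, dklen=32)


def auth_hash(key: bytes, passphrase: str) -> bytes:
    """What the client sends to log in: one more PBKDF2 round with the roles
    swapped. It proves knowledge of the key without disclosing it."""
    return hashlib.pbkdf2_hmac("sha256", key, passphrase.encode(), 1, dklen=32)


def server_store_hash(auth: bytes, salt: bytes,
                      iterations: int = SERVER_ITERATIONS) -> bytes:
    """The server never stores the auth hash as received: it re-hashes it with
    its own random salt, so a leaked database is not a usable login credential."""
    return hashlib.pbkdf2_hmac("sha256", auth, salt, iterations, dklen=32)


def server_check_login(stored: bytes, salt: bytes, presented_auth: bytes,
                       iterations: int = SERVER_ITERATIONS) -> bool:
    """Constant-time comparison of the stored value against a fresh derivation."""
    return hmac.compare_digest(stored, server_store_hash(presented_auth, salt, iterations))


if __name__ == "__main__":
    email, passphrase = "alice@example.invalid", "correct-horse-battery-staple"
    key = master_key(passphrase, email)              # stays on the device
    auth = auth_hash(key, passphrase)                # goes to the server
    salt = secrets.token_bytes(16)                   # server's per-user salt
    stored = server_store_hash(auth, salt)           # what the database holds
    print("login accepted:", server_check_login(stored, salt, auth))
    print("wrong passphrase accepted:",
          server_check_login(stored, salt, auth_hash(master_key("guess", email), "guess")))
    print("server holds the vault key:", key in (auth, stored))
```

Nothing the server stores or receives lets it recover the vault key, which is exactly why a forgotten Master Password cannot be reset by the server operator either.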