Drop #192 (2023-02-03): Weekend Project Edition
Making Your Credentials Less Incredulous
While these WPEs usually focus on fun desserts 🎂, a balanced diet requires consuming at least some green veggies.
All of us use credentials to access all sorts of protected systems and information. Managing these credentials is hard, mostly due to three decades of consistent failures by all of us in cybersecurity. Matters were made even more complex and cruddy with failed security practices and poor communication efforts by the likes of LastPass who suffered a breach that should — if the world was a perfect place — put them permanently out of business.
So, this weekend, your challenge is to get your credential house(s) in order. The first newsletter section will deal with what that actually means. The second is a guest piece by friend-of-the-Drops Noam Ross, who explains how he securely managed credentials across devices.
Credential Spring Cleaning
Thanks to Phil, Spring is still six weeks away, but that doesn't mean you shouldn't get a jump on tidying up your credential management practices. As noted, the mid-section provides some guidance on using a particular password manager, but your first job will be to actually use a dedicated password manager (well, one that is not LastPass, anyway). I use BitWarden, lots of other cybersecurity folks I know use 1Password, and scads of others use a healthy mix of diverse options.
If you can get away with it, using a "local only" password manager (e.g. no centralized syncing service) is your safest bet. However, most folks use at least two computing devices, which inevitably means syncing credentials across devices. Again, the mid-section provides a clever and 100% controlled-by-you solution. While I have a BitWarden server, I still (lazily) rely on BitWarden's syncing service until I'm finally ready to migrate (I do switch between my provider and BitWarden's provider in certain credential contexts). Unlike LastPass, BitWarden does what they say they do on the tin (in terms of service security).
After you've made your choice of credential manager, the next most important task to complete is choosing a secure master password. This is literally the most important step. That Mastodon post link has a bunch of technical jargon in it, one of which is PBKDF2. The "KDF" part is super important, and stands for "key derivation function" ("PB" stands for password-based). KDFs are cryptographic algorithms that, essentially, turn passwords, master keys, and other values into secret keys. This is how password managers create a key to protect your password list.
When you create a password for a website, the website doesn't just save it as is. They add extra information, like random characters, to protect it from people trying to guess it. This is called "salting." The website then takes the salted password and changes it in a way that makes it hard for someone to reverse and find out what the original password was. This process is called "hashing."
A KDF does something similar to salting and hashing, but it goes a step further: the hash is applied over and over for a configurable number of rounds (the "iteration count"), so every derivation costs a fixed chunk of CPU time. The higher the number of rounds, the more difficult it is to crack the password. Common KDF algorithms include PBKDF2, Argon2, scrypt, and bcrypt (all those terms are Kagi-able/Google-able). These algorithms slow down the process of guessing the password, making it more expensive and time-consuming for someone to get into your password vault.
There's been a mini-kerfuffle in cyber-land about the perceived importance of the KDF iteration count (which the aforelinked Mastodon post discusses). Suffice it to say, most decent credential managers let you select stronger values than the defaults, at the expense of speed.
However, I am in agreement with the cyber-folks who believe the master password itself is far more important, and it's not fair to expect the average user to be cyber wonk-ish enough to micromanage KDF settings.
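To make the KDF discussion concrete, here is an added example (mine, not from the newsletter or from any password manager's code) that models the PBKDF2 step: the same master password with two different salts yields two unrelated keys, and raising the round count from 100,000 to 600,000 raises the cost of every derivation, and therefore of every guess, in proportion. The sample master password, salts and round counts are constructed values.

```python
import hashlib
import hmac
import os
import time

# Added example, not code from the newsletter or any password manager.
# Sample master password, salts and iteration counts are constructed.

def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Turn a master password plus a random salt into a 32-byte secret key
    using PBKDF2-HMAC-SHA256 with the given number of rounds."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )

def keys_match(candidate: bytes, stored: bytes) -> bool:
    """Constant-time comparison so the check leaks no timing information."""
    return hmac.compare_digest(candidate, stored)

def seconds_per_derivation(master_password: str, salt: bytes,
                           iterations: int, trials: int = 3) -> float:
    """Wall-clock cost of one derivation, averaged over a few trials.
    This is also the price of one offline guess at the master password."""
    start = time.perf_counter()
    for _ in range(trials):
        derive_key(master_password, salt, iterations)
    return (time.perf_counter() - start) / trials

def cost_ratio(master_password: str, salt: bytes, low: int, high: int) -> float:
    """How much more expensive each derivation becomes when rounds go low -> high."""
    return (seconds_per_derivation(master_password, salt, high)
            / seconds_per_derivation(master_password, salt, low))

if __name__ == "__main__":
    password = "correct horse battery staple"  # constructed sample, pick your own
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    # Same password, two salts: two unrelated keys, so one precomputed table
    # cannot be reused against a second vault.
    print("salt A:", derive_key(password, salt_a, 100_000).hex())
    print("salt B:", derive_key(password, salt_b, 100_000).hex())
    # More rounds, linearly more time per derivation (expect roughly 6x here).
    print(f"600k vs 100k rounds: {cost_ratio(password, salt_a, 100_000, 600_000):.1f}x")
```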
Once you've picked a manager and a good master password, now's the time to get all your credentials into it. This step is going to take all weekend, even if you're migrating from one manager to another, because I'm also going to ask you to do two other things when you perform this exercise.
First, take advantage of a feature of most credential managers: notice of a compromised credential. Don't just let that 🚨 sit there, change those credentials. Enough breaches occur regularly that you'll likely need to change at least one credential pair a month, depending on the number of services you use.
Next, go to each service with a credential pair and triple-check that they offer multifactor authentication (MFA) for their site. If they do not, or they charge extra for MFA, try to ditch the service for some other one that has MFA support. We'll talk more about MFA in a bit. Also, consider whether you can delete as many services as possible. I sign up for so much stuff every year that I have to do this at least annually. Getting rid of unused services will absolutely help reduce your attack surface.
Once you've gone through all the credentials for all your services, go to all your browsers on all platforms and remove all the stored passwords you've let them save over the years. Yes, that sounds scary, but you really want to rely on one source of truth, and you should never trust browser creators, even ones you pay for. They're too easy and too plentiful an attack surface.
The last items to take care of in your credential manager are ensuring it locks based on time and on events, such as system sleeping, browser restarts, etc. You can enable biometric unlocking, but realize that if you choose your fingerprint, or (worse) face, law enforcement — in most places — can and will use this to unlock your passwords if you ever find yourself in such a situation.
Finally, if you've picked a credential manager that includes support for multifactor authentication, please do use that unless you're like me and delight in pain. I use Duo for all my app-based MFA (apart from two scenarios) since it has epic Apple Watch support. Try to avoid relying on SMS for MFA if at all possible.
By the end of the weekend, your credential house should be in tip-top shape!
Self-Supported Secret And Safe KeePassXC Syncing For Fun And Profit
As mentioned in the intro, this is a guest post by friend of the Drops, Noam Ross.
You can avoid putting your passwords in the trust of any online service by using a local password manager that keeps your passwords and associated metadata in an encrypted store on your computer. KeePassXC is a local password manager favored by the paranoid. It keeps all your data in an encrypted *.kdbx file and comes with the bells and whistles you expect from a password service and more: encrypted notes, images, browser autofill, GUI and CLIs, mobile clients, YubiKey support, and the ability to store and serve private keys to your SSH agent.
A local password manager, though, forsakes the convenience of accessing your passwords from any device. With KeePassXC and its ilk, you can keep your password files in sync across devices using a service such as Dropbox or Google Drive, but then you are relying on these cloud storage services as well.
Enter Syncthing, a peer-to-peer file sync service that provides Dropbox-like sync between your devices without files being hosted on any central service. Syncthing lets you selectively sync any folder with any subset of machines. It has support for Linux, macOS, and Android, with third-party clients for Windows and iOS. Once you have introduced your devices to each other by sharing a key or QR code, they can sync any folder, one-way or two-way, via an encrypted direct connection. Syncthing runs "discovery servers" that help your devices find each other's IP via anonymous device IDs, not unlike how cloud VPNs like Tailscale do NAT traversal. If you use a Tailscale VPN, though, or only need devices to sync occasionally when on the same network, you can turn off the discovery services entirely.
I keep a ~/.keepass/ folder with my encrypted password store in sync between devices this way, and the KeePassXC apps have no problem dealing with background changes. Syncthing is useful way beyond passwords, too: I use it for config files, to sync photos from my phone to my laptop, and to keep an "active documents" folder in sync between work and home machines.
With recent development by Apple, Google, and Microsoft, we'll be covering hardware devices that support safer access mechanisms in an upcoming edition.
Folks are encouraged to drop questions or more "hygiene" recommendations in the post's comments. ☮