Credential theft is a challenging vulnerability to mitigate since it exploits a feature – that users must be able to log on to networks – rather than a configuration or programming error. The best solution to this problem is the use of two-factor authentication and/or VPNs between trust levels, but the implementation of these technologies may either fall outside the areas we control or be too expensive/unsupported. Good progress can be made on this issue by focusing on improving credential management.
Credential management poses several challenges:
- How can a user reliably generate strong passwords?
- How can we ensure unique passwords are used for each account the user requires?
- How can the user remember these passwords?
- How can we securely store these unique and strong passwords?
There is only one solution to the above problems that does not require a significant outlay of time, money or effort to implement: the password manager.
Different password managers offer a different set of features, but the most important ones for our purposes are:
- High-entropy password generation
- Secure password storage
- Mitigations against key logging/screen capture
- Simplified management of large numbers of unique passwords
Finding a solution that does all of the above well will simplify password management. KeePass Password Safe ticks all these boxes. In addition, the password database is easily transferred as part of the deliverables in a project.
Entropy as it applies to password strength can be thought of as (number of possible characters) x (number of characters in a password). An eight-character password using only numbers has much lower entropy than an eight-character password using mixed case, numbers, and symbols. Also, since humans favour patterns and things that are easy to remember (and therefore easier to guess), it’s best to let a computer do the generation.
Once our strong password has been created, it’s important to store it securely, for obvious reasons. As you’d expect, every password manager has a password-protected encrypted database as a primary feature. It is worth noting that the encryption is only as strong as the key used to unlock the database.
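The following is an added example (not code from the original article or from KeePass) that puts numbers on the entropy comparison above and generates passwords the way a password manager should: every character drawn from the operating system's cryptographic random source, never from a human. Entropy in bits is length × log2(alphabet size); the alphabets below are constructed for the example, and `length_for_target` (a helper of this example) turns a target bit count into a minimum length.

```python
import math
import secrets
import string

# Alphabets a generator can draw from (constructed for this example).
DIGITS = string.digits                                              # 10 symbols
MIXED = string.ascii_letters + string.digits + string.punctuation   # 94 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy, in bits, of a password whose `length` characters are each
    chosen uniformly and independently from `alphabet_size` symbols.
    There are alphabet_size ** length possible passwords, so the entropy
    is log2 of that count: length * log2(alphabet_size)."""
    if alphabet_size < 2 or length < 1:
        return 0.0
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, alphabet: str = MIXED) -> str:
    """Generate a password with the OS CSPRNG (`secrets`), so no human
    pattern creeps in. The `random` module is not suitable for this."""
    if length < 1:
        raise ValueError("length must be at least 1")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_charsets(length: int = 8) -> dict:
    """Entropy of an N-character password for digits-only vs a mixed alphabet."""
    return {
        "digits_only": entropy_bits(len(DIGITS), length),
        "mixed": entropy_bits(len(MIXED), length),
    }


def length_for_target(alphabet_size: int, target_bits: float) -> int:
    """Smallest length that reaches `target_bits` of entropy with this alphabet."""
    if alphabet_size < 2:
        raise ValueError("alphabet must contain at least two distinct symbols")
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    for name, bits in compare_charsets(8).items():
        print(f"8 chars, {name}: {bits:.1f} bits")
    print("length for 128 bits, digits only:", length_for_target(len(DIGITS), 128))
    print("length for 128 bits, mixed alphabet:", length_for_target(len(MIXED), 128))
    print("generated:", generate_password(20))
```

Eight digits give about 26.6 bits and eight mixed characters about 52.4 bits; reaching 128 bits takes 39 digits but only 20 characters from the mixed alphabet, which is why generator length and character set should be raised together.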
Choosing a Master Password
The KeePass database is protected by a master password which unlocks stored credentials. Before unlocking the database, KeePass performs key transformation by encrypting the initial hash several times (6000 by default).
Key transformation makes brute-force attacks on the KeePass database more difficult, but a strong password is essential:
- Use a long passphrase that exceeds 20 characters
- Use a unique passphrase (not password123456789)
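As an added example (not KeePass's own code), the block below does two things the two bullets and the key-transformation paragraph describe: it rejects a candidate master passphrase that is short or well known, and it shows how a round count multiplies the cost of every guess. PBKDF2-HMAC-SHA256 from the standard library stands in for KeePass's AES-based transformation (an assumption of this example, not the algorithm KeePass uses), with the round count defaulting to the 6000 quoted above; the blocklist and passphrases are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

MIN_MASTER_LENGTH = 20   # the guidance above: exceed 20 characters
DEFAULT_ROUNDS = 6000    # the default transformation count quoted above

# Constructed blocklist for this example; a real check would load a large
# breached-password list rather than these few entries.
COMMON_PASSWORDS = {
    "password",
    "password123456789",
    "correcthorsebatterystaple",
    "123456789012345678901234",
}


def check_master_passphrase(passphrase: str) -> list:
    """Return the reasons a candidate master passphrase is rejected (empty if it passes)."""
    problems = []
    if len(passphrase) < MIN_MASTER_LENGTH:
        problems.append(f"shorter than {MIN_MASTER_LENGTH} characters")
    # Compare case- and space-insensitively so trivial variants of a known phrase fail too.
    normalised = passphrase.lower().replace(" ", "")
    if normalised in COMMON_PASSWORDS:
        problems.append("matches a well-known password")
    if len(set(passphrase)) < 8:
        problems.append("fewer than 8 distinct characters")
    return problems


def transform_key(passphrase: str, salt: bytes, rounds: int = DEFAULT_ROUNDS) -> bytes:
    """Key transformation stand-in (assumption: PBKDF2, not KeePass's AES
    transformation). The effect is the same: each guess costs `rounds`
    primitive operations, so the attacker's work is multiplied by `rounds`."""
    if rounds < 1:
        raise ValueError("rounds must be at least 1")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, rounds, dklen=32)


def verify_passphrase(candidate: str, salt: bytes, rounds: int, expected_key: bytes) -> bool:
    """Derive the key from the candidate and compare in constant time."""
    return hmac.compare_digest(transform_key(candidate, salt, rounds), expected_key)


def seconds_per_guess(rounds: int, samples: int = 5) -> float:
    """Measure how long one derivation takes at this round count on this machine."""
    salt = secrets.token_bytes(16)
    start = time.perf_counter()
    for _ in range(samples):
        transform_key("timing-probe", salt, rounds)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    for candidate in ("password123456789", "correct horse battery staple",
                      "Seven tall ships sailed past the old lighthouse at dawn!"):
        print(f"{candidate!r}: {check_master_passphrase(candidate) or 'accepted'}")
    salt = secrets.token_bytes(16)
    key = transform_key("Seven tall ships sailed past the old lighthouse at dawn!", salt)
    print("wrong passphrase verifies:", verify_passphrase("password123456789", salt, DEFAULT_ROUNDS, key))
    for rounds in (1, DEFAULT_ROUNDS, 100 * DEFAULT_ROUNDS):
        print(f"{rounds:>7} rounds: {seconds_per_guess(rounds) * 1e6:.0f} us per guess")
```

The timing loop makes the trade-off visible: raising the round count slows the legitimate unlock by the same factor as it slows each attacker guess, so it buys a constant multiplier, while the passphrase check is what keeps the number of guesses large in the first place.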
Having a strong, securely stored password is good only if you can prevent others from gaining access to it. Encryption will protect it at rest, but how can we protect it on the wire? First, avoid using unencrypted management protocols (HTTP, Telnet) in favour of encrypted ones (HTTPS, SSH).
Once the KeePass database has been opened with the master password in secure desktop mode, do not view the password and type it in, or copy and paste it into the target application; both are vulnerable to keylogging and screen capture. Use KeePass’s built-in protections instead to keep your password safe.
Other password managers of note:
KeePass has in the past been affected by a vulnerability (which is now patched); this may make you look twice at the solution. Below is a list of some other great password managers that provide the same functionality: