![]() No company going out of business can take away your password vault. The best thing about this is that it’s yours forever. ![]() Importantly for our purposes, it doesn’t use the cloud at all – the password vault is saved to a file on your hard drive, which we’ll sync between our computers using Syncthing. ![]() This is an open-source password vault recommended by the Electronic Freedom Foundation that’s actively maintained by volunteers who check each other’s work. I’m recommending KeePassXC for its ease-of-use, browser integration, and cross-platform compatibility. So in writing this guide I’m trying to make everything as straightforward as I possibly can if you get stuck, let me know in the comments and I’ll see what I can do. If using software the right way is hard, people will find a way that’s easy, and it probably won’t be secure that’s why people write passwords on sticky notes and reuse passwords across websites. Obviously security is important for something like this, but so is ease-of-use, and I feel like not all developers get that. I looked at a lot of different password vaults as part of writing this. So let’s set up a password vault that won’t have that problem. They take security seriously, and have various measures in place to rebuff attackers, but storing all the passwords for thousands of customers is certainly painting a big target on yourself. Vendors like LastPass and DashLane keep your password vault in the cloud, where you (or someone claiming to be you) can access it from anywhere. “‘Tis a scam! How do I know the password vault company won’t get hacked?” And you know what, fair point. Not only is this more secure, it’s more convenient, because you don’t have to remember all those passwords any more. All of your site-specific passwords get secured behind a single master password which you use to access the vault. A password vault will auto-generate a strong, unique password for each website and then remember them for you. The consensus among security researchers is that the best way for the average joe to protect against this is to use a password vault. Exploiting password reuse in this way is called “credential stuffing”, and it’s now the dominant paradigm for breaking into people’s accounts. Sometimes people will add small variations to the password, like adding “boa” to their Bank of America password those usually aren’t too hard to guess, because if they were, they’d be hard to remember. So now that the hacker has your username and password for one site, they’ll try that combination on a bunch of other sites to see what they can get into. Most people have a small number of passwords that they reuse across a bunch of websites. These days the cool hackers will just break into a site and steal their password database. This is because in hacker land, guessing people’s passwords is no longer the new hotness – it’s expensive and it doesn’t scale. Until that glorious day, the single best thing you can do to keep yourself safe online is to use different, random passwords for every website and keep them in a password vault. Someday we will ascend beyond the need for passwords. Now that you can securely synchronize information between your computers, let’s build something on top of that! Part of my series on hardening your personal infrastructure.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |