Secure access with password managers

You receive a message with a link to a site that you didn't even remember existed; you go to it and it asks for your username and password... In the best case, you remember your username and enter the password that you use for everything: a combination of letters, numbers and symbols that makes your access secure (or so you think); at worst, you don't even know what username you have, much less the password.

Almost everyone has experienced this scenario at some point in their life, and for many it remains a frequent, day-to-day episode. We know that it is very important to have a secure password, but a secure password is very difficult to remember, so "the most practical" approach is to pick something easy that is not so obvious. The problem is that, unfortunately, the "less obvious" choice is often the same one that many others thought of, and you end up with a highly insecure (and obvious) password. On the other hand, managing to create a secure password, difficult for others to guess but easy for you, usually happens only once, so you repeat that same password across all your credentials, which is not such a good idea.

As most security-conscious people agree, the best thing to do is to use a password manager. In general, there are two types: those that store your database on their servers, encrypted (in the best case), and those that create an encrypted local database (although some services move between the two categories according to the user's preference).

Synchronized password managers

The majority of commercial managers fall into this category: 1Password, LastPass, Dashlane, and others that charge a monthly or annual fee to manage your password vault. As their objective is to reach the majority of people (and most pockets), their philosophy is to be as practical as possible, so the easiest thing is to offer applications for desktop and mobile phones and synchronize passwords through their own servers. In general they are closed-source applications that cannot be audited to check their security; their purpose is also to build a base of paying users who are charged for having their lives made easier and who, incidentally, keep the business going (although, of course, there are exceptions such as Bitwarden, which is open source and free).

Unsynchronized password managers

These managers do not synchronize over the Internet, precisely with security in mind. Their argument is that the only way to be safe from hackers is to keep things offline and, since the password database is literally the master key to our digital services, the best thing is for users to take care of the security of their own database. The disadvantage is that this requires will and some knowledge on the part of the user, so it is not the first choice of the bulk of the population. The best example of this category is KeePass, which is free software, cross-platform and free of charge.

Hybrid password managers

These are managers that give the user the option of synchronizing a local database through their servers, through Dropbox, Google Drive or another commercial service, or even through private servers that the user can manage (NextCloud or Owncloud). A good example is Enpass. Although the code of its application is private, it only charges for the cell phone client, which makes it an economical and flexible option that adjusts to the wishes of the user.

From a security standpoint, the best option is to have a local database or to keep it on your own server; that way, massive leaks such as the one when the LastPass site was compromised are avoided. The obvious problem is that not everyone has a private server, and many do not want to keep their database on commercial services monitored by governments or corporations, so what other options are there?

LessPass, a different password manager

LessPass is more an idea than a manager: the idea that there is only one way to have total security in a password database, which is not to have a database. How is it possible to have passwords without a database to store them in? LessPass generates strong passwords on the fly from the site, the username and a master password. With these three elements (known only to you), the generated passwords are always the same, which avoids creating databases that can later be compromised by some curious hacker or by a massive attack on a specific service.

Its code is public and it is also cross-platform; it even has a version to use from the command line. The downside is that you always need to remember those three elements exactly, or the password will not match, which can be frustrating and make things more complicated rather than simpler. Regardless of that, this option represents a small revolution in password management, so it is definitely an idea to keep in mind.
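
The database-free derivation described above, as an added example that is not LessPass's own code or algorithm and will not reproduce its passwords. The PBKDF2 parameters, the character set, the site normalization and the `counter` argument (for rotating one site's password without storing anything) are assumptions made for this illustration.

```python
import hashlib
import string

# Assumed parameters for this illustration; they are not taken from the article.
ITERATIONS = 100_000
SYMBOLS = "!#$%&*+-=?@_"
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS]
ALPHABET = "".join(CLASSES)


def derive_password(site, username, master_password, length=16, counter=1):
    """Recompute a site password from the inputs alone; nothing is stored."""
    if not (site and username and master_password):
        raise ValueError("site, username and master password are all required")
    if not len(CLASSES) <= length <= 32:
        raise ValueError("length must be between 4 and 32")
    # Normalise the site so ' Example.COM' and 'example.com' agree, then
    # length-prefix each field so ('ab', 'c') and ('a', 'bc') cannot collide.
    fields = (site.strip().lower(), username, str(counter))
    salt = b"".join(
        len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields
    )
    # Slow key derivation makes guessing the master password expensive.
    key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, ITERATIONS, dklen=32
    )
    entropy = int.from_bytes(key, "big")
    # Spend the 256-bit value as one big integer, one character per division.
    chars = []
    for _ in range(length - len(CLASSES)):
        entropy, i = divmod(entropy, len(ALPHABET))
        chars.append(ALPHABET[i])
    # Insert one character of every class at a derived position so the
    # result always satisfies common site password rules.
    for cls in CLASSES:
        entropy, i = divmod(entropy, len(cls))
        entropy, pos = divmod(entropy, len(chars) + 1)
        chars.insert(pos, cls[i])
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(derive_password("example.com", "alice", "correct horse battery"))
```

Because nothing is stored, anyone who obtains one generated password can test master-password guesses offline against it; the iteration count only slows each guess, so the master password itself has to be strong.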


  1.   Modem said

    As for me, despite the LastPass leak a couple of years ago, I continued to use it because of the large number of passwords I use, and there are several; I think that right now I keep only 3 passwords in my head.

  2.   Martin said

    KeePass should fall into the hybrid category (although I sync it manually via KDE Connect). I recommend this configuration to take full advantage of it:

    Linux:
    - KeePass v2.30 configured with the KeePassHttp plugin and the PassIFox add-on (for Firefox)
    Result: the username and password are filled in on the web (not to be confused with KeePassX)

    Android:
    - KeePass2Android

    1.    babel said

      Yes, some can be moved between categories. KeePass is a popular choice precisely because of its flexibility and because it is open source; the recipe that you share with us is very good for staying safe without going crazy. Thank you.

  3.   Frank said

    I like KeePass especially because it does not sync online; this disadvantage can be turned into an advantage.