Glenn Jones's Blog

A no-nonsense, sane and safe password management strategy

Firstly, I note down all my passwords and I make sure none are saved in any of my browsers. My passwords generally fall into one of two categories:

For these two tiers I have two password managers. The purpose of each password manager is to optimise for the usage of those passwords.

The “common passwords” password manager should be easy-to use, available as browser-plugin for multiple browsers, centralised across browsers/computers, so that it is easy to access the passwords in any browser, on any laptop. For these reasons, I prefer a ‘managed’ password solution. I use Lastpass here, but it could also be 1password or Dashlane. It doesn’t matter really. It is important to save the master password to this password manager in your ‘sensitive passwords’ vault, and that you have to enter the password only once per day / session etc.

The sensitive passwords need: to be as little as possible exposed to the external words, encrypted, validated to be safe, relatively easy shareable (for when something happens to you). This means it is preferably not a plugin, does not have centralised cloud storage, is open-source (validated by the community), and so, locally stores. For this I use keePass: an encrypted password manager that stores your passwords in one file that can be accessed through a master password. That “file” is your vault. The password to this file needs to be unique, difficult and long. This is also effectively the only password you will need in the future to access any of your passwords (sensitive or common).

On mac I use the macPass application to work with my keePass files, I can highly recommend it.

An extra step is to make sure there is a mechanism that your close ones have your passwords in case anything would happen to you. In that case, make sure the keepass file is stores in a cloud storage (OneDrive, Dropbox, GoogleDrive), and make a unique sharing link for one or multiple people that you trust. Share the link with them so they have access to it. Then, in your will, put the password to your vault. This is also the mechanism multiple of my family members (older generations) have started to organise themselves, and they have been using their vault to store more non-password-sensitive related data such as who to contact at their banks, things about their mortgages, etc.

Having a two tier password system thus allows me to relatively easily access the right passwords at the right time, while making it difficult for others on my laptop to access my credentials. This system struck the right balance between having to enter verification/master passwords/ease of use and safety.

comments powered by Disqus