Christmas morning 2012, one of my Gmail accounts was hacked. The good news was that it wasn’t my main account. The bad news was that it was one I used for a fair amount of work-related communication. I was lucky that I caught it quickly and was able to button it up within an hour or so, but it was a surprisingly intense experience, leaving me feeling violated, humbled, vulnerable, and silly.
The first thing I did, after changing all of my passwords, was to switch on two-step verification with any service I used that supported it. At times, it’s been kind of a drag, like when Chrome won’t remember my Twitter login, but on the whole, I appreciate the security two-step provides.
The other thing I did was commit to using a password manager to create unique and secure passwords. I checked out some web-based tools, but I didn’t like the idea of having all of my important passwords someplace I might not be able to them access down the line. Also, although I know most web-based password services take great pains to make sure they cannot see any passwords, it still seems like a point of vulnerability.
With web-based clients ruled out, I looked to clients, settling on KeePassX, which is the basis for quite a few password management tools.
It’s basically a secure database. It stores logins, passwords, URLs, and notes, in addition to generating secure passwords. It uses a password and gives the user the option of also using a key file, with the two working together to open the database, which means if someone gets a copy of the database file and your password, they still need the keyfile to open the database. It’s probably an unnecessary precaution, but it makes me feel better.
KeePassX generates secure passwords, with users able to choose the parameters and security of the password. It will also do things, like autofill passwords, but I haven’t bothered to configure it, since it’s not a huge deal to copy-and-paste.
KeePassX cannot be opened from the GNOME launch area. To be honest, I’m not sure if it’s a security measure or a bug, but assuming it’s not a bug, it means you have to know it’s on a machine to open it (it can be opened via a terminal or alt-F2).
As mentioned earlier, when looking into password managers, I checked out some web-based ones. One was LastPass, which uses browser plugins to manage passwords for you. Ultimately, I didn’t trust it enough for important passwords, but it’s actually been pretty helpful in terms of generating and remembering secure passwords for sites that ultimately aren’t that important. It’s also great for generating secure passwords for sites you might not ever visit again. It also will run some diagnostics on your passwords, letting you know if there are any issues, in terms of repetition or security. I make sure everything in LastPass is backed up in KeePassX, though, just in case there’s ever an issue with LastPass. LastPass is robust, but I can’t justify investing time in a tool that could disappear. There’s a premium tier, but even that feels risky to me. It’s one thing to entrust my RSS feeds to a service that could be gone tomorrow, but I’m not willing to risk my passwords. And just to be fair, LastPass does allow you to easily export your passwords, so the risk is somewhat tempered — it’s just not an ideal fit for me.
I’m not a security person (nor am I a high-profile target), so I’m really not sure if things are more secure than they were in December, but if nothing else, I can easily see all of my passwords, and easily change the important ones if/when an account is compromised. Things are better, but I’m still shocked how reliant we are on an inherently insecure security system. I’m counting the days until two-step verification is a standard, rather than an exception. And until then, I’m taking the extra 30 or so seconds it takes to be secure.