3

I have just started using a password manager and was wondering what is the best practice regarding where to draw the line regarding what is stored in the software.

Ideally I could store Windows/Unix user password, sudo passwords for remote servers, passwords for SSH keys, email account passwords and online banking passwords as well as passwords for websites but which of these is it safe to keep in the password manager?

J Guvar
  • 39
  • 1
  • 1
    This depends on a lot of factors. What does the software do to protect the credentials? Where is the software storing the credentials, and how is that location protected? How sensitive are the servers that you are storing credentials for? And, ultimately, how much do *you* (or perhaps more appropriately, *the owners of the servers*) trust that software & storage location's security? – Iszi Mar 18 '13 at 18:03
  • Information in this thread may also be useful: http://security.stackexchange.com/questions/19236/does-lastpass-multi-device-functionality-significantly-compromise-its-security/19238#19238 – Iszi Mar 18 '13 at 18:10
  • This is also quite similar to [this question](http://security.stackexchange.com/q/32536/2213). –  Mar 18 '13 at 18:29
  • // , Did you read the other question? – Nathan Basanese May 03 '18 at 17:36

2 Answers2

3

When you use a password manager, you are creating a single point of failure. If you store all of your passwords in one system and that system is compromised, then all of your passwords are exposed. This is the same problem as with single-sign on. However, you can store different sets of passwords in different master databases to provide some segregation where possible. You could also store less frequently used or more secure passwords off-line on a USB disk.

Also, as a point of clarification, you want to make sure you are using an encrypted password manager (e.g., KeePass not just something built into the manager. I am also skeptical of web service based password managers because you don't know if you can trust your browser for the entry, your network for the transmission, or the provider for secure storage. There is also a much more limited risk if you sync your database using something like dropbox, but only because its in more places - though that does prevent the risk of a self-inflicted DoS if you loose your only copy of your password database.

With most encrypted password managers, you can further limit exposure by setting timeouts which lock the database after a time frame, when your screen saver goes on, or when you manually lock your system. You can also apply multi-facotor authentication such as certificates, smart cards, biometrics <- depending on software compatibility. You also want to ensure that the encryption is strong and has been implemented correctly. You should keep tabs on your password manager developer's website for any security updates, etc.

Of course, if someone were to use something like a browser's storage or somehting with no or weak encryption (password protected excel file), you are more or less storing the passwords in a plaintext file.

Eric G
  • 9,701
  • 4
  • 31
  • 59
1

I store everything on my password manager. I like the idea of a single point of failure, it greatly simplifies the overall process of securing my data.

I have a horrible memory. Very horrible. The alternative to a password manager will probably be weak passwords for every service I use. This is obviously a very bad thing. I keep all my randomly generated passwords secured in a password database using a key file.

This should be quite safe if you take a few precautions. Do NOT open your password database on an untrusted machine. All the encryption in the world will not save you if you unlock your database for the nice little keylogger hidden in the machine.