How to handle passwords

Good passwords are important – but they are only truly secure if they are handled correctly.

General guidelines

  • Use a unique password for every account
  • Use a password generator for very secure passwords
  • Never write down a password
  • Never share your password with anyone
  • Do not accept passwords from others

Use good passwords

  • The longer and more unusual your password, the more secure it is.
  • Passwords with >= 12 characters (incl. >= 3 character classes) are secure
  • Character classes are:
      • lower-case letters a-z
      • upper-case letters A-Z
      • numbers 0-9
      • punctuation characters `_~!@#$%^&*()+={}[]|;:"<>,.?/
      • all other characters (whitespace/unprintable)

Do not use weak passwords

  • Rows of characters on a keyboard such as asdfghjkl or 1234567890
  • Words that appear in a dictionary such as secret1 or P4ssw0rD
  • Words and numbers from your personal environment, such as your name, the name of your partner or pets, or dates of birth
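As an added example (not part of the original howto), the rules above expressed as a small Python checker: the page's five character classes, the 12-character / 3-class minimum, the keyboard-row test and a dictionary lookup that undoes trailing digits and leet-speak so secret1 and P4ssw0rD are caught. The DICTIONARY word list is constructed for illustration only.

```python
import string

# The page's character classes; anything not listed (whitespace/unprintable) is "other".
PUNCTUATION = '`_~!@#$%^&*()+={}[]|;:"<>,.?/'
CLASSES = (("lower", set(string.ascii_lowercase)), ("upper", set(string.ascii_uppercase)),
           ("digit", set(string.digits)), ("punctuation", set(PUNCTUATION)))
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Constructed toy word list; a real check would load a full dictionary.
DICTIONARY = {"secret", "password", "welcome", "doctorate", "zermatt"}
# Undo common substitutions so 'P4ssw0rD' is looked up as 'password'.
LEET = str.maketrans("013457$@", "oieastsa")


def character_classes(password: str) -> set:
    """Return the set of the page's character classes present in the password."""
    return {next((name for name, chars in CLASSES if ch in chars), "other") for ch in password}


def is_keyboard_row(password: str, run: int = 6) -> bool:
    """True if `run` or more adjacent keys of one row (either direction) appear in order."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for r in (row, row[::-1]):
            if any(r[i:i + run] in low for i in range(len(r) - run + 1)):
                return True
    return False


def is_dictionary_word(password: str) -> bool:
    """Strip trailing digits and leet-speak ('secret1', 'P4ssw0rD') before the lookup."""
    normalised = password.lower().rstrip(string.digits).translate(LEET)
    return "".join(ch for ch in normalised if ch.isalpha()) in DICTIONARY


def check_password(password: str, min_len: int = 12, min_classes: int = 3) -> list:
    """Apply this page's rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(character_classes(password)) < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    if is_keyboard_row(password):
        problems.append("contains a keyboard row")
    if is_dictionary_word(password):
        problems.append("is a dictionary word")
    return problems
```

Note that the page's punctuation list does not contain the hyphen, so a "-" separator counts as the "other" class here.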

Real life tips to manage your passwords

Use a password manager with a very secure master password. See below for how to build such a password so that it is easy to remember. This will be the only password you ever have to remember. It is therefore crucial to use a secure password as explained under "Use good passwords". I recommend using even more characters than the minimal password length mentioned in this howto: the longer it is, the more secure it is.

Generate unique passwords for all your accounts and store them securely in the password manager.

You can later retrieve them using your master password and copy/paste them. Modern password managers also have a feature called Auto-Type, which automatically copies the username/password combination to the appropriate login form.

The passwords are stored in an encrypted database file, usually with AES-256 (Rijndael), which at the time of writing is considered very secure. You can synchronise this file to all your devices using your trusted cloud/storage solution (e.g. ETHz Polybox).

How to build a secure password that is easy to remember

To create a password from any string of at least 12 characters:

  • Take a sentence you can remember easily. For example: In June 2017 I will complete my doctorate.
  • Form a password from the initial letters, special characters and numbers: IJ2017Iwcmd.

To create a word group password:

  • Think of randomly chosen common words that you can link with a personal mnemonic or story, e.g. Zermatt, fisher, complex, rainbow or Dog, tempo, eerie, typing
  • Separate the words with a special character, e.g. ? or -
  • Form your password: Zermatt?fisher?complex?rainbow or Dog-tempo-eerie-typing
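An added example, not from the original page: Python that implements the two recipes above, reproducing the page's IJ2017Iwcmd. and Zermatt?fisher?complex?rainbow results, and that picks the "randomly chosen common words" with the operating system's cryptographic RNG rather than a plain pseudo-random generator. The COMMON_WORDS list is constructed for illustration.

```python
import secrets
import string

# Constructed word list standing in for the "common words" the page asks you to choose from.
COMMON_WORDS = ["Zermatt", "fisher", "complex", "rainbow", "Dog", "tempo", "eerie", "typing",
                "glacier", "lantern", "pepper", "violin"]


def initials_password(sentence: str) -> str:
    """Sentence recipe: the initial letter of each word, numbers kept whole,
    punctuation attached to a word kept as well."""
    parts = []
    for word in sentence.split():
        core = word.rstrip(string.punctuation)   # "doctorate." -> "doctorate" + "."
        trailing = word[len(core):]
        if core.isdigit():
            parts.append(core)                   # "2017" stays "2017"
        elif core:
            parts.append(core[0])                # "complete" -> "c"
        parts.append(trailing)
    return "".join(parts)


def word_group_password(words, separator: str) -> str:
    """Word-group recipe: join the chosen words with one special character (e.g. ? or -)."""
    return separator.join(words)


def random_word_group(count: int = 4, separator: str = "-", words=COMMON_WORDS) -> str:
    """Pick `count` distinct words with the OS CSPRNG (never random.choice for passwords)."""
    chosen = secrets.SystemRandom().sample(words, count)
    return word_group_password(chosen, separator)


if __name__ == "__main__":
    print(initials_password("In June 2017 I will complete my doctorate."))  # IJ2017Iwcmd.
    print(word_group_password(["Zermatt", "fisher", "complex", "rainbow"], "?"))
    print(random_word_group())
```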

Using a password manager

With an encrypted password safe, your passwords are stored in an encrypted database. The decryption is performed with what is known as a master password. In other words, this means the following:

  • You only have to remember one password to gain access to all your passwords
  • The master password has to be extremely secure (see Use good passwords)
  • If you lose the master password, you lose all your passwords

KeePassXC is a community fork of KeePassX, a native cross-platform port of KeePass Password Safe, with the goal to extend and improve it with new features and bugfixes to provide a feature-rich, fully cross-platform and modern open-source password manager.

Notable features:

  • Command line interface
  • Stand-alone password and passphrase generator
  • Password strength meter
  • Merging of databases
  • Automatic reload when the database was changed externally

Installation

On D-PHYS managed workstations:

If KeePassXC is not installed on your D-PHYS managed workstation, please contact us. You can also use a portable version for Windows or for Linux.

On unmanaged/private workstations:

Use the binaries/installers or distribution-specific packages from keepassxc.org. If there is no packaged version for your distribution available, you can build it from source.

Available open-source password managers

Linux, macOS, Windows:

                    KeePassXC            KeePassX                  KeePass2
Platform            Cross-Platform       Cross-Platform            Windows (Linux, macOS)
Implementation      C++, Qt 5.2          C++, Qt 4.8               C#, .NET (Mono)
Database format     KeePass 2 (.kdbx)    KeePass 2 (.kdbx)         KeePass 2 (.kdbx)
Compatibility       up to 4.x (.kdbx)    1.x (.kdb), 2.x (.kdbx)   1.x (.kdb), 2.x (.kdbx)
Development status  active               active                    inactive
Origin              Fork of KeePassX     Port of KeePass2          -
Comment             recommended          Last update 10.2016       slow with Mono

Android:

                    KeePassDX            Keepass2Android               KeePassDroid
Platform            Android              Android                       Android
Implementation      Kotlin, Java, C      Mono                          Java
Database format     KeePass 2 (.kdbx)    KeePass 2 (.kdbx)             KeePass 2 (.kdbx)
Compatibility       up to 4.x (.kdbx)    2.x (.kdbx)                   2.x (.kdbx)
Development status  active               unknown                       inactive
Origin              -                    UI ported from KeePassDroid   -
Comment             recommended                                        Last update 04.2017

Additional information about password security

Build instructions for KeePassXC on Linux

Set up build environment and dependencies on Linux (Debian):
(for other distributions see wiki)

apt install build-essential cmake g++
apt install qtbase5-dev qttools5-dev qttools5-dev-tools \
    libgcrypt20-dev zlib1g-dev
apt install libxi-dev libxtst-dev libqt5x11extras5-dev \
    libyubikey-dev libykpers-1-dev
apt update && apt upgrade

Download the sources from keepassxc.org and unpack them:

tar xf keepassxc-*-src.tar.xz
or pull them directly from Git (note: default branch is develop):

git clone https://github.com/keepassxreboot/keepassxc.git

This checks out the current development branch; to use a tagged version instead:

git fetch --all --tags --prune     # make sure tags exist locally
git tag                            # show the list of tags
git checkout tags/2.2.2 -b 2.2.2   # checkout version 2.2.2

Now change into the source directory and run the following commands:

mkdir build
cd build
cmake -DWITH_XC_AUTOTYPE=ON -DWITH_XC_HTTP=ON -DWITH_XC_YUBIKEY=ON \
    -DCMAKE_BUILD_TYPE=Release ..
make -j8
make DESTDIR=~/.local install

This will build the KeePassXC binaries and install them to ~/.local. You can of course specify any other installation directory or omit DESTDIR completely, in which case it will install to /usr (use sudo for that).

If you don't want to install KeePassXC at all, you can also run it directly from the build directory:

./src/keepassxc

For more information see github.