How to handle passwords
Good passwords are important – but they are only truly secure if they are handled correctly.
- Use a unique password for every account
- Use a password generator for very secure passwords
- Never write down a password
- Never share your password with anyone
- Do not accept passwords from others
Use good passwords
- The longer and more unusual your password, the more secure it is.
- Passwords of at least 12 characters that use at least 3 of the character classes below are considered secure
- Character classes are:
  - lower-case letters
  - upper-case letters
  - digits
  - punctuation characters
  - all other characters (whitespace/unprintable)
Do not use weak passwords
- Rows of characters on a keyboard such as
- Words that appear in a dictionary such as
- Words and numbers from your personal environment such as your name or that of your partner or pets or dates of birth
Real-life tips for managing your passwords
Use a password manager with a very secure master password. See below for how to build such a password in a way that is easy to remember. This will be the only password you ever have to remember, so it is crucial that it is a secure one, as explained under "Use good passwords". I recommend using more characters than the minimum length given in this howto: the longer, the more secure.
Generate unique passwords for all your accounts and store them securely in the password manager.
You can later retrieve them with your master password and copy/paste them. Modern password managers also offer Auto-Type, which types the username/password combination into the active login form for you. Prefer Auto-Type over the clipboard where possible: any other program can read the clipboard, so if you do copy a password, make sure the manager is set to clear the clipboard after a few seconds.
The passwords are stored in an encrypted database file, usually with AES-256 (Rijndael), which at the time of writing is considered very secure. You can synchronise this file to all your devices using your trusted cloud/storage solution (e.g. ETHz Polybox). Keep in mind that anyone who obtains a copy of the file can try to guess the master password offline, at their leisure; the encryption is only as strong as that password.
How to build a secure password that is easy to remember
To create a password from a sentence (the result should be at least 12 characters):
- Take a sentence you can remember easily. For example: In June 2017 I will complete my doctorate.
- Form a password from the initial letters, special characters and numbers:
To create a word group password:
- Think of randomly chosen common words that you can link with a personal mnemonic or story, e.g. Zermatt, fisher, complex, rainbow or Dog, tempo, eerie, typing
- Separate the words with a special character, e.g.
- Form your password:
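The rules from "Use good passwords" and the two construction methods above, as an added Python example (not code from the original howto): it classifies characters, checks the length, character-class and keyboard-row rules, derives a password from a sentence, and joins a word group. The US keyboard rows, the `secrets`-based word picker with its entropy estimate, and the sample sentence are this example's own assumptions; the class table treats digits as a class of their own.

```python
import math
import secrets
import string

# Character classes from the guideline above; digits get their own class and
# everything else (space, control characters, non-ASCII) counts as "other".
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "punct": frozenset(string.punctuation),
}

# Keyboard rows the guideline warns against (US layout; an assumption of this
# example). Any run of four or more consecutive keys is treated as weak.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def char_classes(password):
    """Return the set of character-class names present in `password`."""
    found = set()
    for ch in password:
        for name, members in CLASSES.items():
            if ch in members:
                found.add(name)
                break
        else:
            found.add("other")
    return found


def keyboard_run(password, min_run=4):
    """Return the first keyboard-row fragment (forward or reversed) of at
    least `min_run` keys found in `password`, or None if there is none."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for candidate in (row, row[::-1]):
            for i in range(len(candidate) - min_run + 1):
                fragment = candidate[i:i + min_run]
                if fragment in lowered:
                    return fragment
    return None


def check_password(password, min_len=12, min_classes=3):
    """Apply the guideline: length, number of classes, no keyboard rows.
    Returns the list of failed rules; an empty list means the password passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = char_classes(password)
    if len(classes) < min_classes:
        problems.append(f"only {len(classes)} character class(es), need {min_classes}")
    run = keyboard_run(password)
    if run:
        problems.append(f"contains keyboard row fragment {run!r}")
    return problems


def from_sentence(sentence):
    """Build a password from a sentence as described above: the initial
    letter of every word, plus any digits and punctuation inside the words."""
    parts = []
    for word in sentence.split():
        if word.isdigit():
            parts.append(word)  # keep numbers whole
            continue
        parts.append(word[0])
        parts.extend(c for c in word[1:] if c.isdigit() or c in CLASSES["punct"])
    return "".join(parts)


def word_group(words, separator="-"):
    """Join the chosen words with a special character (word-group password)."""
    return separator.join(words)


def random_word_group(wordlist, count=4, separator="-"):
    """Pick `count` words with the `secrets` CSPRNG instead of by hand and
    return the passphrase together with its entropy estimate in bits
    (log2 of the number of equally likely word combinations)."""
    words = [secrets.choice(wordlist) for _ in range(count)]
    bits = count * math.log2(len(wordlist))
    return word_group(words, separator), bits


if __name__ == "__main__":
    # Constructed sample sentence, not the one from the howto.
    pw = from_sentence("Every morning at 7 I cycle 12 km to the lab!")
    print(pw, sorted(char_classes(pw)), check_password(pw))
    print(check_password("qwerty1234!A"))
    print(check_password(word_group(["Zermatt", "fisher", "complex", "rainbow"])))
```

`check_password` reports every failed rule rather than a single verdict, so it can be used both to vet a master password and to explain why a candidate was rejected; the entropy figure from `random_word_group` is what to compare against the 12-character rule when you pick words by machine instead of from a personal story.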
Using a password manager
With an encrypted password safe, your passwords are stored in an encrypted database file that is decrypted with a single master password. In other words:
- You only have to remember one password to gain access to all your passwords
- The master password has to be extremely secure (see "Use good passwords"), because an attacker who copies the database file can guess at it offline
- If you lose the master password, you lose all your passwords; there is no recovery mechanism
KeePassXC (recommended password manager)
KeePassXC is a community fork of KeePassX, itself a native cross-platform port of KeePass Password Safe, with the goal of extending and improving it with new features and bugfixes to provide a feature-rich, fully cross-platform and modern open-source password manager. Features it adds include:
- Command line interface
- Stand-alone password and passphrase generator
- Password strength meter
- Merging of databases
- Automatic reload when the database was changed externally
On D-PHYS managed workstations:
On unmanaged/private workstations:
Use the binaries/installers or distribution-specific packages from keepassxc.org
If there is no packaged version for your distribution available, you can build it from source.
Build on Linux
Set up build environment and dependencies on Linux (Debian):
(for other distributions see wiki)
apt update && apt upgrade
apt install build-essential cmake g++
apt install qtbase5-dev qttools5-dev qttools5-dev-tools \
    libgcrypt20-dev zlib1g-dev
apt install libxi-dev libxtst-dev libqt5x11extras5-dev \
    libyubikey-dev libykpers-1-dev
Download the sources from keepassxc.org and unpack them:
tar xf keepassxc-*-src.tar.xz
or pull them directly from Git (note: the default branch is develop):
git clone https://github.com/keepassxreboot/keepassxc.git
This uses the current development branch; to build a tagged release instead, check the tag out on a local branch:
# make sure tags exist locally
git fetch --all --tags --prune
# show the list of tags
git tag
# check out version 2.2.2
git checkout tags/2.2.2 -b 2.2.2
Now change into the source directory and run the following commands:
mkdir build
cd build
cmake -DWITH_XC_AUTOTYPE=ON -DWITH_XC_HTTP=ON -DWITH_XC_YUBIKEY=ON \
    -DCMAKE_BUILD_TYPE=Release ..
make -j8
make DESTDIR=~/.local install
This builds the KeePassXC binaries and installs them under ~/.local. Note that DESTDIR only prepends a directory to the configured install prefix, so the files end up below ~/.local followed by that prefix; for a clean per-user install into ~/.local/bin, configure with -DCMAKE_INSTALL_PREFIX=$HOME/.local instead and run a plain make install. You can of course specify any other installation directory or omit DESTDIR completely, in which case it will install to the default system prefix (you need sudo for that).
If you don't want to install KeePassXC at all, you can also run it directly from the build directory:
For more information see the project's GitHub page.
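One step worth adding before the "unpack the sources" step above: check that the tarball you downloaded from keepassxc.org is the one the project published. The following POSIX shell snippet is an added example, not part of the original howto or of the KeePassXC project. It assumes the sha256 DIGEST file that accompanies the release sits next to the tarball, named `<tarball>.DIGEST`, in the `<sha256>  <filename>` format that `sha256sum -c` (or `shasum -c`) reads.

```shell
# Verify a downloaded KeePassXC source tarball against its sha256 DIGEST
# file before unpacking it. Added example, not the project's own tooling.

# Use whichever sha256 tool the system has (coreutils or perl shasum).
sha256_check() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -c --status "$1"
    else
        shasum -a 256 -c --status "$1"
    fi
}

# verify_tarball TARBALL [DIGESTFILE]
# Returns 0 only when both files exist and the tarball's sha256 matches.
verify_tarball() {
    tarball="$1"
    digest="${2:-$1.DIGEST}"
    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 1; }
    [ -f "$digest" ] || { echo "missing digest file: $digest" >&2; return 1; }
    # Run the check from the tarball's directory so the file name recorded
    # in the DIGEST file resolves; any mismatch makes the check fail.
    ( cd "$(dirname "$tarball")" && sha256_check "$(basename "$digest")" )
}

# Typical use after downloading both files from keepassxc.org:
#   verify_tarball keepassxc-2.2.2-src.tar.xz && tar xf keepassxc-2.2.2-src.tar.xz
```

A digest only proves the tarball matches what the same server advertises; the project also publishes a detached GPG signature (`.sig`) next to each release, which you verify with `gpg --verify` against the KeePassXC release signing key after obtaining and checking that key out of band.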
Available open-source password managers
Linux, macOS, Windows:
|                 | KeePassXC               | KeePassX                | KeePass                 |
| Platform        | Cross-Platform          | Cross-Platform          | Windows (Linux, macOS)  |
| Implementation  | C++, Qt 5.2             | C++, Qt 4.8             | C#, .NET (Mono)         |
| Database format | KeePass 2 (.kdbx)       | KeePass 2 (.kdbx)       | KeePass 2 (.kdbx)       |
| Compatibility   | 1.x (.kdb), 2.x (.kdbx) | 1.x (.kdb), 2.x (.kdbx) | 1.x (.kdb), 2.x (.kdbx) |
| Origin          | Fork of KeePassX        | Port of KeePass2        | -                       |
| Comment         | recommended             | Last update 10.2016     | slow with Mono          |
| Database format | KeePass 2 (.kdbx)           | KeePass 2 (.kdbx)   |
| Compatibility   | 2.x (.kdbx)                 | 2.x (.kdbx)         |
| Origin          | UI ported from KeePassDroid | -                   |
| Comment         | recommended                 | Last update 04.2017 |