Recently, I was browsing https://haveibeenpwned.com/ and found that one of my old email addresses had been involved in a data breach. Looking into it more, it seemed that the company involved (adobe, go figure) had done a poor job of securing the passwords so there is a good chance that my password was compromised. Like everyone else on the planet, I used to use a couple of passwords for all of my accounts.
Since this old email address predates a lot of my knowledge of good computer security, there is a very good chance that it shares a password with other older accounts. So, I decided to go ahead and add all of these old accounts to my password manager.
To be clear, I do regularly use a password manager. We use one for our passwords in my library, and I use one personally. However, I have never gone back and found all of the random accounts that I signed up for over the years and changed the passwords to something strong and unique. This prompted me to write about how I use a password manager in my library.
Keepass is a free and open source password manager that works on all major OS’s. It has a number of nice features (though nothing that the other password managers don’t offer). The main things that recommend it to me are that it is open source, so you will never have a company turn a formerly free feature into a premium feature, and that it works cross platform.
Keepass keeps its passwords in an encrypted database that is separate from the keepass application itself. This is very nice because it means that backing up your passwords is as easy as making a copy of the file. It also means that you can keep your passwords with you on a thumbdrive. It is even nicer because Keepass allows syncing between multiple files making it easy to keep your backup copies up to date.
I keep my personal keepass database on a thumbdrive on my keyring, but also have a copy on my laptop at home. I regularly sync the two files to keep my backup copy in line with my main one. We also use this feature at the library. There we keep our main database on a shared drive so it is accessible by any staff computer. I keep a copy of that database on my keyring too, so I can access things if I am not on our network. In addition to this shared database, a number of staff members keep personal databases on our shared drive of passwords that they use for work.
Keepass allows using either a password or a key file to unencrypt the database. This allows me to use passwords or phrases that are personally meaningful to me for my databases, but use a key file for the shared database. People who need access to the shared password database get copies of the keyfile either on a thumbdrive or on their laptop. If you have some passwords that need to be extra secure you can use both. Then you have two factor authentication for your passwords.
It doesn’t have to be keepass, but you should be using some password manager. It is simply impossible to have good unique passwords for every account that you need today. Not only remembering them, but even coming up with them is a major challenge. Keepass includes a password generator which is honestly my favorite feature. Offloading this task from my meat brain to a computer which is much better at that type of task is a huge relief. The alternative is to reuse passwords and risk compromising many or all of your accounts if one company fails to take security seriously enough.