Hidden Gems of Password Managers

How to make Password Managers more secure?


A password manager is a tool without which nobody in IT can imagine their life. It makes us more secure, private, and productive. Yet even with such a useful piece of software, we may not be using it to its full potential, and that is what this blog post unveils. First, we will explore a few nitty-gritty tips and tricks that will make you more private and productive. Then, in the second half, I will tell you about some features of password managers that you might not be aware of. I am sure you will find something new to improve in your password manager. As you read, keep a note of the tips and features in your task manager or notepad so you do not forget them.

Double Blind Password aka Horcruxing

While threat modeling for security and privacy, it is always best to assume the worst case. For a password manager, there are three worst-case scenarios over which we have no control. First, what if a threat actor gets access to your password manager? Second, what if the password manager itself goes rogue? And last, what if there is a zero-day in the password manager? To cover all of these attack vectors, we use a Double-Blind Password.

In Horcruxing, when creating or updating an account password, instead of relying solely on the password produced by an automated generator, we take a layered approach: first generate a random password with the password manager, then append a passphrase to it. The outcome? Your vault retains only the generated portion, while you keep the second half in your head.

For instance, say I am creating a GitHub account.

  1. Random Password Generation: Initiate account creation with a randomly generated password from your trusted manager, e.g., e95hJ[2Bif$N7B.

  2. Adding a Personal Passphrase: Strengthen the password by appending a personal passphrase, like vampires-exists. The combined result is e95hJ[2Bif$N7Bvampires-exists.

    e95hJ[2Bif$N7B + vampires-exists = e95hJ[2Bif$N7Bvampires-exists

  3. Split and Store: Store only the first half in the password manager, ensuring the second half remains memorized by you.

This trick is quite well known. Privacy and security professionals use it when they do not want to put 100% trust in a password manager, and at the same time it sidesteps many of the worst-case scenarios above.

Mistakes to Avoid

  1. Do not overcomplicate this: use just one or two secret phrases across all accounts.

  2. Do not take on the overhead of placing the crux somewhere in the middle. Just paste it at the rightmost or leftmost end of the base password.

  3. Do not pick a secret phrase that is too long, too short, or extremely random, because you will have to remember it.

  4. Use a simple, uncommon passphrase 8-12 characters long.
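To make the split concrete, here is an added example (my code, not the author's or any password manager's) that composes the post's GitHub password from the vault-stored base and the memorised crux, then checks both halves against a constructed PBKDF2 login backend: the vault half alone fails, the combined password succeeds.

```python
import hashlib
import hmac
import os
import secrets
import string

# Added example of the double-blind ("Horcruxing") scheme described above.
# The vault holds only the generated base; the memorised crux is joined at
# one edge right before the password is used. The service-side hashing is a
# constructed stand-in for a real login backend.

ALPHABET = string.ascii_letters + string.digits + "!$%[]{}#@"
PBKDF2_ROUNDS = 200_000


def generate_base(length: int = 14) -> str:
    """Random base password: the only part a password manager would store."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def compose(base: str, crux: str, side: str = "right") -> str:
    """Join the vault-stored base and the memorised crux at one edge only."""
    if side == "right":
        return base + crux
    if side == "left":
        return crux + base
    raise ValueError("place the crux at the rightmost or leftmost end only")


def register(password: str) -> tuple:
    """Constructed service side: keep a salted PBKDF2 hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def demo() -> dict:
    """Walk through the GitHub example from the post with its exact values."""
    base = "e95hJ[2Bif$N7B"       # stored in the vault (value from the post)
    crux = "vampires-exists"       # kept in your head (value from the post)
    full = compose(base, crux)
    salt, digest = register(full)
    return {
        "full": full,
        "vault_only_logs_in": verify(base, salt, digest),   # a stolen vault alone
        "base_plus_crux_logs_in": verify(full, salt, digest),
    }
```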

Manage Non-Deletable Accounts

If you are like me, with hundreds of passwords in the vault, then you might have stumbled upon an online service that does not allow account deletion. Such accounts tend to stay there forever, and you forget about them. This is a real issue because there is no proper solution to it. Just leaving your information on the internet is not good practice, because these online services will keep sharing your data with third parties, and sometimes that data includes financial information like credit card details. That's why it is crucial to remove and reduce your online footprint. There are a few ways to minimize this problem, if not mitigate it completely.

Step 1: Forge as much information as you can. Change the name, address, username, e-mail, etc.

Step 2: Create a separate folder named non-deletable in your password manager to hold the credentials of these non-deletable online accounts.

Step 3: Review these accounts periodically, e.g. every 3 or 6 months. If any of these services adds deletion functionality in the future, delete the account and then delete the corresponding entry from the password manager.

Step 4: Obvious advice: why not check whether an online service allows deletion before signing up? Do I do it? No. Should you do it? Yes.

Handle Different Types of Credentials

Password managers are not just good at storing usernames and passwords. They are also efficient at handling more complex authentication material. For instance, an S3 bucket passphrase, API keys, or secrets all need to be stored somewhere securely. That's the reason there is an extra field named Notes or Description. Ya! This is my favorite place to store extra credentials associated with a particular account.

I also use this Notes field for other purposes, like for my SimpleLogin account. I save three or four spare temporary e-mail addresses provided by SimpleLogin, so I do not have to log in to SimpleLogin again and again. Convenient, no?

A few more uses where the Notes feature can be quite helpful:

  • SSH keys

  • API Tokens

  • License Keys

  • Security Questions and Answers

Should you store recovery phrases in the Notes field?

Storing account recovery passphrases and recovery codes in the password manager can come in quite handy when you cannot access your OTP or completely lose access to your account. There is no issue with that if you trust your password manager. But I do not. I do not blindly trust any online password manager because, in the end, nothing is 100% secure, and they could be vulnerable to zero-day exploits. It also breaks the trust boundary on which I rely. I don't trust password managers completely, but I still use and recommend them because I rely on 2FA (2-Factor Authentication). So, if in the rarest of rare cases my password manager goes rogue, they still cannot access my accounts because they will not have my 2FA code to authenticate.

And that's the catch: if you store recovery passphrases and recovery codes in a password manager, you're unknowingly but willingly giving your password manager full access to the account. The only case in which I would do this is when I am using an offline password manager. So, there are two solutions that I can think of:

  1. Paste all the recovery passphrases and recovery codes of every single account into a text file, encrypt it, and then store it in the password manager as an attachment.

  2. Save them offline and have backups at multiple SECURE places.

Pro Tip: I usually store recovery codes in KeePassXC (an offline password manager), because it encrypts them with AES-256. I then keep the KeePassXC database in a secure location.

Special & Powerful Features Of Password Manager

Now we are done with the personal tips and tricks section, so it is time to focus on features that you are not using or not aware of. Some of these features can boost your productivity 10X.

Two-Factor Authentication Integration (TOTP)

Yes, many password managers offer 2FA functionality as well, which makes the login process more convenient: the password manager will also autofill the OTP that you usually copy-paste from an authenticator app. This does not work if you use SMS-based OTP. If you do not know the TOTP setup process, you can follow one of the two articles below. If you are using a different password manager, do not worry; the process is the same for them too.

  1. Bitwarden Authenticator (TOTP)

  2. How to use 2FA in Proton Pass

But I, along with security and privacy experts, do not recommend this. The reason, as I already explained above, is that by handing over username, password and OTP you are putting 100% trust in your password manager. And if you do trust your password manager, what would you do in a situation where you forget to lock it and a threat actor gets access to all your accounts, including their OTPs?

The only factor that gives me the confidence to share my passwords with some companies is the OTP, and by doing this I would lose that confidence. Again, on one condition I would use this feature: with an offline password manager like KeePassXC.

Custom Fields

The custom field is one of the most ignored features. In most cases the Username, Password and URL fields are enough, but in some situations you might require an extra field that you can autofill. For example, in ProtonMail you can set two passwords, one for login and a second one to decrypt emails. If you want to store the second password in the password manager, you will require an extra custom field. You could use the Notes section too, but then you miss out on the autofill functionality.

A few more use cases where the Custom Field feature can come in handy:

  • API Tokens

  • License Keys

The general rule of thumb: if you require an autofill field and you use it multiple times, use a custom field; otherwise, for long strings or input fields with multiple options, stick with the Notes section.

Pro Tip: It is crucial to verify that your password manager encrypts all fields, including custom fields, and the same goes for the Notes section.

E-Mail Aliases

If you are not aware of this feature, you're missing a lot, not just in privacy and security but in the fight against spammers. Before I explain, I want you to know that e-mail aliasing or e-mail relaying is an external feature and can be used standalone without any password manager. Now, let's talk about what the heck this e-mail relaying is. Simply put, it's all about creating temporary or fake e-mail addresses, but in a much more effective way. I will explain this with the example of SimpleLogin, an e-mail relay or alias provider.

When you sign up for a SimpleLogin account, they provide you with 10 e-mail aliases for free. You can delete or create new aliases with just one click. The benefit is that whenever somebody sends mail to any of the 10 aliases you created in your SimpleLogin account, it is forwarded to the original e-mail account you signed up with. So you don't have to use your real e-mail address, which is especially helpful for newsletters or for signing up for different accounts with different e-mails; they will all be forwarded to the real address, as illustrated in the diagram below from SimpleLogin.

[Figure: SimpleLogin e-mail relay illustration]

Now, Imagine this feature is integrated directly into the password manager. Sign up anywhere without worrying about potential E-Mail leaks.

Emergency Access: Prepare Your Password Manager for Death

Who will cry when you die? The ones who will not have access to your password manager, because that is where you store online banking, social media, and all other credentials. That's why we need to prepare our password managers for death, or for any emergency situation where you can't access it but your family members should be able to. Different providers use different approaches to give a trusted individual emergency access to the vault. It is also possible to share a vault with your family members for credentials you have in common. So if you trust them, you can also store banking details there, but this model is not suitable for businesses or for cases where you require full access to the vault, e.g. social media accounts. In most password managers, this is a premium feature.

Honorable Mentions

I didn't cover a few niche features, but they are worth mentioning here. I left them out because most people know they exist but don't use them often, as they are hidden behind paywalls.

Password Auditing

This is one of the most marketed features many password managers use to sell premium plans. It helps you stay aware of whether your credentials have been leaked in a data breach. I never felt I needed it because I use strong, lengthy passwords. But it could be a good feature from a security standpoint for an enterprise auditing password policies. One thing to keep in mind: if you're purchasing a password manager for this particular purpose, always verify that it also covers dark-web leaks and other types of credentials like credit cards, e-mail addresses, etc. If a vendor charges you for just password leaks, it's useless. You can do that for free on HaveIBeenPwned, and if you aren't comfortable pasting your credential into a webpage, you can use a utility, Check-Breach, that I wrote. Check-Breach checks for password leaks against the HaveIBeenPwned database without sending the original password or its full hash digest; it achieves this via the k-anonymity method. A few password managers, like Bitwarden, also provide this feature for free.
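Here is what that k-anonymity lookup looks like in practice, as an added example (my code, not Check-Breach's): only the first five hex characters of the SHA-1 digest are sent to the HaveIBeenPwned Pwned Passwords range endpoint, and the suffix match happens locally against a constructed sample response.

```python
import hashlib
from urllib.request import Request, urlopen

# Added example of the k-anonymity lookup the post credits to Check-Breach.
# Only the first five hex characters of the SHA-1 digest leave the machine; the
# Pwned Passwords range endpoint answers with every known suffix under that
# prefix, and the match is made locally. The sample responses are constructed.

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_digest(password: str) -> tuple:
    """Upper-case SHA-1 hex digest split into the 5-char prefix and the rest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (CRLF and blank lines tolerated) into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch) -> int:
    """Return how often the password appears in breaches; 0 if never seen."""
    prefix, suffix = split_digest(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def fetch_hibp(prefix: str) -> str:
    """Real fetcher: sends only the 5-char prefix over the network (not used below)."""
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "added-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API: the suffix of SHA-1("password") plus one
# made-up neighbour; both counts are invented for the example.
SAMPLE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "1E4D3FC6E7F0E1AB9A2C3D4E5F60718293A:2\r\n",
}


def fake_fetch(prefix: str) -> str:
    """Offline replacement for fetch_hibp using the constructed responses."""
    return SAMPLE_RESPONSES.get(prefix, "")
```

Swap `fake_fetch` for `fetch_hibp` in `breach_count` to query the live service.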

Encrypted File Storage

There are very few cases where you will store attachments in a password manager; a separate encrypted file storage provider would be a much better option. Of course, in the business world the possibilities are endless. For personal usage you can store recovery-code PDFs, but first, I don't recommend it, as discussed above in the section Should you store recovery phrases in the Notes field?, and second, I could just copy and paste them into a secure notes section if I really wanted to. You could also save your driver's license or government ID, telling the password manager exactly who you are. Security isn't the only thing I care about; privacy is also important to me, which ends up making me paranoid.

My Password Manager Recommendation

Yep! Everyone's favorite and never-ending topic, Top 5 Password Managers That Will Make You Super Secure. The first position in this list goes to:

S.No  Password Manager  Free Tier  Open-Source  Description
1.    Bitwarden                                 All Major Features In Free Tier
2.    Proton Pass                               Best E-Mail Aliasing Integration
3.    1Password                                 Best Suited For Businesses
4.    KeePassXC                                 Offline Password Manager, Highly Customizable, For High Threat Models
5.    Pass                                      Offline Password Manager, Only For Nerdiest Guys, More below

Password managers that I have used so far are LastPass, RoboForm, NordPass, Bitwarden, KeePassXC, and Pass, including OffSync, my own stateless password manager. I know that's stupid; you should never use your own password manager. I do it to better understand how password managers work. Keeping this aside, for me the combination of Bitwarden and KeePassXC always works best.

Btw, OffSync is still an active project; I'm just mentioning it in case you want to poke around. But I STRICTLY DON'T RECOMMEND IT FOR PERSONAL USAGE. It's just my hobby project.

Password-Store aka Pass

Pass is a bit different from other password managers. It definitely has the highest learning curve. Usually, only minimalist Linux nerds use it. Pass has some information-exposure issues, like revealing the number of passwords stored in a database or allowing access to the encrypted files, etc. Pass focuses only on password security, which is why you won't get many of the features discussed above.

These issues are not well discussed in the community for two reasons. First, very few people use it, and second, it's an offline password manager, so if someone has managed to get this far, I believe you will have more things to worry about. In the end, your passwords will still be safe because they are encrypted with PGP. If you want to know more about Pass security, check out (In)Security of the "Pass" password manager.

But that doesn't mean Pass has no good uses. I personally don't use Pass for storing passwords, but I do use it as a 2-factor authenticator. If you're interested in that, check out this blog post: How to Setup and Autofill OTP Using Pass-OTP?

Resources

Pro Tip: Use keyboard bindings to autofill credentials instead of the mouse. Do that a few times and you will never touch the mouse again.


So, that's all for this time. Stay safe, and start using a good password manager if you aren't already. If you are already using one, it's best to start implementing the features and tricks we have discussed. If you have any suggestions or I forgot to mention anything important, please let me know in the comments section or on my socials.

Bye!!!