Installing the KeePass Password Manager

Today I want to walk through installing the KeePass password manager on Windows 10. This post will explore downloading, installing, and first steps to using a local password manager. The end result, for those who follow these steps, will be an encrypted password generation and storage mechanism.

Setting Up KeePass

Download KeePass

The first step in the process is downloading the installer. From the KeePass download page, there are options for both the installer and the portable package. While this post will be focused around installing the software on Windows 10, the portable option provides a good solution for users who need their passwords on multiple machines.

KeePass Download Page

Choose the installer and then save the file to disk

Save Installer

Once downloaded, navigate in Explorer to wherever the file was saved, usually C:\Users\$USER\Downloads. Double-clicking the installer launches the process. After Windows User Account Control (UAC) asks you to confirm that the installer may proceed, the KeePass installer will launch. The following series of images illustrates the install process.

Installing KeePass

First, select the install language.

Select Language

The license agreement is next. Be sure to read this before selecting “I accept the agreement”, which is required in order to proceed.

Accept License Agreement

I generally don’t change the install path, but if you want to, the next dialog lets you define where KeePass will be installed on the system.

Choose Install Path

The component selection dialog is another area I typically leave alone; it lets users take more control over which KeePass components are installed.

Select Install Components

The additional tasks menu also requires no changes. The options pictured below ensure that KeePass is registered for the .kdbx file extension and let the user decide whether a desktop and/or Quick Launch shortcut should be created.

Additional Tasks

With all the options configured, take a moment to look over the install configuration before proceeding.

Confirm Install Options

And we’re off to the races! In a few moments KeePass will be installed on the local system.

KeePass Installing

Once installation completes, launching KeePass will take us into the next steps to configure a password database.

Launch KeePass

Using KeePass

Launch the Program

If you accepted the install defaults, there is an icon on the desktop; otherwise, find the launcher in the Start menu. On first launch, KeePass walks users through the basic steps of setting up a database.

Configuring New Database

Select the path and file name that will become the password database file.

Select Password Database Path

The next step is to define the master password. This is the one password which users need to remember to access all the other passwords. Generally, I encourage users to use a passphrase rather than a password, for increased security.

Configure Master Password

Presuming both entries match, selecting “OK” will take us into some additional database settings. Again, since we’re just covering the basics of KeePass, I won’t be covering these today, but I encourage users to explore these other options.

Additional Database Settings

The last step in the setup is to print the KeePass Emergency Sheet. Print this off, fill out the details, and keep it safe as this will contain the details to gain access, should someone need it.

KeePass Emergency Sheet

And finally, we’re presented with the KeePass interface. In a later post, we’ll work with creating, editing, and using various entries, and how to put KeePass to work generating, and protecting, your passwords from prying eyes.

MyDatabase Running

There are several default entries and categories within a default KeePass database. I highly recommend exploring the entries that are available, learning the options, and making some mistakes with passwords that don’t matter before you start entering passwords on which you depend into KeePass.

Conclusion

If you’ve followed along at home, we’ve successfully installed, configured, and started using the KeePass password manager. While this post was written to demonstrate the process on a Windows 10 machine, KeePass also runs on Linux and Mac. In the next post, I’ll cover some notes on general usage of KeePass and the use of online alternatives. The goal here is to get readers to understand the benefits of using a password manager, and to illustrate the ease with which they can be implemented. I hope you’ve found this post to be informative and I appreciate the time you’ve taken to read it. Remember that we live in a hostile world and it is important to take measures to protect yourself!

OpSec in the Real World

Operations Security

What is OpSec?

Operations Security (OpSec) is the action of protecting information which might be used against one in a hostile encounter. OpSec forces a person, or organization, to perform threat modeling to determine potential vulnerabilities which might be exposed to adversaries and establish controls aimed at anticipating and defending possible attacks. Identifying attack surfaces and hardening them reduces risk and increases the difficulty an adversary faces in launching a successful attack.

“All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.”  – Sun Tzu

Operational Security OpSec

Why OpSec

Allow me to put my tin foil hat on for a moment to explain why OpSec matters. It is a harsh, cold world out there today and adversaries are everywhere. In a world that is constantly connected, where people share and over share everything, it’s important that we’re taking steps to protect ourselves, our data, and our friends/family. It can be something as simple as thoughtlessly sharing a photo to Facebook. Without thinking, you could expose someone to risk. There could be a stalker out there just waiting for information that could lead them to their prey. A Facebook group I belong to recently proved this threat as someone posted a photo in the group which exposed the license plate of another person who happened to be trying to escape an abusive spouse. Thankfully, the victim was gone before anything bad could happen, but this mishap did put a dangerous person on the trail of someone they had been trying to find for nearly a year!

The sad fact of the matter is that there are so many bad situations we can find ourselves in today that make OpSec more important than ever before. Keeping data safe means implementing consistent OpSec practices. My hope in writing this is that you’ll think about your own operations security and will find ways to make changes that make you and your data more secure.

How to OpSec?

Creating an effective OpSec program requires 5 steps:

Identify Critical Information

Critical information is a specific fact related to intentions, capabilities, or activities that could be used by adversaries in an attack. If Critical Information is obtained, the adversary would be able to impact the mission. The first step of the OpSec process is developing a Critical Information List (CIL) which defines any sensitive data which might be targeted.

Limitations

In the case of organizational risk and corporate espionage, learning the limitations of a partner or competitor could be invaluable. Learning what cannot be done is just as valuable as knowing what can. For a hostile threat agent to understand the limitations of a target

Operation Plans

Getting visibility into planning operations poses a significant risk to both organizational and personal OpSec. Attacks against operational plans include the who, what, when, and where components of the planning phases and can wreak havoc upon the forward momentum of operational plans.

Personal Information

In 2007, stolen email accounts were worth anywhere from $4-$30. In 2008, prices fluctuated between $0.10 and $100. Compare this to 2009, when the price hovered between $1 and $20. Today, you can get 1,000 stolen email accounts for $0.50 to $10.

Credit card information, on the other hand, has not depreciated in recent years. In 2007, credit cards advertised around $0.40 to $20 per record. Sale price would depend on factors such as the brand of card, the country of origin, how much metadata is provided, volume of purchase, and how recently the card data was obtained. In 2008, the average asking price for credit card data, according to my research, was slightly higher ($0.06 to $30), and later in the year it rose to a range of $0.85 to $30. Today, prices for stolen credit card records fluctuate between $0.10 and $20 per record. In general, credit card data prices have fallen slightly over the last few years, especially in cases where cyber criminals trade in volume.

Where we saw healthcare records fetch $200-$500 for a single record in 2015, today prices are more in the range of $1.50-10 depending on the type of data and who’s buying it.

Analyze Threats

With critical information identified, we now have something to protect. The next step is to determine the individuals or groups that represent a threat. There may be multiple adversaries, and different pieces of information may be targeted by different groups. In this stage, each adversary’s capabilities, intended use for the information, determination, and resources must also be analyzed.

Analyze Vulnerabilities

Vulnerability analysis is one of the most challenging pieces of the OpSec puzzle. Basic vulnerabilities exist in innocent day-to-day activities like conversations or phone calls in public, or posts on social networking sites. As society has become more reliant on technology, complacency has put us in the position of exposing our email conversations and web pages, which can provide insight for a threat agent. In the most extreme cases, communication intercepts and espionage may come into play. Each level presents its own risk and has its own consequences, which is why threat modeling is important.

Assess the Risks

First, planners analyze the vulnerabilities identified in the previous action and identify possible OpSec measures for each vulnerability. Second, specific OpSec measures are selected for execution based upon a risk assessment done by the commander and staff. Risk is calculated based on the probability of Critical Information release and the impact if such a release occurs. Probability is further subdivided into the level of threat and the level of vulnerability. The core premise of the subdivision is that the probability of compromise is greatest when the threat is very capable and dedicated, while friendly organizations are simultaneously exposed.

Apply Countermeasures

Protected communications

Implement controls over your personal communications. Use encryption wherever possible. Email can be encrypted using PGP. Text messages and mobile phone calls can be encrypted with services like Wire and Signal respectively. If you have a service you’re using, there is probably a way to encrypt the data. Learn how and make it happen!

Protected Web Browsing

Modern web browsers offer methods to force the use of HTTPS while browsing. One way to accomplish this is with browser plugins or extensions. Adding this functionality to your browser forces encryption to be used during browsing.

Physical Controls

OpSec doesn’t solely apply to the internet; there are many concerns in the physical world too. As you go about daily life, there are some considerations to keep in mind:

  • Be alert
  • Be suspicious
  • Be aware

Finally, consider the threat when you:

  • Use the phone
  • Talk to strangers
  • Disclose in public
  • Use social media

Each of these presents its own unique risks to personal OpSec and should be addressed to reduce the risk of attack.
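The five steps above can be carried through as a small risk model. This is an added example, not code from the original post: the ordinal scales (low/medium/high as 1..3), the scoring formula (probability = threat × vulnerability, risk = probability × impact, both scaled to 0..1), the countermeasure mapping and the sample Critical Information List are all constructed for illustration.

```python
"""Risk scoring for the five-step OpSec process: identify critical information,
analyze threats, analyze vulnerabilities, assess risk, apply countermeasures."""
from dataclasses import dataclass

# Constructed ordinal scale for threat, vulnerability and impact ratings.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Exposure:
    """One Critical Information List item (step 1) as targeted by one adversary
    (step 2), leaking through one channel (step 3)."""
    item: str           # e.g. "operation plans"
    adversary: str      # e.g. "competitor"
    channel: str        # e.g. "email", "social media", "public conversation"
    threat: str         # adversary capability and determination
    vulnerability: str  # how exposed the item is through this channel
    impact: str         # consequence if the item is compromised


def probability(threat: str, vulnerability: str) -> float:
    """Step 4: probability of release, subdivided into threat level and
    vulnerability level, scaled to 0..1 (constructed formula)."""
    return (LEVELS[threat] * LEVELS[vulnerability]) / 9.0


def risk_score(e: Exposure) -> float:
    """Risk = probability of release x impact, scaled to 0..1."""
    return probability(e.threat, e.vulnerability) * LEVELS[e.impact] / 3.0


# Step 5: which countermeasure from the post addresses which leak channel.
COUNTERMEASURES = {
    "email": "protected communications (PGP)",
    "text message": "protected communications (Signal/Wire)",
    "web": "protected web browsing (force HTTPS)",
    "social media": "consider the threat before posting",
    "public conversation": "physical controls (be alert, be aware, be suspicious)",
}


def assess(exposures, threshold: float = 0.25) -> list:
    """Rank exposures by risk and attach a countermeasure to those at or above
    the threshold. Returns a list of (score, exposure, countermeasure_or_None)."""
    ranked = sorted(exposures, key=risk_score, reverse=True)
    out = []
    for e in ranked:
        score = round(risk_score(e), 3)
        measure = None
        if score >= threshold:
            measure = COUNTERMEASURES.get(e.channel, "no mapped countermeasure")
        out.append((score, e, measure))
    return out


# Constructed sample CIL using the three categories named in the post.
SAMPLE = [
    Exposure("operation plans", "competitor", "email", "high", "high", "high"),
    Exposure("personal information", "stalker", "social media", "medium", "high", "high"),
    Exposure("limitations", "competitor", "public conversation", "medium", "medium", "medium"),
    Exposure("personal information", "opportunist", "web", "low", "low", "low"),
]

if __name__ == "__main__":
    for score, e, measure in assess(SAMPLE):
        print(f"{score:.3f}  {e.item:<22} via {e.channel:<20} "
              f"adversary={e.adversary:<12} -> {measure}")
```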

Conclusion

OpSec is a necessity for anyone who has anything sensitive that needs to be kept confidential. Obscuring information, skewing facts, and offering misinformation can all be useful in protecting personal operations. Making sure to be consistent in these practices will eliminate the likelihood that information gets leaked to unauthorized parties, reducing the overall attack surface. Protect yourself out there: no one’s going to do it for you!

New Year, New Vulnerabilities

Well, we got to ring in the new year with some major excitement, didn’t we? 2018 has met us with a nasty 1-2 punch combination, no doubt! First, the disclosure of a vulnerability that affects millions of GPS tracking devices. Security researchers were able to access location history, send commands to the device (the same commands that would be sent via SMS), and activate or deactivate geo fencing alarms. All this was said to be possible with no authentication needed.

This was immediately followed by the Meltdown and Spectre vulnerabilities in what is essentially any device connected to the internet. From mobile phones, to tablets, to laptop and desktop PCs, these flaws do expose us to some pretty significant risk. But the world is not, in fact, over. Not yet at least.

The RedLegg team has been fielding calls from clients, friends, and family about these vulnerabilities that have been drawing a lot of attention this week. There is significant implication as to the damage that could result from successful exploit of these issues, but we wanted to present some additional facts for consideration. Here’s what we know:

Meltdown

This vulnerability allows any application to access all system memory, including memory allocated for the kernel. Patches are being, and in some cases have been, rolled out and should be applied as soon as possible. So far, research indicates that only Intel chips have been shown to be vulnerable.

Spectre

This vulnerability allows an application to force another application to access arbitrary portions of its memory, which can then be read through a side channel and affects nearly every CPU built on the x86 architecture. This vulnerability may require changes to processor architecture in order to fully mitigate. According to leading research, this vulnerability impacts Intel, AMD, and ARM chips. Due to the development life-cycle implemented by processor manufacturers, this issue will likely be around for a very long time.

Exploitation is possible. Security researchers produced and released proof of concept exploit code within roughly a day. There is no reason to believe that the bad guys will be working feverishly to weaponize these and deploy them for nefarious means. And while there definitely is significant risk associated with these vulnerabilities, there is no proof or reason to believe weaponized exploit code is in use in “the wild”.

Consider taking an inventory of all your systems by processor type, be sure to apply vendor patches as they become available, and track the progress of the updates as they’re released.

  • Microsoft has issued a patch for Windows 10, while other versions of Windows will be patched on the traditional Patch Tuesday on January 9, 2018.
  • MacOS 10.13.2 mitigates some of the disclosed vulnerabilities, but MacOS 10.13.3 will enhance or complete these mitigations.
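One way to keep the processor-type inventory the post recommends, as an added example rather than anything from the original post or from RedLegg: on Linux hosts the kernel publishes a status line per issue under /sys/devices/system/cpu/vulnerabilities/ (added to the kernel with the early-2018 patches), so a script can collect CPU vendor/model plus the meltdown and spectre status of each host and flag those still reporting "Vulnerable". The two sample hosts and their status strings are constructed; Windows hosts would need a different collector.

```python
"""Speculative-execution exposure inventory for Linux hosts."""
import os
import re

SYSFS = "/sys/devices/system/cpu/vulnerabilities"
ISSUES = ("meltdown", "spectre_v1", "spectre_v2")


def classify(status: str) -> str:
    """Map the kernel's free-text status line to a fixed category."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # file missing (old kernel, non-Linux) or unrecognised text


def cpu_model(cpuinfo: str) -> tuple:
    """Pull vendor and model name from /proc/cpuinfo text (first CPU only)."""
    vendor = re.search(r"^vendor_id\s*:\s*(.+)$", cpuinfo, re.M)
    model = re.search(r"^model name\s*:\s*(.+)$", cpuinfo, re.M)
    return (vendor.group(1).strip() if vendor else "unknown",
            model.group(1).strip() if model else "unknown")


def assess_host(name: str, cpuinfo: str, statuses: dict) -> dict:
    """Build one inventory row; needs_patch is True if any issue is still vulnerable."""
    vendor, model = cpu_model(cpuinfo)
    cats = {issue: classify(statuses.get(issue, "")) for issue in ISSUES}
    return {"host": name, "vendor": vendor, "model": model, **cats,
            "needs_patch": any(c == "vulnerable" for c in cats.values())}


def read_local(name: str = "localhost") -> dict:
    """Collect the same row from the running host (all 'unknown' if not Linux)."""
    statuses = {}
    for issue in ISSUES:
        try:
            with open(os.path.join(SYSFS, issue)) as f:
                statuses[issue] = f.read()
        except OSError:
            pass
    try:
        with open("/proc/cpuinfo") as f:
            cpuinfo = f.read()
    except OSError:
        cpuinfo = ""
    return assess_host(name, cpuinfo, statuses)


# Constructed sample data for two hosts, in the format the kernel uses.
SAMPLE_HOSTS = {
    "ws-01": (
        "vendor_id\t: GenuineIntel\nmodel name\t: Intel Core (constructed)\n",
        {"meltdown": "Mitigation: PTI\n",
         "spectre_v1": "Mitigation: __user pointer sanitization\n",
         "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n"},
    ),
    "ws-02": (
        "vendor_id\t: AuthenticAMD\nmodel name\t: AMD Ryzen (constructed)\n",
        {"meltdown": "Not affected\n",
         "spectre_v1": "Mitigation: __user pointer sanitization\n",
         "spectre_v2": "Mitigation: Full AMD retpoline\n"},
    ),
}


def inventory(hosts=SAMPLE_HOSTS) -> list:
    """One row per host, in the order the hosts were listed."""
    return [assess_host(n, ci, st) for n, (ci, st) in hosts.items()]


if __name__ == "__main__":
    for row in inventory():
        flag = "NEEDS PATCH" if row["needs_patch"] else "ok"
        print(f"{row['host']:<8} {row['vendor']:<14} {row['model']:<28} "
              f"meltdown={row['meltdown']} spectre_v2={row['spectre_v2']} [{flag}]")
```

Feed `inventory()` the rows collected from each host (for example `read_local()` run over SSH) and track the `needs_patch` column as vendor updates land.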

For anyone using Qualys Vulnerability Management, Qualys will continue to release QIDs for any vendor patches that mitigate this vulnerability. A list of currently-released QIDs is being maintained in this Qualys Support article.

It’s an increasingly interesting time to be in the world of security, and an increasingly dangerous time to fall victim. Take the time to read the information that’s out there on these issues; there is a lot. But be sure to understand what you’re reading. Proof of concept exploits for these issues continue to surface, and with each release the potential for a weaponized exploit increases. Considering the number of devices impacted here, we really need to be watching the horizon as the research develops.

Happy New Year. Stay safe out there!

My New Year’s Resolution

How did we get here?

As I was enjoying the Christmas holiday with family, a revelation washed over me. My affinity for technology, once a healthy hobby, had devolved into a sick dependency and an addiction. This experience sparked some intense reflection into how I used to love getting my hands on the keyboard and getting online but now the internet is ubiquitous and ingrained into pretty much every aspect of my life. The joy had faded into an expectation and now, when I’m not connected, I find myself wondering what’s happening. I had to acknowledge that I’d fallen prey to FOMO.

I started to become more conscious of this over the days since and I started to see how much time I’d spent on some digital device looking at social media. But it was worse. After spending all day with my face in a screen, rather than have conversations over a meal I would thumb through Facebook and continue to evade the human connection. I started to look back on how many times someone would post something on Facebook or @ me on Twitter when we were in the same room.

How does it happen?

The root of the problem is that we are all, at our base roots, drug addicts. You may not drink. You may not smoke. You may avoid caffeine. But you’re human and therefore you’re an addict. There are some really great articles which explain this in deeper detail than I’ll cover here, but the fact is that we are all driven to seek satisfaction. With the internet, twitter, and texting we now have almost instant gratification of this desire to seek. We no longer have to leave a message on someone’s answering machine, wait for them to get home to listen to the message, and wait for a return call. Now you can just shoot a quick text. This increased level of instant gratification can create a dopamine induced loop. The dopamine starts you seeking, which leads to rewarding satisfaction, which sets us on another search. It becomes harder and harder to stop looking at email, stop texting, or stop checking your cell phone to see if you have a message or a new text.

Taking action

Well, now that I’ve realized how big this dependency has become, I have to do something about it. And being on an endless quest for knowledge and growth, I’ve devised a plan to not only break me from my obsession, but to use the opportunity to level up my skills in psychology and situational awareness.

Cutting the cord

The first step in my plan is to delete the social media applications from my phone. Not only will this help my aim of breaking the compulsion to be connected, but it also means fewer distractions from the associated notifications and increased battery life on my smartphone. When I saw this tweet on the topic, I knew I was on the path to doing something right.

Filling the silence

As I’ve been mentally preparing myself for this endeavor, one that I admittedly expect to be quite challenging, I started forcing myself to slowly stop using the phone. When I become conscious that I’m surfing social media, I force myself to put the phone away and reinsert myself into real life. This has helped me to realize how I was getting the added benefit of escaping what was in front of me. Faced with this increased opportunity to engage people I have been enjoying more conversations where there used to be nothing but silence.

And hacking…

As with all things, one only takes from an experience what they put in. While this New Year’s resolution will certainly allow me to get closer with my friends and family, there is also a more nefarious method to my madness. In my continuing quest to improve my social engineering techniques, I intend to increase my use of various tactics during these random encounters with strangers. While these skills might be used for evil, my intent will be more to exercise my conversational techniques so that I might apply them in the field during penetration testing.

Using conversational signals, and techniques like projection, I’ll be working to learn more about how to profile people during random engagements, how to read them on the fly, and how to find the combination of conversational tactics that bring them to a place where I can extract a piece of data.

Conclusion

Today, I delete these apps from my phone. I’ll only be using social media from my laptop, when I’m online and connected. With every day that passes, I feel more and more like I’m living in a society prophesied in the movie Idiocracy. People are simultaneously becoming increasingly harder to deal with and decreasingly smart, and social media on demand only makes it worse. My intention is to learn more about people, learn more about myself, and generally become more present in the moments I have the privilege of experiencing as I navigate the choppy sea of life. Here’s to growth and adventure in 2018!

A Christmas Rant

Please allow me to rant for a moment…

I was engaged in a conversation recently when I was met with a statement that someone “had to buy me a gift, so it might as well be $thing.”

O____________________O

Let me get one thing absolutely straight, for anyone listening.

You are not *REQUIRED* to buy, make, or otherwise procure a gift for me for any reason other than because you want to. I conform to many social conventions to be congenial but I abhor the social requirement of reciprocal gift giving.

If I haven’t impacted your life in a manner significant enough to make you feel like showing your appreciation, don’t phone it in. If you haven’t come across something that just screams me, save your hard earned money. If you’re just buying the biggest canned gift basket that fits within your allotted gift amount because you’re obligated, please don’t.

The fact that someone might be forced into giving a gift totally sucks any enjoyment out of receiving said gift for me, as the recipient, and it puts me in a bit of an angry state when the tables are turned. Gifting used to mean something, and sometimes it still does. But more often than not in this consumer driven world, we use stuff as a substitute for substance. It is not!

I hope this doesn’t come off as me being a jerk; that is not my intent. But the commercialization of holidays like Christmas has completely destroyed their true meaning and turned them into disgusting perversions of what they’re supposed to mean.

I promise, I will get more joy out of spending time with people who matter, disengaging from a pretty much constant work culture, and finding some time to actually relax, than I will in another tie or reindeer boxer shorts or that knock off android tablet that you won from work.

CAVEAT: Bourbon. Bourbon is always accepted and appreciated.

Introduction to Password Manager Software

Using a Password Manager

I’ve had several conversations recently where I’ve mentioned responsible password management and people make it clear they have no clue what I’m talking about. With the number of sites with which we interact, and with the increasing probability that one or more of those sites are or will become compromised, using a password manager is more important than ever!

What is a Password Manager?

More often than not, when I have these conversations with people, I learn they don’t even know what a password manager is. I can’t rightly blame someone for what they don’t know, but as much as we depend on accessing information on the internet, I feel compelled to do what I can to spread the word and raise awareness.

So what exactly is a password manager? A password manager, or password vault, is software that stores your passwords (crazy, eh?). Most modern password managers have password generator functions which allow for unique, strong passwords to be created for each site and provide mechanisms for copying passwords from your database to paste them into the application; this is nice because it circumvents the need to manually type long, complex passwords. Stored locally, or online, these databases collect all the credentials for sensitive services and they’re all protected by one “master password”.

Picking a Password Manager

As with most things these days, there are several solid choices in password manager software. I highly recommend putting several through their paces to determine which is right for you. As with any other software solution, there is no right answer, no “silver bullet”. Each solution has its own positive and negative points, and it’s up to you, the user, to decide which one works best for your needs.

Each year, there are several reliable sources who publish their “best of” list for pretty much everything and password managers are no exception. While there are many lists published, a few of the sources I tend to follow closely are PC Magazine, Tom’s Guide, and PC World. I recommend taking the time to read these articles and do your research as you pick two or three options to test. Then, when you have a couple contenders, put them to use.

Considerations

As you start choosing an option for a password manager, there are several things to consider. Planning ahead can allow a more realistic test and will also ensure you’re evaluating candidates based off of features you want.

User Interface

One feature to take into consideration is the user interface (UI). Once you start using your password manager regularly, you will find that you spend a lot of time interacting with it. Having a decent UI is important because the interface is the front line of the user experience. If you don’t like the interface, you won’t like the software.

Confidentiality

How is the data stored? How is it protected? What controls are in place to keep your passwords safe from prying eyes? If you interact with sensitive services, like insurance or banking for example, you want a certain level of certainty that these passwords won’t be available to the world.

Integrity

On top of keeping out those who don’t belong, what does your password manager do to ensure your data can’t be manipulated by anyone other than the authorized parties? This becomes a concern when you have multiple people accessing the data. Make sure the password manager you pick gives good control over users and the level of access to the data.

Availability

One of the biggest struggles I’ve had personally, has been the availability of my data. I’ll explain in a future post the methods I use to manage my credentials, and you’ll find that even as someone who has spent years improving my credential management my system has faults and isn’t perfect. As you evaluate password managers, make sure you are able to access your data reliably. This may mean across multiple devices or operating systems, may require having an offline solution in the event of no internet access, or may even depend on multiple users or collaboration features.

Other Features

I’ve outlined a few of the key features that have proven important to me as someone who manages hundreds of passwords. While these certainly aren’t all of the important features, they are certainly good food for thought. As you test potential candidates, take time to note things you like, things you don’t like, and things you can’t live without.

Types of Password Managers

Another consideration as you evaluate potential password manager solutions is the type of software. As of the time of this writing, there are two basic types of password managers.

Locally Installed Software

Password managers are commonly found on the user’s personal computer or mobile device in the form of a locally installed software application. These applications can function offline, the password database being stored independently and locally on the same device as the password manager software. Alternatively, password managers may offer or require a cloud-based approach, the password database depending on an online file hosting service and stored remotely, but handled by password management software installed on the user’s device.

One good example of a locally stored password manager is KeePass. I’ve used KeePass personally, a topic I’ll expand on in later posts, but it seems that locally installed solutions are becoming less favored than their web-based counterparts.

Web Based Services

Online password managers are web applications which securely store credentials. They are a web-based version of what used to be the more common locally installed software. In recent years we’ve seen the popularity shift from locally installed applications to these hosted solutions.

There are several advantages to online password managers over desktop-based versions, such as portability (they can generally be used on any computer with a web browser and a network connection, without having to install software) and a reduced risk of losing passwords through theft from or damage to a single PC (though the same risk is present for the server that stores the users’ passwords). This is nothing new, as we should all be in the habit of backing up our data by now!

The biggest disadvantage of online password managers lies in the requirement that the user trust the hosting site and that the computer used to access the site isn’t compromised. All too often our compensating controls are circumvented due to poor security practices. All too often users forfeit security for convenience.

With the increased security of these applications, their popularity has skyrocketed to surpass that of the locally installed counterpart. These hosted solutions resolve many of the concerns that users have to address on their own, or just go without. I have begun to explore web-based password managers, choosing LastPass as my first test subject. In future posts, I’ll aim to share my experiences and then compare the two.

Why Use a Password Manager

It is important to use a password manager because responsible password management without help is difficult. People are certainly capable of creating complex passwords, but the way passwords are managed often introduces vulnerabilities:

Password Reuse

Using the same password for multiple sites and/or never changing passwords is called password reuse. This practice is often the downfall of organizations during compromise. More often than not, when I’m performing penetration tests, a single compromised account leads to further access and additional stolen credentials.

Simple Passwords

Simple passwords are short in length, use words found in dictionaries, don’t mix in different character types (numbers, punctuation, upper/lower case), or are otherwise easily guessable. Unfortunately, password policies are often ineffective. According to NIST SP 800-63, updated password best practices include:

  • Minimum of 8 characters
  • Maximum of 64 characters
  • Applications must allow all printable ASCII characters, including spaces
  • Applications should accept all UNICODE characters including emoji

Note: This is just a few points and NOT a comprehensive list of password best practices. Please refer to NIST SP 800-63 for detailed information.

Using a password manager allows complex, unique passwords to be generated for each application.
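The four NIST SP 800-63 points listed above can be enforced with a short check, paired with the kind of generator a password manager provides. This is an added example, not code from the original post: length is counted in Unicode code points so spaces, emoji and other non-ASCII characters are accepted and only control characters are refused, and it goes one step beyond the list by also applying 800-63B’s advice to reject passwords found on a list of commonly used or compromised values (the small BLOCKLIST here is constructed).

```python
"""Password acceptance check following NIST SP 800-63B, plus a generator."""
import secrets
import string
import unicodedata

MIN_LEN, MAX_LEN = 8, 64
# Constructed stand-in for a real breached/common-password list.
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein123"}


def check_password(candidate: str) -> list:
    """Return the rule identifiers the candidate violates (empty list = accepted).

    len() counts Unicode code points, so a space or an emoji counts as one
    character and is allowed; only control characters and lone surrogates
    (Unicode categories Cc and Cs) are rejected.
    """
    problems = []
    if len(candidate) < MIN_LEN:
        problems.append("min_length")
    if len(candidate) > MAX_LEN:
        problems.append("max_length")
    if any(unicodedata.category(ch) in ("Cc", "Cs") for ch in candidate):
        problems.append("control_chars")
    # 800-63B recommends Unicode normalisation (NFKC or NFKD) before comparison
    # or hashing; normalise and casefold before the blocklist lookup.
    normalised = unicodedata.normalize("NFKC", candidate).casefold()
    if normalised in BLOCKLIST:
        problems.append("blocklisted")
    return problems


# All printable ASCII, including space, as the bullet list requires.
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "


def generate_password(length: int = 20) -> str:
    """Generate a random password from the OS CSPRNG, as a password manager's
    generator would; every output satisfies check_password()."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length outside the 8..64 range")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for pw in ("letmein", "correct horse battery staple", "🔒🔑 vault keeper",
               "Password", "a" * 65, "pass\x00word1", generate_password()):
        print(repr(pw), check_password(pw) or "accepted")
```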

Poorly Secured Passwords

Another big weakness is how users store and secure their passwords. In the field, I often find passwords on sticky notes on monitors, in a notepad by the computer, or in a document on the computer. There are many ridiculous places people think their passwords are secure but they are not. Using a password manager eliminates the need to worry about where or how this data is stored and allows responsible storage of credentials in an encrypted database file.

Shared Passwords

Users often tell each other passwords, send unencrypted emails containing passwords, or contractors use the same password for all their accounts. Using a password manager can provide a safe way to share credentials that can be tracked and audited.

In addition to all these points, using a password manager can also defend against phishing attacks by recognizing malicious login portals and preventing submitting credentials to an illegitimate source. Password managers also combat keyloggers by eliminating the keystrokes during authentication.

The Dark Side of the Moon

If the passwords are stored in an unencrypted fashion, it is still generally possible to obtain the passwords given local access to the machine. As a general rule, if a password manager doesn’t use encryption, it should be avoided.

Some password managers use a user-selected “master password” to generate the key used to encrypt the protected passwords. The downside to this method lies in the strength of the master password: if it can be easily guessed, or if it is stored locally where a malicious program or individual could read it, a compromised master password renders all of the protected passwords vulnerable.

As with any system involving a user entering a password, the master password may also be compromised using key logging or other nefarious means. Some password managers offer virtual keyboards as a compensating control but these are still vulnerable to key loggers which take screenshots as data is entered. Because of the many ways passwords can be captured, it is always wise to implement multi-factor authentication wherever possible.

Web-based password managers, which run inside the user’s browser, are particularly worrisome. Here are a few of the security concerns associated with web-based password managers:

  • Authorization flaws – One possible problem is mistaking authentication with authorization. Several web-based password managers had, at one point in time, such flaws. Several web-based password managers were found to insecurely allow users to share credentials with other users. For the most part, these issues have been resolved as well.
  • User Interface flaws – Some password managers will ask the user to log in through an iframe, which is known to be insecure. This method trains users to fill in their password while the URL displayed by the browser is not that of the password manager. This could be exploited in a phishing attack by creating a fake iframe and capturing the user’s credentials. A more secure way to do this would be to open a new tab where users can log in to the password manager.
  • Web flaws – General web vulnerabilities can also be present in web-based password managers. Issues such as XSS and CSRF vulnerabilities may be exploited by attackers to steal a user’s password.

As a final consideration, password managers have the disadvantage that any attacker just needs to know one password to gain access to all of a targeted user’s credentials and that such managers have standardized locations and ways of storing passwords which can be exploited by malware and unauthorized users alike.

Conclusion

To sum it all up, the password manager is just one layer of the onion that is a personal password management policy. Getting away from bad password generation and management habits is extremely important! If you’ve read any of this post and thought “hey, I do that”, please change how you do passwords! Even if you think you have a pretty strong password management process, implementing a password manager can only make a good thing better. I also plan to explore password aging, multi-factor authentication, and other layers of this onion that will help make password management make better sense while keeping you more secure. Until then, be aware, stay alert, and protect yourself!