My Approach to Password Management and MFA

There is a multitude of tools available for managing passwords, but, as is often the case in security, there’s a delicate balance between security and convenience. To effectively safeguard your digital identity, it’s essential to employ a multi-layered security strategy—a security onion, if you will.

Let’s begin by discussing cloud-based password managers, such as Dashlane, 1Password, and LastPass. I’ve personally tested these solutions and several others. They excel in addressing the most common issues in general password management—enabling users to easily generate and remember distinct passwords for various websites while seamlessly accessing them across devices. I highly recommend their use for numerous accounts and endorse their widespread adoption.

They do come with some risks that should be considered, including the impact of backdoors, service outages, and a breach of the provider itself. Despite these risks, cloud-based password managers remain invaluable tools for password management.

The second layer of defense is Multi-Factor Authentication (MFA). MFA comes in various forms. Traditional options include RSA key fobs, which generate time-based codes. More modern approaches include Google Authenticator and Microsoft Authenticator, which provide Time-Based One-Time Passwords (TOTPs). These offer an additional layer of security and are essential for critical accounts. However, it’s important to remember that relying on the same provider for both your password manager and MFA introduces a single point of failure (and a single point of compromise). For this reason, I recommend using separate apps on your phone for these purposes.

SMS-based 2FA/MFA is another option, but I advise against it whenever possible. Numerous security studies have shown that SMS-based 2FA is less secure than other methods. Even more concerning are websites that use single-use passwords sent via SMS as the only factor, which is highly insecure.

The third layer involves using public/private key pairs, commonly employed when connecting to remote servers via SSH for tasks like web development. These keys can also be used for various other authentication purposes. I typically store them locally and maintain secure backups, including my 2FA backup keys, in KeePass, which keeps everything in an encrypted database file. Additionally, I back up these keys on my NAS, which performs block-level backups to my own S3-compatible cloud storage.

In 2023, passkeys, a passwordless scheme built on FIDO2 public-key cryptography, are gaining popularity. They combine ease of use with robust public key cryptography. Their adoption will depend on practical implementation rather than just theoretical promise, making them an intriguing development to monitor over the next five years.

Furthermore, it’s worth mentioning that I employ Windows BitLocker to encrypt data at rest. While this enhances security, it can complicate data recovery and requires trust in the TPM chip.

Lastly, I maintain a set of extremely strong, memorized passwords for specific, application-specific scenarios, such as Windows login or vault master passwords. A cursory examination of similar passwords online reveals an entropy exceeding 90 bits, making them virtually uncrackable in the pre-quantum computing era, with exhaustive search spanning billions of years.
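To show where a figure like "90 bits" comes from, here is an added example (not from the original post) that computes the entropy of a randomly generated password as length × log2(alphabet size), the entropy of a diceware-style passphrase, and the years needed to exhaust that keyspace at an assumed guess rate. The guess rate, the sample passwords, and the helper names are assumptions of this example; the formula only applies to passwords chosen uniformly at random, not to human-chosen ones.

```python
import math
import string

# Assumed attacker capability (constructed for illustration): 10^12 guesses per second,
# roughly a large GPU rig against a fast, unsalted hash. Slow KDFs cut this by orders of magnitude.
ASSUMED_GUESSES_PER_SECOND = 1e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Standard character classes and their sizes.
CHARACTER_CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)


def charset_size(password: str) -> int:
    """Alphabet the attacker must search, assuming they know which classes the policy used.

    Only ASCII letters, digits and punctuation are modelled; anything else is rejected
    rather than silently mis-scored.
    """
    allowed = string.ascii_letters + string.digits + string.punctuation
    if any(c not in allowed for c in password):
        raise ValueError("only ASCII letters, digits and punctuation are modelled")
    return sum(n for chars, n in CHARACTER_CLASSES if any(c in chars for c in password))


def random_password_entropy_bits(password: str) -> float:
    """Entropy in bits for a password drawn uniformly from its character classes."""
    return len(password) * math.log2(charset_size(password))


def passphrase_entropy_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """Entropy in bits for `word_count` words drawn uniformly from a list (7776 = diceware)."""
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Wall-clock years to try every candidate; expected time to success is about half this."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample passwords (not real credentials).
    for pw in ("abcdefgh", "v7Q#pL2m!xR9sW"):
        bits = random_password_entropy_bits(pw)
        print(f"{pw!r}: {bits:.1f} bits, {years_to_exhaust(bits):.3g} years to exhaust")
    bits = passphrase_entropy_bits(7)
    print(f"7 diceware words: {bits:.1f} bits, {years_to_exhaust(bits):.3g} years to exhaust")
```

Two caveats the numbers hide: entropy is a property of how the password was generated, not of how it looks (a memorable phrase lifted from a book scores high by this formula but is in every cracking wordlist), and the guess rate depends entirely on the hash the verifier stores, so the same password is far safer behind Argon2 than behind raw NTLM.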

In conclusion, safeguarding your digital presence in an increasingly interconnected world is a multifaceted endeavor. The tools and strategies we’ve discussed, including cloud-based password managers, multi-factor authentication, public/private keys, and emerging technologies like Passkey, form a robust defense against the evolving threats in cyberspace. By embracing a multi-layered security approach and remaining vigilant about the potential risks, we can significantly enhance our digital security posture. Remember, a strong security foundation is not only about protecting your data; it’s about maintaining peace of mind in an ever-evolving digital landscape.