Do you have a password you use everywhere? Be honest, we’re friends here.
Good password security is critical, but few take it seriously. I understand why: life has become too complex to keep track of everything inside your head.
Security / Convenience — Pick One!
Consider the Github list of the top 100 most commonly used passwords, sorted by frequency.
Here are the top 10:
- 123456
- password
- 12345678
- qwerty
- 123456789
- 12345
- 1234
- 111111
- 1234567
- dragon
“Dragon” appearing as #10 surprised me, but the rest are sadly predictable and fall into an obvious pattern — quick & easy keyboard entry.
The problem is clear: people with weak passwords are likely to maintain that habit forever. Most online accounts take an email address as a username identifier, so any security breach that reveals an email address + weak password pair is ripe for future abuse.
I won’t mince words: if you’re using any of these passwords, you should feel terrible about your choices and immediately take steps to fix it.
Password Managers
Luckily for us, modern cryptography has been developed to be extremely usable and secure with some minor up-front work.
Enter the password manager. Many browsers offer a password vault feature, but I recommend disconnecting your password store from your daily browser, simply because the separation makes it easier to switch either your browser or your password manager without significant heartburn.
To pay you back for the extra effort of setting up a password manager, it will make it very convenient to keep your passwords synced across multiple devices, automatically fill login and other information on websites, and check your passwords for weakness or prior exposure and data leaks.
Bitwarden — The Best 3rd Party Solution
I use Bitwarden (sort of, more on this later). If you have no desire to host your own setup, I recommend creating an account with Bitwarden and using their plugin. Then create a strong master password and generate random passwords or passphrases for each website you visit. Easy!
Bitwarden provides desktop clients, mobile clients and browser plugins.
How Does Bitwarden Work?
If you want to read the technical specifications, please visit Bitwarden’s own Encryption page. All password data is encrypted prior to storage, and all encryption/decryption of that data occurs on the local client.
Why Use Bitwarden?
Bitwarden offers some useful features that make my life easy. The primary feature is secure storage and random generation of passwords, along with URL detection to keep me from accidentally exposing a password to a look-alike phishing website.
In addition to storing secure passwords, it can also store files and notes securely, and can manage shared items between multiple users.
My wife and I use Bitwarden and maintain login credentials for important accounts.
Password Manager Best Practices
First, the point of a password manager is to type in a secure “master” password, and then to have that unlock all of your other passwords. Since you only have to remember one password, I recommend making it a good one. Visit the GRC Password Haystack Checker to experiment with various master passwords and their associated brute force timing requirements. The best password is (in general) a long one, so make it count. A shorter password can be more secure if it contains mixed alphanumeric types, but the general rule of thumb is longer is better.
Once you have a secure master password, start replacing all of your short, weak passwords with randomly generated long passwords that are stored in your manager.
I have roughly 500 passwords stored, and I don’t know any of them. They are all randomly generated with as many characters as the particular website will allow. Bitwarden has a 128-character password limit, so I always try that first.
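To make the “longer beats more complex” rule concrete, here is an added Python example (not from the original post, and not Bitwarden’s code) that computes a haystack-style search space for a password and the worst-case time to exhaust it; the two guess rates are assumptions chosen for illustration, and the generator shows how a vault produces a maximal-length random password from the OS CSPRNG.

```python
import math
import secrets
import string

# Assumed guess rates (guesses per second), for illustration only:
# an online login form throttled to ~1000/s, and an offline attack
# against a leaked password hash on commodity GPUs at 1e11/s.
ONLINE_RATE = 1_000
OFFLINE_RATE = 100_000_000_000


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes present in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 printable ASCII symbols
    return size


def search_space(password: str) -> int:
    """Haystack-style search space: every string up to this length over the alphabet."""
    n = charset_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def entropy_bits(password: str) -> float:
    """Search space expressed in bits, for easy comparison between candidates."""
    return math.log2(search_space(password))


def crack_seconds(password: str, rate: int) -> float:
    """Worst-case exhaustive-search time at `rate` guesses per second."""
    return search_space(password) / rate


def generate(length: int = 128,
             alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Random password from the OS CSPRNG, the way a vault generator fills a 128-char field."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "correcthorsebatterystaple", generate(128)):
        print(f"{len(pw):>3} chars  {entropy_bits(pw):7.1f} bits  "
              f"offline worst case {crack_seconds(pw, OFFLINE_RATE) / 86400:.3g} days")
```

The 8-character mixed-class password falls to an offline attacker in well under a day, while the 25-character all-lowercase passphrase does not, which is the rule of thumb in numbers.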
I also rotate my master password often to mitigate keylogger attacks.
I also have a separate account with a separate password for any work computers, since I don’t trust that a keylogger is not installed.
Self Hosted Solutions
If you’d rather not involve Bitwarden’s servers at all, you can self-host it. They publish a set of Docker images for the whole Bitwarden stack here, though I think their installation stack is a bit overblown for a single user or small team.
An enterprising developer has started a project known as Vaultwarden, rewriting a Bitwarden API-compatible server in Rust. The advantage of this approach is that the official Bitwarden clients are still used, only the backend is changed. Rust is known for being quite efficient and fast, so the resulting speed and memory usage is very compelling (30MB vs 1+ GB for the official install).
Installing Vaultwarden
Using the Vaultwarden Docker page, we can formulate a docker-compose.yml file to bring up our service.
```yaml
version: "2"
services:
  bitwarden:
    image: vaultwarden/server:alpine
    container_name: bitwarden
    restart: unless-stopped
    environment:
      - WEBSOCKET_ENABLED=true
    volumes:
      - data:/data
    labels:
      - traefik.enable=true
      - traefik.http.routers.bitwarden-ui.entrypoints=websecure
      - traefik.http.routers.bitwarden-ui.rule=Host(`bw.example.com`)
      - traefik.http.routers.bitwarden-ui.service=bitwarden-ui
      - traefik.http.services.bitwarden-ui.loadbalancer.server.port=80
      - traefik.http.routers.bitwarden-websocket.entrypoints=websecure
      - traefik.http.routers.bitwarden-websocket.service=bitwarden-websocket
      - traefik.http.routers.bitwarden-websocket.rule=Host(`bw.example.com`) && Path(`/notifications/hub`)
      - traefik.http.services.bitwarden-websocket.loadbalancer.server.port=3012
volumes:
  data:
networks:
  default:
    name: bitwarden
```
A few notes on this one:
- The docker-compose.yml file assumes that you have a Traefik reverse proxy running. If so, make sure to add that reverse proxy to the bitwarden network.
- The Vaultwarden container exposes two services. One is the web UI, and the other is a WebSocket that desktop clients and browser plugins read to be automatically notified of updated passwords. The Traefik labels above split the incoming requests appropriately.
- The default setup uses SQLite for a database. If you want to use a different database instead, read the wiki entries for MariaDB/MySQL and Postgres.
Bring the stack up with docker-compose up -d and visit the appropriate URL to create your account login.
Browser Plugin Setup
Once you have the service running, it’s simple to configure the browser plugin or desktop client to use your personal instance instead of the official service. Simply click the gear icon before inputting your login information and fill in the URL for your Vaultwarden instance.
Thoughts for Security
If you’d like to take an extra security step, you could connect your server and clients together using an overlay network like Tailscale, Nebula, or ZeroTier and communicate using an internal IP. This way, your password manager would be even more secure against brute force and keylogger attacks.
Now get out there and stop using terrible passwords!