If you have seen my Offensive Security blog section, or the numerous news reports about large companies being hacked, you should be aware that no matter where you choose to put your data, nowhere is truly safe.
Now let's take the following example: Bob is being lazy (again), and he uses the same password for his laptop and for all of his accounts online, and at some point he creates an account on "Spotify":
So Bob has one password for everything he does online. What happens when one of those services (e.g. Spotify) gets hacked?
The first thing that happens is that Bob's password gets leaked publicly online; it may even end up in popular password wordlists such as SecLists.
This means that a potential hacker may gain access not only to Bob's Spotify account, but also to all of his other accounts, since Bob used the same password everywhere.
This could have been avoided if Bob had used a different strong password for every service. That way, if one of those services got hacked, only one password, useless anywhere else, would have been revealed. That is why KeePass is relevant here: it will remember all of those passwords so that Bob doesn't have to.
Bob can install KeePassXC using apt on Debian:
nihilist@mainpc:~/Nextcloud/blog$ sudo apt install keepassxc
nihilist@mainpc:~/Nextcloud/blog$ which keepassxc
/usr/bin/keepassxc
nihilist@mainpc:~/Nextcloud/blog$ keepassxc
That way, Bob can have a unique, strong password for every website he registers an account on. If one of them gets hacked, the adversary won't gain access to every other account Bob has.
The only remaining password reuse is local to Bob's computer, where he uses a password to unlock his hard drive, log onto his host OS, and open his KeePass database. The rest of his remote logins are now managed and remembered by KeePass.
Next, Bob learns to use PGP encryption with GnuPG.
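To make the point of the Bob example concrete, here is a small added Python script (not code from this blog or from the KeePassXC project) that does what a defender would do when auditing a set of accounts: it flags every password shared by more than one service, checks which accounts are exposed once a password shows up in a leaked wordlist, and then replaces every password with a unique one generated from the OS CSPRNG, which is the same thing a password manager does for you. Bob's account list and the wordlist are constructed sample data, not real credentials or a real SecLists file.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample: Bob's online accounts and the single password he reuses.
# (His local laptop login is left out: the post accepts that one local reuse.)
BOB_ACCOUNTS = {
    "email": "Bob2019!",
    "bank": "Bob2019!",
    "spotify": "Bob2019!",
}

# Constructed stand-in for a leaked-password wordlist, one entry per line as in
# SecLists. We pretend the Spotify breach put Bob's password into it.
LEAKED_WORDLIST = """123456
password
Bob2019!
qwerty
"""


def load_wordlist(text):
    """Parse a one-password-per-line wordlist into a set for O(1) lookups."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def find_reuse(accounts):
    """Return {password: [services]} for every password used by two or more services."""
    by_password = defaultdict(list)
    for service, password in accounts.items():
        by_password[password].append(service)
    return {pw: services for pw, services in by_password.items() if len(services) > 1}


def exposed_accounts(accounts, leaked):
    """Return the services whose password already appears in the leaked wordlist."""
    return sorted(service for service, password in accounts.items() if password in leaked)


def generate_password(length=24):
    """Generate a random password from the CSPRNG, the way a password manager does."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def fix_accounts(accounts):
    """Give every service its own freshly generated password; return the new mapping."""
    return {service: generate_password() for service in accounts}


if __name__ == "__main__":
    leaked = load_wordlist(LEAKED_WORDLIST)
    print("reused passwords:", find_reuse(BOB_ACCOUNTS))
    print("exposed after the leak:", exposed_accounts(BOB_ACCOUNTS, leaked))
    fixed = fix_accounts(BOB_ACCOUNTS)
    print("reused passwords after fix:", find_reuse(fixed))
    print("exposed after fix:", exposed_accounts(fixed, leaked))
```

Before the fix, the one leaked password exposes every account at once; after it, the leak of any single service's password touches nothing else, which is exactly the property KeePassXC gives Bob without him having to remember any of the generated strings.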
Donate XMR: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8
Contact: nihilist@contact.nowhere.moe (PGP)