
Passwords on USB stick?

DeagleMaster

I really have to get better at keeping myself secure by using different passwords. I know services like LastPass exist, but I would like to achieve my online security without relying on a company. My idea is to start using a strong, unique password on every single different account and having these passwords stored on an encrypted USB drive. What are the pros and cons of this?


3 minutes ago, DeagleMaster said:

I really have to get better at keeping myself secure by using different passwords. I know services like LastPass exist, but I would like to achieve my online security without relying on a company. My idea is to start using a strong, unique password on every single different account and having these passwords stored on an encrypted USB drive. What are the pros and cons of this?

Lose the flash drive and you lose all your passwords. That seems like a pretty big downside to me.

Be sure to QUOTE or TAG me in your reply so I see it!

 

CPU Ryzen 7 5800X3D GPU EVGA 3080 Ti FTW3 Ultra MOBO Asus ROG Strix B550-F Gaming RAM Crucial Ballistix 3600 MHz CL16 32 GB PSU Corsair RM1000x COOLING Noctua NH-D15


Just now, RAS_3885 said:

Lose the flash drive and you lose all your passwords. That seems like a pretty big downside to me.

Multiple flash drives?


Just now, DeagleMaster said:

Multiple flash drives?

What if you lost those too? I'd dedicate a notepad of passwords and keep it somewhere safe where you know where it is.


2 minutes ago, DeagleMaster said:

Multiple flash drives?

That would make it less likely to find yourself without one, but now you also have to remember to clone/copy any password changes to all copies of the USB drive.

Be sure to QUOTE or TAG me in your reply so I see it!

 

CPU Ryzen 7 5800X3D GPU EVGA 3080 Ti FTW3 Ultra MOBO Asus ROG Strix B550-F Gaming RAM Crucial Ballistix 3600 MHz CL16 32 GB PSU Corsair RM1000x COOLING Noctua NH-D15


17 minutes ago, TotallyNotGigabit said:

What if you lost those too? I'd dedicate a notepad of passwords and keep it somewhere safe where you know where it is.

Notepad all the way. Easy place to keep passwords.


You can use pass or KeePass or some other tool and store the password database wherever you want. An actual password manager can bring certain benefits over just storing passwords in an encrypted format. For example: automatic password generation tools based on your requirements, copying passwords without exposing them, browser integrations to avoid having to copy/type them, additional checks to notify you of reused or leaked passwords (using HIBP or similar), audited code, cross-platform compatibility, etc. KeePass also has the option to require a password + a keyfile. KeePassX supports YubiKey in addition to the previous methods.


One thing is reliability indeed - flash drives do not have a very long life in terms of write capacity. Having multiple ones requires you to keep them all in sync, which is not very convenient. Another concern is where you are planning to use it - do you need mobile device support? How much do you move and need to carry the stick around? Do you use unknown devices or do you only connect it to known devices? If the former, how are you storing/encrypting the contents of the drive? Do you expose them all at once or all separately? Are any passwords/keys going to be stored in memory?

 

It all comes down to your threat model - what are you protecting and from whom? Are you a target, and for whom - who are you worried about? Random script kiddies or national/government level hackers? It's a matter of security vs convenience - where is the ideal balance for you?

 

And as said above, always think ahead so you don't lock yourself out. Always use multi-factor authentication - you can secure your passwords, but if the service fails (data leak, vulnerability, social engineering), it won't be any help.

 

I have used KeePass for years and have not had issues with it. I prefer having more control of the database than the online services offer. I have the database file in my personal/self-hosted cloud.

HAL9000: AMD Ryzen 9 3900x | Noctua NH-D15 chromax.black | 32 GB Corsair Vengeance LPX DDR4 3200 MHz | Asus X570 Prime Pro | ASUS TUF 3080 Ti | 1 TB Samsung 970 Evo Plus + 1 TB Crucial MX500 + 6 TB WD RED | Corsair HX1000 | be quiet Pure Base 500DX | LG 34UM95 34" 3440x1440

Hydrogen server: Intel i3-10100 | Cryorig M9i | 64 GB Crucial Ballistix 3200MHz DDR4 | Gigabyte B560M-DS3H | 33 TB of storage | Fractal Design Define R5 | unRAID 6.9.2

Carbon server: Fujitsu PRIMERGY RX100 S7p | Xeon E3-1230 v2 | 16 GB DDR3 ECC | 60 GB Corsair SSD & 250 GB Samsung 850 Pro | Intel i340-T4 | ESXi 6.5.1

Big Mac cluster: 2x Raspberry Pi 2 Model B | 1x Raspberry Pi 3 Model B | 2x Raspberry Pi 3 Model B+
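As an added example (not code from this thread, from KeePass or from HIBP), here is how the two checks jj9987 mentions could be run over a vault export: reused-password detection and a Pwned Passwords k-anonymity lookup, in which only the first five hex characters of the SHA-1 leave the machine and the rest is matched locally. The vault contents and the range response are constructed sample data, and `fake_fetch` is an assumed stand-in for the real HTTPS call.

```python
import hashlib
from collections import defaultdict

SAMPLE_VAULT = [  # constructed (site, password) pairs; not real accounts
    ("mail.example", "password"),
    ("shop.example", "password"),
    ("bank.example", "u7#Qz!k2Lp9$wVe4Rb"),
]

# Constructed stand-in for a Pwned Passwords range response body (the real
# call is GET https://api.pwnedpasswords.com/range/<5-hex-prefix>): one
# "<remaining 35 hex chars of the SHA-1>:<count>" per line. Counts are made up.
FAKE_RANGE_RESPONSE = {
    "5BAA6": "1D72CD07550416C216D8AD296BF5C0AE8E0:2\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "2C8F2A0A5C6B3B3E9B1A0C7D3E4F5A6B7C8:1\r\n",
}

def fake_fetch(prefix: str) -> str:
    """Offline replacement for the HTTPS call (empty range if unknown)."""
    return FAKE_RANGE_RESPONSE.get(prefix, "")

def pwned_count(password: str, fetch=fake_fetch) -> int:
    """k-anonymity: only the 5-char SHA-1 prefix is sent; suffix matched here."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix and count.isdigit():
            return int(count)
    return 0  # suffix absent from the range: not in the corpus

def reused_passwords(vault) -> dict:
    """Map every password used on more than one site to those sites."""
    sites_by_pw = defaultdict(list)
    for site, pw in vault:
        sites_by_pw[pw].append(site)
    return {pw: s for pw, s in sites_by_pw.items() if len(s) > 1}

def audit(vault, fetch=fake_fetch) -> list:
    """Return (site, finding) pairs; an empty list means nothing to fix."""
    findings, reused = [], reused_passwords(vault)
    for site, pw in vault:
        if pw in reused:
            others = ", ".join(s for s in reused[pw] if s != site)
            findings.append((site, "password reused on " + others))
        hits = pwned_count(pw, fetch)
        if hits:
            findings.append((site, f"password seen {hits} times in breaches"))
    return findings
```

Swap `fake_fetch` for a function that performs the real range request to run this against a vault export for real.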


Do you have somewhere where you can access a service like Dashlane, KeePass or LastPass?
 

I have found them extremely useful.

i5 8600 - RX580 - Fractal Nano S - 1080p 144Hz


8 hours ago, jj9987 said:

You can use pass or KeePass or some other tool and store the password database wherever you want. An actual password manager can bring certain benefits over just storing passwords in an encrypted format. For example: automatic password generation tools based on your requirements, copying passwords without exposing them, browser integrations to avoid having to copy/type them, additional checks to notify you of reused or leaked passwords (using HIBP or similar), audited code, cross-platform compatibility, etc. KeePass also has the option to require a password + a keyfile. KeePassX supports YubiKey in addition to the previous methods.


One thing is reliability indeed - flash drives do not have a very long life in terms of write capacity. Having multiple ones requires you to keep them all in sync, which is not very convenient. Another concern is where you are planning to use it - do you need mobile device support? How much do you move and need to carry the stick around? Do you use unknown devices or do you only connect it to known devices? If the former, how are you storing/encrypting the contents of the drive? Do you expose them all at once or all separately? Are any passwords/keys going to be stored in memory?

 

It all comes down to your threat model - what are you protecting and from whom? Are you a target, and for whom - who are you worried about? Random script kiddies or national/government level hackers? It's a matter of security vs convenience - where is the ideal balance for you?

 

And as said above, always think ahead so you don't lock yourself out. Always use multi-factor authentication - you can secure your passwords, but if the service fails (data leak, vulnerability, social engineering), it won't be any help.

 

I have used KeePass for years and have not had issues with it. I prefer having more control of the database than the online services offer. I have the database file in my personal/self-hosted cloud.

Everything here is spot on. Convenience versus security. Always a balancing act. I personally use LastPass and it has been wonderful. Like KeePass, it lets you store passwords, randomly generate passwords, has browser extensions and has a mobile version. It can also be set up with multifactor authentication with various services like Google Authenticator, Okta and I think Yubikey but don't quote me on that. The nicest thing about it, though I think you have to pay for the feature, is being able to fill passwords on mobile apps and web pages. I run LastPass on my phone and it has been so convenient. I have it protected by biometrics on the phone as well.


I use Keepass to keep all the passwords in an encrypted database and Nextcloud to keep the database synced between all of my phones, tablets, desktops, laptops and servers. Nextcloud makes sure the database is, indeed, always in sync, regardless of which device I use to modify the database and Nextcloud also keeps several older versions of the database accessible by default, so if I were to e.g. corrupt the database, I can just pick the previous version and continue using it. In addition to all of this, I take a weekly backup, as well.

 

Presumably, one could just as well use Google Drive or Microsoft's OneDrive or similar, instead of Nextcloud.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.
