Password Managers

One of the more useful tools I’ve been using over the last few years is KeePassX, a password manager for MacOS.

There are many others to choose from but I picked it, specifically, because the KeePass database format can be read by multiple applications and programs on MacOS, Windows, Linux, iOS, Android, and more.

A good password manager helps me in several ways. I use KeePassX to generate ridiculously complicated passwords for use on websites where my information is crazy private or logins are crucial. I’m talking about passwords for financial, business-oriented, medical, social media, email, Shopify stores, WordPress websites, shopping marketplaces like Teespring or Etsy, etc. I also use KeePassX to generate passwords for my OpenPGP keys and FTP logins. I’m also storing payment information, credit card numbers, and anything that I feel is important. How about a scanned PDF of my DD-214 encrypted as an OpenPGP text blob? They’re all stored within the encrypted database created by KeePassX, and that is secured with a relatively complicated password that I’ve memorized by keystroke. One password to rule them all.

I will never use the same password and login combination for important websites. Most of you out there still do this. You know who you are. There have been multiple website breaches over the years, where logins and passwords have been stolen and sold on the so-called “dark web.” Seriously, click the link and enter one of your email addresses, and see what comes up. You may be surprised at who gave up the keys to the kingdom.

I’ve received several spam emails over the last two years alone, written poorly, demonstrating that they’ve sToLeN mY GmAiL LoGiN cReDenTialZ and threatening that if I don’t PaY tHeM iN BiTcOiN they will ReLeASe aLL tHe EmBaRasSiNg PhoToz 2 My ConTaCtZ in my Gmail account (or similarly hilarious spammed threats). They’re all old passwords that were stolen in one of those breaches and are useless with my current logins. Since the password for each website is unique, stealing my Facebook password will not give up my bank account’s password. Stealing my Netflix password won’t jeopardize my laptop’s Administrator password, or my OpenPGP key’s password, and so on.

In the majority of these cases the websites did not store the passwords themselves but a hash of each one (storing them in plaintext is incredibly stupid). The details of hashing are more than I want to get into here, but in overly simple terms, a password hash is a fixed-length string of numbers and letters produced from the password by a one-way function: the same password always produces the same hash, but the hash cannot be run backwards to recover the password. A properly built site also mixes a random per-user value (a salt) into each hash and uses a deliberately slow algorithm such as bcrypt, scrypt, or Argon2, so that every guess costs the attacker real work and a precomputed table of common passwords is useless. Cracking a stolen hash therefore means guessing: the attacker feeds candidate passwords (entries from leaked-password lists, common patterns, or every possible combination in a so-called brute-force attack) through the same hashing algorithm and compares the output with the stolen hash. If the output matches, the guess is, for all practical purposes, the password. A weak or reused password turns up in those lists within seconds; a long random one does not.
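As an added illustration of the paragraph above (not code from this post, from KeePassX, or from any website), here is a toy Python model of both sides: a site storing a salted, slow hash and an attacker cracking a stolen one by guessing. The wordlist, the work factor, and the passwords are constructed for the demo.

```python
"""Toy model of password storage and offline cracking.  Added example;
the wordlist, work factor and passwords below are constructed."""
import hashlib
import hmac
import itertools
import os

# Work factor for PBKDF2-HMAC-SHA256.  Kept low so the demo runs in seconds;
# a real deployment uses a far higher count (or Argon2id/scrypt/bcrypt).
ITERATIONS = 10_000

# Constructed stand-in for a leaked-password list an attacker would start with.
WORDLIST = ["123456", "password", "qwerty", "letmein",
            "Summer2019!", "password123", "adobo4ever"]


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS):
    """Store side: a random 16-byte salt plus a slow derivation.
    Returns (salt, digest); the site keeps both, never the password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = ITERATIONS) -> bool:
    """Login check: re-derive with the stored salt, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def dictionary_attack(salt: bytes, digest: bytes, wordlist,
                      iterations: int = ITERATIONS):
    """Attacker side: nothing here 'decrypts' the hash.  Each guess is run
    through the same function and the outputs compared."""
    for guess in wordlist:
        if verify_password(guess, salt, digest, iterations):
            return guess
    return None


def brute_force(salt: bytes, digest: bytes, alphabet: str, max_len: int,
                iterations: int = ITERATIONS):
    """Exhaustive search over every string of length 1..max_len."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guess = "".join(chars)
            if verify_password(guess, salt, digest, iterations):
                return guess
    return None


def fast_hash(password: str) -> str:
    """Plain unsalted SHA-256, the way a badly built site stores passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def unsalted_lookup_table(wordlist):
    """Why salts matter: against unsalted hashes the attacker computes one
    table and cracks every user in the dump with a dictionary lookup."""
    return {fast_hash(w): w for w in wordlist}


if __name__ == "__main__":
    # Weak, reused password: falls to the wordlist after a handful of guesses.
    salt, digest = hash_password("password123")
    print("dictionary:", dictionary_attack(salt, digest, WORDLIST))

    # Short numeric secret: falls to brute force even with a slow hash.
    salt, digest = hash_password("0042")
    print("brute force:", brute_force(salt, digest, "0123456789", 4))

    # Random manager-generated password: not in any list, keyspace too big.
    salt, digest = hash_password("x7#Qm!vL2pZ@9dWc")
    print("dictionary:", dictionary_attack(salt, digest, WORDLIST))

    # Unsalted fast hash: instant lookup, no per-user work at all.
    table = unsalted_lookup_table(WORDLIST)
    print("unsalted lookup:", table.get(fast_hash("qwerty")))
```

The brute-force call is the slow part: 1,153 guesses, each paying the full PBKDF2 cost, which is exactly the point of a slow hash. Raising the iteration count makes the PIN take proportionally longer to find and does nothing to save "password123", which is found on the sixth guess regardless.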

This is the beauty of KeePassX and other password managers. They can be used to generate random passwords as long as you want them to be, and with as many character sets as you choose, subject to a given website’s password requirements (some are far stronger than others). For example, my Facebook password is made up of a random combination of 62-64 upper and lowercase letters, numbers, and special characters from the ASCII character set. It looks something like this:

[Image: the generated password]

Don’t worry, I generated this password two minutes ago for this blog post.

According to the GRC Haystack page, with a massive password cracking array of computers calculating 1 trillion (1,000,000,000,000) combinations per second, the password above could take approximately 1.34 thousand trillion, trillion, trillion, trillion, trillion, trillion, trillion, trillion centuries to successfully guess. Even if advances in computing power decrease that number significantly to one century to crack, who cares? You’ll probably be long dead by then anyway.
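To make the numbers in the last two paragraphs concrete, here is an added example (my own code, not the post's and not KeePassX's generator): it draws a password from the 95 printable ASCII characters with Python's CSPRNG, checks it against a simple site policy, and computes the worst-case exhaustive-search time at the 1 trillion guesses per second rate quoted above. The policy classes and the guess rate are assumptions made for the demo.

```python
"""Generate a manager-style random password and estimate the worst-case
cost of guessing it.  Added example, not KeePassX code; the guess rate is
the one the post quotes and the site policy is a constructed one."""
import math
import secrets
import string

# 95 printable ASCII characters: the set the post describes.
PRINTABLE_ASCII = string.ascii_letters + string.digits + string.punctuation

CENTURY_SECONDS = 100 * 365.25 * 24 * 3600


def generate_password(length: int = 64, alphabet: str = PRINTABLE_ASCII) -> str:
    """One uniformly random symbol per position from the OS CSPRNG.
    Never use random.choice() for secrets; its output is predictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_policy(password: str) -> bool:
    """Constructed stand-in for a site rule: at least one of each class."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return all(any(c in cls for c in password) for cls in classes)


def generate_compliant(length: int = 64, alphabet: str = PRINTABLE_ASCII,
                       tries: int = 100) -> str:
    """Rejection-sample until the policy is met.  At 64 characters the
    rejection rate is negligible; for a short password over a restricted
    alphabet this raises instead of silently handing back a weak result."""
    for _ in range(tries):
        candidate = generate_password(length, alphabet)
        if meets_policy(candidate):
            return candidate
    raise ValueError("alphabet/length cannot satisfy the policy")


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random string of this shape."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(length: int, alphabet_size: int,
                       guesses_per_second: float = 1e12) -> float:
    """Time to exhaust every string of length 1..length, GRC Haystack style:
    the attacker tries everything and gets unlucky."""
    keyspace = sum(alphabet_size ** n for n in range(1, length + 1))
    return keyspace / guesses_per_second


def worst_case_centuries(length: int, alphabet_size: int,
                         guesses_per_second: float = 1e12) -> float:
    return worst_case_seconds(length, alphabet_size, guesses_per_second) / CENTURY_SECONDS


if __name__ == "__main__":
    print(generate_compliant())
    for label, length, size in (("4-digit PIN", 4, 10),
                                ("8 lowercase letters", 8, 26),
                                ("64 printable ASCII", 64, 95)):
        print(f"{label}: {entropy_bits(length, size):.1f} bits, "
              f"{worst_case_centuries(length, size):.3g} centuries at 1e12 guesses/s")
```

Two caveats the numbers carry: the estimate only holds for a password that is genuinely uniform over the alphabet, which is why it says nothing about human-chosen passwords, and the policy check throws away candidates that lack a class, a bias that is negligible at 64 characters but worth remembering when a site caps length at 8 or 12.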

This gives you one final advantage: privacy and plausible deniability. Crossing the US border, or even being within about 100 miles of it, has become a lot more complicated these days, with people reporting that Homeland Security and USBP are demanding that travelers turn over their laptops and smartphones for search, while claiming that they will not require your passwords without a warrant. Do you trust them?

No matter who demands it, I can easily answer with perfect honesty that I cannot give out my Facebook password because I do not know what my Facebook password is. As long as Constitutional protections are also in place, and these days that’s more and more doubtful, one cannot be compelled to give up a password, as it could be seen as self-incriminating (speak with a good attorney about this).

By Adrian Feliciano

Adrian Feliciano is a portrait and event photographer based near Boston, Massachusetts. He specializes in headshot, live event, and boudoir photography. He also makes one hell of a delicious Filipino adobo. Feel free to ask him for the recipe! You can reach out to Adrian here, at any time.
