My Thoughts - Password Wallets

Before we even get into the topic of password wallets, we need to cover password hygiene first.
This is going to be broken into two sections: 1) basic password hygiene and 2) advanced concepts.
At minimum, EVERYONE should be following the basic password hygiene rules laid out below.

Basic password hygiene:

  1. Never, ever, EVER use the same password twice... EVER!!!!
  2. Use alphanumeric, cryptographically random passwords.
  3. Use passwords that are AT LEAST 15 characters long.
  4. Securely store your passwords.
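As an added example (not from the original post), a small generator that enforces rules 2 and 3 and shows how much entropy a 15+ character alphanumeric password actually carries; it uses Python's secrets module (a CSPRNG) and is an illustration, not the author's tooling:

```python
import math
import secrets
import string

# Alphanumeric alphabet (rule 2): 26 + 26 + 10 = 62 symbols.
ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 15  # rule 3


def generate_password(length: int = 20) -> str:
    """Return a cryptographically random alphanumeric password.

    secrets.choice draws from the OS CSPRNG; the random module is
    predictable and must never be used for credentials.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).

    15 alphanumeric characters give about 89 bits, which is why the
    post's minimum length matters more than 'special' characters.
    """
    return length * math.log2(alphabet_size)


def meets_hygiene_rules(password: str) -> bool:
    """Check rules 2 and 3: alphanumeric only and at least 15 characters."""
    return len(password) >= MIN_LENGTH and all(c in ALPHABET for c in password)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"~{entropy_bits(len(pw)):.1f} bits of entropy")
```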

Advanced concepts:

  1. Salt and Pepper your passwords.
  2. Never store 2FA credentials or backup codes in the same password wallet as your passwords.

Now that we have gotten that out of the way, let's get on to the discussion of password wallets...
I have been using password wallets for almost 20 years now. I started with SplashID and as both my needs, and the software category, evolved, I "upgraded" to the newest and greatest options.
There are three "main" types of password wallets to consider in my opinion: 1) online wallet, 2) offline wallet and 3) secure & encrypted notepads (I personally use a combination of all 3).
In the world of password wallets, you will get a lot of conflicting info and business pitches. My approach to InfoSec in general is fairly straightforward and you can read about it HERE. However, applying that knowledge, what you run into with most password wallets is that in order to have any sort of quality cross-device sync functionality, you are forced into using servers of some form or another. I have a number of issues with this, but the biggest ones are as follows:

  1. Most of the "breaches" or "hacks" of password wallets come from an attack on the host server and/or poor maintenance/practices with company InfoSec.
  2. If the company goes out of business and you have not maintained an active local backup, then all your passwords are gone! For example, at present, I have 1005 active passwords stored in my personal password wallet, all of which are unique, cryptographically random passwords. If I were to lose the database, there is literally no way I can recover all of my accounts.
  3. Ultimately, you do not own your passwords. As such, you are at the will of the company.
  4. You are typically locked into paying some absurdly high monthly or annual premiums just to maintain that data.

Realistically, most of these issues boil down to opposition to my personal InfoSec Imperatives, outlined in the aforementioned article.

Let's break down the 3 types of password wallets mentioned above:

Online wallet:

An online wallet is one that is hosted by a third party. Typically, this allows for maximum usability and a clean end-user experience that even people with little to no technological aptitude can take advantage of. Arguably, this is good, as EVERYONE who uses the internet should use a password wallet!
The downside though is that there is typically a recurring cost and you have no custodial rights over your data.
Another concern here is that, in my experiences, most of these services have an atrocious export process. I have very specific requirements when selecting software and hardware for my tech stack, and Frictionless Onboarding/Offboarding is a critical factor in that. I have experienced varying degrees of unmitigated disaster in exporting data from most of these services, further locking you into the service. There are exceptions that we will get into at the end of this post, but, in general, most of these are crap.

Offline wallet:

An offline wallet is one where you maintain custodial rights over your password database. This is ideal from an InfoSec standpoint; however, the flip side is that everything then falls to you. Do you know how to organize file structures? What about accidentally deleting your password database? This is realistically for intermediate and advanced users.

Secure & encrypted notepads:

First off, NEVER EVER store your passwords in a normal text file, word document, spreadsheet or anything else along those lines.
If this is your preferred method, invest in a secure & encrypted notepad or document service. There will be a cost involved, yes, but there are plenty of options out there for this so you can shop around a little. This blog for example is hosted on the encrypted notepad service, Standard Notes.

How I have my password system set up is as follows:

I use Bitwarden as my main password wallet. This is an online wallet and it offers free services for the core functionality. I ONLY have passwords that are on active accounts on this wallet. I would suggest upgrading to the "premium" tier to enable 2FA. Upgrading also provides other benefits, but at the cost of $10/year... yes, you read that right, ONLY $10/YEAR. Not only are you going to have the maximum protection, but you also support a really great company doing a great service to the world.
I then maintain 3 offline wallet databases using the KeePass protocol. 1 database is for any login credentials that are old and no longer in use, 1 database is for 2FA backup codes and 1 database is for unencrypted .csv backups of my Bitwarden wallet, which I export monthly, as a fallback in the event my Bitwarden wallet is not accessible. These three encrypted databases are stored on my NAS, but you could easily use an encrypted online, offsite storage service to store these as well.
Finally, I keep my master passwords for both Bitwarden and my KeePass databases in an encrypted notebook, specifically Standard Notes, and pin and obfuscate that note within the notebook so I can access it on-demand but still have it hidden away from prying eyes.
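An added example (not the author's code): a quick audit to run over the monthly CSV export before archiving it in KeePass, flagging reused passwords (rule 1), passwords under 15 characters (rule 3) and TOTP seeds stored beside their passwords (advanced rule 2). The column names are assumed to match Bitwarden's CSV layout and the rows are constructed; the report names entries only and never prints a password.

```python
import csv
import io
from collections import defaultdict

MIN_LENGTH = 15

# Constructed sample in the (assumed) column layout of a Bitwarden CSV export.
SAMPLE_EXPORT = """folder,favorite,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp
,0,login,Example Mail,,,0,https://mail.example.com,alice,Q7vR2kLm9XpW4zHb8NcT,
,0,login,Example Shop,,,0,https://shop.example.com,alice,Q7vR2kLm9XpW4zHb8NcT,
,0,login,Example Bank,,,0,https://bank.example.com,alice,hunter2,CONSTRUCTEDSEED2
"""


def audit_export(csv_text: str) -> dict:
    """Return entry names that break the hygiene rules.

    reused:         passwords shared by more than one entry (rule 1)
    short:          passwords under 15 characters (rule 3)
    totp_in_wallet: entries whose TOTP seed sits next to the password
                    (advanced rule 2: keep 2FA material out of the wallet)
    """
    by_password = defaultdict(list)  # password -> entry names, kept in memory only
    short, totp_in_wallet = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("type") != "login":
            continue  # notes, cards and identities carry no login password
        name, pw = row["name"], row["login_password"]
        by_password[pw].append(name)
        if len(pw) < MIN_LENGTH:
            short.append(name)
        if row.get("login_totp"):
            totp_in_wallet.append(name)
    reused = [names for names in by_password.values() if len(names) > 1]
    return {"reused": reused, "short": short, "totp_in_wallet": totp_in_wallet}


if __name__ == "__main__":
    # Only entry names are reported, so the output is safe to read on screen.
    for rule, hits in audit_export(SAMPLE_EXPORT).items():
        print(f"{rule}: {hits}")
```

Run it on the machine that holds the export, then delete the plaintext CSV once it is inside the KeePass database.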


Anyway, those are my thoughts on password wallets and the setup I use personally. If you have any questions, please feel free to ask and if you like what I am doing, please consider supporting me through one of the links in the header of My Blog!


More from Steve Chepp