Passwords
The use of passwords is still unavoidable at the moment. This makes it all the more important to handle passwords systematically and securely. The following points in particular should be considered:
- A separate password should be used for each service.
- A password that can be remembered is usually not a secure password.
- Passwords should be stored securely.
We recommend the use of a password manager for this purpose.
Password manager
A password manager offers the possibility to collect passwords in an encrypted store. This store is protected by a sufficiently complex primary password. Therefore, only one password needs to be remembered to gain access to the stored passwords.
The individual passwords can usually be generated securely with the help of an integrated password generator. Password managers usually also offer convenience functions that simplify the administration and use of the stored passwords.
Further information can also be found on the BSI website.
The security of the stored passwords is directly dependent on the quality of the primary password. Accordingly, the primary password should be chosen and stored with sufficient security (see Secure password thanks to password generator).
Recommendation: KeePassXC
We recommend using the password manager KeePassXC.
KeePassXC is a free and open-source password manager. It is available across platforms and can therefore be used on the most common operating systems. It can be downloaded from the project's website or directly via the following links for the respective platform. When using mobile devices, it is recommended to keep the password database on cloud storage (Seafile) for synchronisation and to integrate it via WebDAV. Furthermore, it is possible to use several password databases at the same time, e.g. one for business and one for private accounts.
In addition, the KeePassXC database can be connected to the browser via a browser add-on so that password fields (after unlocking the database) can be filled in automatically. The browser add-ons can be downloaded from the respective browser add-on stores or directly via the following links.
Other sensitive data of any format that needs to be stored securely, for example X.509 user certificates and key material or SSH keys, can also be stored in KeePassXC. When used for SSH keys, KeePassXC can also act as an SSH agent.
Instructions
FAQ
Is it advisable to save passwords directly in the browser?
No. Passwords that are stored in the browser are usually not well protected and can usually be read out if the device is infected with malware. Although it is possible to protect the browser's password store with a primary password, e.g. in Firefox, the encryption algorithms used are not sufficient. Synchronisation features can also lead to access data being passed on unintentionally to third-party providers.
How can I export passwords from my browser?
There are various options for extracting passwords from a browser's password store. This can be particularly useful when migrating to KeePassXC as a password manager. Known to us are:
- NirSoft PasswordFox (Windows/Firefox)
- NirSoft IE PassView (Windows/Internet Explorer)
- github.com/firepwd (Python/Firefox)
- github.com/firefox_decrypt (Python/Firefox)
- github.com/ff-password-exporter (Node.js/Firefox)
Can I use any password generator?
No. Only trustworthy password generators should be used. In particular, online password generators or similar should not be trusted. An overview of recommended password generators can be found here.
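The two points above (a trustworthy generator drawing from a real random source, and the vault being only as strong as the primary password that unlocks it) can be illustrated with a small added example in Python. This is not KeePassXC's code; the character set, the scrypt parameters, the guess rate of 1e10 per second and the primary password used in the demo are all assumptions made for illustration.

```python
import hashlib
import math
import secrets
import string

# Character classes to draw from (constructed for this example; a real
# generator such as the one in KeePassXC lets you pick classes similarly).
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniform random password from the OS CSPRNG via `secrets`, never `random`."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need length >= 1 and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly drawn password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every password of the given entropy."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def derive_vault_key(primary_password: str, salt: bytes) -> bytes:
    """Slow KDF (scrypt) from the primary password. This key unlocks the vault,
    so the vault is exactly as strong as the primary password is hard to guess;
    the parameters are illustrative, not KeePassXC's defaults."""
    return hashlib.scrypt(primary_password.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def unlock(primary_password: str, salt: bytes, expected_key: bytes) -> bool:
    """Constant-time comparison of the derived key against the stored verifier."""
    return secrets.compare_digest(derive_vault_key(primary_password, salt), expected_key)


if __name__ == "__main__":
    pw = generate_password(20)
    bits = entropy_bits(len(pw), len(ALPHABET))
    print(pw, f"{bits:.1f} bits,",
          f"{years_to_exhaust(bits, 1e10):.2e} years to exhaust at 1e10 guesses/s")
    salt = secrets.token_bytes(16)            # fresh per vault, stored next to it
    key = derive_vault_key("constructed-primary-password", salt)
    print(unlock("constructed-primary-password", salt, key), unlock("wrong", salt, key))
```

A 20-character password from this 94-symbol set carries about 131 bits, far beyond what a memorable password offers; the same arithmetic applied to a short primary password shows why the page insists on its quality.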