SelfHoster.dev

Password Management

Published: 2022-08-30

Servers are always online, often contain sensitive information, and are linked to your name. This makes them valuable targets for hackers. In turn, it is important to secure your server. By secure, I mean: Put in reasonable efforts to secure the server. There is no such thing as perfect security and the required security level depends on the risks. When setting something up, ask yourself what you want to protect and what would happen if worst case scenarios occur, and how bad those scenarios would be. To avoid panicking, try to objectively calculate the hours or costs involved. A hacker taking over your server to mine crypto would be annoying but fixable in a few hours if you have data backups. However, losing all your family pictures would be bad. (Unless you feel relieved since you can now never lose them again now. That's also a way to think about it.) For more details about thinking about your treats, see the excellent guide about Threat Modeling at Privacy Guides.

A basic line of defense against hackers is to set up proper passwords and not re-using them. Re-using passwords is risky because a password that you use at one spot could become compromised and allow hackers to log in to other places too. Furthermore, make sure to store any generated tokens or encryption keys. Using pen and paper for this would work, but also be cumbersome. Imagine having your servers going down while you are on vacation and you need to log in to fix things. It wouldn't be a safe idea to bring a list of all your passwords, tokens, and keys with you.

As a solution, password managers were created. They require on master key or master password and store all your passwords, tokens and keys in one place. A password manager essentially moves a lot of attack surface from various places to one place. Without it, hacking one account could provide access to another or hacking an account would be easy thanks to an easy password. With a password manager, all accounts get a unique and complex password. Stealing these passwords from the password manager itself is quite hard because security is their main selling point.

I won't recommend a specific password manager here. Some existing ones are:

When choosing a password manager, make sure that it can be used from your smartphone(s) as well as your computer(s). Also, ensure that they have a browser plugin which allows you to quickly fill in passwords from the vault and ensure that you can export your secrets. Use the export functionality to manually backup your secrets every few weeks or make automatic backups. This all might sound a bit extreme, but it is worth it. Losing all your secrets would take hours if not days to recover from, so that's why making backups is important.

Once you've set up a password manager, you've established a solid foundation to building servers. No need to reset servers or reset databases after having lost the keys. Just drop the secrets in the password manager.

The text is licensed under CC BY-NC-SA 4.0 and the code under Unlicense.