On Using Password Managers

For a long time, I was reluctant about using a password manager. One of the advantages of using one is the ability to have a strong and unique password for each service, without having to memorize each password. It drastically improves security.

xkcd #936 – Password Strength

Without a password manager, we unavoidably start reusing (bad) passwords across several services. Sometimes those services get hacked, and our info gets leaked, and you already know how this story ends.

A password manager nicely addresses those problems, but it also introduces new issues. Now, the reason why I was reluctant to use one was twofold:

  1. Trusting a third-party with all my passwords;
  2. Being unable to log in to a specific service because I don’t have access to my password manager app.

The second reason is also why I use two-factor authentication very selectively — only on services that offer a reliable recovery method and/or are critical for me. And by a reliable method I mean one-time recovery codes. Using SMS as a recovery method is not always the best option for me because I travel abroad quite frequently nowadays and I can’t count on being able to receive SMS.

Sure, I can always reset my password and change it temporarily in case I don’t have access to my password manager (as long as I have access to my email account).

But it would also be annoying if I wanted to access something on my mobile phone for instance, and having to type a long random string doesn’t sound very fun. So it would be good to have a mobile app to sync my passwords across my devices.

Having passwords stored on a cloud server considerably weakens the security of such services. Even though my info will be encrypted using industry standards (well, at least I have to trust they are doing their best), that means my passwords will be kept on external storage and will probably be jumping around other servers in multiple backups and so on.

A chain is only as strong as its weakest link.

Even with the best technologies, the most secure servers, and the strongest security features, none of this really matters if you don’t trust the company behind the service. Social engineering is known to be one of the most effective security attacks. There are many examples out there, for instance when an attacker used social engineering to trick a Namecheap support employee into granting access to an account protected by two-factor authentication.

You also need to trust their processes and personnel.

This year, when Troy Hunt announced the partnership between 1Password and haveibeenpwned.com, I thought about giving it a shot. I’ve been using it since then, and I never looked back.

1Password is such a great product, and it still amazes me how much thought they put into some of its features. For me, the best thing about 1Password is the browser plugins, so you can log in just by hitting the shortcut ⌘ + \. This is so convenient and just works.

The second best thing is the ability to have 2FA stored inside my 1Password vault:

1Password 2FA integration

This is awesome because if I lose my phone, I don’t need to set up all my 2FA again or go through the whole recovery process. Also, the workflow is so smooth. After you hit ⌘ + \ to log in, it will automatically copy the one-time password to your clipboard, so you simply press ⌘ + V after that to complete the authentication. After you are logged in, it will automatically restore your clipboard with whatever was there.
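As an added illustration (not code from the original post or from 1Password), this is what a vault actually stores for such a 2FA entry: the shared seed, from which any device holding it can regenerate the codes. It implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library; the seed used in the comments is the RFC test vector, not a real account.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, timestamp // step, digits)


def totp_from_base32(b32_secret: str, timestamp: Optional[int] = None) -> str:
    """Compute the current code from the Base32 seed as shown in an otpauth:// URI or QR code.

    This seed is the only thing a password manager needs to keep for the 2FA entry,
    which is why it survives a lost phone. The flip side: whoever obtains the vault
    holds both the password and the second factor, so the vault itself must stay protected.
    """
    if timestamp is None:
        timestamp = int(time.time())
    # Authenticator apps tolerate spaces, lowercase and missing '=' padding; normalise them.
    normalised = b32_secret.replace(" ", "").upper()
    normalised += "=" * (-len(normalised) % 8)
    return totp(base64.b32decode(normalised), timestamp)


if __name__ == "__main__":
    # RFC 6238 test seed "12345678901234567890" in Base32 (constructed sample, not a real account).
    print(totp_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"))
```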

Another cool thing about it is that you can store secure notes, credit card PIN codes, software licenses, and serial keys.

To be fair, I don’t trust all my stuff there. Especially my main email accounts that are used to register for other services. For those, I keep unique passwords stored only in my head. That way, even if I lose my recovery key from 1Password, I’m still able to regain access to the software and services that I use. But other than that, it’s been my standard way of storing sensitive information.

How I Use Trello

I am not exactly a Trello power-user, but I use it on a regular basis, especially when I am juggling multiple tasks and projects.

I keep a separate board for each side project I am working on at the moment and a main board for my 9-to-5 work. For the most part, I use them alone.

Basically, I start new boards the same way: with To-Do, Doing, and Done lists. After a while, I start breaking down the To-Do list into different lists, depending on what the work is about. If I am going to use a particular board alone, I eventually drop the Doing list. Otherwise, I keep it for visibility.

For example, for my Python & Django blog I have a Posts Backlog list for ideas for future posts, and I also have an Improvements list for existing posts where I need to address some issues (something changed in Django, or someone suggested an improvement that could be made to the post).

For my 9-to-5 work, I have a list for my Ph.D. related tasks, a list for the project I’m currently working on, a list for tasks related to papers I’m working on at the moment, and another list for general administrative tasks.

I try to always set a deadline for every task, except in cases where that does not make much sense, for example my ideas backlog for the blog, where I usually just pick one idea and write about it.

So far so good. But here is where the problem arises: What to do with a card once it is done?

Here is what I do:

I use a Trello Power-Up called Butler. It is a utility plugin to automate tasks. I create two simple rules:

  • When the due date is marked as complete in a card, move the card to the top of the list “Done”;
  • Every Sunday, archive all the cards in the list “Done”.

Butler: Trello Power-Up

It works pretty well for me. The process of clicking on the tasks and marking them as complete gives me some sort of energy boost and a perception that I’m progressing and achieving something. It is like a small victory in my day. I used to archive the tasks right away, but keeping them on the “Done” list for the week is incredibly motivating. It gives a good overview of how the week progressed. Then after the end of the week, Butler will archive everything in the “Done” list, and on Monday the board is ready for a fresh start.