E.Snowden who has shown us the US.gov and other big governments of the world, does not want us ( personal sector ) to deploy harden security practices.
https://en.wikipedia.org/wiki/Edward_Snowden
We used passwords everyday, and in some case the same password across multiple systems. This is due that we can't manage hundreds of passwords and not all systems MFA enabled.
If you have no OTP ( one time password ) mechanism for a login , your at risk if your password is ever lost or the system was ever compromised. Mail.com had this happen with million of email-user accounts btw.
Here's a sure want to use passwords and make a strong password lengths and complexity and then you secure the data with a x509 certificate. You should avoid reusing passwords across multiple systems by all means. Yes it's tempting but in reality poor security execution.
So let's dive in....
example 1
You have a cool password for gmail.com, but you can remember it since it's so long and so cool . Just encrypted it and then only you the owner of the matching private key can decrypt it
NOTE: that is not password , so don't try to use it
Okay example 2
You need to make a long IPSEC PSK of 36byte bytes & that is random to share with a vendor and who in the h#ll will remember it?
No problem encrypted the data by using a x509 pub-key
NOTE: You can do this and send encrypted keys to others if they have a existing PKI-infastructure and issue user certificates
This allows for you to make very strong keys and with no risk if they are ever lost or stolen since they are encrypted. You only have to manage your certificate and ensure that you have a strong passphrase.
All of my traveling laptop have a aes128 loopFileSystem and with my encrypted keys stored. This way I can have my mail, bank, forums, alarm code, pin, account#s, and others systems passwords close by and 100% secured
! And only need to manage one single master passphrase for decryption. !
TIP: You can add subject headers for the SMIME headers to help provide pointer on what the password is for. Do not but sensitive information in this field
Example:
Subject line was added that describe this data contains.
With openssl , you can easily encrypted with des / aes128 -thru- 256 or a few others ciphers. keep in mind your data is always at risk if your passwords are compromised.
lastly, store the pass-phrase for your private-key in your memory or a vault. A good rule is passphrase made up of 8 words or more.
example
Bad "This is a key"
Good "This is Much STonger K3n is S0 Sm@rt! "
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \