The proliferation of online login accounts has made our lives easier and more convenient to gather information, pay bills, etc. However, it comes at a cost. Our password management hasn’t changed much – and that creates a vulnerability that can really hurt.
Read on to see the pros and cons of password management systems.
Password management is the selection and use of strong credentials to access online resources. Although the number of reasons to create a login has exploded over the years, our password management is subpar at best and outright egregious at worst.
The Current State of Affairs
The current state of affairs is untenable. An abundant array of accounts with weak, simple, and easily guessable passwords exists. Many more are reused across many different sites and not regularly changed.
What most people do is try to pick a password they think they can easily remember. The password is likely <= 8 characters, usually is or contains dictionary words, and follows some mnemonic. Common and easy-to-crack passwords are the norm instead of the exception.
Our brains were not designed to generate strong unique passwords.
Writing down passwords in a notebook would be a better practice than the status quo.
Vendors Are Not On Your Side
If asked, most companies would say their website encourages strong passwords and assists the user in choosing them. Unfortunately, this is not the case. A University of Plymouth study showed that password guidance by organizations requiring a login has barely improved over a decade.
It doesn’t help that major technology companies like Google, Amazon, Facebook, Wikipedia, Reddit, Yahoo, Twitter, Instagram, Microsoft Live, and Netflix are among the list.
What is a Password Manager?
A password manager is nothing more than a software application used by individuals to organize, encrypt, store, and retrieve their credentials. Often they are synchronized between multiple client devices you own (ex. your laptop and iPhone). Most have both console applications and a web client interface.
To access your passwords you must remember only one password, which then gives access to them all. One password to rule them all!
Enterprises must take this very seriously as well. We must be very careful managing service accounts and privileged accounts, and keeping credentials confidential. For businesses, a few good password management systems are: LastPass, CyberArk, Keeper, and Dashlane. Some can also help protect against keyloggers and other malware targeting the password management system.
There are many more but these are very popular ones.
Why Use a Password Manager?
I am strongly in favor of them. When I get into a debate about password managers I get a lot of weak arguments. Here’s my analysis:
Pros of Password Managers
There are some compelling reasons to use a password manager:
- People choose weak passwords – password managers can help you always make a strong complex password.
- It will remember your passwords for you and usually be available across multiple devices
- They can generate and store security questions – this is important because if the password is strong but the security questions are not, then that can make it easier to reset your password.
- Read my post on Knowledge Based Authentication for more details
- Prevents password reuse
- Makes it easier to change your passwords to keep them fresh
- Check out this interesting article from University College London. A study links password lifetime (expiration) to password strength to create a positive feedback loop. The stronger the password, the longer it can live.
Until you have gone through brute force password cracking you may not know just how bad most passwords really are.
Cons of Password Managers
To be fair, there are some possible downsides to password managers.
- It is only as strong as your master password for the vault
- A single point of failure – making this a highly desirable target with high payout
- System vulnerabilities – Windows has a habit of storing passwords in clear text and in memory. Underlying infrastructure could be compromised.
- Interception in the cloud (if you are using Dropbox or iCloud to transfer the key vault).
- XSS, browser bugs, and existing malware on your machine are a threat.
If you forget your master password you will lose access to all of them. No one can retrieve them for you – not you or the vendor.
Yes, it is possible that password management systems could be compromised. However, as we will discuss below, that isn’t the right frame for the subject.
Invariably people argue with me that they have some secret method for generating strong passwords. I often laugh when I hear their technique because it is very insecure. Compound that with the hundreds of logins that you probably have and you'll see the folly very quickly.
I look at people who suggest they have a secret method for generating strong passwords just like those who want to roll their own crypto.
One must consider the threats they actually face. Just because there are vulnerabilities doesn't mean we don't try to take precautions. It would be like arguing against locking your front door because, theoretically, a tank could come through your living room.
Don’t discard “good enough” because of unattainable perfection.
Password managers don’t have to be perfect – just better than our alternatives. After assessing the pros and cons I think that using a password manager is far superior to not for most people. Remember, your brain is a poor password generator. Cognitive psychology tells us that most people’s memory can only hold 8 bits of information in short term memory at a time.
Most adults can store between 5 and 9 items in their short-term memory (source: https://www.simplypsychology.org/memory.html).
Weighing the Pros and Cons of Password Managers
Security must balance with usability for most people to achieve both. Even with all the known vulnerabilities it is still a choice of risk aversion and the probability of something bad happening to you.
Check out this white paper – Password Managers: Under the Hood of Secrets Management. It discusses known vulnerabilities and finds that there are exploits to recover the password even when the password management system is locked (much of this is due to running on Windows). This was explored in various states of operation:
- Non-running state – the password management system is not running
- Unlocked and running state – copying the password into memory
- Locked and running state – failure to scrub obfuscated master password from memory
Even with these concerns, password managers are a superior option to the status quo.
Here are some general principles to help you choose a strong password:
- Choose long and diverse passwords
- Do not use personal information (like your dog’s name) or any dictionary words
- Do not reuse credentials on multiple sites
- If you have to write it down then use a hint instead of the actual password
- Make the password for your email the strongest – this is a powerful point of attack and often contains account resetting and multi-factor authentication
- Change the password every so often (monthly, quarterly, bi-annual, etc.)
- Use MFA wherever you can
- Consider salting your passwords with a few characters. This way if the passwords get stolen they will not have the actual full password!
- Example: for the password X289eJWsas27, add a prefix or suffix that you remember to a piece of it: X289eJWsas27_ThisIsYourSalt. Do not store the salt in the manager.
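The principles above can be checked mechanically. The audit below is an added example, not code from the original post: it runs the post's rules (length, dictionary words, personal information, reuse across sites) over a constructed sample vault; the site names, passwords, personal details and mini dictionary are all made up for the demo, and the function names are mine.

```python
import math
import re
from collections import Counter

MIN_LENGTH = 12
# Constructed sample vault (site -> password) and personal details; none are real credentials.
SAMPLE_VAULT = {
    "bank.example": "Fido2019!",
    "email.example": "X289eJWsas27_ThisIsYourSalt",
    "shop.example": "password123",
    "forum.example": "Fido2019!",
    "news.example": "kQ7!vPz2#mL9wR4s",
}
PERSONAL_INFO = ["fido", "1979"]  # constructed: the dog's name and a birth year
# Constructed mini dictionary; a real audit would load a full wordlist.
DICTIONARY = {"password", "fido", "welcome", "summer", "dragon"}
# (regex for the class, number of characters it contributes to the alphabet)
CHAR_CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]

def entropy_bits(password):
    """Upper bound: length * log2(size of the character classes actually used)."""
    charset = sum(size for pattern, size in CHAR_CLASSES if re.search(pattern, password))
    return len(password) * math.log2(charset) if charset else 0.0

def check_password(password, personal_info=PERSONAL_INFO, dictionary=DICTIONARY):
    """Apply the post's per-password rules; returns a list of findings (empty = OK)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too short (%d < %d)" % (len(password), MIN_LENGTH))
    if entropy_bits(password) < 40:
        findings.append("low entropy")
    low = password.lower()
    if any(info in low for info in personal_info):
        findings.append("contains personal information")
    if any(word in dictionary for word in re.findall(r"[a-z]+", low)):
        findings.append("contains dictionary word")
    return findings

def audit_vault(vault):
    """Check every entry and flag reuse across sites; returns {site: findings}."""
    counts = Counter(vault.values())
    report = {}
    for site, password in vault.items():
        findings = check_password(password)
        if counts[password] > 1:
            findings.append("reused on %d sites" % counts[password])
        if findings:
            report[site] = findings
    return report
```

Calling audit_vault(SAMPLE_VAULT) flags the bank and forum entries for reuse, personal information and a dictionary word, and the shop entry for being short and a dictionary word; the salted email entry and the generated one pass clean.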
Recommended Password Management Systems
There are many to choose from but I recommend one of these two:
- 1Password – proprietary, pretty cheap for what you get, multiple devices and family sharing, cloud sync with Dropbox and iCloud.
- KeePass / KeePassX (the first for Windows, the second for OS X / Linux) – FOSS solution, stays local with no cloud data flow.
When in doubt – make the passwords a long phrase with character substitution. My favorite example of this is from XKCD
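Both the manager-generated passwords praised in the Pros section and the XKCD-style long phrase recommended here draw their strength from a CSPRNG and a known keyspace, not from a clever mnemonic. The generator below is an added example, not code from the original post: the 16-word list is constructed for the demo (real generators use lists of thousands of words), and the function names are mine. It also reports the entropy so the reader can see why the size of the word list, not the character substitution, is what counts.

```python
import math
import secrets
import string

# Constructed 16-word list for the demo. Real generators use lists of several thousand
# words (the EFF diceware list has 7776); the list size is what sets the entropy.
WORDLIST = ["correct", "horse", "battery", "staple", "tank", "living", "room", "door",
            "lock", "vault", "salt", "phrase", "memory", "bits", "brain", "online"]
# Character substitutions applied after the words are drawn.
SUBSTITUTIONS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 characters

def passphrase_entropy_bits(num_words, wordlist_size):
    """Only the random word draws contribute entropy: log2(N) bits per word. A fixed
    substitution rule adds none, because an attacker can apply the same rule."""
    return num_words * math.log2(wordlist_size)

def password_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Each character drawn uniformly from an alphabet of size A gives log2(A) bits."""
    return length * math.log2(alphabet_size)

def generate_passphrase(num_words=4, wordlist=WORDLIST, substitute=False, sep="-"):
    """Draw words with the OS CSPRNG (secrets), never with random or the brain."""
    phrase = sep.join(secrets.choice(wordlist) for _ in range(num_words))
    if substitute:
        phrase = "".join(SUBSTITUTIONS.get(c, c) for c in phrase)
    return phrase

def generate_password(length=16, alphabet=ALPHABET):
    """Random character password of the kind a password manager generates for you."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def words_needed(target_bits, wordlist_size):
    """How many words from a list of the given size are needed to reach target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))
```

Four words from the demo list give only 16 bits, while four from a 7776-word list give about 52 bits and a 16-character random password about 105 bits; words_needed(64, 7776) shows five words is enough for 64 bits.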
In short, the pros of using a password manager outweigh the cons.
People typically choose weak passwords and reuse them across many sites. A password manager solves this problem in a secure and convenient way. If you are not using one then please try out 1Password or KeePass(X) right now!
Thanks for reading and stay safe online!