2016-12-16

Password Manager Versus the Alternatives

Scope of this Post

This post will show how using a password manager compares in security and convenience to the other major ways of managing account credentials: the password manager is the winner in both categories.  This post will also cover some common objections to using password managers.

The bottom line is:
  • The case for password managers is strong.  Security experts use and recommend them.  The biggest choice is which password manager to use, whether to use browser integration, and whether you want to use a physically secure notebook for some of your accounts.

Note: by "password manager", I mean a standalone program dedicated to managing account credentials (username, password) that stores them in encrypted form, protected by a master password.  Web browser password managers will be addressed in their own section.

Also, I'd like to recommend 2FA for all accounts you have that are of even mild value. The security benefits are large and the inconvenience is small, regardless of whether you choose to use a password manager.


Convenience of Password Managers

Bottom line: once you've set up a password manager on your most commonly used devices, using the password manager is extremely convenient and useful.  In some ways, it's quicker and more convenient than going without a password manager and having all your passwords be simply "a".

Reliable Access to Your Passwords

One of the biggest fears I had about a password manager was the possibility that I'd be cut off from my password database at times that I needed to log in to one of my accounts.  So far, this feared scenario has never happened, and it seems it will be very rare in the future.

First of all, it's actually rare for me to log in to an account from a device I don't use regularly.  I sign in to accounts from my work PC, my home PCs, and my smart phone.  The only exception since I started using a password manager was one time (over a year ago) where I logged in to my medical services account at a doctor's office.

Secondly, your smart phone can access and use your password database at basically any place or time.  When I wanted to log in at my doctor's office, I enabled mobile data, opened the password database on my phone, and then manually typed the username and password on the doctor's computer.  If you anticipate not having internet access on your phone during a need to log in somewhere, then have a local copy of the password database on your phone, and update it from time to time.  (If you are changing credentials or creating new accounts very frequently, that sounds like even more of a reason to use a password manager, not less.)

Thirdly, if for some strange reason you won't have access to your password manager via any of your devices, you can always remember or write down a few passwords.  Or, you can ask for a password reset using access to your email (your email password will be one of the few passwords I recommend you remember or write down in a safe place).

Speed and Ease of Logging In

Many people resist using a password manager because they believe that a password manager results in extra time and effort to log in to their accounts.  I was also worried about this when I was trying out KeePass, but this worry quickly went away as I found that logging in to accounts was faster and less effort than before.

If you've set up browser integration for KeePass, then providing your credentials for an account can be instant (auto-fill) or a few clicks away (KeeFox icon, click credential).  Usually I set up KeePass such that it times out after 4 hours of KeePass inactivity, or 2 hours of computer inactivity.  This means I usually have to enter my master password 0-2 times at work, and then 0-1 times at home.  Typing your master password up to 3 times a day is relatively painless.

I would say that logging into accounts using a password manager is overall quicker and more convenient than manual entry even if all my passwords were a single character.

When logging in to something on your PC but outside of a browser (like logging in to Skype or Steam), password managers still have hotkeys and features to make it quick to paste your username and/or password anywhere you want.

Account Management Is Much Nicer

One of the benefits that I anticipated but underestimated was how nice it was to have a single, up-to-date place that listed all of my accounts, with optional note-taking.  I don't need to manage, sync, and migrate web browser bookmarks to all my accounts, nor do I need to remember what URLs I need to go to in order to sign in (ex: Exactly which webpage or even website do you go to in order to log in to your CitiGroup Mastercard?  In KeePass, you just double-click on the URL portion of the appropriate entry.  It's extremely hard to find my 401k login page without the aid of a bookmark or password manager entry, even though I know exactly what website to go to. And the list goes on...)

I don't need to remember which usernames and how many usernames I have with each account provider.  It's just surprisingly nice to have a place where you can see your accounts and all the relevant information about them (and complete history if you so choose).

It is easy to foresee that a password manager makes the headache of remembering passwords much, much less painful, but it also reduces the pain of generating strong, unique passwords.  The pain of changing an account's password and remembering the new password is 99% gone.  Using a password manager has majorly reduced my account-related stress level.  I feel like I am in firm control of my accounts, rather than overwhelmed by them.

I also put stuff like my car's lock box combination in my password manager too, because I have forgotten that in the past.  Password managers can be used to store more secrets than just account credentials.

Security of Password Managers

Many people have security concerns about password managers, and it is good to be careful with your approach to passwords.  The following sections discuss why password managers are overall a huge improvement in account security compared to the feasible alternatives.

A lot of security objections to password managers seem to come from a double standard, and any shortcoming compared to magical absolute security is sometimes claimed to be a deal breaker.  Keeping our focus on password managers versus their feasible alternative helps promote a fair evaluation of what choice we make for dealing with passwords.

Unfeasible Alternatives

There are a few major alternatives I consider to be as secure or slightly more secure than using a password manager, but are unfeasible for most people:
  • Keep a paper notebook with your credentials locked up in your safe (or a locked drawer) at home.  All passwords are strong and unique; you only remember the absolute minimum of passwords; perhaps you have a few passwords written down in your wallet.  This alternative is unbearably tedious and restrictive to most people.
  • Magically remember all your credentials, with every password being strong and unique.  This alternative is basically impossible for most people's combination of memory and number of accounts.  If you think you can do this, I urge you to consider the possibility that you are overestimating the strength/uniqueness of your passwords and the ability of your memory.
  • Remember a few of your credentials (with strong, unique passwords); frequently use password resets for the rest (like every time you log in).  I think most people would find this unbearably inconvenient, and there will be accounts where the password reset strategy won't work.  There might also be some security risks of this approach that I haven't thought of yet.
To repeat: the alternatives listed above have small security advantages and huge usability disadvantages compared to a password manager.  If you come away from this post thinking that password managers are unacceptably risky, then you're basically left with the passwords-in-a-safe-and-wallet approach.  It's okay to choose that option.  My biggest warning is that it is very easy for human-generated passwords to not be as strong as you think they are.  Use some trusted source of randomness to help make sure your passwords have enough entropy.

Also, it is okay to do a hybrid approach where the most crucial account credentials are kept in a physically secure notebook at home and the password manager holds everything else.  It might be acceptable to you that you can log in to your crucial accounts (ex: financial institutions) from home only.

The Very Similar Alternative, Web Browser Password Manager

Web browsers like Chrome and Firefox have password management features, including having remembered passwords stored in encrypted form, possibly protected by a master password.  As I understand it, there are a few shortcomings of browser password managers versus standalone password managers:
  • If you're not using a master password (I believe Chrome uses your Google password by default and that Firefox uses no master password by default), then your passwords are being stored in a format with no security.
  • It's painful (much time, many operations) and less secure to use those passwords outside the browser.  Once you've laboriously dug into the browser password manager and copied the appropriate password, now you have the problem that the password is now in your clipboard history, which is not catastrophic, but is a security risk.
  • Makes it painful to use other browsers.  I use both Firefox and Chrome, and I don't want to be locked in to a particular browser, nor do I want to have to constantly sync stuff between browsers.
  • So far, browser password managers do not help you generate strong, unique passwords.  This is a big deal.  Humans need assistance in order to generate strong, unique passwords.  Lack of help also means you will tend to make your passwords less strong and unique.
  • Browser password managers lack a lot of other nice features for managing your accounts, like versioned history, notes, icons, folders, and so on.
If you are using a browser password manager appropriately (using a strong master password; your accounts have strong, unique passwords; you're aware of the security risks) and you find the inconveniences acceptable, then I'm not going to yell at you that you need to change your ways.  The reason I have a bunch of posts pushing a standalone password manager is that it allows humans to safely store and use strong, unique passwords.  You don't have to accomplish that goal exactly like I do it.

Beyond the technical shortcomings, a big reason why I don't recommend using a browser password manager is that these shortcomings seem to lead humans to not use strong, unique passwords.

Much Less Secure Alternatives

My judgement is there is only one remaining category of notable alternatives to password managers: alternatives that are viewed as usable/convenient but are much less secure.

Simple File Containing Passwords

You have some spreadsheet, Word doc, or plain text file with account provider info, usernames, and passwords.

The comparison to a password manager is pretty straightforward: it's basically a poor password manager missing out on several important security and convenience features.  If your simple file contains password hints instead (and let's be generous and assume these hints don't significantly assist an attacker), it's very hard for you to also be achieving strong, unique passwords.

Remembering Many Passwords

You try to remember many or all of your passwords.  Due to the limitations of human memory, there will be some combination of reused and weak passwords.  Perhaps you have a tiered system where a password is reused across accounts of similar importance and security precautions.  For instance, throwaway accounts get one password; stuff like Twitter and Facebook get another; Amazon and eBay another; financial institutions and email get another or maybe each get their own.

This alternative is a clear loser in susceptibility to all of the biggest account security risks compared to properly using a password manager.

Password Generation Scheme

You have some algorithm where the account provider name, some secret text, and maybe the username are combined to generate a password for an account.  For instance, the common secret text might be "4secretthing", and you combine that with the first four letters of the account provider name such that your passwords will be "AM4secAZretthing", "EB4secAYretthing", "GO4secOGretthing", for Amazon, eBay, and Google, respectively.

Simply put, this approach doesn't even work.  You can not have a single scheme work across accounts or over time.  Account providers have all sorts of password requirements that contradict each other.  There are multiple blogs and web pages dedicated to the madness of various password requirements (one, two, three).  The most notable example is that some airlines and banks assign you a numeric user id and let you choose only a 4 digit PIN/password.  Many of the following are from the results of a Google image search for "password requirements".
  • Provider 1
    • Length: 6 to 10 characters
    • Letters and digits: allowed
    • Special characters: not allowed
    • Can't contain two separated numbers
  • Provider 2
    • Length: 8 to 20 characters
    • Lowercase letters: at least 1
    • Uppercase letters: at least 1
    • Digits: at least 1
    • Special characters: at least 1 of "!@#$%^&*()+?"; others are forbidden
  • Provider 3
    • Length: exactly 8 characters
    • Letters: at least 1
    • Digits: at least 1
    • Special characters
      • at least 1 of "@#$"; others are forbidden
      • not allowed in first or last position
    • No character can be the same as an adjacent character
    • New password can not be too similar to previous password.
      • New password that contains 3 characters in common with old password at same spot is unacceptable.
  • Provider 4
    • User id: a long number
    • Password: 6 digit PIN
  • Provider 5 and Provider 6
    • User id: a long number
    • 4 digit PIN
  • Provider 7
    • Length: exactly 8 characters
    • Letters: at least 2
    • Digits: at least 2
  • Provider 8
    • Length: exactly 12
    • Letters: at least 1
    • At least one digit or special character ("!#$%").
    • At least 6 characters must occur only once.
    • Can not contain any string that is also contained in the username (I wonder exactly how strict this is).
    • No common/sequence strings like "abcd", "1234", or "2468" (again, exactly how strict is this?)
Yes, there are some weird ones in there, but it is very common to encounter contradictory requirements on password length and special characters.  It's also not unusual to encounter a prohibition on having recognized words anywhere in your password, or a prohibition on new passwords being similar to old ones.  I also have a few accounts that have weird username requirements (or long user ids that are assigned to me).  One scheme will not work for all of your accounts.  Three schemes still won't work for all of your accounts.

One scheme won't even work for one account.  You need to be able to change your passwords and PINs.  What do you do when LinkedIn forces you to change your password because of a security breach?  What do you do when LinkedIn rejects your new password for being too close to your old password?

With contradictory password requirements and changing passwords over time, you are back to remembering a lot of passwords, which doesn't work out well either.
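To make the contradiction concrete, here is the example scheme from above implemented in code and run against the first four provider rule sets from the list.  This is an added example, not code from the original post; the rule checks are my reading of the listed requirements (for instance, "two separated numbers" is interpreted as digits, then letters, then digits again), and "Provider 1" through "Provider 4" are the anonymous providers from the list, not real services.

```python
import re

SECRET = "4secretthing"  # the shared secret text from the scheme described above


def scheme_password(provider: str) -> str:
    """The post's example scheme: the first two letters of the provider name,
    then '4sec', then the next two letters, then 'retthing'."""
    name = provider.upper()
    return name[:2] + SECRET[:4] + name[2:4] + SECRET[4:]


def check_provider1(pw: str) -> list:
    """Provider 1: 6-10 chars, letters and digits only, no two separated numbers
    (interpreted here as digits, then letters, then digits again)."""
    errors = []
    if not 6 <= len(pw) <= 10:
        errors.append("length must be 6-10")
    if not pw.isalnum():
        errors.append("special characters not allowed")
    if re.search(r"\d+[A-Za-z]+\d+", pw):
        errors.append("can't contain two separated numbers")
    return errors


def check_provider2(pw: str) -> list:
    """Provider 2: 8-20 chars; needs a lowercase, an uppercase, a digit and
    one of !@#$%^&*()+? ; any other special character is forbidden."""
    allowed_specials = "!@#$%^&*()+?"
    errors = []
    if not 8 <= len(pw) <= 20:
        errors.append("length must be 8-20")
    if not any(c.islower() for c in pw):
        errors.append("needs a lowercase letter")
    if not any(c.isupper() for c in pw):
        errors.append("needs an uppercase letter")
    if not any(c.isdigit() for c in pw):
        errors.append("needs a digit")
    if not any(c in allowed_specials for c in pw):
        errors.append("needs one of " + allowed_specials)
    if any(not c.isalnum() and c not in allowed_specials for c in pw):
        errors.append("contains a forbidden special character")
    return errors


def check_provider3(pw: str, old_pw: str = "") -> list:
    """Provider 3: exactly 8 chars; a letter, a digit and one of @#$ (not in the
    first or last position); no identical adjacent characters; at most two
    positions in common with the previous password."""
    errors = []
    if len(pw) != 8:
        errors.append("length must be exactly 8")
    if not any(c.isalpha() for c in pw):
        errors.append("needs a letter")
    if not any(c.isdigit() for c in pw):
        errors.append("needs a digit")
    if not any(c in "@#$" for c in pw):
        errors.append("needs one of @#$")
    if pw and (pw[0] in "@#$" or pw[-1] in "@#$"):
        errors.append("special character not allowed in first or last position")
    if any(not c.isalnum() and c not in "@#$" for c in pw):
        errors.append("contains a forbidden special character")
    if any(a == b for a, b in zip(pw, pw[1:])):
        errors.append("adjacent characters must differ")
    if sum(a == b for a, b in zip(pw, old_pw)) >= 3:
        errors.append("too similar to the previous password")
    return errors


def check_provider4(pw: str) -> list:
    """Provider 4: the password is a 6 digit PIN."""
    return [] if re.fullmatch(r"\d{6}", pw) else ["must be a 6 digit PIN"]


PROVIDER_RULES = {
    "Provider 1": check_provider1,
    "Provider 2": check_provider2,
    "Provider 3": check_provider3,
    "Provider 4": check_provider4,
}


def evaluate_scheme(provider_name: str) -> dict:
    """Run the scheme's output for one account provider against every rule set."""
    pw = scheme_password(provider_name)
    return {name: rule(pw) for name, rule in PROVIDER_RULES.items()}


def scheme_is_accepted_by(provider_name: str, rule_name: str) -> bool:
    return not PROVIDER_RULES[rule_name](scheme_password(provider_name))


if __name__ == "__main__":
    for site in ("Amazon", "eBay", "Google"):
        print(site, "->", scheme_password(site))
    for rule_name, errors in evaluate_scheme("Amazon").items():
        print(rule_name, "rejects it:", "; ".join(errors))
```

The 16-character scheme output is rejected by every one of the four rule sets, each for a different reason (too long, no special character, not exactly 8 characters plus the repeated "tt", not a PIN), and Provider 3's similarity rule would then reject the same scheme at the next forced change.  The random per-site password a manager generates can be tailored to each rule set instead.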

I also worry about the strength and uniqueness of passwords generated by manual algorithms.  I have a few other worries as well.  Perhaps in the future I will elaborate on these worries.  In the meantime, I think this post does a good job of pointing out the shortcomings even when you have software do the generation for you such that each password is strong and unique.

Password Managers Are Not Perfect, But They Seem To Be The Best We Have

Password managers are not the perfect solution that eliminates 100% of risk.  What they do is substantially reduce your overall risk; most of the major risks are reduced; some of the smaller risks stay the same, and some risks are increased.  The big security gains in the most important areas outweigh the small security reductions in other areas.  There is no perfect solution, password managers just happen to be the best option.

It seems like a lot of security experts consider password reuse and phishing to be the two biggest account security risks for individuals.   Proper use of a password manager solves the password reuse issue in a very direct manner.  A password manager can also reduce your vulnerability to phishing, because a password manager makes it easier to default to the https version of websites and a password manager won't be fooled by familiar-looking websites with familiar-looking URLs.  So, you'll be less likely to visit a phishing site and you'll have more warning signs and countermeasures if you get there ("Why doesn't my password manager say I have a login for this site?  Am I at the right place?").
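The phishing countermeasure described above comes down to how a manager decides whether a stored login belongs to the page in front of you.  Below is an added example of that matching logic (my own illustration, not KeePass or KeeFox code): it compares the registrable domain of the stored URL with that of the current page, so a lookalike host, a "paypal.com.evil-example.net" subdomain trick, a userinfo trick, or a plain-http copy of the site gets no autofill and no matching entries.  The tiny public-suffix set and the sample vault are constructed for the example; a real implementation would use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption). A real
# implementation must use the full list from publicsuffix.org; these few
# entries are enough to show matching on the registrable domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.au"}

# Constructed sample vault entries (assumption), each with the URL stored for the login.
SAMPLE_VAULT = [
    {"title": "PayPal", "url": "https://www.paypal.com/signin", "username": "alice"},
    {"title": "Example Bank", "url": "https://online.example-bank.co.uk/login",
     "username": "alice42"},
]


def registrable_domain(host: str):
    """'www.paypal.com' -> 'paypal.com'; 'paypal.com.evil-example.net' -> 'evil-example.net'.
    Returns None when the host is itself a public suffix or the suffix is unknown,
    so that an unrecognised host never matches anything."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def should_autofill(entry_url: str, page_url: str, require_https: bool = True) -> bool:
    """Offer the credential only when the page's registrable domain equals the
    stored entry's.  urlsplit().hostname drops userinfo ('paypal.com@evil.net')
    and the port, so those tricks fall through to the domain comparison."""
    entry, page = urlsplit(entry_url), urlsplit(page_url)
    if require_https and page.scheme != "https":
        return False  # the stored site is https; a plain-http copy is suspect
    if not entry.hostname or not page.hostname:
        return False
    entry_domain = registrable_domain(entry.hostname)
    return entry_domain is not None and entry_domain == registrable_domain(page.hostname)


def matching_entries(vault, page_url: str) -> list:
    """The entries a manager would list for this page.  An empty list on a page
    that looks like your bank is exactly the warning sign described above."""
    return [e for e in vault if should_autofill(e["url"], page_url)]


if __name__ == "__main__":
    for url in ("https://www.paypal.com/myaccount/home",
                "https://www.paypa1.com/signin",
                "https://www.paypal.com.evil-example.net/signin",
                "http://www.paypal.com/signin"):
        print(url, "->", [e["title"] for e in matching_entries(SAMPLE_VAULT, url)])
```

Requiring an exact registrable-domain match is deliberately strict: it also refuses to fill on legitimate alternate domains (a bank's separate "secure-login" domain, say), and the fix for that is to store a second URL on the entry, not to loosen the matching.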

For offline and online guessing attacks (which are still major risks), proper use of a password manager is again the clear winner in terms of you actually using strong, unique passwords that are resistant to these attacks.

The biggest downside of a password manager is you are putting many eggs in one basket.  If combining your eggs in one basket means you can protect your eggs a lot better, then perhaps one basket is the proper choice.  Just like storing valuables in a safe rather than scattering valuables around your house is a good choice.  The following sections will further illustrate why the one-basket downside of using a password manager is not much of a downside.

What If Bad People Get Their Hands On Your Password Database?

This is often one of the first questions raised once someone hears about password managers.  My password database file is encrypted with a high-entropy, unique master password.  My password database is also configured to take a lot of operations for each password guess such that guessing attacks are massively slowed.  Even with a massive password cracking cluster of today's GPUs, my master password should remain unguessed during my lifetime.  When technology changes enough to merit a password upgrade, I'll do that.  I change my passwords every 2 years anyway, so the strength of my master password is overkill by several orders of magnitude.

So, basically if some bad people get their hands on my password database file, I'll probably be fine.

My password database is stored on Google Drive.  If bad people got it from Google Drive, most of the time that means my Google account was compromised.  If bad people have control of my Google account, they can do a lot of damage without my passwords because my gmail account already tells them about my important accounts and lets them do a lot of password resets.  2FA can help a huge amount in this scenario (regardless of password manager or not).  So in a scenario that bad people compromise my Google account, they probably won't crack my password database within my lifetime, and even if they do, that does not cause huge additional damage.

Another possibility is bad people getting their hands on the unencrypted contents of my password database through password-manager-targeting malware on my computer or some exploit of my browser integration with my password manager.  Yes, it would be bad for malware or an exploit to expose my passwords to bad people, but if you have password-gathering malware on your computer, bad people are going to get a lot of your passwords (or account access through stored authentication tokens) regardless of whether you use a password manager.  Again, the additional damage from a password manager is not huge (and the benefits of 2FA are huge).

Why Should I Trust The People Behind The Password Manager?

For the same reasons that you trust Google, Microsoft, and/or Linux to a large extent.  Specific to KeePass, it's a long-lived, reputable, open-source password manager that has undergone serious security audits and has received recommendations from many security professionals and organizations.  If you really want a password manager where a company's financial future depends on providing a secure product, you can choose something from Norton, 1Password, and so on.

Expert Opinion On Password Managers

Using a password manager increases some very particular risks, but my semi-informed impression is that using a password manager is overall a huge decrease in risk versus the alternatives.  This endorsement of password managers also seems to be the judgment of the computer security experts.  Some very notable examples are Bruce Schneier, Troy Hunt, Per Thorsheim, National Cyber Security Centre of the UK Government and many other organizations.  Almost every article I read about password managers includes a recommendation to use them.  Even when I do Google searches for stuff like "password manager malware" and "password manager disadvantages", the people that discuss particular risks of password managers almost always still recommend using a password manager.

The times that people do recommend against password managers (one, two)...
  • Sometimes the option they recommend is the physical-notebook-in-a-locked-drawer option.  If that option is not acceptable for you, then a password manager is the next best choice.  Also, as I've said before, it is okay to do a hybrid approach of a physically secure notebook for some accounts, and a password manager for the rest.
  • Sometimes the option they recommend is the password generation scheme.  This doesn't work (see Password Generation Scheme section above), and plenty of other security experts disapprove of this methodology.
  • If you look closer at some of people that an article portrays as against password managers, a lot of the time they are just recommending against web-based password managers, or they recommend not using browser integration, or they advocate being careful about which password manager you choose, but they are still advocating using a password manager.
  • One anti-password-manager person (Simon Edwards) poses the question: if you were a bad person, would you go after a cloud-based password manager service, or would you go after popular websites?
    • Bad people have answered this question: they overwhelmingly go after popular websites.  I believe I would be in good company with plenty of security experts by asserting that Simon Edwards presents an inaccurate view on the prevalence of various dangers for users.
    • Not all password managers are cloud-based.
    • Even when LastPass was breached in 2015, the attackers got account email addresses, password reminders, per-user salts, and authentication hashes, not the encrypted password vaults themselves, and LastPass quickly noticed and disclosed the breach.  Even if the vaults had been taken, a good master password would keep them secure for a very long time, and a password manager makes it much less painful to go through your accounts and change passwords, quickly making your old passwords useless to the bad people.

Parting Thoughts

The case for password managers is strong.  The biggest choice is which password manager to use, and exactly how to use it (ex: browser integration? where to put password database? put some account credentials in a physically secure notebook instead?).

I encourage questions and counterpoints from readers.

Also, if I personally know you, it is likely that I will agree to sit down with you and help you start using a password manager if you ask me for help.  My post on how to get set up with KeePass on multiple devices is a good start.
