The use of password managers is gaining traction as people realise the intractability of storing unique long passwords in memory. There are some challenges related to password managers that you need to consider.
Until very recently, the most authoritative advice on password security was based on 1980s research [may be behind paywall] and made passwords extremely unpleasant to use. Times have changed a little for the better. The American National Institute of Standards and Technology (NIST) has changed its password security guidelines [easier to read link] to make them friendlier for users: it no longer recommends that passwords be very complex and unmemorable, and it no longer recommends that passwords be changed periodically. What it does recommend is that passwords be checked against a list of known “bad” passwords and rejected if they appear in it. It also recommends allowing users to choose really long passwords and letting them paste passwords in from password managers.
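The following is an added example, not code from the original article, showing what a NIST-style check looks like in practice: a length floor, a generous length ceiling, a lookup against a known-bad list, and no composition rules or forced rotation. The bad-password set, the limits and the `check_password` function are constructed for illustration (NIST SP 800-63B asks for at least 8 characters and that verifiers accept at least 64); the check also rejects context-specific words such as the user name, which goes slightly beyond the paragraph above.

```python
import unicodedata

# Constructed sample of a "known bad" password list. A real deployment would
# load a large breach-derived corpus; these few entries are illustrative only.
KNOWN_BAD = {
    "password",
    "123456",
    "qwerty",
    "letmein",
    "iliketowriteaboutsecurity",
}

# Policy values assumed for this example (NIST SP 800-63B: minimum 8,
# verifiers should accept at least 64 characters).
MIN_LENGTH = 8
MAX_LENGTH = 64


def check_password(candidate: str, username: str = "") -> list:
    """Return the reasons a candidate password is rejected.

    An empty list means the password is accepted. Deliberately absent:
    character-class ("complexity") rules and any expiry logic.
    """
    reasons = []
    # NFKC normalisation so visually identical Unicode forms compare equally
    # before length and blocklist checks.
    normalised = unicodedata.normalize("NFKC", candidate)
    lowered = normalised.lower()
    if len(normalised) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(normalised) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    # Case-insensitive lookup: "Password" is no better than "password".
    if lowered in KNOWN_BAD:
        reasons.append("appears in the known-bad password list")
    # Context-specific words (here just the user name) are also rejected.
    if username and username.lower() in lowered:
        reasons.append("contains the user name")
    return reasons
```

A long passphrase pasted from a password manager passes unchanged, while a short or listed password is rejected with a reason the user can act on.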
Password managers come with their own risks:
1. If you lose access to the password manager, you no longer have access to any of your passwords.
2. If someone else gains access to your password manager, they have access to everything.
Losing access to the password manager
Password managers can be web-based or locally installed. Web-based password managers seem like big bullseyes for criminals to go after. However, credentials are typically encrypted with the user’s master password, which is not stored on the password manager’s servers. More likely than an attack on the password database itself is an attack that tries to steal data from an individual user’s browser extension. A bigger concern is that a web-based password manager comes under a denial of service (DoS) attack that prevents users from accessing the service, or that the user does not have internet connectivity at the moment the passwords are needed. Some web-based password managers keep a local copy of the passwords for offline use to remedy this.
The problem with locally installed password managers is that the passwords may only be accessible from the one device, and you may not have that particular device at hand when you need your passwords. On occasion, people have used ingenious workarounds, such as storing the password database in Dropbox or Google Drive and opening it from their various devices. This might not work for all situations.
Password manager security starts with having a long but memorable (to you) master password for the password manager. Something like “Iliketowriteaboutsecurity” (don’t use that) would be very hard for someone else to guess but easy for the creator to remember. If necessary, write it on a piece of paper and keep it in a safe.
What happens when you lose your master password? This happened to me recently, and it could have been disastrous. My (web-based) password manager gave me options. I was still logged into my password manager on some devices when I realised the problem. I accessed a computer on which I was logged in and managed to get a one-time token to change my password. If that had not worked and I had been logged out of all my devices, I also had the option to revert to my old password with their support. The consequence would have been access to an older version of the database that lacked the newest changes. A quick review of help pages revealed that most password managers offer few options for forgotten credentials. Locally installed managers are unforgiving of forgotten master passwords: if you lose the master password, you lose all your credentials.
Securing your password manager against others
In a previous article I explained two-factor authentication (2FA) as one way of securing access to a password manager. 2FA, or multi-factor authentication (MFA), is a proven method of hardening your accounts against attack. It requires that you add “something you have” (a physical token, software token, etc.) or “something you are” (biometrics) in addition to “something you know” (a password, typically the first factor) in order to authenticate a person.
There is a flipside. If you set up 2FA to access your accounts and then lose the second factor, you lose access to your accounts. An early solution to this challenge was to print out a set of backup 2FA codes in case the primary 2FA method was lost. This stopped being practical as more and more services gained 2FA capabilities and users enabled 2FA on all of them. Sloppily stored backup codes can be picked up by people with or without malicious intent. Printed 2FA backup codes remain an option if you have only a few accounts to cover, but they are not generally advisable for securing most of your accounts today.
There is a software option. I used Google Authenticator as my 2FA for a number of applications. The problem: it can’t be installed and synchronised across two devices. Another application, Authy, solved that problem. Authy allows 2FA tokens to be synchronised across multiple devices: lose one device, and you still have access on the other.
This is a smart solution, but naturally there are weaknesses. Optimally, the password manager and the 2FA application should not be installed on the same machine; if that machine is compromised, both are at risk. The more devices you install 2FA on, the higher the risk of it being compromised, but the lower the likelihood of being unintentionally locked out of your credentials. At the same time, if you have installed 2FA on only two devices, you probably do not want both with you at the same time (e.g. it shouldn’t be on only two phones if you carry both phones with you). It would be unhelpful to ruin both phones in the same rainstorm and lose access to your accounts.
What are the lessons here? Consider the trade-off between the availability of the credentials to yourself, the means by which you can best protect your credentials and your 2FA tokens, and the actual likelihood of you being a target (as opposed to being at risk from opportunistic attackers – we all are at risk; not all are targets). Make your password manager and 2FA choices based on these trade-offs.