37

I want to recommend a password manager to my non-tech friends and family and help them set it up and use it. One of the decisions I have to make is whether I recommend one that works on laptops or one that works on smartphones.

Smartphones:

  • Have much better application isolation. This is by far the biggest plus.
  • Are carried around everywhere, eliminating the need to even consider an online password manager since people always have access to their password manager already.
  • Are a pain to disassemble. Where cold boot attacks against desktops and laptops are extremely rare, I'd consider them even rarer against smartphones.
  • Are a pain to type on, limiting how long a master password can be. On the other hand, most non-techies probably don't type very fast on computers either.
  • Not a single smartphone password manager allows generating passphrases, which are much easier to type over into a computer than a random password, while being equally secure. (5 random words (43k-words dictionary) contain 75 bits of entropy, 12 characters (alphanumeric, mixed-case) contain 70 bits).

Laptops:

  • Might be compromised by clicking the wrong thing when browsing. I feel like smartphones don't have this issue as much, and even if someone installs a bad app from the store, it should be isolated.
  • Allow for copying the password rather than typing it over from a smartphone, allowing for stronger passwords. (I expect that 90% of the time, people will log into an account on their laptop, not on their smartphone.)
  • Have more password managers available. For smartphones, there is exactly one proper open source password manager whereas for laptops I know several.

I conclude that smartphones have a slight advantage, but I have to find a solution to generate passphrases, ideally by using a custom keyboard so they don't have to be passed through the clipboard.

Did I miss any (important) considerations?

Luc
  • 32,378
  • 8
  • 75
  • 137
  • 7
    I admire the desire you have here, and I think this is really a challenge we all have to help people with. I have struggled with this question many times. I do think there are exceptions to nearly every assumption you've made in your list, however. So, rather than pros and cons, I would focus on desired outcome which I'd argue is people using _something_ rather than nothing. When I think like this, I often go to two places. LastPass and KeePass. KeePass for Windows with secure desktop and obfucations is good, and saving to Dropbox, export to MiniKee on iPhone is complicated but doable. – beauk May 07 '17 at 17:09
  • I have been using enpass (which, by the way, has a feature that lets you generate xkcd-style "readable" passwords which are what I think you meant when you mentioned passphrases) for a while now and that works on both smartphones and computers, synching between them via Dropbox. I'm sure there are others that can also do this. So what am I missing? Why do you feel you have to choose one that works on only one or the other platform? Why not just use one which works on both? – terdon May 07 '17 at 22:14
  • Passphrases can be easily defeated with dictionary attacks. – ave May 07 '17 at 22:29
  • 2
    I just keep all mine in an actual notebook, written in a rudimentary code. Seems to work. I don't use my phone for a lot of stuff that requires passwords, though, so I'm usually at home when I need to look them up. – Jason C May 08 '17 at 02:04
  • 1
    @Avery You should chip in [here](https://security.stackexchange.com/questions/10294/can-a-dictionary-attack-crack-a-diceware-passphrase) (or a similar question) with details on that. – Kimball May 08 '17 at 07:57
  • I found a product which can eliminated the Problem: https://www.themooltipass.com/ Hardware Based Password Manager with the ability to enter Logindata (register itself as Keyboard) maybe this could be a good thing for that kind of problem – Serverfrog May 08 '17 at 09:04
  • 6
    @Avery, passphrases made up of *randomly chosen* words, which is what is meant by "xkcd-style" or "diceware" passphrases, are *not* easily defeated by a dictionary attack. You are correct that phrases selected from song lyrics or Bible verses can be easily defeated, but blanket statements like you made above are very misleading. – Ben May 08 '17 at 17:47
  • 9
    You forgot to answer the first question in security: **what is your threat model**? The threat model your non-techie friends and family care about protecting against most likely doesn't include any of the things you actually discuss. (You seriously think your friends and family are, without help, going to beat someone capable of performing a cold boot? You should probably be more worried about someone looking over their shoulder.) – jpmc26 May 08 '17 at 23:10

5 Answers5

41

I don't understand why you don't want a password manager that works on both? Your non-tech friends that don't use a password manager yet are too limited by your requirements. You seem to be running in paranoid mode. Your friends want something that is convenient.

If you can get them to move to Lastpass, that will be a huge improvement over their current security.

  • It can be shared on phone and laptop for free now.
  • It has 2FA, which is probably already much too complicated for many, and very inconvenient, but it does have this option. If setup properly, it prevents logins from unknown computers.
  • Lastpass has its own 2FA app, making it even easier.
  • If someone logs in from another location, you get an email about it.
  • Login can be limited to certain countries.

NB: I don't mean to limit this to Lastpass. Other password managers like 1Password probably have the same bonus. I don't use them, so don't know. Keepass is an offline option, but sharing the database in Dropbox or Google Drive makes it kind of online, but still more difficult to use.

Some questions:

  • What is your objection to Lastpass or similar solutions? I don't say that you have to use it. It's for your friends, who need to step up their security to use something instead of nothing. Lastpass is a lot more secure than nothing, in my opinion.
  • Why you don't mention the password managers you consider? It would make this discussion a lot more meaningful!
  • What is it with choosing between laptop and phone? So I can't use passwords on the phone that I use on the laptop? If your friends log on to Facebook, they need them on both the phone and laptop!
  • Non-techies can type at incredible speeds! Further down your question you talk about passwords that consist of normal words. Most people can type normal words at normal speeds.

I'm afraid that your solution will turn out to be dumped on the first occasion where inconvenience turns its ugly head. Be wise and choose the compromise!

SPRBRN
  • 7,449
  • 6
  • 35
  • 37
  • 6
    Not sure about the reference to "two different accounts" when using LastPass. Multi-device access has been free since November. https://blog.lastpass.com/2016/11/get-lastpass-everywhere-multi-device-access-is-now-free.html/ – Gary May 08 '17 at 02:32
  • Note that LastPass actually have their own 2FA app which does LastPass auth via push notification, making it as simple as hitting the big check mark instead of requiring copying a code. Still, I'd always just recommend people just use LastPass: in addition to allowing you to be more secure it's just really convenient. – CAD97 May 08 '17 at 05:16
  • Curious why you think €12 would be too much for many. That's just one beer in some places. – Lightness Races in Orbit May 08 '17 at 09:03
  • 3
    mhh.. Lastpass. That solution can be quite often found in News that other Users could get your passwords through different things (like XSS and so on) – Serverfrog May 08 '17 at 09:05
  • @Serverfrog: Really? That's quite a serious charge. Do you have a link to some evidence? – Lightness Races in Orbit May 08 '17 at 09:07
  • 2
    https://nakedsecurity.sophos.com/2017/03/29/another-hole-opens-up-in-lastpass-that-could-take-weeks-to-fix/ Is the first English link. Read it on a German IT News Site multiple times. – Serverfrog May 08 '17 at 09:09
  • 2
    @Serverfrog: Interesting. Still, the comments under that article explain well why this isn't necessarily as big a black mark against LastPass specifically as you're suggesting. – Lightness Races in Orbit May 08 '17 at 09:12
  • 1
    @BoundaryImposition - 12 euros is too much because everything is "free" nowadays. – SPRBRN May 08 '17 at 09:58
  • @Serverfrog - is that bug fixed by now? – SPRBRN May 08 '17 at 10:02
  • @SPRBRN: mm no wonder everyone feels so entitled nowadays lol – Lightness Races in Orbit May 08 '17 at 10:15
  • 6
    I like Keepass and use it, as you suggest, wtih DropBox. If that is too complex, there is a [web based version ](https://keeweb.info/). Since it is open source, I would hope that community review would have caught any potential backdoors or other problems. – Mawg says reinstate Monica May 08 '17 at 11:47
  • 1
    Well, the fact that it is open source is very good, but how do you know that your version is created from that code? Did you compile it yourself? If you compiled the code, are you sure you have unmodified code? On what system are you running this? Windows? Mac? Even if you use open source Ubuntu or Debian it is no guarantee that it's all safe. It's a matter of trust. And is the code safe? I can't review it. I don't have the knowledge, nor the time. – SPRBRN May 08 '17 at 11:53
  • 4
    I second @Mawg vote for KeePass. I've been using it for years & keep it in my Dropbox account. It's available for me everywhere (except work, which blocks Dropbox). I've not had so much success in getting family to use it, however... :( – FreeMan May 08 '17 at 13:33
  • 1
    Note: 1Password is not an online password manager like LastPass. You can put the encrypted password database in the cloud, but the clients are local, standalone applications. – Schwern May 08 '17 at 17:49
  • *"Another thing I don't understand is why you don't mention the password managers you consider?!"* Because product recommendations are not allowed here, which I feel is unfortunate on topics like these. But if more people, like me (and you it seems), feel like it's warranted here, I'd totally love to get specific recommendations and comparisons. – Luc May 08 '17 at 23:30
  • 1
    The security flaw mentioned by @Serverfrog has been fixed in the meanwhile: https://blog.lastpass.com/2017/03/security-update-for-the-lastpass-extension.html/ – Fabio says Reinstate Monica May 09 '17 at 01:04
7

Disclosure: I work for AgileBits, the makers of 1Password.

Passphrase generator on mobile

Not a single smartphone password manager allows generating passphrases

1Password does on iOS, though not in 1Password on Android.

Words are chosen randomly and uniformly from a list about approximately 18400 English words from 3 to 8 letters long.

If I may boast a little bit, my lame claim to fame is in reviving interest in Diceware-like generators, with a blog post six years ago that inspired a certain XKCD comic. The particular scheme that we use in 1Password today was presented at PasswordsCon in 2015.

Avoiding the clipboard

... so they don't have to be passed through the clipboard.

On Android, 1Password does offer a custom clipboard, but I don't think it does everything that you want. On iOS we (and other password managers) use application extensions to allow integration with apps that enable the use of these extensions. But none of these are complete solutions.

This is a difficult problem, which all password managers face and address in different ways. On the laptops, most password managers use browser extensions that somehow talk to something with the actual password data. (The "somehow" differs among the password managers, with advantages and disadvantages to each approach.)

On mobile, the application sandboxing (a good thing for security) makes this harder. One thing that we have been careful to do is to not use the clipboard without it being clear to the user that that is what is happening. That is, we don't silently use the clipboard.

Again, no one has a perfect solution, and we all approach the same sorts of difficult problems slightly differently.

Platforms

The question does a great job at evaluating the advantages and disadvantages of mobile versus laptop including the security of using a password manager on the platform, but the rest of the details seem to assume that for mobile you are only considering Android. That seems odd to me. Google has been making huge strides in helping people avoid malware and in helping people update their systems, but Apple is still substantially better in these regards.

As much as I guess you hate the cloud, people will want to have their password data available on all of the systems that they use. Having a password manager on just one of those systems is going to leave people in the same position that they are today. They will continue to reuse relatively weak passwords unless their password manager works for them where they work.

And this brings us to ...

Usability

You are looking for a password manager for "non-tech friends and family." Usability is more than just a pretty UI. It is about designing things to work with the grain of how people operate instead of against the grain. It is not a "usability versus security" question, but about making it easier for people to behave securely than insecurely.

If you want people to actually use the system that you set up for them, you need to take all of this into account.

Invisible features

Password managers face the same problems, and often we come up with similar solutions. But there are still substantial differences under the hood. What counts as "metadata" is one thing. What can a service learn about its users' behavior is another. What defenses it offers if there is a server compromise. What defenses are there against data tampering, and many more. These sorts of things are typically not visible to users (or even many people who review password managers).

I encourage you to look at these sorts of things. The 1Password security white paper still has missing sections (we are slowly filling those in), but it both goes into details and it talks about both the positives and negatives of various design elements.

Jeffrey Goldberg
  • 6,420
  • 17
  • 21
  • I suppose you could take care of some of the cloud storage worries by *only* storing them locally on your phone, and just keeping your phone with you. Then you don't need to store them on a server somewhere, since they're always in your pocket. – Jason C May 09 '17 at 12:03
  • 1
    Dang, I looked at 10 different password managers but 1Password ain't 1. Not sure how I missed that one! Just curious, why was the choice made to not support generating passphrases on Android while on iOS it's supported? | *"Apple is still substantially better in these regards."* Disputable, but anyway, I can hardly ask people to buy a new smartphone for this, and an expensive, high-end Apple device at that. – Luc May 10 '17 at 08:01
2

Yes, you are missing the obvious recommendation of having an airgapped laptop OR smartphone with Internet traffic turned off purely for password management and other sensitive tasks. While this is slightly more paranoid than usually warranted, it may be moving the goalposts far enough to convince some people to use password managers.

While you are at it, you can definitely remind the family member/friend to check her/his laptop/phone for trojans. After all, it makes no sense to install a password manager atop a keylogger.

  • 16
    I'm not sure that moving the goalpost further out will convince many people to make a step in the desired direction. – Emil May 08 '17 at 09:26
  • A password manager does have its uses when a keylogger is installed. If my laptop would have a trojan, and I generated a password in Lastpass, I don't type it. LP generates it, and pasts it into the password field. With LP I generated a unique password for each site, so even if it could copy one password and the trojan copies that, it would only be useful for one site. Maybe there are other ways of copying passwords, but then the trojan has to cover for that. I don't know much about trojans, which can do all that. – SPRBRN May 08 '17 at 11:43
  • 2
    The only way an offline phone would work as password manager is with something like bi-directional QR-code scanning. My generated passwords are +60 random characters. How are you going to type that? On rare occasions I have to do this, but it is not suited for daily use. – SPRBRN May 08 '17 at 11:50
  • A dedicated, airgapped device is both too expensive and too unconvenient even for most tech-savvy users, and here we are talking about non-techies. Furthermore, an airgapped device forces you to read your passwords and enter them manually, which can't be done for long, complex passwords, as SPRBRN said. Users would end up switching to very simple passwords, defeating the whole purpose of having a password manager. – Fabio says Reinstate Monica May 08 '17 at 13:42
  • @SPRBRN If you've got a trojan, a password manager isn't going to save you. Even if you don't type it, the data is available to the trojan, you've been pwned. – McKay May 08 '17 at 21:25
  • 2
    *"an airgapped laptop OR smartphone with Internet traffic turned off purely for password management"* - otherwise known as a piece of paper and a pencil. Btw, having to carry around an extra laptop or smartphone is going to convince literally no people to use a password manager. – Jason C May 09 '17 at 12:02
2

I would recommend placing the password manager on a USB stick, because that provides isolation from any potential attacks unless it is plugged in, and does not require the silliness of carrying around an air-gapped laptop with its NIC disabled.

DeepS1X
  • 321
  • 1
  • 5
  • Whenever it is plugged in, malware-infected computers that look for password databases will be able to steal it and capture the password/passphrase needed to decrypt it. And air-gapped computer with its NIC disabled would be much safer than a USB stick... but of course the former is not recommendable for an average user. Personally, I'm still looking for a Raspberry Pi-sized password manager where I type the unlock key directly into the device (not into the computer) and which acts as a USB keyboard to enter passwords -- basically that mobile airgapped computer. If you know any, let me know! – Luc May 10 '17 at 07:56
0

As suggested by others, there are good programs out there that can run on multiple devices. I strongly recommend Norton Identity Safe. It is free and easy to use. It has a web interface, a Windows application, and apps for IOS and Android. They do have a Password Generator on their site, but not in the app.

  • 3
    Their lack of 2FA and [two passwords](https://identitysafe.norton.com/faq) requirement is a big downer. – Martheen May 08 '17 at 03:52
  • Ah, I'm seeing some different interpretations of *2-step verification*, which Google considers to be synonymous with *2-factor authentication*. I do think [this write-up](https://www.securenvoy.com/two-factor-authentication/what-is-2fa.shtm) gives a thoughtful distinction of these terms, but they also say the 2nd factor can be "a piece of information that only the user knows". So if you do not interpret that as a distinct factor, as Norton did, then you might make it yet another password. But if the 2nd factor was something that only you owned and of a distinct nature, that seems more secure. – Spencer Williams May 08 '17 at 13:26
  • 4
    Having 2, or 100 passwords just to open the vault isn't a plus because attackers can just keylog them and we won't know about it. 2FA makes it harder for the attackers to actually gain access without more obvious manouver like stealing the token – Martheen May 08 '17 at 13:30
  • Oh man, that does make total sense. Yes, then I guess that second step is really not too unlike the first. I'm almost compelled to petition them to use OAuth to start or something, like requiring the user to associate another online account (social media, email, etc.), but it is a legitimate question to ask why their army of PhD wielding computer scientists have not considered this point. – Spencer Williams May 08 '17 at 13:41