I only need to store passwords for personal use, no classified info here. I have a poor memory and I prefer not to record numerous passwords as that creates a security risk itself. I don't want to use any kind of IT-based protection / storage system. If necessary, I could come up with say 4 passwords, assign one of those to each of my many logins, and create a document (in Evernote so I always have it with me) listing the logins and providing a clue (decipherable only by me) for which password applies to each. Anything wrong with doing that? I realise Evernote is probably not secure but no one will be able to decipher my clues.
Does it really matter if I use the same password for all my most important sites, including banking?
3 Answers
If, as you say, your password storage is decipherable only by you, I'd say it is good-enough encryption for you - in the sense that it serves the purpose.
However, using unique, complex and long passwords is not only for the purpose of someone stealing them from you. Your strategy works only if you reconcile yourself to risks like these:
- One of the websites you use is hacked - and they crack your password due to a weakness in their password storage scheme (or a weakness in your password).
- The hackers then attempt reusing this password on other sites and succeed.
I don't know why you're reluctant to use password managers. As Troy Hunt says, "Password Managers don't have to be perfect, they just have to be better than not having one".
As an Infosec pro, I'm paranoid and skeptical (I don't easily trust even reputed vendors). I use an open source password manager, KeePassX. I try to stay aware of the residual risks, compensate with "constant vigilance" (thank you, Alastor Moody) where possible and accept the risks where it's not.
Of course, your needs might be different.

Major leaks of passwords or login-data, intended or not intended, like "Cloudbleed" earlier this year can and will repeat anytime. You shouldn't re-use your passwords. Period. You can store them in an encrypted folder on your smartphone and/or PC, if you don't like to use password-managers (I don't "trust" them either, as they are also vulnerable to incidents like "Cloudbleed").
It doesn't really matter whether your password is extremely secure, or not. Passwords from major sites or services will continue to be leaked, stolen or sold. That happens all the time.

- A number of password managers are not vulnerable to "Cloudbleed"-like weaknesses. I know most about Lastpass and it is the one I use myself. The server in Lastpass never sees your decrypted passwords as all the encryption/decryption occurs on the client. The master password is never sent to the server either, only a hash of the password is sent. This hash is enough to login, but not enough to read any of your secure notes or passwords. So nothing sensitive goes across the wire. Please note I have no connection to Lastpass other than as a customer. – David Waters Jun 04 '17 at 07:06
- @DavidWaters yes it is vulnerable to issues like Cloudbleed, because users create an account (including master password and security question) on the website. – Martin Fürholz Jun 04 '17 at 07:46
- Hi Martin, no, Lastpass is never sent your master password, it is hashed on the client side before being sent. Lastpass also does not use any security questions. There is an optional password hint which is transmitted to the server. Please read the "Was my master password exposed?" section from https://blog.lastpass.com/2015/06/lastpass-security-notice.html/ – David Waters Jun 05 '17 at 03:08
- @DavidWaters look at that page: https://lastpass.com/create_account.php where users create their accounts. The password is sent via a simple POST over https. Also the page you linked is from 2015. I suggest you take a moment to look at what https://en.wikipedia.org/wiki/Cloudbleed is, and what it means. Because in an incident similar to that, it doesn't matter whether Lastpass stores the master password, it would be enough to simply **receive** it via a POST request, like the one on the account-creation page. But that's getting far off-topic. The point is: never use the same password twice. – Martin Fürholz Jun 05 '17 at 04:36
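The two commenters above are arguing about the same design question: what does the client actually put on the wire, and is it enough to recover the vault? The following is an added illustration of the client-side key-separation scheme David describes (vault key derived locally, a one-way authentication hash sent to the server), written for this answer and not taken from LastPass or any other product; the iteration counts, the e-mail salt, the `auth=`/`password=` form fields and the sample credentials are all assumptions made up for the example. It also models Martin's point by showing what a leak of TLS-terminated plaintext would expose if the client posted the raw master password instead of the derived hash.

```python
import hashlib
import hmac
import secrets

# Iteration counts are assumptions chosen for this illustration; a real product
# tunes them for its own threat model, and none of these are a vendor's values.
VAULT_KDF_ITERATIONS = 100_000
AUTH_KDF_ITERATIONS = 1
SERVER_KDF_ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: the key that encrypts the vault, stretched from the master
    password and salted with the normalised account e-mail. Never transmitted."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.strip().lower().encode(),
        VAULT_KDF_ITERATIONS)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: a one-way derivative of the vault key used only to log in.
    Capturing it allows a login attempt but cannot be inverted to the vault key."""
    return hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode(), AUTH_KDF_ITERATIONS)


def client_login_material(master_password: str, email: str) -> tuple:
    """Everything the client computes locally: (vault_key kept locally, auth_hash sent)."""
    vault_key = derive_vault_key(master_password, email)
    return vault_key, derive_auth_hash(vault_key, master_password)


def server_register(auth_hash: bytes) -> dict:
    """Server side: store a further salted, stretched hash, so that a database
    dump does not yield the auth hash itself (which would be replayable for login)."""
    salt = secrets.token_bytes(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_KDF_ITERATIONS)
    return {"salt": salt, "hash": stored}


def server_verify(auth_hash: bytes, record: dict) -> bool:
    """Server side: recompute and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], SERVER_KDF_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def request_body_on_the_wire(master_password: str, email: str, client_hashes: bool) -> bytes:
    """The POST body as it would appear in TLS-terminated plaintext (the
    Cloudbleed scenario in the thread). Constructed form encoding, not a real API."""
    if client_hashes:
        _, auth_hash = client_login_material(master_password, email)
        return b"email=" + email.encode() + b"&auth=" + auth_hash.hex().encode()
    return b"email=" + email.encode() + b"&password=" + master_password.encode()


def leak_exposes_secret(master_password: str, email: str, client_hashes: bool) -> dict:
    """Which secrets appear verbatim in the leaked request body."""
    body = request_body_on_the_wire(master_password, email, client_hashes)
    vault_key, _ = client_login_material(master_password, email)
    return {
        "master_password": master_password.encode() in body,
        "vault_key": vault_key in body or vault_key.hex().encode() in body,
    }


if __name__ == "__main__":
    # Constructed sample credentials for the demonstration.
    pw, email = "correct horse battery", "alice@example.com"
    vault_key, auth_hash = client_login_material(pw, email)
    record = server_register(auth_hash)
    print("login ok:", server_verify(auth_hash, record))
    print("raw POST leaks:", leak_exposes_secret(pw, email, client_hashes=False))
    print("hashed POST leaks:", leak_exposes_secret(pw, email, client_hashes=True))
```

The design point is the split: the vault key and the authentication hash are both derived from the master password, but the server only ever receives the second, and only stores a salted hash of that. A plaintext leak of the request then exposes a value usable for a login attempt (which still needs to be rate-limited and ideally backed by 2FA on the server), not the vault key; if the client posted the raw master password instead, as in the `client_hashes=False` branch, the same leak would expose everything.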
If you are really concerned about using password managers, or don't want to for other reasons, then although it seems to go against all the advice given by the infosec community, I'd say use a different password for every site, but write them down on a piece of paper and keep that paper safe somewhere.
For some private individuals this is the sensible approach...
I'm a paranoid infosec professional too, but we need to understand the actual risk here. If you keep a list of passwords on a piece of paper in your house, for example, the risk is that you are burgled (which, depending on your location, may be very unlikely) and that the burglar knows what they have found and then goes on to exploit that before you have a chance to change your passwords.
If you use the same password everywhere because you can't remember different ones and you don't want to use a password manager, then the risk - as others have pointed out - is that someone will compromise one of those passwords online using remote technical exploits and then attempt to reuse it on many more sites.
The risk of password compromise online is, usually, considerably higher than a burglar or other physically present attacker using your piece of paper with passwords written down.
To be extra safe I'd consider locking your piece of paper up safely or at least not keeping it somewhere on display!
If you can use two factor authentication along with this approach - such as Google Authenticator on your mobile phone - to reduce the risk further, then all the better. Most large sites now offer this option and you should use it whichever password approach you take.
So I know that this may get downvotes from some people, but I strongly believe that this is a matter of understanding and dealing with the actual risk. I advise my father to do this because otherwise I know he will use the same simple password everywhere and he is not technically experienced enough to use a password manager. For clients and IT-trained people, and for an organisation's employees where you can enforce policy, a password manager and 2FA are absolutely required.

- Thanks for all the replies! I'll ponder this as I work out which way to handle things. – PADJ Jun 05 '17 at 09:01