6

Let’s say I use a password manager (like 1Password) on all my devices. In my personal opinion it makes sense to have some passwords in your head (you could still have them in the password manager, and they should be unique).

One example is the Apple ID Password or Google Account, whatever mobile you are using: Say your mobile gets stolen and you want to wipe/track it as soon as possible. If you know your Apple ID password, you can ask anyone around, log into your id on their phone and wipe your stolen device.

Are there other passwords which it makes sense to remember for certain situations?

I have read this question, but that asks if you should leave certain passwords out of your password manager, which is not what I’m asking.

theomega
  • 161
  • 2

1 Answers1

3

I think it depends on your threat model, how you use your devices, what services you need to use, and some other details. Personally I would not enter my passwords on someone else's device (a stranger on the street?), so I would not do what you suggested in case my phone was stolen. I'd just hope my screen lock prevented the thief from accessing anything, at least until I got home on my computer to track or lock the device. If my screen was not locked, well, uhm, let's say my mitigation of this threat is still in progress.

Anyway, here's a list of passwords that I think should be remembered in general:

  • Password for the password manager (master password)
  • Password for full disk encryption of your computer
  • Passwords for full disk encryption of your backups (external HDDs, USB sticks, etc.)
  • Password for logging in or unlocking the screen of your computer
  • Password to unlock the screen of your phone
  • Passwords to access the most important services (at least your main email account from which you could reset the passwords of most of the other services)

Note that most of the above passwords won't be difficult to remember, because you are forced to use them every day (to unlock the phone, boot your computer, etc). Also, if you use an online password manager, you don't really need to worry about remembering the passwords for your backups, because if your computer blows up you can always log in to your password manager from anywhere and retrieve the passwords. But in my case, since I use a local password manager, if my computer blows up I'll have to rely on my backups and be able to access them.

So as you can see, it depends. If your threat model requires you to be able to access a certain service quickly without using your password manager, then yes, consider learning that password (or change it to a passphrase you can learn and remember more easily).

reed
  • 15,538
  • 6
  • 44
  • 65
  • Nice answer! Would you say that your disk encryption password for your computer and backup disks could be the same? And for your computer's lock screen? That should make it a lot more practical to follow this advice with strong passwords, but of course the risk increases somewhat. I wonder whether it's worth it... – Luc Jan 09 '19 at 23:41
  • @Luc, I think you can use the same password for disk encryption and also for all the backups (that's what I do), provided that 1) the data to protect is the same (so there aren't problems with confidentiality) and 2) the backups are kept in different places that are unlikely to be accessed by an attacker (this is needed to guarantee the integrity). The password for unlocking the screen should be different IMO because you will type it very often, and so there are more chances it could be stolen (shoulder surfing, malware, etc.) – reed Jan 10 '19 at 21:46