53

I have always thought that you are not supposed to use a password manager but to keep your passwords in your head, but lately I have thought about the pros and cons of having a password manager.

Some areas might be: password length, key logger prevention, entropy between passwords, accessibility.

(I'm not asking how to create hard but memorable password! It might be a part of the solution but not the whole question.)

Finally, is there any way of combining them: keep a half in the manager and typing the other, to avoid key loggers.

caelyx
  • 310
  • 1
  • 5
KilledKenny
  • 1,662
  • 4
  • 19
  • 28

4 Answers4

46

I wrote this last year on the pro's and cons of password managers:

Pros:

  • Great balance of convenience and security - people tend to choose simple passwords and the reuse the same password (or base) because there are so many of them and you have to enter them so often. With 1Password or Lastpass you can generate a truly strong password (at least for your critical accounts) but still have the convenience of having it auto-filled or at least available written down on your phone. A real benefit is also in things like secret questions, this is commonly a weak point where a really strong password has a 5 letter dictionary word as a secret question answer. You can now generate strong secret question answers also

  • Portability - the problem with using your browsers save password function is that unless you combine it with something like Google or Firefox sync it is not portable. Even then it is currently not available on your phone (at least not the iPhone, not sure whether the Android browser has Google sync)

  • Secure storage - your sensitive information is encrypted in storage and protected by a master password. This is a lot better than just writing it somewhere or storing in a note or unencrypted spreadsheet

  • Not just for passwords - you can store bank details, insurance numbers, credit cards, passport numbers, etc which can save you time entering in these details and provide you secure access to the details on move. You can also store files like scans of your documents or your private keys

  • Improve your memory - on sites I hardly ever use, and government sites with those complicated usernames I can never remember these details. Launch up the iPhone, 1Password and everything to hand with easy search

  • People also add anti-phishing / anti-malware to this list but that one I don't agree with. You still have to enter your master password which malware can capture, if you have it on your phone and enter the password again it can be captured. If you launch websites from the tool I guess it could be anti-phishing but that's the same as typing it in directly or using your bookmarks

Cons:

  • Single point of failure, keys to the kingdom - if you sync your keychain to your phone or have it on your desktop or laptop some could get access to that. If your master password is weak then you lose everything in one go. As far as I'm aware 1Password does not offer a hardware based two factor authentication option for the master password which would reduce the risk of this significantly. Lastpass does offer a using a yubikey as a two factor mechanism but because Lastpass has a web application it can suffer from web application vulnerabilities (e.g. XSS) which could leave your account details and at worst case passwords exposed.

  • Terms and conditions - it is still technically 'writing a password down'. This maybe against the terms and conditions on things like your Internet Banking site. This may reduce or remove any protection you get in case of a fraud. You can always check this and not store the password for these sites

  • Trust in the cloud - it is supposed to be encrypted in storage but if you do synchronize the data some people will never trust that 1Password or Lastpass does not have a backdoor, potentially allowing a malicious or disgruntled employee access. All software has vulnerabilities, again a serious one could allow an attacker access to your data

Another option is to use a password vault stored in a hardware encrypted device like an Ironkey. Versions come with a password manager loaded in. It is a little bit less convenient as you have to attach it to a USB drive and have read access to this but it is definitely more secure. It mitigates some of the risks highlighted above, it is hardware encrypted and only stored on your device. Also if your Ironkey is on your physical key chain you are far less likely to lose it than your phone or laptop. You can also remotely destroy it if you do manage to lose it.

For the online remote destruction you need the enterprise version of the key. The remote destruction is a feature in the management console. When the key is plugged in it, it phones home. If the destruction has been activated, at that stage it becomes unusable and all data is effectively lost (believe by trashing the decryption keys). There is also an offline mode (similar to an iPhone), where you can set it to auto self destruct after 10 failed master password attempts.

Conclusion

Overall I believe the pro's outweigh the cons. If you have no option for two factor authentication then having a strong password is your only defense. Using a password vault just makes this a lot more practical and convenient.

There is no reason why you could not keep half the password in a password manager and remember the rest, it would make it more difficult for a key logger to capture your password, however the trade-off for usability may not be worth it. A better option maybe to use two factor for your really sensitive information and a password manager for the rest

Rakkhi
  • 5,803
  • 1
  • 23
  • 47
  • 1
    +1 This is definitely true - the single point of failure, keys to the kingdom. If you are the sort of person who likes to keep all his eggs in one basket and watch that basket like a hawk, a password manager is probably for you. OTOH, if you are the sort of person who likes to guard against his own ineptitude by keeping his eggs in several poorly secured baskets, avoid password managers. – user1971 May 02 '11 at 15:07
  • 1
    Incident in news today (05-May-2011) highlights this centralised risk point: http://blog.lastpass.com/2011/05/lastpass-security-notification.html – Rakkhi May 05 '11 at 10:00
  • They say Yubikey would protect you, more support to use two factor authentication for master password if you use a password manager – Rakkhi May 05 '11 at 10:01
  • @Rakkhi: Can you clarify how you can remotely destroy the contents of an IronKey? – jrdioko Jul 20 '11 at 21:54
  • @jrdioko added more detail on this. – Rakkhi Jul 21 '11 at 13:41
  • @Rakkhi: Thanks! Didn't check out the enterprise edition. – jrdioko Jul 21 '11 at 17:20
  • for Portability - with Chrome released for iOS, this is now available on iPhone. Passwords are synced across devices, including iPhones. – YetAnotherUser Jul 17 '12 at 15:21
  • Missed a con of Password managers- too easy to change to passwords to a non-password hence forcing you to full reset on the site. – user2617804 Jan 02 '20 at 01:09
7

If someone has rooted your box, then I think they can get your passwords from either method with not too much effort. They will be able to get your password file for the password manager and the password to that file via a keylogger. If you just use remembered passwords, they will collect your passwords over time as you key them in.

If someone has physical access to your machine to install and retrieve a keylogger, then they can log on to your machine if they have physical access for significant time. If they don't have enough time for that, then you would be safer with the password manager as they don't have your password file (only the password to it). If they do have time to get root access to your box and enable remote access to use at their leisure, then you are in the same position as in the first paragraph.

When you think about it like this, there is very little if anything that memorization holds over password managers. And that you and your passwords are hosed if someone nefarious has physical access OR can root your machine remotely. Preventing these two attacks is key.

You first need good physical security to prevent physical attacks. Then you need to prevent remote attacks - implement good network perimeter security, enable a minimum of services and have good security practices for the ones that you have no other choice but to enable. And also practice safe browsing habits, keep your machine regularly updated etc. i.e. the preventative measures that prevent you getting rooted in the first place. And you need to have backups in case you do get rooted. If you do get rooted, then you should assume that you need to change every password whether or not you use a password manager.

About the only thing memorization buys you IMO is perhaps a bit of time before someone logs your important passwords. You sacrifice a lot for this. Memorization is not scalable. The more sites you use (and as the web permeates our lives, need for more usernames and passwords grows), the more things you need passwords for. And they increasingly benefit from being strong. To make them strong requires a lot of effort on the user's part, along with making memorization difficult. Or if you write them down on a sheet of paper, you have the same problem as the password manager, except that it's harder to backup and sync, more conspicuous, easier to misplace, in plain text, etc. And you have to type them in all the time, rather than copy and paste.

At least using a password manager gives you the ability to have very strong and different passwords to every site on the internet you use (which may be many). And also the ability to easily remember the different usernames, along with notes about the specific sites. If you memorize a strong password to your password manager, they have to be able to get your keystrokes somehow to make use of your file, or they need your file to make use of your keystrokes.

user1971
  • 783
  • 6
  • 9
2

Things changed a lot in 10 years. So almost all the answers are outdated in previous post. In these recent years, I definitely use a key manager instead of remember keys for online services. But keep local secrets in a separate way/place. There are 2 major directions that your secrets can be comprised.

  1. From internet. That means the online services you are using have been hacked or forced to reveal your pass.
  2. Your local system has been compromised: malware, physical theft, robbery ...

It is hard to tell which direction is more risky nowadays in general. But I have to say the 2nd risk is far less for a responsible user. A responsible user will not do:

  1. keep secrets on any devices as plaintext.
  2. let others use your own accounts.
  3. forget to keep backup of your secrets in an encrypted way.
  4. use the same password for more than 3 months
  5. disable your firewall and antimalware software for convenience
  6. forget to upgrade security patches for your system ...

If several devices have been obtained by perpetrators. They still cannot unlock anything in a short period of time (several years) since they do not have your master keys. So after this, a responsible user will just change his passwords ASAP (in few days). Then everything back to normal. One would ask, what if we have been forced to give up master pass? Well, in this case, we messed up anyway. They can even force you to transfer your assets directly without bothering to squeeze you for passwords. If you feel that you are always in that risk, there is only one thing you might find helpful: using plausibly deniable encryption.

In other hand, the 1st risk is not what under our control. And this happens a lot in recent years. You cannot really avoid this. The only thing we can do is minimizing the damage. In theory, nobody can remember more than dozens of passwords and keep change them every few months. So if we do not use password manager, it is more likely you have to share similar passphrase across different services. This gives the perpetrators chances to easily get into your other accounts after successfully attacking one service. Therefore the risk here is very high. By using password manager you can generate random characters for password every few weeks. Even you wouldn't be able to guess out your password. So we restricted the lost in just one account. @Rakkhi was worried about multiple copies of keychains on different devices can compromise everything after been physically accessed. This risk is very low in recent years, since we mentioned in the 2nd attack direction. Moreover, you do not even need to keep your keychains on other devices anymore. In idea situation, you only keep your password managers on your master PC at safe location. All other devices can use application/device pass provided by your service provider. The app password is a random passphrase generated by your service provider like MS, google, facebook, etc. These app passwords are saved on your device encrypted by your device unlock/lock mechanism. Normally each device will have different sets of random app passwords. You can revoke those passwords from the webpages of your service providers. So even someone managed to get into your one mobile device, they might gain access for a few minutes, but you can disable the access of that device to your accounts ASAP. If you properly set up your device encryption like finger print or drawings, they won't even be able to access your data in long period as we mentioned in the 2nd risk.

So the conclusion is: you should definitely use password manager on a master device, setup app password for other devices and be a responsible user.

schroeder
  • 125,553
  • 55
  • 289
  • 326
Wang
  • 131
  • 4
0

Rakkhi makes a very good presentation of the pros and cons of password managers. To add to this and to answer your question on whether approaches can be combined, there's an easy way to do so. You can use a password manager to write down complex passwords which would be too hard to remember but add an extra measure of protection by memorizing an easy algorithm to transform your passwords.

One such algorithm is to concatenate part of the service name with your password (some call it salting, but I am not sure if it is appropriate in this case).

As an example, let's say your password manager gives you "Aw!eI10." as your Facebook password, your actual password could be "FB-Aw!eI10." . The cost of such a method on usability is simple (remember to type in your algorithm, then paste your password from your manager) and it might discourage someone who got their hands on your password manager, or at least give you enough time to go reset your passwords if you realize your manager has been compromised.

Bushibytes
  • 454
  • 3
  • 4
  • What does this actually buy you? It might be simpler just to set an auto-lock on your password manager along with one long and strong password you have memorized to prevent other people from having access, if that is what you are concerned about. If someone can determine the strong password to your PM, they have an automated means of determining it. And if they have enough savvy to log keystrokes, they have enough savvy to find a well-used login like FB, search the key log file for that login, examine whatever follows, and crack the elementary code. – user1971 May 02 '11 at 15:01
  • It buys you extra time, at a very low cost. There's not much you can do with a determined attacker, who has physical access to your box and if your box has a key logger. However,suppose that you have lost a usb key (or mobile) with your password manager. Should your manager be forced open, your passwords as-is would not be useful, which would discourage most attackers (who are not specifically targeting you). It also offers mitigation against unlocked managers, but auto-locking your manager is a great suggestion. – Bushibytes May 02 '11 at 15:34
  • Length matters more than complexity. Your 7-8 character password can be cracked in 60s. `2^10 >> 10^2` – Chloe Jan 06 '18 at 02:05