7

I'm a firm proponent of using a password manager like Keepass to generate and store secure passwords. I also encourage others to do the same.

But there's always one person who says they'll never use it because it keeps all their passwords in one place, so if an attacker breaks into their Keepass database, they will then have all their passwords.

I've been pointing out that the same thing can happen with their email accounts, and that the attacker can just use the "forgot your password?" option to get all their passwords, but it usually doesn't help, and I'm a bit curious about this myself.

Does anyone have any more in-depth rebuttals to this?

3 Answers

16

In my opinion, there's a long answer to this question, and there's a short one. The short one goes something like this:

Most of the exposures (of usernames and passwords) we see are not targeted attacks against an individual, but they can result in an individual's credentials being exposed. A password manager helps to limit the impact on a single user by allowing them to use different passwords across all websites they access, while minimising the risk that they will forget them.

From my experience, people who oppose the use of a password manager are afraid of a targeted attack against themselves, rather than the opportunistic attacks I described - but they are correct: if someone gets access to their password repository, it's game over.

Now, there's a "right" and a "wrong" way to use password managers. Here are some tips:

  1. Make sure you do your research before choosing which password manager you want to use: you want to ensure that you know where your data is being stored and how it is being encrypted. You also want to make sure you're using a reputable product.
  2. Make sure your master password is sufficiently complex. Whether you choose to use a secure passphrase or a complex password, you want to make sure it is strong enough to protect your database. If somebody guesses your password (or manages to crack it), all of your passwords are exposed.
  3. Never access your password database from a public computer. And, if you have to, change your master password (from a private computer) afterwards. Public computers may have keyloggers, and all kinds of other fun things which may expose your master password. Even worse, if your database is an offline database (e.g. KeePass) you're not actually deleting it from the disk when you send it to the recycle bin.
  4. Make sure that your private computer has adequate anti-virus/malware protection. Same logic as number three: you don't want to give people access to your master password under any circumstances.
  5. Use multi-step authentication whenever possible. Most popular email providers offer this now, and it's a great way to minimise the likelihood of your account being accessed, even if someone does discover your 128 character password.

Lastly, my personal preference is to avoid any "public" online password managers (e.g. LastPass). I don't mind password databases being online (e.g. putting your KeePass database in Dropbox - not that I do this), because this would take a targeted attack for somebody to find your passwords. But, I'm sure attackers would love to get their hands on the database of one of these service providers - for no other reason than to say that they did. From there, it's just a matter of an opportunistic individual getting lucky, and all your passwords become theirs.

James Lambeth
    LastPass does claim that your passwords are encrypted and decrypted locally and the key isn't ever sent to the server so it's probably on the same level as putting an encrypted keychain online. – tangrs May 24 '14 at 03:51
  • 2
    I agree to an extent: it would be the same as everyone uploading their encrypted keychain _to the same place_. That's what worries me: if I was an attacker, and I knew that everyone had uploaded their entire list of passwords (encrypted or not) to one place, I would consider that a very high value target. If I was able to get my hands on that database, I don't need to get _everyone's_ passwords. Just the few who didn't use a strong enough password to encrypt their keychain. – James Lambeth May 31 '14 at 01:11
  • 1
    @tangrs What if a hacker targets the LastPass developer account, and modifies the code to send all passwords to them? Browsers like Chrome update extensions automatically, and silently. What if the LastPass developer was bribed millions of dollars? – Chloe May 27 '15 at 17:01
  • @Chloe that's certainly a risk that should be considered. Personally, I don't use LastPass for this very reason (and prefer to opt for software like 1Password). However, this is beside the point of the question which was asking whether to put all your eggs in one basket. – tangrs May 28 '15 at 00:36
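The scenario in tip 2 of this answer and in James Lambeth's comment above (an attacker steals a pile of encrypted vaults and only needs to crack the ones with weak master passwords) can be shown concretely. The following is an added example, not code from the question, the answers, or KeePass/LastPass. It models a deliberately simplified vault: the master password is stretched with PBKDF2-HMAC-SHA256 and the derived key authenticates a fixed header, which is the same idea as the header HMAC in KDBX 4 files but not that format. The user names, master passwords, wordlist and iteration count are all constructed for the demo; the work factor is far too low for real use so that the run finishes in seconds.

```python
"""Offline dictionary attack against leaked password-manager vaults.

Added example (not from the original page). Simplified vault: PBKDF2-stretched
master password, derived key authenticates a known header. Parameters are
constructed for a fast demo, not for real protection.
"""
import hashlib
import hmac
import os
import time

HEADER = b"example-vault-header-v1"  # constant the attacker is assumed to know
DEMO_ITERATIONS = 20_000             # constructed: low for speed; real vaults use far more


def derive_key(master: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=32)


def lock_vault(master: str, iterations: int = DEMO_ITERATIONS) -> dict:
    """Return the parts of a vault an attacker obtains from a leak.

    The entries themselves would be encrypted under `key`; for cracking only the
    salt, the work factor and the header tag matter, so that is all we keep.
    """
    salt = os.urandom(16)
    key = derive_key(master, salt, iterations)
    tag = hmac.new(key, HEADER, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "tag": tag}


def check_master(vault: dict, candidate: str) -> bool:
    """True if `candidate` reproduces the header tag, i.e. it is the master password."""
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    return hmac.compare_digest(hmac.new(key, HEADER, "sha256").digest(), vault["tag"])


def crack_vault(vault: dict, wordlist):
    """Dictionary attack on one vault: first guess that opens it, else None."""
    for guess in wordlist:
        if check_master(vault, guess):
            return guess
    return None


def crack_leak(leaked: dict, wordlist) -> dict:
    """Run the wordlist against every vault in a leak; map user -> master password or None."""
    return {user: crack_vault(vault, wordlist) for user, vault in leaked.items()}


def seconds_to_exhaust(entropy_bits: float, seconds_per_guess: float) -> float:
    """Expected time to hit a random password of the given entropy (half the keyspace)."""
    return (2 ** entropy_bits / 2) * seconds_per_guess


def measure_guess_cost(iterations: int = DEMO_ITERATIONS) -> float:
    """Wall-clock seconds for one KDF evaluation on this machine (single core)."""
    start = time.perf_counter()
    derive_key("timing-probe", os.urandom(16), iterations)
    return time.perf_counter() - start


# Constructed demo data: three users keep their vaults with the same provider.
DEMO_MASTERS = {
    "alice": "password1",                                # in every cracking wordlist
    "bob": "Summer2014!",                                # "complex" but predictable
    "carol": "giraffe-thermos-pylon-quartz-ember-ladle", # six random words, in no list
}
# Constructed attacker wordlist, a tiny stand-in for a real leaked-password list.
DEMO_WORDLIST = [
    "123456", "password", "qwerty", "letmein", "Summer2014!", "password1",
    "iloveyou", "admin", "welcome", "monkey", "dragon", "Password1",
]


def run_demo() -> dict:
    """Simulate the leak and the attack; returns what the attacker recovered."""
    leaked = {user: lock_vault(pw) for user, pw in DEMO_MASTERS.items()}
    return crack_leak(leaked, DEMO_WORDLIST)


if __name__ == "__main__":
    for user, recovered in run_demo().items():
        print(f"{user:6s} -> {recovered!r}")
    cost = measure_guess_cost()
    # six words from a 7776-word list: 6 * log2(7776) is about 77.5 bits
    years = seconds_to_exhaust(77.5, cost) / 3.15e7
    print(f"KDF cost per guess: {cost * 1e3:.1f} ms; ~{years:.2e} years expected for carol's passphrase")
```

The run recovers alice's and bob's master passwords and nothing for carol: the provider's encryption did its job only for the user whose master password was outside the attacker's guess space. The `seconds_to_exhaust` figure shows the other half of the argument in tip 2: the KDF makes each guess expensive, but it multiplies the cost of a search that is otherwise set entirely by the entropy of the master password.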
2

It depends on the alternative. If the person who argues against KeePass instead remembers dozens of good passphrases, then she's right with her critique. In reality, however, people tend to be lazy and keep reusing the same set of weak passwords. In that case, KeePass is much better, because it at least protects against “blunt” attacks where somebody finds an SQL injection vulnerability and downloads all user data from a website.

Attacking KeePass is somewhat harder. If the database is kept offline, then the attacker needs to actually compromise this particular system. And in that case, it's pretty much game over, anyway. The attacker might as well try to get the passwords as you type them in.

Fleche
1

I agree, all your passwords are in one place, which makes Keepass a single point of failure.

However, most users already have two other single points of failure:

  • Email address - usually all your accounts use the same email address, and if an attacker takes control of your email, they can use the forgotten password process to access all your accounts.
  • Laptop - most users have a main laptop they use to login to all their sites. If an attacker gets a keylogger on this, they can get all your passwords.

If you have multiple email addresses or laptops, then you should probably have multiple Keepass folders.

So, introducing a single point of failure is nothing new, and the benefits of a password manager are significant, so most users will do well to use one.

paj28