22

Background

Trevor posed a question about the nature and validity of using a password manager, given the current prevailing model of authentication on most web resources.

  • Caveat: this is not the naive question about whether password managers are insecure in general, Trevor knows that question has been asked and answered many times over (it's all about relative risk).
  • Caveat: this is also not the routine question of the relative risk profile between password managers and memorization and manual entry alone. Trevor is familiar with that discussion as well.

Questions

Trevor asked a question which calls into dispute whether password managers are obsolete on the basis of functionality.

If a user can reliably select "I forgot my password" on most web sites, and have a password-reset initiated and a link sent to their e-mail inbox, then isn't their e-mail inbox serving the same functionality of a password manager?

What is the benefit of trying to remember a password, or storing a password in a manager if a user can reliably get a password reset link every time they wish to login to the site ?

Note

This question is not identical to If I include a Forgot Password service, then what's the point of using a password?.

Although similar, this question is intended to uncover what relative advantage (or disadvantage) exists when the use-case is compared to a password manager.

In the other question, the use-case is compared to rote memorization, and does not identify the fact that a password manager may very well be equivalent to simply forgetting passwords and using a one-time login.

dreftymac
  • 371
  • 2
  • 9
  • 1
    That's actually a great question, though you might want to either reframe it to Web-only or extend it to different use cases. I'm tempted to encourage you to think of it as a problem of cost/productivity and a problem of appropriateness. The two discussions slightly differ. Is it cost-effective to reset a password (waiting for the email, loading multiple pages, etc.) or to have it automatically typed? What when passwords must be reset every other month? Then problems of appropriateness arise: do I need to login from places where I don't have my manager, or to share the account? Etc. – Steve Dodier-Lazaro May 01 '15 at 21:28
  • **//Then problems of appropriateness arise: do I need to login from places where I don't have my manager, or to share the account? Etc//** This is exactly one issue that seems to have prompted the question. What if the user has to login from a place where they do not have access to their password manager? It seems reasonable to conclude that access to email may be more plentiful than access to a (non-cloud-based) password manager. – dreftymac May 01 '15 at 21:49
  • 1
    This is a slightly understudied question, yes. There are a few other cases where password storage can be off-putting, e.g. passwords you have to change very often and use on multiple password-storage-capable devices, simply because the device may try to auto-login (since it has a password), and it may be hard to convince it to let you type your new password (yes, I'm thinking of you, Android email client!). Sometimes the hassle of having to do a tiny bit more work to fix the automatic login creates a higher perception of effort than typing the password (because the effort is more rationalised) – Steve Dodier-Lazaro May 01 '15 at 22:00
  • 2
    @dreftmac why should access to email be more plentiful exactly? Perhaps there is a firewall blocking your access. I have a copy of my KeePass on my cell phone, so I can take it with me without worrying about any system constraints. Your password db is also encrypted, some people sync to dropbox or upload to the Internet on a server, etc. – Eric G May 01 '15 at 22:04
  • **//why should access to email be more plentiful exactly?//** that's a good point. It depends on the architecture of the password manager application. The assumption was that people generally have better access to their email inbox since email is ubiquitous. Nevertheless you make a good point that this assumption is not always warranted. – dreftymac May 01 '15 at 22:14
  • 1
    possible duplicate of [If I include a Forgot Password service, then what's the point of using a password?](http://security.stackexchange.com/questions/12828/if-i-include-a-forgot-password-service-then-whats-the-point-of-using-a-passwor) – Mark May 01 '15 at 23:02
  • 1
    If you want to setup a scheme like this on your own website, see: https://hacks.mozilla.org/2014/10/passwordless-authentication-secure-simple-and-fast-to-deploy/ and also http://identity.mozilla.com/post/7616727542/introducing-browserid-a-better-way-to-sign-in, you can also check the comments there which are relevant. – Eric G May 02 '15 at 01:09
  • 6
    Now that you've told us about Trevor, what's your question? – tohster May 02 '15 at 01:42
  • I actually prefer the way StackExchange works...i just click with "log in with google" a wild instant pop up appears and disappear and i'm in ! I only let google remember me and use this on all sites i want...no waiting no writing no links...much better and secure for me – Freedo May 02 '15 at 17:46
  • Have you ever tried to reset the password of a Google account? It's a very long process. – Buge May 03 '15 at 03:47
  • 4
    Who is this Trevor character and why is his experience relevant here? – tylerl May 04 '15 at 01:25

6 Answers6

25

Your argument is contingent upon using a web based service. If you use your password manager for SFTP, encrypted drives, desktop apps, etc. then you don't have a self service reset option.

If we then want to continue the argument only for web apps, here are some issues:

  1. This requires you to use one email address, which may not be practical (work versus personal email should not be commingled) or may not be desired (anonymity concerns, organization, shared email for a club, etc.). If you use multiple email addresses this also reduces the impact of one of them being compromised.

  2. This requires the service provider to require an email address, not all services request or require you to provide an email address.

  3. I am not sure you want to count on reliability of a reset service. This may take significantly longer for the reset email to go through. The service provider may (should) rate limit such requests.

  4. Password resets are not designed for this purpose. A password reset may be part of a comprehensive analysis to put the account on a higher alert for monitoring. The account was just reset, this is unusual, so apply more monitoring and checks because the reset may indicate an account takeover. Password resets are not generally considered the norm.

  5. For a password reset there is often challenge questions, so these still have to be entered each time. This is needed because the email account cannot be known to be secure or isolated to the user. Depending on who you ask, this is sort of combining "something you know" (challenge questions) with "something you have" (the email account).

  6. I would personally rather the attacker had to break into my computer rather then find a flaw in the email providers system, internal networks, etc. I don't really feel like my email on the Internet is secure or private.

  7. Even if this was super fast, in every case and there were no challenge questions, its still tedious, requires switching tabs, etc. You may also get distracted by your other emails, things may accidentally go to SPAM. I use a keyboard shortcut for auto-type, very quick and transparent. My password manager also clears out my clipboard.

At the end of the day, I think I have more control over my desktop password manager, it applies in many more scenarios, and its easier and more reliable.

Eric G
  • 9,701
  • 4
  • 31
  • 59
  • 2
    You might want to add that even if you can reset the password, you still want the new password you enter to be strong/random even if you don't plan on remembering it. I guess the user could just mash keys on his keyboard to give something that is semi-random, but it won't be as good as a good RNG. – Leo May 02 '15 at 00:49
  • 4
    For 7. in my experience, it takes sometimes almost an hour for a password reset email to be sent. Probably not unintentional in some cases. Would people (mis)use this as a passwordmanager replacement, more sites would probably add delays as an incentive. – PlasmaHH May 02 '15 at 09:26
  • Wrt #6, if I abuse the password-reset I will never know my account has been hacked and there will be no reason for the provider to be suspicious either. When the attacker's password stops working, he'll figure my strategy out. – emory May 03 '15 at 13:57
  • 1
    About #5, I find thinking of the email account as "something you have" to be *quite* the stretch. "Something you have" normally refers to some sort of physical token (a key fob/RFID tag, cell phone, card of one-time passwords, ...). Access to an email account is not "something you have" in sense; it is based on "something you know" (the login credentials) which *might in turn* be tied to "something you have" through two-factor authentication or similar but I believe most email providers don't do 2FA. – user May 03 '15 at 14:05
  • @MichaelKjörling there are hard and soft tokens for 2FA. When I need to VPN i type a PIN into an app. You can gain access to an email account without "knowing" anything if they tab or desktop app is left open. If an attacker compromises a system and can read the plain text of the emails on the server, they don't need a password, they just need to have access. Challenge questions are a secondary mitigation against someone gaining unauthorized access to the account whether by knowing the secret or by having physical access, mitm, etc. – Eric G May 03 '15 at 22:58
  • 2
    8. Using password resets introduces a new attack surface to your login creds. Password reset emails can have their own security vulnerabilities in the process of resetting your password. An attacker could use those emails to gain access to your account. You could try to delete them from your inbox and your trash but if doing this for every login you're going to forget some. Plus that would just be annoying. – Paraplastic2 May 08 '15 at 19:44
  • @Paraplastic2 Excellent point +1. Also, if there were flaws in randomness or predictability this could lead to attacks. This gives more active attack possibilities. – Eric G May 09 '15 at 00:39
8

My answer would be no, they are not obsolete. Your scope is too narrow. You are thinking all passwords stored in a password manager can be reset. You do not account for:

  • passwords for operating systems
  • passwords to protect certificates
  • passwords to protect network equipment

These passwords cannot be "reset" with a simple reset link and require more interaction from the user. Therefore your statement is false.

Lucas Kauffman
  • 54,229
  • 17
  • 113
  • 196
  • 1
    **//You are thinking all passwords stored in a password manager can be reset//** Well, if you read closely, the question says "IF" a user can reliably select. The question anticipates that this is not always the case. **//Therefore your statement is false.//** see above. – dreftymac May 01 '15 at 21:22
  • 2
    @dreftymac Your wording leaves room for interpretation. What you seem to be asking, then, is the case where there is a password reset link. – schroeder May 04 '15 at 03:08
4

I believe you are asking the wrong question. The correct question would be, in this day of 100 different accounts by each person (email, forums, websites, etc.) can you remember a different password for each one?

No, you realistically can't. And, with the prevalence of hacks that steal the password database (encrypted or not) from one website or another, reuse of passwords across sites is something that noone should be doing anymore. Ever. If you have an eidetic memory and can remember a different password for every site you visit, then by all means, do away with a password manager.

Don't try to use just 2 or 3 different passwords across all the services online that you use, because you're opening yourself up for a world of pain when one of those sites has crappy security and accidentally gives your password to the latest "Russian hackers". I guarantee they will try that exposed password on every financial institution to see if you reused it somewhere. It happened to me - thankfully I don't reuse passwords but since my username was the same they were able to lock me out of 3 of my financial accounts with failed login attempts.

Tony Maro
  • 271
  • 2
  • 2
  • Most of financial institutions have two-way authentication with SMS and a cell phone number...you should always look for that in high important accounts...also if you do have a strong password that can't be guessed i think you can reuse then with peace of mind – Freedo May 02 '15 at 17:30
  • 3
    @Freedom *"also if you do have a strong password that can't be guessed i think you can reuse then with peace of mind"* No, **just no**. It only takes a single site that stores your password in plain text. – alexia May 03 '15 at 10:30
2

What is the benefit of trying to remember a password, or storing a password in a manager if a user can reliably get a password reset link every time they wish to login to the site ?

This is roughly equivalent to Yahoo's passwordless authentication concept. It really only makes sense in scenarios where you authenticate rarely enough that going through an email loop is less of a hassle than the alternative.

The question of whether a password manager is relevant is completely unrelated, though. It's like asking whether password managers are obsolete now that Kayne West's new album is out. The one just doesn't follow the other.

Password managers make it simple to be significantly more secure online and offer significant protection from phishing. This value is in no way affected by the availability of email-based password resets.

tylerl
  • 82,665
  • 26
  • 149
  • 230
0

You're basically correct that an email account via which you reset your passwords each time you use them is functionally equivalent to a password manager. The only difference in terms of security is the possibility of the email account being compromised vs. the possibility of your password database being compromised.

The main advantage of a password manager is not one of security, it's one of convenience. Even assuming that it's possible to reset your passwords each time they're needed, consider what that usually entails:

  • Answer at least one security question
  • Possibly solve a captcha
  • Wait for the email, sometimes for several minutes
  • Log into the site
  • Enter a new password that satisfies the often silly requirements

Total time: several minutes even if the reset email arrived right away.

Compare this to a password manager:

  • Type one password
  • Copy/paste

Total time: a few seconds.

0

What is the benefit of trying to remember a password, or storing a password in a manager if a user can reliably get a password reset link every time they wish to login to the site ?

Because if you can log into your account with your known password you know that an attacker hasn't changed your password.

Password resets create noise. In logs on the target system (which can sometimes be viewed by the user), and in the mailbox of the user for the password reset email, and ideally an email notification that a password was changed on the account.

An attacker who had access to your mailbox could delete these emails, as well as using the link to change the password and login. However, if you cannot log into the system using your password stored in your password manager it is an indication that your account has been compromised in this manner. If you simply used a password reset link each time you are never going to know this.

Of course it is just a red flag, not a definitive piece of evidence on its own - you should ask the administrators of the service to provide logs of when your password was reset (or look yourself if they have this functionality). You can compare these logs with your own in your password manager to find out when your password was last changed. If you didn't change your password at this time you will know something is amiss.

For this reason, securing access with a password can ensure the integrity of your account.

SilverlightFox
  • 33,698
  • 6
  • 69
  • 185