7

The benefits of a password manager are clear. Still, it seems that there might be a case to keep at least some passwords out of it:

  • Your primary e-mail, to minimize the "single point of attack" problem, as well as potential two-factor authentication lock-out problems;
  • Your bank account(s) and accounts with financial information, to avoid terms-and-conditions violation;
  • Access codes to physical hardware.

This answer suggests that such accounts should be picked based on (a) level of vulnerability in case of account compromise and (b) level of trust in a password manager.. If all excluded accounts are protected with two-factor authentication and passwords at least as strong as the one protecting the password manager, however, wouldn't exclusion be useful for risk disaggregation as well?

Is there a different trade-off than risk aggregation vs. convenience?

  • 1
    If the terms on your bank account say you cannot write the password down, then using a password manager which stores an encrypted copy of the password could be considered a violation. But if the password manager instead generate the password by hashing master password along with some site-specific data in order to generate a password, then using the password manager would not be violating the terms. – kasperd May 08 '15 at 21:32

3 Answers3

12

The vast reduction in risk you enjoy simply by using a password manager (no password reuse, stronger passwords, phishing resistance, etc.) dramatically outweighs any minuscule additional risk of keeping your email password in the same vault. That is, assuming you protect the password vault with a strong password.

Additionally, those accounts are the ones I try to most protect, and a password manager makes it easier to do so. The password for my email account and banking accounts are the strongest I can make them, and I rotate them somewhat regularly. There's no way I could remember four or more 50+ character passwords that are rotated two to four times a year.

Stephen Touset
  • 5,774
  • 1
  • 23
  • 38
  • 1
    Your points are well-taken, but there is a case where this fails: You use LastPass with Google Authenticator 2FA and your laptop (trusted access) + cell (2FA generator) are stolen. The way to deactivate LastPass 2FA is via e-mail - but if your strong password is unknown to you, there is no way to do that. This results in a loss of account control, with no intentional breach on an attacker's part. – Simon Podhajsky May 09 '15 at 21:57
  • 1
    This sort of scenario is precisely why you should *always have backups*. That said, Google allows you to print out recovery codes that can be used in this type of event. Additionally, you can link your cell phone number (which you can use once you've acquired a new phone) to use to recover you account as well. – Stephen Touset May 11 '15 at 06:29
5

I'm going to disagree with your premise that it makes sense to keep some passwords out of a (secure and non-proprietary) password manager.

While it might seem like some passwords might make sense outside of it I think those might be limited to two types:

  1. A full-disk encryption key on a device which contains your password manager itself. This is mostly because you'll need that password to get into the password manager itself. For generating this password use something secure and random like a 7-9 word diceware password.

  2. The password to the password manager itself. Only because it is irrelevant to do so, not for any security purpose.

I'll also respond to your proposals:

  1. Primary e-mail: If you're password manager is compromised you are most likely already screwed on the email login. Assuming a route of attack that let someone into your password database (keylogger, screen capture, whatever) you already have a significant vulnerability that almost definitely includes access to your email password. Why not just include your email password(s) for security purposes? On the note of two-factor auth problems it might just make sense to use another diceware password for your email so you have it memorized too. The cost benefit favors keeping your password in a secure database strongly.

  2. Bank Accounts - Any bank that isn't stuck with its head in the sand should LOVE that you are using a password manager. Financial data should always be protected by randomized keys. I'm not sure what terms violations you would run if you did this. Especially if these are your personal accounts we're talking about. If they are other accounts with financial information that isn't yours I'd say you have an ethical (if not legal) obligation to protect the data as well as you can. This means using random generated passwords from a password database.

  3. Access codes to physical hardware. While I understand the idea behind this, if you actually have to deal with physical hardware a lot and want secure codes you also want a secure method of storing the codes and making them strong. If you resort to using bad codes or the same mildly good code everywhere you'll end up doing more harm than good. If you need to, get a netbook or secure phone and put the password database on there.

You ask: "Is there a different trade-off than risk aggregation vs. convenience?"

I would encourage you to think of password managers less as convenience and more as tools to maintain good security. Breached password managers would indeed be a problem, but the problems they prevent are quite substantial and the likelihood of their failure with proper setup are minimal.

Fernando
  • 715
  • 5
  • 17
  • Thank you for the diceware suggestion - somehow, I have not heard of it until now. Indeed, remembering a complex passphrase for mission-critical accounts while keeping it in a password manager seems like a good compromise. – Simon Podhajsky May 09 '15 at 22:12
2

Why not just store all passwords in a password manager but don't store the whole password? Make it so that, on their own, compromised passwords are useless. You do this by just remembering a prefix, suffix, infix, or combination of the three. I think of my password list as just the random salt for my single password which stays in my mental password manager.

bob
  • 21
  • 1
  • This doesn't answer the question that was asked. – Mark May 09 '15 at 02:55
  • @Mark although the answer doesn't address the question head-on, it does address the underlying problem expressed. "Store all passwords, but obfuscate." It might not be the best answer, but it is a valid approach to deal with the problem. – schroeder May 09 '15 at 16:29