3

If you use the same email and password for every site, one breach and all your accounts are hacked. This is why I like to create a unique password for every site.

This causes a problem since the passwords become more complex and harder to remember. So I want to know what's best, password managers or password generators?

What are the advantages and disadvantages to each of them?

This is what I can think of:

Password generators (such as masterpassword...

  • Data is offline, meaning hackers have to target my computer

  • Generated by using an algorithm. Means they are not stored anywhere

  • If you forget the length of password or mistype it, you cannot recover the password

  • You need to manually enter the password, or copy it to the clipboard which could be accessed by 3rd party apps

Password managers (such as 1password)

  • Syncs across multiple devices

  • Autofill so you don't need to enter password manually or copy it to clipboard. Can also be a disadvantage because if someone else logs into my computer, they can log in to the account.

  • Stored on well known servers. Could be an interesting target for hackers.

What other points are there? I would like to know the advantages and disadvantages of each so I can decide what I think is best.

iProgram

3 Answers

2

Both have pros and cons. IMO there is a main reason to use a password manager instead of a password generator:

  • To store assigned passwords.

In the particular case of Master Key, it can be stored anyway using your master key as an AES key and encrypting the assigned password. The problem with this approach is that as soon as you need to store an assigned password your password generator turns into a hybrid password generator + password manager. Why do you need 2 solutions for the same problem? Even more, if you need this feature then you have the worst of the two worlds.

The other (arguable) reason to use a password manager is usability. In the case of a password manager you just remember your master password and that's it, you can use it. In a password generator (just talking about Master Key specific needs) you need to remember your master password, your name (you shouldn't forget this though), the type of password and the password counter PER APPLICATION! It may not be a problem for a few sites, but as soon as you have 50 applications it can be messy to remember the values for each one.

About password managers, personally I don't like online password managers, I prefer offline ones like Password Safe. The reason: I trust myself more than a server with an unknown process to protect my passwords. Also, an attacker trying to break into my vault will need access to my master password and the vault, instead of just my password (unless using 2FA).

Anyway, all three options are good enough if you understand the risks.

Mr. E
  • Thank you for your detailed reply. So would you say that the main risk of a password manager is if it's online? If so, how likely do you think hackers would be able to get into my account with AES encryption? I ask this because 'Password Safe' is not available for my platform and I would like to sync account information between accounts. – iProgram Dec 06 '16 at 22:04
  • What I say is that offline password managers have the risk of someone obtaining your vault and brute-forcing your password offline. To achieve this the attacker needs to get access to some computer you used to store your vault. In the case of the online password manager you delegate your security to the company that offers you that service and their security systems (something you usually don't know, that's why I don't like it). Password generators have a common risk with online password managers: if someone obtains your account and your password then he can impersonate you – Mr. E Dec 07 '16 at 00:29
  • There is no perfect solution, you should use the one that better fits your needs. All have similar security level, just use the one that is more comfortable to you but try to understand the risks for the one you choose – Mr. E Dec 07 '16 at 00:31
1

A password generator (like masterpassword) has no inherent advantages over a more traditional password manager, and has one disadvantage. The way it works is via a real-time cryptographic operation using a single key, which is similar to traditional password managers. It is not any more or less secure than a database-type manager, because once you need to access a password, it is subject to exactly the same intercept risks as a more traditional password manager. And once you enter the super secret Master Key, it's exactly as subject to theft as the decryption key used by a password manager.

As mentioned, a generator has one significant drawback, and that is it cannot be used as a database to store an arbitrarily assigned password or other security-related data. For example, let's say your employer has a combination lock on a door to the server room. All the admins know and use the same combination. A generator has no way of securely storing that combination. The same problem exists with a shared secret key used to access an HSM. In a secret sharing scheme, each person is given a set of bytes to act as their part of the key. These are not bytes that you can randomly generate; these are generated by the sharing mechanism, and must be kept secure. A generator cannot help you there.

It may interest you to know that online or offline shouldn't really enter the discussion, as long as your database is encrypted with a high quality algorithm. You can keep your encrypted password database on Pastebin and post links to it from Facebook, and it will remain exactly as secure as someone's ability to guess the password. Nobody is breaking AES-256 mathematically today; nobody's even close.

If you use a password generator, assume that your attacker knows your name and at least one URL you visit. After that, the same level of effort of password guessing is required to break a password generator, except the attacker doesn't need a database, he just needs the ability to test passwords against that site.

All vulnerabilities in either system would be at the endpoints, where the passwords are entered to encrypt/decrypt your password manager's database; these vulnerabilities are the same regardless of whether you're running a password generator or password manager.

John Deters
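As an added illustration of the "real-time cryptographic operation using a single key" described in the answer above, and of the name / site / counter inputs Mr. E lists, here is toy generator code written for this page (it is not masterpassword's, Passcal's or any product's actual algorithm; the charset, iteration count and sample inputs are constructed assumptions). The master password and name go through a slow KDF once, each site password is derived on demand from key, site and counter, and a mistyped master password or a forgotten counter yields an unrelated password, which is the unrecoverability risk the question lists.

```python
import hashlib
import hmac

# Constructed parameters for the toy generator (assumptions, not any product's real values).
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*"
KDF_ITERATIONS = 100_000  # PBKDF2 only because it is in the stdlib; prefer scrypt/Argon2


def master_key(master_password: str, full_name: str) -> bytes:
    """Derive the single secret key from the master password, salted with the user's name.

    This is the one slow step: an attacker who already knows the name and a site
    (the answer's assumption) still pays it for every master-password guess.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), full_name.encode(), KDF_ITERATIONS, dklen=32
    )


def site_password(key: bytes, site: str, counter: int, length: int = 20) -> str:
    """Derive a site password on the fly; nothing is written to disk or a server."""
    seed = hmac.new(key, f"{site}\0{counter}".encode(), hashlib.sha256).digest()
    limit = 256 - 256 % len(CHARSET)  # rejection sampling avoids modulo bias
    out, block = [], 0
    while len(out) < length:
        chunk = hmac.new(key, seed + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(CHARSET[b % len(CHARSET)] for b in chunk if b < limit)
        block += 1
    return "".join(out[:length])


def demo() -> dict:
    """Constructed inputs showing the properties the thread discusses."""
    key = master_key("correct horse battery staple", "Alice Example")
    again = master_key("correct horse battery staple", "Alice Example")
    typo = master_key("correct horse battery stapel", "Alice Example")
    return {
        # same master password + name + site + counter always reproduces the password
        "deterministic": site_password(key, "example.com", 1)
        == site_password(again, "example.com", 1),
        # forgetting the per-site counter gives a different, unrecoverable password
        "counter_changes_password": site_password(key, "example.com", 1)
        != site_password(key, "example.com", 2),
        # a typo in the master password gives an unrelated password, with no error
        "typo_unrecoverable": site_password(key, "example.com", 1)
        != site_password(typo, "example.com", 1),
    }


if __name__ == "__main__":
    print(demo())
```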
1

Neither password managers nor password generators: use your own memory, but I know it's hard to manage. If you don't want to keep your passwords locally or on a server you can use Passcal and your memory.

Have a simple keyword structure. E.g. < your pet's name > + < Website address > can be used as keyword structure.
"Jerry" + "Stackexchange" (JerryStackexchange) will give you the following result: TmOA,W7t&!De_&/hHAZxjQK5

Simple enough to remember, strong enough to use as a password.

If you want to update your password regularly you can use:
"Stackexchange" + < Month/Year > or < Quarter/Year > combinations.
(Stackexchange10/2020)

Here are their output results for a single keystroke "a".

Ispas H.
  • This seems like a password generator to me. The problem with this method is that it falls apart if the method of generation is discovered. – multithr3at3d Oct 25 '20 at 23:51
  • Seems like a password generator; they're calling it a calculator. It uses hashing algos to create passwords, so reverse engineering is as hard as cracking SHA-X. Also the password generation process changes every time you create a new user account, as I tested. I tried different accounts with the same name and master password-keyword; the results are different. They advise backing up one file after user account creation. – Ispas H. Oct 26 '20 at 10:03
  • Well, that's not how it works. The hash becomes your password. You don't need to crack the password that Passcal provides. Your username/password combo becomes a seed/salt/whatever for the hash generation algorithm. It becomes a complex password that has a process to be able to 'remember' it. If it becomes known that you have a password pattern and that you use Passcal, you just hope that Passcal peppers the hash uniquely so that it cannot be re-"calculated" on another machine. – schroeder Oct 26 '20 at 12:46
  • Not only username and pass become salt/seed, because the username-password combination is not giving the same password result. Seems they are using another layer for security. Let's assume the password is 2071. To get this result you are using < birthday > + < number of characters in stackexchange > + ( salt added by Passcal ) as keyword structure, < 1991 > + < 30 > + < 50 > = 2071. If you create another account and use the same structure, this time the salt will not be 50 to calculate. And the result will not equal 2071. So the only thing you need to remember is the keyword structure (Birthday + number of chars) and the account file. – Ispas H. Oct 26 '20 at 13:48
  • To re-calculate, they need your keywords + keyword structure + account file + account password. – Ispas H. Oct 26 '20 at 13:50