A password manager a single point of failure. Then why is it so often recommended nowadays?

Question

The conclusion of this article is that to protect passwords in 2017, you need length and randomness. It recommends giving up all little hacks and techniques like turning "o" into 0 in favor of picking a random password.

And on top of that, you'd need dozens of these long random passwords and so you need a password manager like lastpass or keepass.

I just find it a little scary that I'll know none of my own passwords (except the one to the password manager).

Isn't there any other solution? Or perhaps a way to make this a little less daunting.

Answer 1

And on top of that, you'd need dozens of these long random passwords and so you need a password manager like lastpass or keepass.

I just find it a little scary that I'll know none of my own passwords (except the one to the password manager).

Well, it's a trade-off. In exchange for getting strong complex passwords, you give up your knowledge of each password, and you introduce the danger that an attacker who compromises your password manager gains access to all your passwords.

In real world terms, the alternative - humans either choosing weak passwords which they can remember, or the same password for every system, or one weak password that they use for every system - is a worse case scenario.

You don't have to love the right solution. Sometimes the right solution is just the lesser of two evils. (And, frankly, a good password manager has relatively little evil.)

Isn't there any other solution? Or perhaps a way to make this a little less daunting.

Yes - the other solution is the use of OTP with federation. Something like Google Authenticator, where you have a software token which provides rotating passwords, and where the "secret key" used to validate those passwords is owned by one entity who allows multiple systems to leverage it for authentication without giving each system access to that secret key*.

This third option also has upsides and downsides. If not knowing your actual password bothers you, then being reliant on a device to provide you with passwords that are only good for 60 seconds may bother you more. The security of the system is better than the other two for a number of use cases. However, the applicability (e.g., systems you want to use may or may not support it) is worse.

---

*As opposed to, say, RSA SecurID tokens, where the seed file which is the "secret key" needs to be installed on each RSA installation, so either your seed is shared among multiple entities or you have multiple tokens.

Answer 2

I suppose the logical thing is to think of the password manager as a tool, like a car, or a washing machine. I know the theory behind how my car works - there is an engine, which takes in fuel and air, and puts out rotary motion, which drives the wheels around. However, I don't know the details - it's got some kind of electronic fuel injection, that lets it adjust how much fuel is in the engine on every stroke, which seems to be some kind of magic. This doesn't really matter, though, since I know the key function of my car, which is to get be from A to B. I can use it for getting from A to B, without needing to worry about the detailed "how".

In the case of passwords, I know a handful of mine. I can log into my password manager, and into a few other key places with long, memorised passwords - basically, I want to be able to bootstrap access to my accounts without the password manager. I don't know what my Paypal password, to take one example, is. Not the foggiest. It's just a long string of characters. However, just as with the electronic fuel injection on the car, it doesn't matter - I can quite happily get on with what I want to do (log into Paypal) without knowing the detail of how.

The benefit though, is that anyone attacking that account needs to work out something from effectively no knowledge. Doesn't matter if they know my favourite sports teams, TV shows or books. Doesn't matter if they happen to know another password of mine (perhaps they run some other service I use) - there isn't a pattern to spot.

Now, if they manage to break into my password safe, yes, they'd have access to everything. However, I have 2FA enabled for it, so they'd first need to have access to my token generator. It alerts me if there are new logins to it. My email provider alerts me to unusual login behaviour. I get a lot of indications that something is wrong, very soon after they get in. I also have a list of all the places I need to change a password for - the password manager itself. I don't need to worry about forgetting one site.

If you don't like the idea of a cloud service for passwords, which is understandable, you can backup the database file yourself, and remember a DB password, or keep it on a regularly updated drive stored in a safe. You could even print out the passwords and keep them in the safe - for most modern situations, the main method of getting attacked isn't someone sitting at your computer, but someone sitting at their computer, on the other side of the world. They're not likely to be able to get into your safe! (Obviously, if you're talking nation-state attackers, your precautions may be different, but in that case, you've got other things to worry about too.)

Answer 3

Here is a different way to think about it: Passwords only exist for convenience. The only reason I ever need to enter a password, really, is because I don't want to bother going through the "recover password" workflow, which usually requires more steps (e.g. more authentication information and possibly out of band authentication such as a one-time password sent to my phone).

A problem comes up when entering a password is just as inconvenient as going through the password recovery workflow. An example of this is when I have so many passwords I can't remember them. So to make things easier, a password tool can be very helpful.

Don't be afraid of losing your password database, because almost all systems out there allow you to sign on a different way and reset your password.

Answer 4

In the end it is about the entropy and strength of the passwords, that is the inability to predict what your password is and the amount of options your password could be. The best way to create a lot entropy is simply to create a long password that no one can remember.

I am from the 'password managers are cool front' and I would recommend using one. If you are afraid of have a single point of failure: Most password managers allow you to setup ways to recover your data if you forget your passphrase. You could setup a key file instead of a passphrase, or you could setup either one so you could always retrieve your data.

You could also save your recovery info in a secure place, like a actual vault if that makes it less daunting for you. We used to keep recovery CDs for full disk encryption into a physical large vault.

Answer 5

A password manager is a Single Point Of Failure.

I simply do not agree. Or more exactly you should specify how it is a SPOF. As long as I am concerned, I use Keepass on both my Desktop and my mobile phone and I keep both databases in sync. Of course if the developper of Keepass becomes evil and if the program purposely destroys the database starting with a specific date, I will lose. But if I just face a disk crash (I have backups of my data as a supplementary protection) or if my desktop is destroyed or if my phone is stolen I still have a backup solution.

So IMHO, when it is correctly used, a password manager is not a SPOF at least under expected risks. I am the SPOF here, but once I will be dead, I should no longer worry for my passwords...