11

I've had this difficulty for a while, and I hope to get some feedback or referral to the sites where this problem may be discussed.

Nowadays all of us have multiple accounts, both personal and work-related (logins to websites or applications at work, logins to personal computers and mobile devices, etc.). I personally have more than 50 different accounts. In addition, some of those resources require changing the password every month or so, and some of them require that the next password does not have the same combination of symbols as the previous one and that it has both capital letters and numbers and other symbols, well, you know...

How do you come up with so many different passwords that have different combinations of symbols and how do you remember all of them?

I feel that it is incorrect to record work-related passwords on personal mobile devices or in cloud storage. It is also prohibited by company policies. I also prefer not to record the passwords to the sites where I can manage personal finances or taxes.

Next, some passwords may be restored using the email that was used for registration. Some passwords may be restored using the phone number that was used for registration. How do you manage that? Do you record or memorize the correspondence between the emails and the sites/resources, and also logins? Do you use separate emails for money-related issues?

Are there any interesting articles on the topic? What is the correct way of working with this much complexity? Is there a know-how? Was there an idea that the creators of this system had in mind? How can all this be secure if we end up recording all these passwords?

schroeder
MindYB
  • Have you considered a [password manager](https://en.wikipedia.org/wiki/Password_manager)? There are many out there. They will store passwords (usually safely), have utilities to generate random passwords, some handle password changes automatically, etc... If you have discarded password managers, you may want to explain why. – Marc Jul 08 '20 at 12:03
  • I use multiple devices. In the work environment I have no way to access cloud storage, so the only way to access passwords would be using my phone, but I'm not sure it's secure, considering the fact that the phone can be lost or left somewhere. Besides, password managers are software that is written by someone else. How can I be sure that it is safe when, let's say, money or valuable data is at stake? – MindYB Jul 08 '20 at 12:07
  • Decent password managers will have multiple login and access options including multi-factor auth, short session lifetimes, etc... Some also have offline access (of course, only for the set of passwords that it knows from the last time you logged in). – Marc Jul 08 '20 at 12:10
  • Oh, I didn't consider the online/offline factor. It complicates it even more. I don't always have a stable internet connection, but I would still like to log in to the software that works locally. So it would have to be software for an Android-based phone with local storage. Doesn't look reliable... – MindYB Jul 08 '20 at 12:14
  • Again, the big name password managers have apps that work offline. I recommend you collect your requirements and check the various existing options. There is nothing you have mentioned so far that cannot be handled by a decent password manager. – Marc Jul 08 '20 at 12:15
  • And how do you know that you can trust the password management software? Is there a testing body that ensures that the specific software is safe? – MindYB Jul 08 '20 at 12:17
  • A lot of people try to find flaws in password managers and many have been found and fixed, so they are definitely not perfect (welcome to the world of security). Whether you decide to entrust your passwords to those systems is entirely up to you. You'll have the same problem with any solution developed by someone else. But I'll remind you that you asked for a recommendation, this is mine (and many others'). – Marc Jul 08 '20 at 12:19
  • The answer is "password manager". If you have concerns about password managers, then that's a different question. And it's pretty easy to look up all these individual questions and concerns you've raised in the comments. https://security.stackexchange.com/questions/45170/how-safe-are-password-managers-like-lastpass – schroeder Jul 08 '20 at 12:52
  • I count 9 different questions, some of which are off-topic. Maybe splitting this question into separate ones may help to get more precise answers regarding all your concerns. – sox with Monica Jul 09 '20 at 14:21

3 Answers

41

Password managers are the accepted and recommended solution to this problem:

NCSC (UK):
https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers

CERT (US):
https://us-cert.cisa.gov/ncas/tips/ST04-002

ENISA (EU):
https://www.enisa.europa.eu/news/enisa-news/tips-for-secure-user-authentication

NISC (Japan):
https://www.nisc.go.jp/security-site/campaign/files/aj-sec/handbook-all_eng.pdf

NIST (Standards body):
https://pages.nist.gov/800-63-3/sp800-63b.html

And password managers have been the recommendation of the experts here since the site began 10 years ago.

Here's a list of password managers to get you started. This type of software has been around for about 20 years.

Features:

  • Software may be online and synced between devices, or off-line and only stored locally
  • Some are open-source (so experts can review the program code for problems)
  • All software encrypts the data to prevent password disclosure in case the device it is on is stolen or accessed without authorisation
  • Most (all?) include note-taking functionality to include extra info, like secret questions, etc.
  • Most (all?) will generate random passwords for you
  • All software is tested to some extent by security researchers trying to find weaknesses. The more popular the program is, the more attention it gets from researchers hoping to make the news with a finding.

In practice, you do not need to put 100% of your passwords in one password manager. It can make sense to break up your work passwords and personal passwords into different software and use the software that has the features you need for your work environment. Some work environments provide a commercial password manager to all staff for work passwords. Others have a commercial password manager for IT departments to remember all the passwords for the thousands of systems they administer.

In reality, even a password manager with weaknesses is more secure than trying to generate your own passwords and remember them. A long, random password is the most secure, and your brain can't generate or remember those.

Writing them down is another option to consider, but that suffers from a lack of encryption and a lack of backup.

schroeder
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/110417/discussion-on-answer-by-schroeder-safe-storage-for-multiple-passwords-for-multip). – schroeder Jul 09 '20 at 16:08
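The answer above says a long, random password is the most secure and that a manager generates it for you. As an added illustration (not code from the answer or from any password manager), here is what such a generator has to get right under a composition policy like the one in the question: draw from the OS CSPRNG, reject candidates that miss a required class so the accepted passwords stay uniformly distributed, and quantify the entropy. The character classes and symbol set are assumptions for the example.

```python
# Added example (not from the original answer): generate a password that
# satisfies a composition policy like the one described in the question,
# using the OS CSPRNG, and report an entropy upper bound for it.
import math
import secrets
import string

# Policy assumed for illustration: at least one lower, upper, digit, symbol.
# The symbol set is a constructed choice; real policies often restrict it.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-./:=?@_",
}
ALPHABET = "".join(CLASSES.values())  # 26 + 26 + 10 + 15 = 77 characters


def satisfies_policy(password: str) -> bool:
    """True if every required character class appears at least once."""
    return all(any(c in chars for c in password) for chars in CLASSES.values())


def generate_password(length: int = 20) -> str:
    """Draw uniformly from ALPHABET and reject until the policy is met.

    Rejection sampling keeps every accepted password equally likely among
    policy-compliant strings. The common shortcut "pick one character from
    each class, fill the rest, then shuffle" does not: it over-represents
    strings with exactly one character from the rarer classes.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to satisfy the policy")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if satisfies_policy(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy upper bound for a uniformly random string: length * log2(N).

    Conditioning on policy compliance removes a tiny fraction of strings,
    so the true value is marginally lower; for 20 characters over 77
    symbols this is about 125 bits, far beyond what a person can memorise.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{entropy_bits(len(pw)):.1f} bits")
```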
12

Using a password manager is the most obvious solution. There is no reason not to use one. You can have very complex passwords that are different for each website (or other purpose), and you don't have to remember them.

To present a concrete example based on my experience, I use KeepassXC which is a fork of the well-known KeePass software.

Some benefits:

  • free and open-source
  • local storage
  • files portable across platforms

Some of the criteria which are important to me:

  • I don't want to have my passwords stored in the cloud, even if the vendor claims that they cannot be recovered (in theory)
  • I prefer open-source software

I use Linux most of the time but the app works on Windows too. I can simply copy the .kbx database file and start using it on another computer.

There is also a browser plugin available. So you can login to sites with zero keystrokes involved.

The downside: requires some discipline. I have multiple copies of the database file on several machines. So I have to ensure that they are in sync with each other. Or at least, if I make an update on one of them, I have to make sure I will not overwrite a more recent version. If in doubt, look at the last modified date.

I could sync the file in many different ways but so far I have not bothered to do so.

> I feel that it is incorrect to record work-related passwords on personal mobile devices or in cloud storage. It is also prohibited by company policies. I also prefer not to record the passwords to the sites where I can manage personal finances or taxes.

You can use one app but separate database files: one for personal use, one for business, etc. This is indeed good practice.

Kate
  • This reads more like a guide for this specific product rather than general guidance. – schroeder Jul 08 '20 at 15:10
  • @Anonymous, I like the idea of storing several copies locally and synchronizing them manually. This way it is not just one point, so you have another copy in case the information is lost. – MindYB Jul 08 '20 at 15:23
  • Have you thought of using just an encrypted file to store passwords? Let's say a spreadsheet archived with a password? This way you can be sure that only you have this information, and similarly you can copy the encrypted file manually. – MindYB Jul 08 '20 at 15:34
  • @MindYB You could do that, but a real password manager has features to help with both convenience and security, such as copying passwords to the clipboard and then auto-erasing the clipboard after you've pasted the password. I also use KeePassXC and keep my password file synced between my desktop and phone through my personal Nextcloud. – Michael Hampton Jul 08 '20 at 21:01
  • I do not really need a feature for copying passwords; I mostly work on devices without the possibility to install the password manager software. So I will have to type in passwords most of the time from another PC that is next to my working PC or from a portable device. – MindYB Jul 09 '20 at 11:20
  • "There is no reason not to use one." Later: "The downside: ..." That is your reason. More broadly, the major downside of using a password manager is that you will not remember your passwords anymore. This can be annoying when you need to access something from someone else's device. Or very problematic if you manage to lose access to all stored copies of the manager. For an offline one, even if you made backups on other devices, I think that more often than you think all copies might be in, say, the same house at various times. If it burns down, all your passwords will be gone. – Kvothe Jul 09 '20 at 17:46
  • On the other hand, the password manager would protect against some minor mental impairment. I don't know which one is the more likely risk. – Kvothe Jul 09 '20 at 17:47
2

It seems your situation is

  1. You are not allowed to install software on your work computer.
  2. Your work computer does not have a password manager installed.
  3. You are not allowed to store credentials in the cloud.
  4. Your work credentials protect employer (not personal) assets.
  5. Your employer has dictated password policy with elements like mandatory password changes and character requirements.
  6. Your work computer does have a spreadsheet program.

Then I would recommend that you use the spreadsheet to generate and store the credentials.

You can print out copies of the spreadsheet to serve as backup. Considering the mandatory password changes, I would date the spreadsheets. Definitely replace printed backups when you change your password. Securely destroy old printouts. Keep your printouts in a secure location.

Obviously a password manager would be better, but based on the available facts I would have to conclude that your employer does not want you to use a password manager.

emory
  • It is partially correct. I also need to log in from my work PC to some sites that I use at home. An example would be using this community or similar communities; also I may access personal email or financial accounts. So I would want to have access to these passwords (an idea is to type in passwords looking at some portable device, preferably Android). Unfortunately, I do not see reliable solutions for this use-case. For unofficial KeePass Android apps there are reviews that they might crash the database. Other password managers do not have open source. Bitwarden requires e-mail/not anonymous. – MindYB Jul 09 '20 at 13:13
  • @MindYB "Can't store credentials in the cloud" and "Access websites on different machines" are mostly incompatible. This essentially leaves two options: [Stateless password managers](https://security.stackexchange.com/questions/214301/what-are-the-cons-of-stateless-password-generators) and storing passwords on a device you carry everywhere (KeepassXC on phone, hardware-based password manager). I think that both of these options are superior to spreadsheets. – Nathan Merrill Jul 09 '20 at 15:59
  • @NathanMerrill I don't really like storing passwords in a spreadsheet. I just feel it is the best OP can do given the constraints. I implicitly assumed that OP cannot use personal devices, OP's employer has not assigned OP a device with a password manager, and OP cannot install a password manager on any assigned devices. – emory Jul 10 '20 at 01:01