
How can we quantify the trade-off between password aggregation and convenience?

Password managers such as LastPass are convenient, but aggregation of passwords into a common store may reduce security. How do we evaluate the trade-off between convenience and security? How much risk arises from password aggregation? How can we compare convenience and risk?

AviD
nitrl
  • Hi @nitrl - just a note - comparison questions are generally not great on SE and this fact may explain the downvote you received (not from me) **however** I think you have a valid question in the second paragraph. Perhaps you could expand on your needs on this and definitely change the title - then I reckon this would be a great question. As you can see, the line is fine - [this question worked](http://security.stackexchange.com/questions/98/password-management-synchronization?rq=1) for example and it is quite close to yours. – Mar 13 '13 at 10:34
  • LastPass' crypto is pretty weak. – CodesInChaos Mar 13 '13 at 10:38
  • @AntonyVennard Thanks for the tip. It looks like the edits that have been passed reflect your suggestions. – nitrl Mar 13 '13 at 12:30

3 Answers


How much risk arises from password aggregation?

This is a difficult measure to quantify. Certainly, if the cryptography protecting your password store is poor, or in the case of a cloud-based tool their host system security is poor and their storage scheme allows an attacker to recover your password database, then all password data is freely available to the attacker and you have a near-100% compromise of everything stored there.

However, life is not necessarily that straightforward. There are two really important factors to consider:

  • Do you use two-factor authentication mechanisms for your accounts? For example, consider that your Google Mail account has two-factor auth turned on. If its password is leaked, you have a problem certainly, but the attacker requires access to the other factor before they can gain access to the account. This is a defence-in-depth approach to your accounts, which you should use if you can.
  • What is the likely behaviour for yourself or other users if you do not have the convenience of a password manager? With a password manager you have no excuse to use anything but high entropy passwords. However, if you are required to remember all your passwords you will hit upon the human-brain-storage limit pretty quickly and find yourself using correct horse battery staple 1 for everything, adding a different number each time.

    In this case, a password leak may give a persistent nuisance the chance to evaluate how you generate your passwords (badly, most likely. I'm as guilty as the next for this) and therefore probably log in to a great number of accounts.

How do we evaluate the trade-off between convenience and security?

I think I have answered the how above, but I'd like to add an additional consideration into the mix: it depends on what you are storing in your aggregated password safe. Despite the emergence of technologies like OpenID, almost every site wants an email address and password from you - the motivating reason behind this discussion.

That does not mean that all such accounts are created equal - indeed, 99.99% of "stuff" users register for online they don't actually care about one hoot, a statistic I made up just now. So on this basis, such a user would probably be well served splitting their accounts into three types:

  • Those which have direct access to their financial details and can cause considerable financial loss, damage etc - e.g. bank accounts, insurance, etc. I would probably include your email in this category.
  • Those which have access to large quantities of socially-identifying information and direct communication links to your friends, e.g. Facebook, LinkedIn. You might also include in this category accounts which have access to financial information, but need to go through a system such as 3D-secure to authorise payment, as this requires additional non-site-specific authentication.
  • Everything else, especially sites like this one that email you your password in cleartext.

On this basis, you could decide that the risk of storing your most risky stuff in a password manager is too great (and you can expend some of that precious human memory stuff on memorising a difficult to remember password and turning on two factor auth), so you don't do it.

You could then decide which, if any, of the socially identifying sites pose the biggest threat and optionally not include these.

Finally, all the junk sites that seemingly want you to create an account can have a randomly generated password of sufficient length.

Evaluating password managers themselves is a much more difficult proposition. I'd fit them into two categories:

  • Desktop. This benefits from the security advantage of being (mostly) not directly available all of the time, which also adds to the inconvenience. You may be able to evaluate the cryptographic on-disk algorithms used, but above all else, like any encrypted data, unless you protect the physical target and ensure the virtual target is malware-free, you put your data at risk.

    In addition, in a desktop-based solution it would be possible to harvest the entire database, something that is not so easy from a secure cloud based solution.

  • Cloud. These are less easy to evaluate as they are typically harder to reverse engineer. You do not have access to, or knowledge of, the underlying algorithms, transport mechanisms, etc. However, these facilities are convenient. On the upside, a leak (however small) would put any cloud password management company permanently out of business, so they do have an incentive to stay well ahead of the curve.

As I say, cloud-based service evaluation is a hard one to do and each type of manager has its advantages and disadvantages. This really boils down to deciding what risks you wish to accept and the level of convenience you desire.

Hopefully, however, this is food for thought.

  • Shoot- thanks for the incredibly detailed answer. I had actually found myself mentally segregating accounts as you suggested... I think I will settle on something desktop based and open-source, such as KeePass. – nitrl Mar 13 '13 at 12:39
  • @nitrl no problem - I went through the same thought process myself for my own password usage, so this is just a brain dump of exactly how I do it :) – Mar 13 '13 at 12:42
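The second bullet of the answer above (one memorised base such as "correct horse battery staple" with a per-site number, versus independent manager-generated passwords) can be put into numbers. The script below is an added example, not code from the question or from any answer on this page. Its assumptions are labelled in the comments: a 94-character alphabet for generated passwords, 44 bits for the memorised base, and a ten-way numeric suffix; the scenario of thirty accounts with one leaked password is constructed for illustration.

```python
import math
import secrets
import string

# Assumed alphabet for manager-generated passwords: the 94 printable ASCII
# characters excluding space (letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Independent, uniformly random password drawn from the CSPRNG behind `secrets`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def bits_random(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def bits_pattern(base_bits: float, suffix_choices: int) -> float:
    """Entropy of 'memorised base + per-site suffix' while the base is still secret."""
    return base_bits + math.log2(suffix_choices)


def residual_bits_after_leak(scheme: str, *, length: int = 20,
                             base_bits: float = 44.0, suffix_choices: int = 10) -> float:
    """Bits an attacker must still guess for a *different* account once one password leaked.

    manager: every password is independent, so the leak reveals nothing about the rest.
    pattern: the leak exposes the shared base; only the per-site suffix stays unknown.
    The 44-bit base and 10 suffix choices are assumptions for this example.
    """
    if scheme == "manager":
        return bits_random(length)
    if scheme == "pattern":
        return math.log2(suffix_choices)
    raise ValueError(f"unknown scheme: {scheme!r}")


def expected_guesses(bits: float) -> float:
    """Mean number of guesses to hit a uniform secret of `bits` entropy (half the keyspace)."""
    return 2.0 ** (bits - 1)


def leak_report(n_accounts: int, **kw) -> dict:
    """Summarise what one leaked password costs the user under each scheme."""
    report = {}
    for scheme in ("manager", "pattern"):
        residual = residual_bits_after_leak(scheme, **kw)
        report[scheme] = {
            "residual_bits_per_account": residual,
            "expected_guesses_per_account": expected_guesses(residual),
            # Work to walk through every remaining account with the leaked knowledge.
            "guesses_to_open_all_others": (n_accounts - 1) * expected_guesses(residual),
        }
    return report


if __name__ == "__main__":
    # Constructed scenario: 30 accounts, one password leaked from a junk site.
    print("sample manager-generated password:", generate_password())
    print("before any leak, pattern scheme holds about "
          f"{bits_pattern(44.0, 10):.1f} bits per account")
    for scheme, row in leak_report(30).items():
        print(f"{scheme:8s} residual bits={row['residual_bits_per_account']:.1f}  "
              f"guesses/account={row['expected_guesses_per_account']:.3g}  "
              f"guesses for all 29 others={row['guesses_to_open_all_others']:.3g}")
```

The point the numbers make is the one the answer makes in words: before any leak the pattern scheme looks respectable (around 47 bits), but a single leak collapses every other account to a handful of guesses, whereas independently generated passwords keep their full entropy no matter how many of them are exposed. The same model can be extended with a second factor by treating a password guess as necessary but not sufficient for the accounts that have one.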

IMHO, it's a question of trust. Cloud-based services, or 3rd-party services like LastPass, are owned, managed, run, and secured by a 3rd party whose code and processes you cannot audit. Local application installations, like KeePass, can either be open-source or commercial software, for which you may have the full range of insight, from ownership to code auditability (if it is open-sourced), or some subset - but you at least have some auditability.

In addition to the general "trust", I also come from the alien-landing, tin-foil wearing, highly paranoid crowd (having worked with government programs on several occasions) and know that 3rd parties are not bound to inform you when another 3rd party (say the government) is granted legal access to your information via the court system. So I tend to prefer to own my own destiny, trust aside.

Tek Tengu
  • Sounds like we come from similar circles. Would that be an endorsement for an open-source system such as KeePass? – nitrl Mar 13 '13 at 12:24
  • I personally use KeePass, yes. But honestly, I have recently gotten bitten by the two fork/versions, and am reconsidering. – Tek Tengu Mar 13 '13 at 12:31

This is a very simple question, which has no easy answer.

The biggest issue with applications like LastPass is that they are cloud-based, and not only add a new single point of failure, but also add additional risk in case there is a breach of the service provider (as happened to LastPass in May 2011). Though with this extra risk comes a lot of extra convenience.

Other tools, such as KeePass, have a very different attack surface thanks to not having a cloud service. Though users often add extra risk by syncing data files over services like Dropbox.

It's all about trade-offs - like most other things in this field, it's all risk management. You have to determine what risks you are willing to accept.

Adam Caudill