I'd describe myself as an average tech-savvy computer user. I have many accounts in forums, shopping sites, etc. where I recycle two moderately strong passwords with small variations. These are accounts where I don't care if anybody gains access to them and that's why I have them saved in the browser's password manager. For example, I don't care if somebody gains access to my Alfa Romeo forum account or my Deal Extreme account because they can't do me any harm.

Now for my internet banking and main email, it's a different story. I use a strong password for my internet banking which I DON'T recycle and don't have it saved in my browser password managers. For banking transactions I use a hardware token. For my gmail I use a two-step verification with another strong password. To me that sounds like a secure enough method where I'm keeping what's important safe and at the same time I'm not clogging my mind with too many passwords or worrying about what the latest security breach in my password manager would be.


  • Just as a side note, I don't recommend advertising your own password behaviours. It's maybe a paranoid view, but you basically just said "If anyone can work out who I am and one of my passwords is stored insecurely, they can take pretty much everything" – Owen Nov 07 '13 at 12:18
  • Only users with more than ONE service. – ThoriumBR Dec 06 '18 at 15:05
  • I can't see a need for a longer answer than the striking comment of @ThoriumBR! – dan Dec 07 '18 at 11:50

The average user should use long random passwords for every site. Passwords should not be repeated, passwords should not follow a discernible pattern. The compromise of any one password (e.g. your Adobe or LinkedIn login) must not be allowed to make it any easier for the attacker to guess your other passwords. These requirements make remembering passwords very nearly impossible. But that's not the primary reason why you should use a password manager.

The primary reason is that it reliably protects you against phishing attacks. A browser-integrated password manager will only fill in a site-specific password if you're actually visiting the correct site. So you won't accidentally type your Paypal.com password into www.paypal.com.us.cgi-bin.webscr.xzy.ru. This is doubly true for average users, who on average rely on the general familiarity of a site to determine whether or not it's legitimate (a terribly ineffective heuristic). Since you don't know your password, you can't type it in. Instead, it will only auto-fill if you're at the authentic site.

Use a browser-integrated password manager, don't get phished. It literally is that simple. Phishing is far more prevalent and serious a threat than password disclosure, anyway.

  • +1 To be fair to the OP, one does have to classify the data you are protecting and to employ the appropriate protections to the classifications. From that standpoint, you can reuse forum passwords _IF_ that's appropriate. On the other hand, the anti-phishing benefits should not be overlooked. – schroeder Nov 06 '13 at 22:16
  • I'm not sure that the user won't just mutter "Stupid broken password manager" as he manually looks up and retypes his credentials into the fake site. What do you mean I've been in the IT industry too long? – scuzzy-delta Nov 06 '13 at 22:19
  • @scuzzy-delta only possible if the user actually *knows* his password. If you're using your password manager correctly, this is not an option. – tylerl Nov 06 '13 at 22:25
  • @tylerl That's not quite true if the password manager is something like KeePass. It'll let you paste (not retype) your password anywhere you like if you ask it to. – Matt Nov 07 '13 at 11:01
  • I always found it incredible how much resistance people put into using a password manager, in particular considering how easy they are to set up and use now and how much they make life simpler. – Stephane Nov 07 '13 at 16:27
  • I really like this answer, I never thought about using an online password manager this way. Can LastPass integrate with the browser in the way described here? – Cory J Nov 08 '13 at 17:34
  • "The compromise of any one password (e.g. your Adobe or LinkedIn login) must not be allowed to make it any easier for the attacker to guess your other passwords." OK but in this case the "other" passwords which are related to the one which is compromised would not be valuable to them. @Stephane I'm considering cost of purchase and the fact that I won't be able to log in from places where my password manager isn't installed. – Vladimir Nov 16 '13 at 19:56
  • @Vladimir Password managers increase user security and are absolutely recommended for the Average User. Your specific usage case is up to you to decide. This site is for answers that are useful to everyone. – tylerl Nov 17 '13 at 02:20
  • Is there any convenient way to synchronize a password manager among multiple computers without inducing leak risks? – Dillinur Apr 28 '15 at 08:15
  • Since you mention phishing attacks, I would go so far as to recommend using a stand-alone password manager over a browser-integrated one. A phishing URL could point to the legitimate site but include XSS in the parameters, which then exfiltrates your credentials as soon as they are auto-filled by your manager. – Fax Jun 25 '19 at 12:38
  • @Fax browser integration is the most important part of your defense against phishing; the browser can't be fooled into pasting the password into a phishing site, it knows which sites own which passwords. Auto-fill and XSS are another issue. You can protect yourself by disabling auto-fill and requiring manual interaction to supply your password. But the strong association between a site and the passwords it owns is not a protection you can safely give up. – tylerl Jun 29 '19 at 16:50
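The site-binding described in this answer and its comments can be modelled in a few lines. The following is an added example, not code from the thread or from any real password manager: it keys a constructed vault by origin, matches the loaded page by registrable domain (a stand-in for the public suffix list, which real managers use in full), so the look-alike host from the answer never receives the Paypal.com credential, and it keeps auto-fill silent until the user interacts, the mitigation tylerl suggests for XSS in URL parameters. `VAULT`, `PUBLIC_SUFFIXES`, the URLs and the credentials are all constructed sample data.

```python
"""Added example (not from the original thread): a minimal model of how a
browser-integrated password manager decides whether to offer a saved
credential, keyed on the origin of the page that is actually loaded."""
from urllib.parse import urlsplit

# Constructed sample vault: the origin (scheme, host) that "owns" each
# credential, which is how browser password managers key their entries.
VAULT = {
    ("https", "www.paypal.com"): ("alice", "correct horse battery staple"),
    ("https", "mail.example.com"): ("alice@example.com", "T4k3-another-one"),
}

# Tiny stand-in for the public suffix list (publicsuffix.org). Real managers
# load the full list so that e.g. "co.uk" counts as a suffix, not a domain.
PUBLIC_SUFFIXES = {"com", "ru", "org", "co.uk"}

# Policy switch matching the comment above: fill only after a user gesture.
AUTOFILL_ON_LOAD = False


def registrable_domain(host):
    """Return the registrable domain (public suffix plus one label) of a
    hostname, e.g. 'paypal.com' for 'www.paypal.com'. Tries the longest
    suffix first so 'co.uk' wins over 'uk'. Returns None for a bare suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def find_credential(page_url):
    """Return the stored (username, password) whose origin matches the page,
    or None. Matching is by scheme plus registrable domain, so a host that
    merely *starts* with 'www.paypal.com' is rejected: its registrable domain
    is whatever sits in front of the real public suffix at the end."""
    parts = urlsplit(page_url)
    if parts.scheme != "https" or not parts.hostname:
        return None  # never offer a credential to a non-TLS page
    page_domain = registrable_domain(parts.hostname)
    if page_domain is None:
        return None
    for (scheme, host), cred in VAULT.items():
        if scheme == parts.scheme and registrable_domain(host) == page_domain:
            return cred
    return None


def offer_fill(page_url, user_gesture=False):
    """What the browser actually hands to the form: the credential only when
    the origin matches AND (policy permitting) the user has asked for it, so a
    script running on the legitimate site cannot harvest it on page load."""
    cred = find_credential(page_url)
    if cred is None:
        return None
    if not AUTOFILL_ON_LOAD and not user_gesture:
        return None  # matched, but wait for the user's click/keystroke
    return cred


if __name__ == "__main__":
    # Constructed URLs: the real site, the look-alike from the answer, and a
    # plain-HTTP copy of the real site.
    for url in (
        "https://www.paypal.com/signin",
        "https://www.paypal.com.us.cgi-bin.webscr.xzy.ru/signin",
        "http://www.paypal.com/signin",
    ):
        print(url, "->", offer_fill(url, user_gesture=True))
```

Run it and the look-alike URL resolves to the registrable domain `xzy.ru`, which owns nothing in the vault, while the genuine origin yields the credential only when `user_gesture` is true.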

There's some interesting thinking going on in Microsoft Research labs that supports your approach. http://research.microsoft.com/apps/pubs/default.aspx?id=227130 for example.

They make the point that not all password secured accounts are equal. They categorise them as:

  • don’t-care accounts (unlocked doors).
  • low-consequence accounts (latched garden doors).
  • medium-consequence accounts (locked front door).
  • high-consequence accounts (bank vault doors).
  • ultra-sensitive accounts (those cool blast doors we like to imagine are at NORAD).

and point out that it is a waste of effort to make the passwords on don't-care accounts as strong as the ones on the high-consequence accounts. If you don't care about an account, why shouldn't you use "password" as the password?

I agree with them, but I still use a password manager and have unique strong passwords for everything for the simple reason that I don't want to spend the time figuring out what value I put on each account. With my password manager, I just crank everything up to strong and forget about it.

So I'd recommend a password manager to the average user, because it is the easiest way to get them to use strong passwords.

  • I love the highly sadistic classification in 5 levels of accounts. I hope this was a joke and not for real working humans. – dan Dec 07 '18 at 11:56

Can I give you an example of how I could exploit you?

One of the forums (lowest hanging fruits) gets its user details leaked, I now have your name, email address, password and can possibly work out some of your browsing habits.

Let's assume I don't have your password in plain text, so I send you an email telling you that your account has been compromised, please go to ALFAR0ME0F0RUM.COM which serves you the "change your password" page as you expect. You put in a variant of your normal password, I now have a variant of your normal password in plain text. I can now easily crack your original password, I now have 2 of your recycled passwords.

Now let's assume that you used a non-main email account for AlfaRomeoForum.com which uses the recycled passwords. Now I can see every service you signed up for with that email address and can guess the passwords.

You bought something using this email address, I now know what you bought and when.

Ooh look, here is a service that has your main email address on it (I'm logged in and it is username/password and you have changed the email address at some point).

I can now phone you up and ask you some security questions due to there being an issue with your order. You set the account up long enough ago that you can't remember that there were no security questions asked when setting up that shop's account.

Let's assume you have an iPhone, I can now phone them up for a temp iCloud password, I can answer the security questions because you have told them to me. I now have access to your iMessage which is also your text messages.

I ask for a password reset from your main email provider which needs a PIN that is sent to your phone by SMS. I now have access to your email and can root through that as I did the other.

I can't currently think of how to compromise your bank account, but can you now see how a single hole in security can open everything up? Even if you used your main email for the original account that was compromised, I could still have gone hunting for your accounts, it's just they would have been harder to find.

If you think that people wouldn't do this, see here

Others have pointed out the benefits for security, I'll just focus on the convenience and inconvenience.

If you use your password manager for everything like I do, save for places where the manager is inaccessible, you become conditioned to use its convenience.

Different sites have different policies, and so it isn't even possible to leave the door unlocked sometimes, you have to capitalize the first letter, or whatever quick derivation of your use-everywhere-password.

There are plenty of times where I couldn't remember if I had used the wrong password or if I needed to capitalize something or if I was using the wrong username or email.

The better password managers remember this stuff for you even if you clear your browser cache. This has the added security benefit of defeating phishing attempts when you use the plugins that register your credentials to a domain, like LastPass does.

It isn't always as convenient as when using a desktop browser however, LastPass for iPhone doesn't integrate with Safari, but is itself a browser and can be used to copy the password to clipboard.

To be fair, on the flip side, if you don't know what your passwords are and you don't have access to your manager, you aren't logging into anything.

Yes most password managers prevent you from doing things like putting your password in the wrong site.

The traditional thought of changing passwords on a regular basis really applies to sites where the malicious actor would want to eavesdrop or do things silently with your account. Things like social media sites or email. In those cases it is good to regularly change your password. This makes it more difficult to remember passwords and thus another benefit of a password manager.

From Schneier: "The primary reason to give an authentication credential -- not just a password, but any authentication credential -- an expiration date is to limit the amount of time a lost, stolen, or forged credential can be used by someone else. If a membership card expires after a year, then if someone steals that card he can at most get a year's worth of benefit out of it. After that, it's useless."

Sites that people seem to worry about passwords on the most, like banking or other financial sites, are actually less important to change as frequently. A malicious actor who gets this password will use it, and you will notice (if you do not notice, you have much bigger problems than passwords).

That all being said, yes, password managers are great for average users, but even more important is to remember that passwords are a very insecure form of protecting your data. Monitor your accounts, restrict access to your accounts from locations that are unfamiliar, and monitor your accounts (yes, I will repeat that one again and again).

