19

I understand the utility in having one application remember a bunch of long, randomized passwords, but all you'd need is one well-placed phishing scam or a keylogger and they get all the keys to the kingdom.

Has there been any progress in this area? I want to consider using a password manager but feel incredibly uncomfortable with putting all my eggs in one basket. I could theoretically have multiple managers and only remember 3 long passwords or so (try to diversify the risk), but I feel like that only goes so far.

It is frustrating that the best passwords seem to be exactly the ones that you cannot memorize well. Where do I draw the line?

user49637
    If someone has enough access to install a keylogger on your system, you're already hosed. – Stephen Touset Jun 23 '14 at 19:02
  • 2
    Passphrases are very strong passwords and are not difficult to memorize. – martinstoeckli Jun 24 '14 at 08:36
  • 2
    @StephenTouset I feel that that is missing the point of the question. If someone has a keylogger on your system, you are hosed only insofar as the services you login to *on that system* while that keylogger is active. If you are keylogged opening your password manager, and the attacker has access to the database, they have access to services that you *didn't log in to (and might never log in to)* on that system. – Jon Bentley Aug 25 '16 at 11:37
  • @JonBentley, like my geocities account that is no longer active? The photo sharing site (probably defunct) that I only uploaded 2 photos to? The fact that you use the site frequently enough for the keylogger to pick up on it is what proves that it is one of the few sites in your database that is even _worth hacking_. – NH. Nov 28 '17 at 22:38

7 Answers

15

Password managers introduce different risks, they do not eliminate all risks. It is debatable if a password manager is generally more inherently risky than dozens of memorized passwords. Does the risk of a central password outweigh the risks of having dozens of poorly implemented passwords? It might all depend on the implementation.

Password managers automate the process of creating and 'remembering' unique passwords with maximum complexity, and can automate the renewing of passwords on a regular basis. Not only that, but they can highlight the fact that you are not on the login page for the website you think you are on. All these benefits are difficult to pass up, but you need to ensure that your password manager is properly secured.

You are correct in saying that by putting all your eggs in one basket, you run the risk of widespread access. But there are ways to mitigate that risk. For instance, some password managers require 2-factor authentication to access passwords.

"Risky" is always in the eye of the beholder. What is acceptable to one would not be to another. Each person/organization needs to make that determination for themselves.

schroeder
  • Re: automated recreation: Doesn't this also depend on the way the site is built? Sometimes the password-change HTML is different for whatever reason and so the automation would break, would it not? – user49637 Jun 23 '14 at 18:45
  • 1
    The password manager can alert you when a password has reached a time threshold. They do not change the password for you, but tell you when you need to change it (and then create one for you). You still need to click on the 'change my password' link. – schroeder Jun 23 '14 at 18:46
  • Do such services cost much? (in general) – user49637 Jun 23 '14 at 18:47
  • All the password managers that I know of are free. – schroeder Jun 23 '14 at 18:48
  • Is there any reason they might "go out of business" in which case you'd have to reset all your passwords and re-access your accounts via email to make new passwords again? – user49637 Jun 23 '14 at 18:51
  • 1
    A risk you always take. But I have never seen a company simply shut its doors one day without any announcement to extract your data. – schroeder Jun 23 '14 at 18:55
  • 1
    If I may ask, do you use such a service? (i.e. is the risk tradeoff worth it to you?) – user49637 Jun 23 '14 at 18:57
  • 3
    Your concerns seem to revolve around password management as a service provided over the Internet. Most password management applications do not work this way — the software and password database are stored entirely on your own machine (e.g., 1Password, LastPass, KeePass). Combine this with something like Dropbox and you can sync your passwords to any device, without having to worry about a third party going offline and taking your passwords with them. – Stephen Touset Jun 23 '14 at 19:05
  • 1
    LastPass is free for browser plugins but the smartphone access costs a $12 yearly subscription. I use it and when my sub runs out I'll probably just go ahead and buy the 10 year sub. Once you develop the habit, not using one just seems self-destructive. There are lots of managers but the one that is least likely to go under is also the one with the most convenience features. I don't lose sleep at night. I think if all else fails they'll sell to Microsoft or Google and we'll be fine. – Andrew Hoffman Jun 23 '14 at 19:09
  • 1
    @StephenTouset LastPass and 1Password store your passwords in their servers. KeePass creates a local file that you can sync to Dropbox. – schroeder Jun 23 '14 at 20:44
  • 1Password absolutely does not, although you're right about LastPass. That said, @user49637 seems to believe that if a service like LastPass goes down, your passwords go with it. Or that you would ever send your credentials to them in such a way that they could be phished. Neither of those scenarios is the case. – Stephen Touset Jun 23 '14 at 21:51
  • @StephenTouset You are correct about 1Password, it uses Dropbox for syncing. – schroeder Jun 23 '14 at 22:10
3

[Disclosure: I work for AgileBits, the makers of 1Password]

As has been pointed out nicely by others, password managers are subject to different risks. I obviously feel that using a well designed password manager is a good choice.

I want to address the "eggs in one basket" issue that has been raised. Yes, password managers do put all of your eggs in one basket, and so you should look at how well that basket is protected. But let's look at the same security issue (many eggs in a basket) when not using a password manager.

Password reuse is also putting multiple eggs in a basket

Suppose that Molly (one of my dogs) reuses the password 1chaseR4bbits for ten different sites and services. (Molly is not a very bright dog.) By doing so each of those ten sites becomes an egg in the same basket. If her password is discovered, all of her accounts on those sites are compromised.

Now let's look at how well that reuse basket is protected. It is vulnerable to her password being captured in transit, it is vulnerable to phishing, it is vulnerable to a breach of any one of the ten sites and services. Indeed, the bigger the basket (the more sites she reuses the password on) the more vulnerable it is.

Quite simply, password reuse is putting multiple eggs in one very poorly protected basket. A good password manager solves the password reuse problem, and gives you a very solid basket.

Miscellany

You listed phishing attacks as a threat to one's Master Password for a password manager. With 1Password, the app runs completely locally, so there is little scope for a phishing attack. There is potentially scope for some locally running program to try to spoof 1Password. We haven't seen anything like that (yet) and so have not enabled countermeasures. (Anyone remember site-keys? Yuck!)

You mentioned the difficulty of maintaining even a small number of strong, memorable, type-able passwords. About four years ago, I wrote up advice (see Towards Better Master Passwords) on how to do this for the few passwords you do need to remember. It is advice which still holds today (and was picked up by XKCD) and if followed properly remains strong even if attackers know exactly what system you used.

Jeffrey Goldberg
  • Password reuse isn't an inherent problem with traditional password management, so we can't really say that password managers "solve" this problem as such. A traditional user can choose to use different passwords, just as a password manager user can choose to reuse the same password. The real problem is that memorised passwords are going to be relatively weak compared to generated and stored passwords. On the other hand, the "eggs in one basket" that password managers have is inherent. – Jon Bentley Aug 25 '16 at 12:20
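The "reuse basket" argument above, as an added example that is not part of the thread or of 1Password: a small vault audit of the kind a password manager's password-health view performs. The vault entries are constructed; Molly and her password are taken from the answer, the other sites and passwords are invented.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault: three sites share Molly's password, two are unique.
VAULT = [
    {"site": "mail.example", "user": "molly", "password": "1chaseR4bbits"},
    {"site": "forum.example", "user": "molly", "password": "1chaseR4bbits"},
    {"site": "shop.example", "user": "molly", "password": "1chaseR4bbits"},
    {"site": "bank.example", "user": "molly", "password": "tN7#qLz9!wRe2v"},
    {"site": "photos.example", "user": "molly", "password": "Mb4$hYx8&cPo1k"},
]


def _fingerprint(password: str) -> str:
    # Group by a digest so plaintext never reaches a report or a log line.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def reuse_baskets(entries):
    """Map each reused password fingerprint to the sites sharing it (baskets of size > 1)."""
    baskets = defaultdict(list)
    for e in entries:
        baskets[_fingerprint(e["password"])].append(e["site"])
    return {fp: sorted(sites) for fp, sites in baskets.items() if len(sites) > 1}


def exposure_on_breach(entries, breached_site):
    """Other sites whose accounts fall if `breached_site` leaks its password."""
    leaked = {_fingerprint(e["password"]) for e in entries if e["site"] == breached_site}
    return sorted(e["site"] for e in entries
                  if e["site"] != breached_site and _fingerprint(e["password"]) in leaked)


def largest_basket(entries):
    """Size of the biggest reuse basket; 1 means every site has a unique password."""
    sizes = [len(sites) for sites in reuse_baskets(entries).values()]
    return max(sizes, default=1)


if __name__ == "__main__":
    for fp, sites in reuse_baskets(VAULT).items():
        print(f"password {fp}... shared by {len(sites)} sites: {', '.join(sites)}")
    print("breach of forum.example also exposes:", exposure_on_breach(VAULT, "forum.example"))
    print("largest basket:", largest_basket(VAULT))
```

A breach of any one site in a basket exposes every other site in it, which is the point of the answer: the basket a password manager replaces is the one with no protection at all.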
1

Are you mistaking a password manager for OpenID? I don't know how you can phish a password manager master password.

Anyways, my password manager is accessed either by app or by browser plugin, and requires MFA from new devices or anywhere outside of the USA.

I guess it depends as always; if your trusted devices aren't secure, then it's risky.

Password managers, at least LastPass, are extremely useful against phishing because even if you don't catch the bogus domain, it will.

Andrew Hoffman
  • I don't know how all password managers work -- I assume there are managers that hold information online and can be accessed that way, so I figured someone could just send a spoofed email in hopes someone is careless enough to enter in their master pass. – user49637 Jun 23 '14 at 18:31
  • "Password managers, at least lastpass, is extremely useful against phishing cause even if you don't catch the bogus domain, it will." Can you elaborate on this? How does LastPass work here? – user49637 Jun 23 '14 at 18:32
  • You register your logins to domains like stackexchange.com. When you go to login, the plugin recognizes the domain and provides an easy dropdown control to auto-populate the user/pass. Bogus domains won't have that option. – Andrew Hoffman Jun 23 '14 at 18:35
  • 1
    And no you'd never access your password vault from an external link, never never. – Andrew Hoffman Jun 23 '14 at 18:36
  • Just so I understand, let's say I log in to my account on my place-of-employment's website (my corp account), which has its own custom form, etc, whatever. How would I use Lastpass here and how would it be secure? What if I wanted to do it through my Android smartphone? – user49637 Jun 23 '14 at 18:38
  • They have Windows 8/iPhone/Android apps and plugins for every major browser on the desktop. I think they have a YouTube video that shows you how it works. For logins that lack a browser plugin you have to open the app, select the login, copy the password, and paste it into the password field. If it's a trusted device I usually use the 'keep me logged in' or 'remember my password' option on the smartphone browsers. – Andrew Hoffman Jun 23 '14 at 18:44
  • Do you personally use two-factor authentication? – user49637 Jun 23 '14 at 18:45
  • And finally, there's no way for an outsider to know you use LastPass, right? Otherwise they'd have incentive to try to "spoof" your trusted devices and possibly get access that way? Are there any documented cases of LastPass being breached or exploited? – user49637 Jun 23 '14 at 18:46
  • And if you MFA protect it, which is definitely recommended, it doesn't matter if somebody discovers your master-password, the keys to the kingdom are still safe. – Andrew Hoffman Jun 23 '14 at 18:46
  • It doesn't actually matter if someone knows you use LastPass. If anything, it would be the biggest discouragement of all. The only feasible way of compromising your LastPass account is to steal a trusted device that you have previously installed it on and chosen to no longer require MFA. And even then you can't brute-force the LastPass client so they'd have to know your password beforehand. – Andrew Hoffman Jun 23 '14 at 18:50
  • That's always a fear of mine (losing my phone, which would allow someone access to email, and then possibly LastPass if I were using that, etc.) – user49637 Jun 23 '14 at 18:52
  • If you're worried about that, setting devices as trusted is completely optional. You can permanently require MFA on your phone if you'd like, but that's also where I keep my authenticator so it's kind of pointless. – Andrew Hoffman Jun 23 '14 at 18:59
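The domain check described in the comments above, as an added example that is not LastPass's or any other manager's code: the decision a browser plugin makes before it offers to fill a saved login, so that a lookalike domain gets no dropdown. One simplification is assumed and commented in the code: the registrable domain is taken as the last two host labels, whereas a real manager consults the Public Suffix List. The saved entry and test URLs are constructed.

```python
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    # Assumption: the last two labels are the registrable domain. A real manager
    # uses the Public Suffix List so that e.g. example.co.uk is handled correctly.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def should_offer_autofill(saved_url: str, page_url: str) -> bool:
    """True only when page_url belongs to the site the login was saved for."""
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    if not saved.hostname or not page.hostname:
        return False
    # Never hand a password to a plain-HTTP page, even on the right domain.
    if page.scheme != "https":
        return False
    # Refuse punycode (xn--) hosts outright: a homoglyph domain that only looks
    # like the saved one must never match. Real managers compare IDNA forms.
    if any(label.startswith("xn--") for label in page.hostname.split(".")):
        return False
    # urlsplit().hostname already discards userinfo, so a URL such as
    # https://stackexchange.com@evil.example/ is seen as evil.example here.
    return registrable_domain(page.hostname) == registrable_domain(saved.hostname)


SAVED = "https://stackexchange.com/users/login"  # constructed saved vault entry

if __name__ == "__main__":
    for url in [
        "https://security.stackexchange.com/users/login",   # same site: fill
        "https://stackexchange.com.evil.example/users/login",  # prefix trick: no
        "https://stackexchange-login.com/",                 # lookalike name: no
        "https://stackexchange.com@evil.example/",          # userinfo trick: no
        "http://stackexchange.com/users/login",             # no TLS: no
    ]:
        print(should_offer_autofill(SAVED, url), url)
```

The user still has to notice when the dropdown does not appear; the check removes the need to read the address bar correctly, not the need to pay attention.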
1

You are absolutely right that malware is the most significant threat against password managers.

One option to keep your password manager secure is to put it on your phone. At this point in time, your phone is at somewhat less risk from malware than your laptop.

If you're highly security conscious, you could get a second device (iPod touch?) to use only for password management and nothing else. You don't even turn the wireless on, let alone connect it to the internet. In that case the device is at very low risk from malware.

Many password managers have some anti-malware precautions. For example, with 1Password on Windows you can enter your master password at an elevated security prompt. There are also tricks to securely send passwords to applications, such as mixing clipboard and keyboard operations, which can defeat keyloggers. These precautions are not watertight, and you should assume that malware on your laptop means a full compromise, but they do defeat a lot of common malware.

Ultimately, as others have pointed out, whatever approach you take to your passwords has some level of risk. I believe that for most people using a password manager is preferable to using the same password everywhere, which seems to be the other common approach.

paj28
1

The password manager could be a security hole, but only based on its options and how the end-user uses it. The open source password managers I have used and am familiar with all have options that would foil keyloggers, and definitely would not be phishable. If the options were to be tweaked so that the password DB is auto-opened without two-factor authentication, and also so that auto-logins to everything are on all the time, then merely getting physical access to the workstation would give a hacker the keys (or the ability to copy all keys).

Security is and always has been a team sport. Risks and options must be understood with or without any extra software tools.

0

Yes, a password manager is risky but everything you do has risks. Fact is we do need a lot of accounts. So it is wrong to only think what are the risks of doing X. You need to look at your options and choose the option with the risk you like to take.

A typical brain can only remember some passwords. If you don't write your passwords down, you need to use the same password in multiple places or have an easy system to generate passwords for every account. Using the same password again is bad. The systems a human uses to generate are mostly weak because your brain cannot do good crypto. In both cases your passwords won't be very secure.

So we are left with the choice to write passwords down or have weak passwords. I would prefer to write them down.

PiTheNumber
0

Yes, if someone has access to your computer, he has already installed a keylogger on your computer to steal your passwords. First, set a password on your personal computer, then choose a password for your password manager.