Password Managers

Why use a password manager?

In an earlier post, I recommended strong unique passwords for all accounts, which is good advice, but hard to follow.

Today, most people have hundreds of online accounts ranging from old hobby accounts they haven’t signed on to for years to financial accounts that control their life’s savings. Maintaining strong unique passwords on all those accounts can be a nightmare. The worst part is that some of those old accounts may have pitifully weak security. A criminal targeting a weak site could grab your password. If you happen to have reused that password for your savings account, you could fall into a real mess causing substantial loss or embarrassment.

As an aside, rather than manage the passwords of old, unused accounts, it’s easier and safer simply to close the accounts.

My evolving password management systems

Thirty years ago, I kept a list of passwords in a private notebook.

Those were the days when conscientious IT administrators forced new passwords on you every month and ordered you not to write them down. Yeah. Right. My limited memory for random facts has little room for passwords. It was either a notebook or never get any work done.

At that time, I was a contract software engineer at Boeing. Enough time has passed that I can tell you what happened in the epic password battle between the engineers and the IT admins. Programmers find ways around passwords. Not nearly as many ways now as thirty years ago, but given time and motivation, they find ways. The engineers had a workaround for every password in our division of Boeing Computer Services. Maybe there still is. When I moved on to a startup, secret workarounds remained in place.

This is the lesson that NIST took to heart when it relaxed its password guidelines, as I described in my Password Bliss post.

At home, the password notebook for my private desktop was soon cluttered with erased or crossed-out passwords. As I added new accounts, finding them became more and more difficult. I switched to a box of 3×5 cards, which I could keep in alphabetical order, replacing cards as they became illegible with changes. That worked, but the system still took effort and iron discipline to keep current, and, I confess, my stock of iron discipline is smaller than my memory for random facts.

Switching to a manager

Password managers were available, but I resisted using them because I was afraid of putting all my password treasures into one basket vulnerable to a single criminal break in. Many of my colleagues in the software industry agreed, but now, almost all have changed their minds, as have I, because we have concluded that password managers are safer despite being a single point of failure.

Security is always relative. A password manager vendor’s database should be at least as well protected from intrusion as your own system. A well-designed manager encrypts your vault with a key derived from your master password before anything leaves your device, so a thief who breaks into the vendor’s database gets ciphertext that still has to be cracked, one vault at a time. The password manager should easily provide strong unique passwords for all your accounts and offer easy and convenient access to those passwords to you, your designated agents, and no one else. Reputable password managers meet these criteria and, therefore, I am eager to use them.

Nothing is completely secure, but some situations are more secure than others. If you have a system for managing passwords, like my box of 3×5 cards, that you can maintain and keep safe without being tempted to reuse passwords or to create weak passwords and variants for multiple accounts, stick with what you have. But if you succumb to weak and duplicate password temptations, or you find yourself toting your system to libraries or coffee shops where it could be stolen, a password manager is a safer choice.

I made the decision to switch to a password manager about a decade ago.

Free password managers

There’s a saying “if the service is free, you are the product,” which is supposed to be a warning that free services target ads and outright sell information about you. This is true. But paid services do the same thing. Always check the privacy policy of any computing product you use.

The European Union and some of the states have regulations that require vendors to inform users of some forms of information sharing and allow you to opt out. Because identifying where these laws apply is difficult, vendors almost always follow the most stringent regulations and treat all users the same. Paid does not equal private.

Since password managers hold some of your most private data, caution is required. Check their privacy policies and opt out of those you don’t like when you can.

I’m an insider. I’ve sat on corporate product committees that decided to offer free services to the public. In this age of ultracheap data storage and abundant computing capacity, a business can offer free services to entice you to purchase paid services and still rake in fat profits.

Vendors carefully consider offering free products or services. Generally, selling a service is preferable to selling a product because services are recurring revenue sources. The vendor’s goal is a mix of free features that hook the consumer and paid features that entice the user to upgrade to a profitable paid service. The consumer who can get by on the free subset of features wins big, although they must accept that the vendor will court like a lovesick swain to woo free riders to upgrade. And free riders are always subject to the threat that the free services will be curtailed or eliminated at the whim of the vendor.

Therefore, I’ll readily accept free password managers, although I scrutinize the privacy policy of the service and realize that I may be persuaded to upgrade to a paid service after I start using the free service. This is exactly where I sit now. I started with a free manager and upgraded to paid. Also note that I always check the privacy policies of paid services as well as free services.

In a future post, I’ll go into more detail on how to evaluate password manager features.

Password Bliss

Ah, the blissful days on my first programming job. We had no passwords. A cipher lock on the employee entrance was enough security. Those days are as gone as last winter’s snow days in August.

I don’t know anyone who likes passwords. The best I can say for them is that they protect computer systems better than nothing and they are relatively easy to implement. The truth is that password protected systems are breached all the time. Passwords are better than no protection, but that’s all. Breaking into a password protected system is in the league with hot wiring a 1957 Buick.

The end of passwords has been predicted for decades and the computer industry is inching closer, but I don’t see the end of passwords in sight.

Why? Because the alternatives also have flaws and most have high implementation costs. There are no sudden changes on the horizon. Any transition away from passwords will be gradual. The most likely change is more and stiffer nudges toward multi-factor authentication, the two-step process that is already insisted upon in many high-risk systems. Multi-factor authentication, which usually involves your cellphone or email, is annoying but much more difficult to hack than a password alone.

If we are stuck with passwords, we ought to follow practices that increase security and maximize ease of use for users. Fortunately, NIST, the federal standards agency (part of the Department of Commerce) whose Digital Identity Guidelines set the password rules for government systems and are widely copied elsewhere, has noticed that the password policies that annoy users also encourage them to work around the rules, usually in unsafe ways. The most recent recommendations, in NIST Special Publication 800-63B, are actually easier to follow than the old rules.

The old rule was to change passwords frequently. That’s out. When people are forced to change their passwords frequently, they resort to common passwords that are easy to remember, use simple spelling variations to reuse passwords, or write them down in obvious places, all of which make password theft easier, not harder.

The old rule about password complexity (a mixture of letters, numbers, symbols, and upper and lower case) is also out. Password crackers know that “$” substitutes for “s” and zero substitutes for the letter “o” and all the rest; their tools apply those substitutions automatically. A short complex password is not much more difficult to crack than an uncommon but equally short all-lowercase one, because the number of guesses a cracker must make grows far faster with length than with the size of the character set. Passwords over twelve characters that are not built from dictionary words are difficult to crack. Planning and executing a trip to Jupiter probably consumes fewer resources than cracking an eighteen-character password that is not a common phrase.

Therefore, a long nonsense phrase that sticks in your memory is a strong password, unless the phrase is commonly used. A phrase that gets zero hits on a Google search is very safe (search for something like it, not the exact phrase you settle on; search engines keep what you type). When you have a strong password, NIST recommends that you stick with it unless it is compromised in some way. That long password will make you a tough customer to break.
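To put the length-versus-tricks argument in numbers, here is an added example in Python; it is my own illustration for this page, not code from the original post. It undoes the substitutions a cracker’s rule file undoes, checks the result against a tiny constructed word list that stands in for the hundreds of millions of entries in a real breached-password list, and estimates crack time from how a password was generated rather than how it looks. The guess rate of a trillion per second is an assumption, in the range of a GPU rig against a fast hash.

```python
import math
import re

# Constructed stand-in for a breached-password or dictionary list. A real check
# uses hundreds of millions of entries (or a k-anonymity lookup against a breach
# service); these six words are here only so the example runs offline.
COMMON_WORDS = {"password", "summer", "welcome", "letmein", "dragon", "monkey"}

# The substitutions every cracker's rule file tries: "$" for "s", "0" for "o", ...
LEET = str.maketrans({
    "@": "a", "4": "a", "8": "b", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
})

# Assumed guess rate (not from the post): a GPU rig against a fast, unsalted
# hash such as MD5 or NTLM is in this range. A slow hash such as bcrypt or
# Argon2 cuts it by orders of magnitude, which is why the server's choice
# of hash matters as much as your choice of password.
GUESSES_PER_SECOND = 1e12


def normalize(password: str) -> str:
    """Reduce a password to the base word a cracking rule set would recover.

    Trailing digits and symbols ("Summer2019!") are dropped first, then the
    leet substitutions are undone and the result lowercased.
    """
    stripped = re.sub(r"[^A-Za-z]+$", "", password)
    return stripped.translate(LEET).lower()


def is_dictionary_variant(password: str, words=COMMON_WORDS) -> bool:
    """True when the password is a dictionary word dressed up with tricks."""
    return normalize(password) in words


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a password chosen uniformly at random: `length` symbols, each
    from `charset_size` possibilities. Only honest for random generation; a
    human-chosen "P@$$w0rd" is not 8 random symbols from 95, it is one guess."""
    return length * math.log2(charset_size)


def years_to_crack(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Expected years to find the password by exhaustive search: on average the
    attacker tries half the keyspace before hitting it."""
    expected_guesses = 2 ** bits / 2
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


def assess(password: str, charset_size: int, random_choice: bool) -> dict:
    """Rate a password the way this post argues about it: a dictionary variant
    is one guess no matter how it looks; a random one is rated by its length."""
    if is_dictionary_variant(password):
        return {"password": password, "verdict": "dictionary variant", "years": 0.0}
    if not random_choice:
        return {"password": password, "verdict": "human-chosen, not rated", "years": None}
    bits = entropy_bits(charset_size, len(password))
    return {"password": password, "verdict": f"random, {bits:.1f} bits",
            "years": years_to_crack(bits)}


if __name__ == "__main__":
    # Constructed samples. The "random" ones are fixed strings so the demo is
    # reproducible; a real one would come from a generator such as secrets.choice.
    for pw, size, rnd in [
        ("P@$$w0rd", 95, False),            # leet dictionary word
        ("Summer2019!", 95, False),         # dictionary word plus suffix
        ("xk3$Qp9!", 95, True),             # 8 random printable characters
        ("qzvbmwtxlcdkprnghs", 26, True),   # 18 random lowercase letters
    ]:
        print(assess(pw, size, rnd))
```

Run it and the eight-character complex password rates about 52 bits, a few hours at the assumed rate, while the eighteen lowercase letters rate about 85 bits, hundreds of thousands of years. The two dictionary variants rate zero regardless of their symbols.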

The rest of the new guidelines are rules for processing and storing passwords that apply to programmers, not end users.

But there is another catch: credential stuffing, often lumped together with password spraying. (Strictly, spraying is trying one common password against many different accounts; stuffing is trying a password stolen from one of your accounts on every other account you might have.) Hackers know that people tend to use the same password on multiple accounts. As soon as a bad guy gets a password, he tries it, and a hundred variations of it, on all your accounts. Most passwords are not cracked; they are obtained by trickery or from a breach at a careless site. For example, a bogus phone call from a fake IT guy asks for your password and you give it to him without thinking. The hacker then tries the stolen password and its variations on your bank account within seconds. In order to limit the damage from such a mistake, never reuse the same password or an easy variant on different accounts.

Just when you thought the new guidelines made your life easy, it all falls apart when you consider the hundreds of accounts you probably have.

Unless you are prodigiously organized and blessed with the memory of a crossed mother elephant, password managers are the answer: One long, strong, and memorable password for a password manager that generates and stores random passwords for all your accounts. Although they are not perfect, most people are safer with a password manager.

Choosing a password manager is a subject for another post.

Password Hygiene 2018

A year ago, I wrote a short list of rules or suggestions for choosing and managing passwords. I reread it today. The advice is still good, but the urgency has increased, if that is possible. The unfortunate fact is that the criminals have not let up. Law enforcement is still often stymied by cybercriminal assaults. Some assaults are from places where cybercrime laws are lax. When a crime is committed from out-of-state or out-of-country, an extradition is usually required, an expense that local law enforcement agencies often cannot afford. On top of all this, the criminals, both domestic and foreign, are getting better at their “art,” if you can call it that.

There is a bright side. The computing industry is taking security much more seriously in 2018 than they did ten years ago, even three years ago. The current arguments over election hacking, as disheartening as they are, have helped focus the spotlight on computer security. The industry has invested heavily in multi-factor and biometric authentication. Although I have reservations about biometric authentication, I’ve been using Windows 10 facial recognition authentication on my go-to tablet and I have found it convenient, although I still doubt that my device is well protected if I let it slip out of my hands. If I were a high-profile target with precious contents on my device, I would not rely on facial or fingerprint recognition to keep my contents safe.

The big news is the rise of multi-factor authentication, which I wrote about recently. Multi-factor authentication uses more than one kind of verification to authenticate the identity of a user. I will not equivocate: multi-factor authentication is always more secure than relying on a password alone. However, some forms of multi-factor are more secure than others. But multi-factor is always more trouble than simply entering a password or having your face scanned. If you are going to submit to the hassle, and I recommend you do submit when anything important is at stake, then why not choose the most secure alternative?

Verification via a code sent by email or a text message is substantially stronger than a password alone, but both are subject to attacks that are not that difficult: email accounts are phished every day, and a SIM swap at your phone carrier reroutes your text messages to the attacker’s phone. An authentication application on your phone or a physical authentication key like a YubiKey or Google Titan is much more difficult for hackers to circumvent. If I were a high-profile target, I would have a physical key.

Nevertheless, does multi-factor make good password hygiene obsolete? Absolutely not. An easily hacked password is an open door that makes the hacking life easier. And, unfortunately, some sites do not offer multi-factor authentication in any form, so password hygiene is still a necessity.

2018 password hygiene rules

  • Never use a password for more than one site or account. Some of the biggest security breaches in recent years were caused by password reuse.
  • To resist the temptation to reuse or to use easily crackable passwords, consider getting a password manager like LastPass to generate and manage long random passwords. Password managers are a single point of vulnerability. If your password manager is hacked, you are a slice of toast in a shower bath. However, a well-designed and maintained manager is much more secure than a badly managed set of weak passwords.
  • Longer passwords are better. The longer a password is, the harder it is to crack. A random password 15 characters long is still hard to crack today. As computing hardware improves, longer passwords may be needed.
  • Mixing lower case and uppercase letters, numbers, and symbols like !@#$ make cracking harder, but not as much as increasing the length.
  • A long phrase is often strong and easy to remember, but common phrases, even common phrases obfuscated with tricks like replacing “s” with “$” or “o” (letter) with “0” (number), are relatively crackable. Skilled hackers know the tricks as well as you do. Start with a plain phrase that gets no hits on Google and go from there.
  • A long random sequence of mixed lower and upper case, numbers, and symbols is very hard to crack, but also hard to remember. A password manager mitigates this issue.
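What a password manager’s generator does, as the last rule and the Password Bliss post describe, is simple enough to show. This is an added example, not code from LastPass or any other product: it draws from the operating system’s cryptographic random source, never from a seeded general-purpose generator, and reports the entropy of what it produced. The word list is a small constructed stand-in; a real passphrase generator uses a list of several thousand words, such as the EFF diceware lists.

```python
import math
import secrets
import string

# Characters a typical generator offers. A site that forbids some symbols gets
# a reduced alphabet, which costs a little entropy per character, not much.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?"

# Constructed stand-in for a real word list (EFF's long list has 7,776 words,
# 12.9 bits per word). These 32 give only 5 bits per word, so the demo
# passphrases are far weaker than real ones; the arithmetic is what matters.
WORDLIST = [
    "amber", "basket", "candle", "dune", "ember", "falcon", "garnet", "harbor",
    "ivory", "jungle", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble",
    "quartz", "ripple", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "anchor", "bramble", "cobalt", "drizzle", "eagle", "fable",
]


def random_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password. secrets.choice reads the OS CSPRNG; the
    random module's choice() is a seeded Mersenne Twister and must not be used."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 6, wordlist=WORDLIST, sep: str = " ") -> str:
    """Diceware-style passphrase: memorable because it is made of words, strong
    because each word is an independent uniform pick from the list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, picks: int) -> float:
    """Bits of entropy for `picks` independent uniform choices among `choices`."""
    return picks * math.log2(choices)


def meets_site_rules(password: str) -> bool:
    """The composition rule many sites still enforce (one of each class), even
    though NIST no longer recommends it. A generator redraws until it passes."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, ALPHABET[62:])
    return all(any(c in cls for c in password) for cls in classes)


def password_for_site(length: int = 20, attempts: int = 100) -> str:
    """Random password that also satisfies meets_site_rules. With 20 characters
    almost every draw passes, so the loop rarely runs more than once."""
    for _ in range(attempts):
        candidate = random_password(length)
        if meets_site_rules(candidate):
            return candidate
    raise RuntimeError("could not satisfy composition rules")  # practically unreachable


if __name__ == "__main__":
    pw = password_for_site()
    print(pw, f"{entropy_bits(len(ALPHABET), len(pw)):.0f} bits")
    phrase = random_passphrase()
    print(phrase, f"{entropy_bits(len(WORDLIST), 6):.0f} bits (toy list)")
    print(f"six words from a 7,776-word list: {entropy_bits(7776, 6):.0f} bits")
```

Twenty random characters from this alphabet carry about 128 bits; six words from a real 7,776-word list carry about 78 bits, which is why a passphrase of that size is plenty for the one master password you must remember, while the manager hands out the unmemorable 128-bit kind to every site.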

A final word

Quantum computing is the threat on the horizon, but it is easy to overstate. A large quantum computer running Shor’s algorithm would break the public-key algorithms (RSA, elliptic curves) that protect your password on its way to the server and many of the keys that encrypt it at rest. Against a stored password hash it gets only the square-root speedup of Grover’s algorithm, which roughly halves a password’s effective bits: a long random password stays out of reach, a short one is in even more danger. No machine near that size exists, so the danger is theoretical and some years in the future, but real. The answer is not “quantum encryption” but post-quantum algorithms that ordinary computers can run and quantum computers cannot break; NIST is running a standardization process for them, but I am aware of nothing in everyday use yet. Because I recognize the quantum threat, I continue to explore biometric solutions and emphasize multi-factor.

A final final word

Avoid sites that are sloppy or predatory in design and management. These places are like dark alleys in a bad neighborhood. If you must deal with these sites, be sure that the benefits are worth the risk and watch yourself. If you can’t recognize cyber danger, stay away. If you are subject to hubris over cyber threats, find a secret hole and crawl in it. You are in danger.