Password Managers

Why use a password manager?

In an earlier post, I recommended strong unique passwords for all accounts, which is good advice, but hard to follow.

Today, most people have hundreds of online accounts ranging from old hobby accounts they haven’t signed on to for years to financial accounts that control their life’s savings. Maintaining strong unique passwords on all those accounts can be a nightmare. The worst part is that some of those old accounts may have pitifully weak security. A criminal targeting a weak site could grab your password. If you happen to have reused that password for your savings account, you could fall into a real mess causing substantial loss or embarrassment.

As an aside, rather than manage the passwords of old, unused accounts, it’s easier and safer simply to close the accounts.

My evolving password management systems

Thirty years ago, I kept a list of passwords in a private notebook.

Those were the days when conscientious IT administrators forced new passwords on you every month and ordered you not to write them down. Yeah. Right. My limited memory for random facts has little room for passwords. It was either a notebook or never get any work done.

At that time, I was a contract software engineer at Boeing. Enough time has passed that I can tell you what happened in the epic password battle between the engineers and the IT admins. Programmers find ways around passwords. Not nearly as many ways now as thirty years ago, but given time and motivation, they find ways. The engineers had a workaround for every password in our division of Boeing Computer Services. Maybe they still do. When I moved on to a startup, the secret workarounds remained in place.

This is the lesson that DHS and NIST took to heart when they relaxed best practices for passwords, as I described in my Password Bliss post.

At home, the password notebook for my private desktop was soon cluttered with erased or crossed-out passwords. As I added new accounts, finding them became more and more difficult. I switched to a box of 3×5 cards, which I could keep in alphabetical order, replacing cards as they became illegible with changes. That worked, but the system still took effort and iron discipline to keep current, and, I confess, my stock of iron discipline is smaller than my memory for random facts.

Switching to a manager

Password managers were available, but I resisted using them because I was afraid of putting all my password treasures into one basket vulnerable to a single criminal break in. Many of my colleagues in the software industry agreed, but now, almost all have changed their minds, as have I, because we have concluded that password managers are safer despite being a single point of failure.

Security is always relative. A password manager vendor’s database should be at least as well protected from intrusion as your own system. The password manager should easily provide strong unique passwords for all your accounts and offer easy and convenient access to those passwords to you, your designated agents, and no one else. Reputable password managers meet these criteria and, therefore, I am eager to use them.

Nothing is completely secure, but some situations are more secure than others. If you have a system for managing passwords like my box of 3×5 cards that you can maintain and keep safe without being tempted to reuse passwords or create weak passwords and variants on multiple accounts, stick with what you have. But if you succumb to weak and duplicate password temptations, or you find yourself toting your system to libraries or coffee shops where it could be stolen, a password manager is a safer choice.

I made the decision to switch to a password manager about a decade ago.

Free password managers

There’s a saying “if the service is free, you are the product,” which is supposed to be a warning that free services target ads and outright sell information about you. This is true. But paid services do the same thing. Always check the privacy policy of any computing product you use.

The European Union and some of the states have regulations that require vendors to inform users of some forms of information sharing and allow you to opt out. Because identifying where these laws apply is difficult, vendors almost always follow the most stringent regulations and treat all users the same. Paid does not equal private.

Since password managers hold some of your most private data, caution is required. Check their privacy policies and opt out of those you don’t like when you can.

I’m an insider. I’ve sat on corporate product committees that decided to offer free services to the public. In this age of ultracheap data storage and abundant computing capacity, a business can offer free services to entice you to purchase paid services and still rake in fat profits.

Vendors carefully consider offering free products or services. Generally, selling a service is preferable to selling a product because services are recurring revenue sources. The vendor’s goal is a mix of free features that hook the consumer and paid features that entice the user to upgrade to a profitable paid service. The consumer who can get by on the free subset of features wins big, although they must accept that the vendor will court free riders like a lovesick swain to woo them into upgrading. And free riders are always subject to the threat that the free services will be curtailed or eliminated at the whim of the vendor.

Therefore, I’ll readily accept free password managers, although I scrutinize the privacy policy of the service and realize that I may be persuaded to upgrade to a paid service after I start using the free service. This is exactly where I sit now. I started with a free manager and upgraded to paid. Also note that I always check the privacy policies of paid services as well as free services.

In a future post, I’ll go into more detail on how to evaluate password manager features.

Password Bliss

Ah, the blissful days on my first programming job. We had no passwords. A cipher lock on the employee entrance was enough security. Those days are as gone as last winter’s snow days in August.

I don’t know anyone who likes passwords. The best I can say for them is that they protect computer systems better than nothing and they are relatively easy to implement. The truth is that password protected systems are breached all the time. Passwords are better than no protection, but that’s all. Breaking into a password protected system is in the league with hot wiring a 1957 Buick.

The end of passwords has been predicted for decades and the computer industry is inching closer, but I don’t see the end of passwords in sight.

Why? Because the alternatives also have flaws and most have high implementation costs. There are no sudden changes on the horizon. Any transition away from passwords will be gradual. The most likely change is more and stiffer nudges toward multi-factor authentication, the two-step process that is already insisted upon in many high-risk systems. Multi-factor authentication systems, which usually involve your cellphone or email, are annoying but much more difficult to hack than a password alone.

If we are stuck with passwords, we ought to follow practices that increase security and maximize ease of use for users. Fortunately, NIST, the division of the federal Department of Homeland Security that makes recommendations for password security, has noticed that the password policies that annoy users also encourage them to work around the rules, usually in unsafe ways. The most recent recommendations are actually easier to follow than the old rules.

The old rule was to change passwords frequently. That’s out. When people are forced to change their passwords frequently, they resort to common passwords that are easy to remember, use simple spelling variations to reuse passwords, or write them down in obvious places, all of which make password theft easier, not harder.

The old rule about password complexity (a mixture of letters, numbers, symbols, and upper and lower case) is also out. Password crackers know that “$” substitutes for “s” and zero substitutes for the letter “o” and all the rest. Short complex passwords are not much more difficult to crack than an uncommon but short all-lowercase password. Passwords over twelve characters are difficult to crack. Planning and executing a trip to Jupiter probably consumes fewer resources than cracking an eighteen-character password that is not a common phrase.

Therefore, a long nonsense phrase that sticks in your memory is a strong password, unless the phrase is commonly used. A phrase that gets zero hits on a Google search is very safe. When you have a strong password, DHS recommends that you stick with it unless it gets compromised in some way. That long password will make you a tough customer to break.

The rest of the new guidelines are rules for processing and storing passwords that apply to programmers, not end users.

But there is another catch: password spraying. Hackers know that people tend to use the same password on multiple accounts. As soon as a bad guy gets a password, he sprays (tries) it on all your accounts. Most passwords are not cracked; they are obtained by trickery. For example, a bogus phone call from a fake IT guy asks for your password and you give it to him without thinking. The hacker then tries the stolen password and a hundred variations on your bank account within seconds. In order to limit the damage from such a mistake, never reuse the same password or an easy variant on different accounts.

Just when you thought the new guidelines made your life easy, it all falls apart when you consider the hundreds of accounts you probably have.

Unless you are prodigiously organized and blessed with the memory of a crossed mother elephant, password managers are the answer: One long, strong, and memorable password for a password manager that generates and stores random passwords for all your accounts. Although they are not perfect, most people are safer with a password manager.
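To put numbers on the length-versus-complexity argument above, and on what a manager actually generates for you, here is an added Python example (not code from the original post); the guess rate, the cracker dictionary size and the passphrase word-list size are assumptions.

```python
import math
import secrets
import string

# Added example, not from the original post: puts numbers on the claim that
# length beats complexity, and shows the kind of random password a manager
# generates. The guess rate and list sizes below are assumptions.

LOWER = string.ascii_lowercase                                       # 26 symbols
COMPLEX = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
CRACKER_DICTIONARY = 100_000   # assumed size of a cracker's common-word list
WORDLIST = 7776                # assumed size of a diceware-style passphrase list
GUESSES_PER_SECOND = 1e11      # assumed offline (leaked hash) guessing rate


def entropy_bits(symbol_count: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `symbol_count`."""
    return length * math.log2(symbol_count)


def mangled_word_bits(word: str, swappable: str = "saeoilt") -> float:
    """A dictionary word with optional $/@/0-style swaps: the word is one of
    CRACKER_DICTIONARY guesses, and each swappable letter adds at most one bit."""
    return math.log2(CRACKER_DICTIONARY) + sum(c in swappable for c in word.lower())


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate in a space of 2**bits at `rate`."""
    return 2 ** bits / rate / (365.25 * 24 * 3600)


def generate_password(length: int = 20, alphabet: str = COMPLEX) -> str:
    """What a manager does for you: a CSPRNG pick from a uniform alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_policies() -> dict:
    """Entropy in bits for the password styles the post discusses."""
    return {
        "'password' with $/@/0 swaps": mangled_word_bits("password"),
        "8 random chars, full complexity": entropy_bits(len(COMPLEX), 8),
        "8 random chars, lowercase only": entropy_bits(len(LOWER), 8),
        "12 random chars, lowercase only": entropy_bits(len(LOWER), 12),
        "18 random chars, lowercase only": entropy_bits(len(LOWER), 18),
        "5 random words from a 7776-word list": entropy_bits(WORDLIST, 5),
        "20 random chars from a manager": entropy_bits(len(COMPLEX), 20),
    }


if __name__ == "__main__":
    for policy, bits in compare_policies().items():
        print(f"{policy:40s} {bits:6.1f} bits  {years_to_exhaust(bits):12.3g} years")
    print("manager-style password:", generate_password())
```

Twelve random lowercase letters already carry more entropy than eight characters drawn from the full keyboard, and a mangled dictionary word sits far below both.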

Choosing a password manager is a subject for another post.