A clever meme hit the Internet this week:
“Stop asking me to change my password. I can’t keep on renaming my dog.”
If you (or the employees you support) aren’t using a password manager, clear off your calendar for the rest of the day and use the time to set one up. It’s easy security. Password managers make it simple to create good passwords, to change your passwords when required, to use different passwords on every site, and to avoid reusing old passwords.
The upside to using a password manager:
- You only need to remember two strong passwords. (One to log into the computer running the password manager, and one for the password manager itself.)
The downside to using a password manager:
- All your eggs are in one basket. (Therefore you need to pay close attention to choosing a good master password, protecting that password, and backing up your stored passwords.)
Generally speaking a password manager works as follows:
- You provide the password manager with a master passphrase.
- The password manager uses your master passphrase to create (or read) an encrypted file that contains your passwords and other secrets.
(For deeper details, see KeePass’s FAQ for a brief technical explanation or Dashlane’s whitepaper for a detailed one. The KeePass FAQ, for example, describes how the product derives 256-bit Advanced Encryption Standard [AES] keys from a user’s master passphrase, how a random salt prevents an attacker from precomputing a single dictionary of candidate keys that would work against every user’s file, and how random initialization vectors ensure that encrypting the same or similar contents twice never yields related ciphertext. Other products likely derive and protect their keys in a similar way.)
Password managers often also perform useful convenience functions for you—inserting stored passwords into your web browser automatically; generating strong passwords of any desired length; checking your accounts against published lists of breached (“pwned”) websites; evaluating the strength of your existing passwords; leaping tall buildings in a single bound; etc.
The root of security with password managers is protecting your master password. There are three main considerations:
(A) Choose a good passphrase.
I’m intentionally using the word “passphrase” instead of “password” to highlight the need to use strong, complex, high-entropy text as your passphrase. (Read my guidance about strong passphrases in TCS’s Better Passwords, Usable Security whitepaper. Or if you don’t read that whitepaper, at least read this webcomic.)
Your master passphrase should be stronger than any password you’re currently using—stronger than what your bank requires, stronger than what your employer requires. (However, it shouldn’t be onerously long—you need to memorize it, you will need to type it every day, and you will likely need to type it on mobile devices with cramped keyboards.) I recommend a minimum of 16 characters for your master passphrase.
(Side note: For similar reasons, another place where you should use stronger-than-elsewhere passphrases is with full-disk encryption products, such as TrueCrypt or FileVault, where you enter in a password at boot time that unlocks the disk’s encryption key. As Microsoft’s #7 immutable law of security states, encrypted data is only as secure as its decryption key.)
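To put numbers on “high-entropy” and on the 16-character minimum, here is an added example (not from the whitepaper, the webcomic, or the original post) that computes the entropy of machine-generated secrets and draws a Diceware-style passphrase with crypto/rand. The miniature word list is constructed for the demo; 7776 is the size of a standard Diceware list and 95 is the number of printable ASCII characters. The formula applies only to secrets a machine chose uniformly at random; a 16-character phrase a human composed from words and dates is far weaker than the 105 bits the formula would suggest.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// EntropyBits is the strength of a secret made of `length` symbols, each chosen
// uniformly and independently from `alphabetSize` possibilities: length * log2(alphabetSize).
func EntropyBits(alphabetSize, length int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// WordsNeeded returns how many words drawn at random from a list of listSize
// entries are required to reach targetBits of entropy.
func WordsNeeded(listSize int, targetBits float64) int {
	return int(math.Ceil(targetBits / math.Log2(float64(listSize))))
}

// RandomPassphrase draws n words from words using crypto/rand. rand.Int is
// already unbiased, so there is no modulo bias to worry about here.
func RandomPassphrase(words []string, n int) (string, error) {
	bound := big.NewInt(int64(len(words)))
	picked := make([]string, n)
	for i := range picked {
		idx, err := rand.Int(rand.Reader, bound)
		if err != nil {
			return "", err
		}
		picked[i] = words[idx.Int64()]
	}
	return strings.Join(picked, " "), nil
}

func main() {
	// Constructed miniature word list; a real Diceware list has 7776 entries.
	words := []string{"correct", "horse", "battery", "staple", "wrench", "edna", "kiosk", "lemonade"}
	p, _ := RandomPassphrase(words, 6)
	fmt.Printf("from the toy list: %q (only %.1f bits)\n", p, EntropyBits(len(words), 6))
	fmt.Printf("16 random printable ASCII characters: %.1f bits\n", EntropyBits(95, 16))
	fmt.Printf("6 random Diceware words:              %.1f bits\n", EntropyBits(7776, 6))
	fmt.Printf("8 random lowercase letters:           %.1f bits\n", EntropyBits(26, 8))
	fmt.Printf("Diceware words needed for 80 bits:    %d\n", WordsNeeded(7776, 80))
}
```

The practical reading: six random Diceware words (about 78 bits) are easier to memorize and type than 16 random characters (about 105 bits) and still far beyond what an offline attack against a slow key derivation can search, while eight lowercase letters (under 38 bits) are not.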
(B) Don’t use your passphrase in unhygienic environments.
An interesting concept in computer security is the $5 wrench. Attackers, like electricity, follow the path of least resistance. If they have chosen you as their target, and they cannot crack your encryption or guess your passphrase with password-cracking tools, they will try other approaches: perhaps masquerading as an IT administrator and simply asking you for your password, or sending you a malicious email attachment that installs a keylogger on your computer, or hiding a pinhole spy camera in the light fixture above your desk. So even with strong encryption you are still at risk from social-engineering and surveillance attacks that target your passphrase rather than the encryption.
One way to reduce the risk of revealing your passphrase is to avoid typing it into computers that you neither control nor trust, such as machines in Internet cafes, airport kiosks, or your Grandma Edna’s house. To paraphrase the public-service messages of the 1980s: when you type your passphrase into an untrusted computer, you could be giving it to everyone who used that computer before you.
For situations where you simply must use a computer of dubious provenance (say, you’re on vacation, you take a wrong turn at Albuquerque, your wallet and laptop get stolen, and you have to use your password manager at an Internet cafe to get your credit card numbers and bank contact information), some password managers provide features such as one-time passwords, on-screen keyboards, multifactor authentication, and web-based access to help make lemonade out of life’s little lemons.
(C) Make regular backups of your encrypted file.
If you have a strong passphrase [(A)] and you keep your passphrase secret [(B)], then it matters much less where copies of your encrypted file are stored. An attacker who obtains a copy can guess passphrases offline, without the lockouts or rate limits a website would impose, but the strong encryption and the slow key derivation mean that a brute-force or dictionary attack will not succeed against a good passphrase in any useful amount of time. (Password management company LastPass had a possible security breach of its network in 2011. Even so, users with strong passphrases had “no reason to worry.”) As such you can safely make backup copies of your encrypted file and store those backups in a convenient manner.
Some password managers are designed to store your encrypted file on your local computer. Other managers (notably LastPass) store your encrypted file on cloud servers managed by the same company, making it easier to synchronize the password file across all devices you use. Still other managers integrate easily with third-party cloud storage providers (notably Dropbox) for synchronization across multiple devices, or support direct synchronization between two devices over a Wi-Fi network. (In all remote-storage cases I’ve found, the file is always encrypted locally before any portion of the file is uploaded into the cloud.)
Whichever type of manager you use, be aware that this one file holds the only copy of all of your passwords; it is critical that you not lose access to its contents. Computers have crashed. Password management companies have disappeared (Logaway launched on May 4, 2010, and ceased operations on February 2, 2012). Cloud services have lost data and have experienced multi-day disruptions. Protect yourself by regularly backing up your encrypted file, for example by copying it onto a USB dongle whenever you change or add a password, or by printing a hard copy of your passwords every month to stash in a safe deposit box (a printout is not encrypted, so the box must be guarded as carefully as the passphrase itself).
If you maintain a strict separation between your home accounts and your work accounts—for example to keep your employer from snooping and obtaining your Facebook password—simply set up two password managers (one on your home laptop, the other on your work PC) using two unique passphrases as master keys.
Password manager software is easy to set up and use. The biggest problem you’ll face is choosing from among the cornucopia of password managers. A partial list I just compiled, in alphabetical order, includes: 1Password, AnyPassword, Aurora Password Manager, Clipperz, DataVault, Dashlane, Handy Password, Kaspersky Password Manager, KeePass, Keeper, LastPass, Norton Identity Safe, Paranotic Password Manager, Password Agent, Password Safe, Password Wallet, PINs, RoboForm, Secret Server, SplashID, Sticky Password, TK8 Safe, and Universal Password Manager. There is even a hardware-based password manager available.
Your top-level considerations in choosing a password manager are:
- Does it run on your particular OS or mobile device? (Note that some password managers charge, or charge extra, to support synchronization with mobile devices.)
- Do you already use Dropbox on all your devices? If not, consider a manager that provides its own cloud storage (LastPass, RoboForm, etc.). If so, and if you would rather keep custody of your own encrypted file, choose a manager that synchronizes through Dropbox (1Password, KeePass, etc.).
I don’t recommend or endorse any particular password manager. I’ve started using one of the “premium” (paid) password managers and am astonished at how much better any of these managers is than what I’d been using before (an unencrypted, manual, text-file-based system that I’d hacked together last millennium).