
The Problem With Password Managers

Mike Scott, Chief Cryptographer


Why not a Password Manager?

Sometimes we might feel like just surrendering to passwords. Rather than trying to get rid of the damn things, why don’t we just learn to live with them?

On the face of it a Password Manager is a compelling idea. It generates all of your strong passwords, and more importantly, it remembers them for you. It makes logging in simple. Your passwords are maintained in a vault that is encrypted with the one master password that you do need to remember.

So just one password to remember. And no more worries about the implications of having in the past used the same password across multiple sites. What a great idea!

Downsides?

Let us first recall the one big advantage of a password. You keep it in your head. It goes where you go, so you can use it anywhere, and on any device. You don’t need anything else.

With a password manager this is no longer true. As well as your master password, you need to have your vault to hand as well. So do you carry it around with you? How do you use it on your mobile device?

Fixed?

Smart idea – put the vault up into the cloud, where it can be accessed from anywhere, by any device, and still remains completely safe as it's encrypted with your master password. OK, keep a local copy of the vault as well, stored safely somewhere just in case the cloud loses it. However, there is going to be some cost associated with cloud storage, and along with your vault the cloud manager is going to want to store some meta-data associated with your identity.

Oh dear – the cloud gets hacked, and your meta-data and vault are stolen. Bad news is the bad guys now have your meta-data and your vault. Good news is that they can’t get into your vault as they don’t have your master password – that is still stored safely only in your head. 

So you might think if it's only the meta-data that is lost, no big deal, right? Well, actually you would probably be surprised just how much meta-data can reveal about you. Like name, address, email, web URLs associated with the passwords, the IP address from which you last accessed your vault, etc. All of which sets you up nicely for a targeted phishing attack. If you need convincing, check out this advisory from LastPass, which just got its cloud comprehensively hacked. You have to admire their up-front transparency about this data breach. But I can’t believe they didn’t encrypt the website URLs. The bad guys now know your browsing habits. But you don’t have a guilty conscience about that, do you?

OK, so the bad guys have your vault, but as the only person on the planet that knows the master password you can still hope that you are relatively safe.

(As I keep telling anyone who will listen, you must assume that everything you store in the cloud is effectively placed into the public domain. That’s the way to think about it. So make sure you are happy with the associated meta-data, and make sure that everything you need to be private is stored strongly encrypted with a key that only you possess. Trust no-one other than yourself.)

Now we are good?

So you can relax, right? At least your passwords are safe. Well, there might still be a problem. It depends on just how good your master password is. The vault is encrypted with a 256-bit AES key, which is derived from your master password. Sounds impressive. But of course we know that a hacker who has your vault can try to “brute force” your master password. You can make each password guess computationally expensive, but a hacker being a hacker might well have access to some pretty impressive computing power, maybe a powerful graphics card, or a redundant Bitcoin mining rig.

Recommendations for master passwords vary from requiring 12 or more characters, to a passphrase of five or more unrelated words. But none get you anywhere close to the strength of a truly random 256-bit AES key. So forget any warm fuzzy feelings you may have had around 256-bit AES, that is not your problem. Your problem is simply the guessability of your master password.

However you can check the strength of your choice here. For a password manager, it’s the “offline attack, slow hash, many cores” variant that applies.
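To put numbers on the gap between a master password and a 256-bit key, here is an added example (not from the original article or any particular password manager). It assumes PBKDF2-HMAC-SHA256 as the slow hash, 600,000 iterations, a 7776-word list for passphrases and an attacker rate of 100,000 guesses per second; the article specifies none of these.

```python
import hashlib
import math
import os

KDF_ITERATIONS = 600_000  # assumed slow-hash cost; the article names no KDF or count


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch a master password into a 256-bit AES key (PBKDF2-HMAC-SHA256 assumed)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret made of `length` uniformly random, independent symbols."""
    return length * math.log2(alphabet_size)


def attack_work_bits(password_bits: float, iterations: int = KDF_ITERATIONS) -> float:
    """log2 of hash operations needed to exhaust the password space.

    Capped at 256: beyond that, guessing the AES key directly is cheaper.
    """
    return min(256.0, password_bits + math.log2(iterations))


def years_to_exhaust(password_bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given offline guess rate."""
    return 2 ** password_bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    salt = os.urandom(16)
    # Constructed sample password; low iteration count only to keep the demo fast.
    key = derive_vault_key("constructed sample passphrase", salt, iterations=10_000)
    print("derived key bits:", len(key) * 8)
    choices = {
        "12 random printable chars (94 symbols)": entropy_bits(94, 12),
        "5 random words (7776-word list, assumed)": entropy_bits(7776, 5),
        "8 random lowercase letters": entropy_bits(26, 8),
    }
    rate = 1e5  # assumed guesses/second against the slow hash
    for label, bits in choices.items():
        print(f"{label}: {bits:.1f} bits, work 2^{attack_work_bits(bits):.1f}, "
              f"{years_to_exhaust(bits, rate):.3g} years to exhaust")
```

These figures hold only for secrets chosen uniformly at random; a human-chosen password of the same length has far less entropy than the formula suggests.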

Sorted?

So you have your strong password (and better write it down somewhere in case you forget it, and be careful that you put that piece of paper somewhere safe, and remember where you put it!). You have contacted your Password Manager service and been assured that they keep an absolute minimum of personal meta-data stored with your vault. And you believe them.

Are we there yet?

Well yes, but… you need to remember that big long ugly password and on occasion you will need to type it in. The service is not free. The cloud may go off-line and suddenly you can’t access anything! Maybe your cloud manager has been subject to a ransomware attack, or a DDoS attack. You do need to remember to back up your vault frequently. 

Sadly you may realise that a password manager is a good, but not a great, idea. Maybe it's better to use 2-factor authentication that only requires you to remember a 4-digit PIN. Like MIRACL Trust!

To learn more about MIRACL’s single-step MFA, that’s impervious to hacking, schedule a demo here or sign up to our newsletter here.
