Digital Hygiene Part 2: Password Manager

In this installment we are going to look at the elephant in the room of digital security: passwords. The two most common sins against security, committed by millions, or billions, of Internet users, are 1) weak passwords and 2) password reuse. It is now widely recognised that it is not the users who are to blame, but the password system itself. It is inconceivable that a single person can remember dozens of different, complicated passwords for the different online services the modern world all but forces us to use. So we settle on something that can be remembered, use it across all websites, perhaps with slight variations, and then a day comes when one of the more obscure and less secure services is broken into and its user database is stolen. Nowadays, most popular services do not store the password itself, only a hash – that is, a piece of data that allows them to check whether the password we entered is correct, but not to recover the password[1]. Even then, unless the compromised service applied all the best practices in credential storage (many do not[2]) and we used a really strong password, it will not take the hackers long to recover our password in clear text. From there they can try to use it to log into our Facebook or Gmail and obtain a wealth of data that can then be used to defraud us of money in a multitude of ingenious and ignominious ways, or otherwise abuse our personal data.
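To make the hashing point concrete, here is an added example (my own illustration, not code from any of the services mentioned in this series) contrasting the weak storage footnote [2] alludes to, a single fast unsalted hash, with the recommended scheme of a random per-user salt plus a deliberately slow key-derivation function. The user table is constructed for the example; two users happen to share a password, which is exactly the situation the unsalted scheme gives away.

```python
import hashlib
import hmac
import os

# Constructed sample of what a stolen user table might hold: two users who
# happen to have chosen the same password.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}


def naive_hash(password: str) -> str:
    """The weak scheme: one fast, unsalted hash per password (SHA-1 here)."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_password(password: str, iterations: int = 600_000) -> dict:
    """The recommended scheme: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def build_table(users: dict, scheme: str, iterations: int = 600_000) -> dict:
    """Build the stored credentials table under either scheme ('naive' or 'salted')."""
    if scheme == "naive":
        return {u: naive_hash(p) for u, p in users.items()}
    return {u: store_password(p, iterations) for u, p in users.items()}


def leaks_password_reuse(table: dict) -> bool:
    """Can someone holding the stolen table tell that two users share a password?

    With an unsalted hash, identical passwords give identical entries, so a single
    cracked entry unlocks every account that used the same password.
    """
    values = [v if isinstance(v, str) else v["hash"] for v in table.values()]
    return len(values) != len(set(values))


def work_per_guess(table: dict) -> int:
    """Hash computations needed to test one candidate password against one user.

    This is the factor by which the slow KDF multiplies the cost of every guess
    compared with the single fast hash of the naive scheme.
    """
    first = next(iter(table.values()))
    return 1 if isinstance(first, str) else first["iterations"]


if __name__ == "__main__":
    for scheme in ("naive", "salted"):
        table = build_table(SAMPLE_USERS, scheme)
        print(scheme, "reuse visible:", leaks_password_reuse(table),
              "work per guess:", work_per_guess(table))
```

The two helpers at the end show the two practical consequences of the choice of scheme: whether the stolen table reveals that passwords are shared between users, and how much computation every single guess costs whoever is trying to recover them.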

What is a “strong” password? The technical measure of password strength is entropy, which is not a very simple concept to grasp and estimate, so allow me to use a prop provided by a source of useful knowledge on all things scientific:

Right, so a string of four random words makes a good password. Still, we have not got around the problem of recalling the particular combination of random words we picked for a website of the company that delivers electricity to our house. This is where a password manager comes in handy.

What

A password manager comes in various guises. Web browsers and operating systems often have a built-in feature that will “remember” the login details for you. Then there are “real” password vaults, which are what we are going to discuss here. A password vault is a store of all your passwords, kept by some company on their servers. The vault is encrypted with a master password – the only password you really have to remember – before it leaves your machine. If you want to synchronise all your passwords to another device, you connect to the server of the company that manages your vault and download the encrypted bundle, then enter the master password to access all the passwords stored within.

Why

What do dedicated password managers provide beyond the features we get out of the box from, for instance, Google Chrome? There are two key advantages. First, all a dedicated service does is protect our passwords, so we can expect it to be secure against a wider range of attacks; all the security expertise of the company is dedicated to that goal, while a browser vendor has to take care of a much broader surface of potential attacks. Second, it can generate new, strong passwords whenever we register for a new account or change an existing password. We no longer have to come up with lists of random words or characters, which will likely not work anyway, due to some silly restrictions on the length of the password and the set of allowed or required characters (many websites, in a misguided attempt to make our passwords stronger, force the use of symbols, numbers, mixed case etc.).
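The two things a generator has to get right are the ones discussed above: drawing from a large enough space (the entropy behind the “four random words” advice) and satisfying whatever character-class rules a site imposes. The following is an added example of my own, not code from any password manager, and goes a little beyond the text by also tabulating the entropy of several schemes. The word list is a constructed stand-in (a real diceware list has 7776 words), and the guess rate used for the cracking-time estimate is an illustrative figure, not a measurement.

```python
import math
import secrets
import string

# Constructed mini word list; entropy is computed from the size of the list you
# actually draw from, so a real generator would use a list of thousands of words.
WORDS = ["correct", "horse", "battery", "staple", "tree", "quantum", "violet", "anchor"]

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"

# secrets-backed RNG; never use random.Random for credentials
_rng = secrets.SystemRandom()


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password of `length` symbols drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def generate_passphrase(n_words: int = 4, words=WORDS, sep: str = " ") -> str:
    """A string of random words from a list, the scheme recommended above."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def generate_password(length: int = 16, required_classes=(LOWER, UPPER, DIGITS, SYMBOLS)) -> str:
    """Random password that satisfies a site policy of 'at least one of each class'.

    One symbol is drawn from every required class so the policy is always met, the
    remainder from the union of the classes, and the result is shuffled so the
    position of the forced symbols is not predictable.
    """
    if length < len(required_classes):
        raise ValueError("length too short to satisfy every required class")
    alphabet = "".join(required_classes)
    chars = [secrets.choice(cls) for cls in required_classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    _rng.shuffle(chars)
    return "".join(chars)


def meets_policy(password: str, required_classes=(LOWER, UPPER, DIGITS, SYMBOLS)) -> bool:
    """The check a site performs: at least one character from every required class."""
    return all(any(c in cls for c in password) for cls in required_classes)


def compare_schemes(guesses_per_second: float = 1e10) -> dict:
    """Entropy (bits) and worst-case seconds to exhaust the space for a few schemes.

    Returns {name: (bits, seconds)}; the guess rate is a constructed figure for a
    fast, unsalted hash, the situation in which entropy is all that protects you.
    """
    schemes = {
        "8 printable ASCII chars": entropy_bits(95, 8),
        "4 words from a 2048-word list": entropy_bits(2048, 4),
        "4 words from a 7776-word diceware list": entropy_bits(7776, 4),
        "16 chars from 4 classes": entropy_bits(len(LOWER + UPPER + DIGITS + SYMBOLS), 16),
    }
    return {name: (round(bits, 1), round(2 ** bits / guesses_per_second, 1))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    print(generate_passphrase())
    pw = generate_password(16)
    print(pw, meets_policy(pw))
    for name, (bits, secs) in compare_schemes().items():
        print(f"{name}: {bits} bits, ~{secs:.3g} s to exhaust")
```

Forcing one symbol from each class makes the distribution very slightly non-uniform, so the real entropy of `generate_password` is a shade under the figure `entropy_bits` reports for the full alphabet; at sixteen characters that loss is irrelevant, which is one reason a generated password should be as long as the site allows.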

But! Are we not running the same risk as with VPN, and giving the keys to the kingdom to the company that stores our vault? We are not: the encryption of our vault takes place locally, on our device, and what is transferred to the provider is inscrutable to them without the master password. That password stays in our heads. In theory, the company that provides the application which runs on our device and encrypts and decrypts the vault could try to make it sneakily send the master password we entered. In practice this is highly unlikely – since the entire application resides on the user's machine, it can be assumed that its code and the protocol it uses have been audited by independent security experts.
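To show what “encrypted before leaving your machine” means in practice, here is an added example of the architecture described in the last two sections. It is my own illustration, not code from LastPass or 1Password, whose vault formats differ. Since the Python standard library has no AES, encryption here uses an encrypt-then-MAC construction built from HMAC-SHA256 (a counter-mode keystream plus an authentication tag), with both keys derived from the master password by scrypt; the construction is sound for an illustration but is not what a real product would ship. The vault contents are constructed sample data.

```python
import hashlib
import hmac
import json
import os
from typing import Optional


def _derive_keys(master_password: str, salt: bytes):
    """Stretch the master password into an encryption key and a MAC key.

    scrypt is memory-hard, so each guess at the master password costs real
    resources; the salt makes precomputed tables useless.
    """
    km = hashlib.scrypt(master_password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real stream cipher)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def lock_vault(entries: dict, master_password: str) -> dict:
    """Encrypt and authenticate the vault locally; the result is what the sync server stores."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Tag covers everything the server hands back, so tampering is detected before decryption
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def unlock_vault(blob: dict, master_password: str) -> Optional[dict]:
    """Decrypt a downloaded blob; returns None on a wrong master password or a modified blob."""
    salt, nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ciphertext", "tag"))
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    plaintext = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plaintext)


def server_can_read(blob: dict, secret: str) -> bool:
    """What the provider sees: does the stored blob contain the secret in the clear?"""
    stored = bytes.fromhex(blob["ciphertext"])
    return secret.encode() in stored


if __name__ == "__main__":
    # Constructed sample vault; these are not real credentials
    vault = {"electricity-supplier.example": "violet anchor quantum tree"}
    blob = lock_vault(vault, "my long master password")
    print("server sees plaintext:", server_can_read(blob, vault["electricity-supplier.example"]))
    print("unlock with right password:", unlock_vault(blob, "my long master password"))
    print("unlock with wrong password:", unlock_vault(blob, "guess"))
```

Note where each secret lives: the server holds only salt, nonce, ciphertext and tag, all of which are useless without the master password, and the master password itself is only ever an argument to functions that run on the user's device.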

How

There are two popular password management services I am familiar with: 1Password and LastPass. I have been using the premium version (US$1 per month) of the latter for the last six months in Chromium on Linux and on Android, and have been very happy with it. LastPass also has a free tier, which, since I signed up, seems to have improved in that it now allows many devices (it used to be just two), so there is little risk in trying it out. If you do, please remember to make up a new, strong master password!

11/12/2016


[1]: Incidentally, beware of services that have the helpful feature of reminding you of the password you have forgotten – if they can recover it, so can the hackers! A password reset feature, on the other hand, is completely fine.

[2]: Even prominent websites such as LinkedIn turned out to have been storing weakly protected hashes of user passwords.
