Password Managers Really Could Provide Sufficient Security

BLUF: Increased use of password managers would lead to improvements in security for both individuals and businesses, and would make a lot of “post-password” security measures unnecessary.

More use of PMs will not solve all security issues. I do not think we can talk about a site or a database (or anything) as being “secure” or “insecure”. I think it is a matter of degrees. We can only talk about “more secure” or “less secure”. That said, I think password managers would go a long way towards solving a lot of problems. Hopefully it is not too late to make improvements. And I know vendors are trying to push things in a different direction.

I have been listening to old episodes of security podcasts: Security Now and Risky Business. I started at the very beginning for both, and I am up to about 2012 for Security Now and 2013 for Risky Business. I got up to 2011 with Security Now. They said passwords are dead, but I think password managers could solve a lot of issues and improve security. I think if people use them more, we would not need to move to a password-less future. I use KeePassXC. I hope that KeePassXC will still be useful in a world where vendors want to control access.

One issue with passwords is password reuse. A lot of people re-use passwords because they cannot think of and/or remember new passwords. So if hackers get a database of users for one site, they will try those credentials on other sites, and sometimes they get lucky. With a PM, you only have to remember the password or passphrase for the PM. It can create new passwords for you so you do not have to remember them or re-use them. And if a site has a policy about changing passwords on a regular basis, again you can create new ones easily. One of the times Kevin Mitnick was on Risky Business he said he was trying to get information about his credit card. He had questions about his account, and the woman on the phone said he needed to provide his password. She started giving him hints because he had trouble remembering. If he had a good password manager, he would have the second password available, and the support desk would not be practicing bad security.

With KeePassXC, you can create attributes which are stored as key/value pairs. You can use these for password reset questions. Many famous people have had credentials hacked since their answers are public information: mother’s maiden name, where were you born, where did you meet your spouse, etc. Much of this information can also be obtained for just about anyone if you know where to look. One way around this is to make answers up. Tell a site you were born in a place you have never been to. Put in a random phrase for the title of your favorite movie. But if you make stuff up, how do you remember what answers you gave for each website? Attributes in KeePassXC can take care of that for you.

You can also attach files to an entry. This would be a good way for people who are not very tech-savvy to send each other sensitive files. Make a database file with one entry and attach your files. Put it on Google Drive or DropBox, and email the link to whoever you want to send it to. Then send them the password or passphrase (I think passphrases are better and should be used whenever possible) some other way. If you send the link to the file in an email, do not email the passphrase. The best thing would be to do it over the phone, and they can make an entry in their own KeePassXC database and type it in there.

I used to be one of those people who thought what if someone gets your PM? Well, we have seen the alternative. If you have a strong passphrase, I think you will be fine. As Bruce Schneier has pointed out, there is nothing wrong with writing your master password on a piece of paper. The important thing is what do you do with that piece of paper.

Could your PM passphrase be brute-forced? I suppose so. But there are counters or potential weaknesses for just about everything. I think if you take a few intelligent steps to be secure you should be fine. “What if they do A? What if they do B? What if they do C?” That cycle never ends. Nothing is perfect.
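The three mechanisms above (random per-site passwords so nothing is reused, made-up reset answers kept as key/value attributes, and a master passphrase long enough that brute force is impractical) can be seen in a few lines of code. This is an added example written for this post, not code from the post or from KeePassXC; it uses Python's `secrets` module in place of KeePassXC's own generator, a constructed 16-word list standing in for a real diceware list, and a constructed toy vault.

```python
import math
import secrets

# Constructed miniature wordlist. A real diceware list has 7776 words;
# the entropy numbers below use that size, not this toy list.
WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "granite", "harbor",
    "iris", "juniper", "kestrel", "lumen", "marble", "nectar", "orchid", "pewter",
]

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def random_password(length=20, alphabet=ALPHABET):
    """A per-site password of the kind a password manager generates for you.

    secrets.choice draws from the OS CSPRNG, so every symbol is uniform."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words=6, wordlist=WORDLIST):
    """A diceware-style passphrase, suitable for the one secret you do memorise."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices_per_symbol, symbols):
    """Entropy of a uniformly random secret: symbols * log2(choices)."""
    return symbols * math.log2(choices_per_symbol)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at a given offline guess rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


def fake_answers(questions, wordlist=WORDLIST, words=3):
    """Made-up answers to reset questions, as the key/value attributes you
    would store on the site's entry so you never have to remember them."""
    return {q: random_passphrase(words, wordlist) for q in questions}


def find_reused_passwords(vault):
    """Return {password: [sites]} for every password shared by more than one
    entry: this is exactly what credential stuffing exploits."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {p: sites for p, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed toy vault: two sites share a password, one does not.
    vault = {"bank": "Summer2012!", "utility": "Summer2012!", "video": random_password()}
    print("reused:", find_reused_passwords(vault))
    print("fixed:", {site: random_password() for site in vault})
    print("reset answers:", fake_answers(["mother's maiden name", "first car"]))
    bits = entropy_bits(7776, 6)
    print(f"6-word diceware passphrase: {bits:.1f} bits, "
          f"{years_to_exhaust(bits, 1e10):.0f} years at 1e10 guesses/s")
```

The entropy figure is the point of the last two lines: a six-word passphrase from a 7776-word list is about 77.5 bits, and exhausting that at ten billion guesses per second takes on the order of 600,000 years, which is why the key-derivation settings and the passphrase length matter more than any single “what if they do A?” scenario.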

I use KeePassXC locally, running as a standalone application. I do not hook it into my browser. I clear cookies when I exit my browsers. I think storing passwords in a browser is a bad idea. As with many things in security, doing something that is more convenient is not always a smart idea.

And I hope I never have to use an online PM. With online PMs you are adding more risks to your threat model. What if their site is offline? Then you cannot log in to anything. Suppose your online PM is down, but your bank, your utility and Netflix are all up. Now you have to wait to pay your bills and watch movies until the PM site is back up. These sites have been breached, particularly LastPass (see here and here). According to this page, just about every PM has been hacked in some way. It mentions KeePass, but not KeePassXC, which is a fork (actually a fork of a now-dead fork) and has a separate source tree. Another issue with online PMs is a lot of them have different tiers of service, and many of them (including the popular ones like 1Password and LastPass) have bumped some features up to a higher tier, leaving some users high and dry.

As to whether or not KeePassXC runs on a phone: I do not care. I do not use my phone for too many things except as an alarm clock, a stop watch, two-factor auth when I have to and ignoring the few calls I get. Most apps are just ways to get you to spend more money. I do not need help spending more money. I need help making more money. And I just hate this phenomenon of people being on their phones all the time and trying to do everything on their phone. I have seen people pull half-way out of parking spaces and stop because they were looking at their phone. I don’t know if phones are making people stupid or giving them an excuse to let their freak flag fly and stop hiding their idiocy, but I am not interested in doing everything on my phone. When I see people at the grocery store walking way too slowly looking at their phones, I am always reminded of that line from Blaise Pascal: Mankind’s problems are due to his inability to sit in a quiet room alone.

Every month I make a copy of my KeePassXC files (as well as other files, including my Org-mode files) onto a couple of USB flash drives. Between KeePassXC and Org-mode I am becoming more disciplined with all my information.
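A monthly copy is only a backup if the copy actually matches the database, and flash drives fail quietly. This added example (mine, not from the post; it assumes a file named Passwords.kdbx and two constructed target folders standing in for the USB drives) copies the database with a date stamp, verifies the copy by SHA-256, and later re-checks every copy against the live file.

```python
import hashlib
import shutil
import tempfile
from datetime import date
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in 1 MiB chunks so a large database fits in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_database(src, dest_dir, stamp=None):
    """Copy src into dest_dir as <name>-<stamp><suffix> and verify the copy.

    Returns the path of the verified copy; removes it and raises if the bytes
    read back from the destination do not match the source."""
    src = Path(src)
    dest_dir = Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or date.today().isoformat()
    dest = dest_dir / f"{src.stem}-{stamp}{src.suffix}"
    shutil.copy2(src, dest)  # copy2 also keeps the modification time
    if sha256_of(dest) != sha256_of(src):
        dest.unlink()
        raise IOError(f"backup of {src} to {dest} did not verify")
    return dest


def verify_backups(src, dest_dir):
    """Return {copy_path: bool} for every stamped copy of src found in dest_dir,
    True when the copy still hashes the same as the live database."""
    src = Path(src)
    want = sha256_of(src)
    copies = sorted(Path(dest_dir).glob(f"{src.stem}-*{src.suffix}"))
    return {p: sha256_of(p) == want for p in copies}


def demo():
    """Constructed run: back up a fake database twice, then damage one copy.

    Returns (first copy verifies, damaged copy verifies) -> (True, False)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "Passwords.kdbx"  # stands in for the real KeePassXC file
        src.write_bytes(b"constructed bytes, not a real kdbx database")
        good = backup_database(src, tmp / "usb-1", stamp="2024-01")
        bad = backup_database(src, tmp / "usb-1", stamp="2024-02")
        bad.write_bytes(b"corrupted copy")  # simulate a failing flash drive
        results = verify_backups(src, tmp / "usb-1")
        return results[good], results[bad]


if __name__ == "__main__":
    print(demo())
```

Run it against the real paths once a month (`backup_database("~/Passwords.kdbx", "/media/usb-1")` and again for the second drive), and run `verify_backups` before you trust a drive after a restore; a copy that fails the hash check is worth less than no copy, because it looks like a backup until the day you need it.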

One way to be disciplined is consolidation. One argument against PMs is that they put all your eggs in one basket. True, but it is a basket you can control. We put “all our eggs in one basket” all the time. How many people live their lives on their phone? How many people keep all their physical keys on a keychain? As Troy Hunt pointed out, PMs are not perfect, but they are better than the alternative.

Some people might object to KeePassXC because it is open source. One person on Hacker News argued against open source PMs on legal reasons. He tried to explain KeePassXC to his father (who is a lawyer), and his father was horrified there was “no legal entity to hold accountable”. Either that person’s father is a bought-and-paid-for shill, or really really dumb. If you sue someone (even if they are bigger than you), they can turn a court case into an endurance contest. Control what you can control.

Now a lot of vendors are pushing a “passwordless future”. Vendors cause the problem, then they try to solve the problem. I do not want to give vendors any more control over my life. I do not want to be forced to use a phone, especially a specific vendor’s phone. I know I am kind of old-school in how I access the web. I use a browser on a laptop. If other people want to go through life not saying if the sun is up until Apple tells them it is, they can do their thing and I can do mine. I do not want vendors having any sort of access to my fingerprint, or my face, or be forced to use anything by Microsoft, or buy a stupid iPhone. I cannot change my face, or change my fingerprint, and I do not want to be tied to a device. Everything I read about this “passwordless future” requires me to do things the way they want me to do it, and not the way I want to do it.

It is odd to me that a lot of people in the US are distrustful of the “guv-ment” and complain about taxes, yet they have no problem doing whatever Microsoft tells them without question. And there are a lot of people who pride themselves on not trusting Microsoft, yet will do whatever Apple tells them (and constantly buy overpriced products year after year).

You’re welcome.

Image of David and Goliath from a 9th-century manuscript, Vat. gr. 752, from the Vatican Library; image from Wikimedia, assumed allowed under public domain.