In January, we published a blog explaining why it is important to have strong passwords, and provided some advice to increase their robustness. Little did we know that this blog’s writing would create a commotion among the research team as different opinions on password managers emerged. The next two blog posts will cover password managers. The first one aims to explain why it might not be as popular as the InfoSec community wishes, while the second one attempts to nuance that anything is better than the status quo.
The password-management tool
Weak passwords are effortless and quick to crack for malicious hackers. One solution to avoid weak passwords is to use randomly generated strong passwords, but those are hard to remember. Plus, malicious actors will use the passwords revealed in data breaches to try to access other accounts. This is why having different passwords for each account is important. However, people have 100 accounts on average that are protected by passwords. It is impossible to remember strong passwords for each of them. For some, the solution is simple: use a password manager! A password manager is a tool designed to store and manage online credentials. It also generates randomly created passwords that are strong. Usually, these passwords are stored in an encrypted database that you protect with a master password. Password managers have tons of advantages! They allow you to store a great quantity of strong passwords by remembering only one master password. They also can store more than just passwords, such as your passport number and expiry or your social insurance number.
However, previous studies have shown that password managers (particularly stand-alone applications) suffer from low adoption rates, especially among nonexperts. Let’s devote this post to understanding why.
Awareness
Researchers have suggested that many users are not aware of what password managers are, how to use them, and/or whether they are trustworthy. Therefore, basic awareness of password-management tools is the primary adoption barrier for some users. Another important awareness problem is that users think that they do not have enough accounts for a password manager, or that their accounts are not valuable enough to require a secure password-management tool. People tend to have security concerns, lack of need for this solution, and a lack of motivation. Other reasons noted are time for installation, the lack of the sense of urgency, or the lack of awareness of how password managers worked. Some users are simply unwilling to hand over control to a third party.
It is yet ANOTHER tool
Researchers mention the rationing of effort to be a central theme in users’ password-management choices, meaning that using this tool or not is a tradeoff between security and convenience. For some users, it seems like yet another extra effort that is added to their long list of things they have to do to protect themselves. Plus, when you think about it, the password is supposed to be protecting my information already. So, this extra effort from the user part is meant to adjust to a system that is presenting weaknesses in protecting them. I am getting carried away, let’s refocus.
The password manager solution does not answer all problems. Even if a user decides to use it, the effort does not stop after downloading it. It does not lift the weight of creating strong passwords for every account. It does not erase the fact that some websites –even if counter-indicated by NIST, will ask to change your passwords after a certain period of time. It also does not avoid the use of two-factor authentication, which rob us of our time already (although MFA is a necessary protection in this immediate urgency of increasing account security). Even after the installation, you must spare time in making sure that all passwords are strong, then store them in the right place, and then retrieve them when you need them.
Not costly…Or user-friendly
Free password managers are not user-friendly. You still have to open your password manager EACH time you need a password. If you are like me, it takes 30 seconds to access the vault (that’s only when I enter my very hard to guess master password adequately on the first try) and must access it around 23 times a day. This represents more than 10 minutes of my time every day, and, needless to say, I consider my time as precious.
The embedded password manager in browsers is much more user friendly. It remembers your password and enters your credentials for you as soon as you reach the website. However, this tool has been proven to be unsafe, as the entire list of your credentials can be stolen via cross-site scripting. Plus, this practice presents an imminent other threat: If someone has physical access to your computer, this person automatically has access to each account stored in the browser.
Two features are necessary to make password managers user-friendly: 1) the auto-filled credential when accessing a website; 2) access your account from different devices. However, most (if not all) password managers which have those features are associated with a significant cost.
The single point of failure problem
The recent LastPass data breach has proven that the password manager as a service model is not immune to cyber-attacks. It is a fact that using a password manager controlled by a third-party presents security risks. This is related to the fact that all passwords are now stored in one place and that if the vault is decrypted, all the password information, instead of a single password, is compromised. Plus, there is always the risk of losing access to the vault because you forgot your master password. In those two cases, you will have to recreate passwords for 100 accounts all at once.
Don’t get me wrong: Password manager is an adequate (or tolerable?) solution
In an ideal world, people would adopt password managers and have different strong passwords for each website they use. This way, data breaches would be less effective for two reasons: it would prevent password stuffing and the effortless cracking of credentials. Users’ information getting compromised would have a much lesser impact on the individual users. The point of this blog post was to expose the different reasons why password managers are not so easily implemented among non-experts, and they are the ones that we are trying to protect with misguided advice.
The solution is a world without passwords. After all, even the inventor of the computer password, Fernando Corbató, said that “passwords have become kind of a nightmare with the World Wide Web”.