In January, we published a blog explaining why it is important to have strong passwords and provided advice to increase their robustness. Little did we know that writing this blog would create a commotion among the research team as different opinions on password managers emerged. Our last blog explained why password managers might not be as popular as the InfoSec community wishes. In this blog we will refute some of the arguments made, accept the limitations of password managers’ adoption, and propose strategies to address them.
We know why
IT Pros know well why they need a password management tool. To be effective, each password for each website (or application or server or device) should be strong and unique. This way, even if a password is compromised it cannot be re-used in credential stuffing attacks. We know that on average, people have 100 accounts protected by passwords. That number must explode for IT Pros. For example, my work password manager has 187 entries right now and my personal one 570, and this excludes old, rotated passwords. I am definitely not alone in this. However, Andréanne’s point was that password managers are not a solution for laypeople. Let’s look at some of her arguments.
It is yet ANOTHER tool
For some users, it seems like yet another extra effort that is added to their long list of things they have to do to protect themselves. Plus, when you think about it, the password is supposed to be protecting my information already. So, this extra effort on the user’s part is meant to adjust to a system that is presenting weaknesses in protecting them.
This is a refreshing perspective. I must admit that I agree with this. Thinking about it from today’s perspective, passwords should have been transparently protected by the operating system (OS), like what Keychain does on Apple systems. The problem with this approach is historic: at the time passwords were created for websites, OS security was poor. Popular OSes had no concept of multiple users, processes had no privilege system and browsers were constantly under attack. OS password vaults would have been attacked, and the all-eggs-in-one-basket failures would have been worse. This is how we got here today. But an analogy can be made with cars: putting your seatbelt on is more effort, so when seatbelts first became available, people still did not use them. Sometimes in life you need to put in an extra effort in order to be safer.
The password manager solution does not answer all the problems. Even if a user decides to use it, the effort does not stop after downloading it. It does not lift the weight of creating strong passwords for every account. It does not erase the fact that some websites, even if counter-indicated by NIST, will ask to change your passwords after a certain period of time. It also does not avoid the use of two-factor authentication, which robs us of our time already (although MFA is a necessary protection in this immediate urgency of increasing account security).
I disagree here. Besides MFA, most of these problems are solved by password managers. They come with password generators, password rotation is made easy (3 actions: generate, set, store), and your existing passwords can stay the same and be gradually improved as you go.
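To make the two points above concrete (unique passwords defeat credential stuffing, and rotation is just generate, set, store), here is an added example that is not code from the original post or from any password manager: a tiny audit over a constructed vault that finds passwords reused across sites, estimates the entropy of a generated replacement, and rotates only the reused entries. The vault contents, site names and the 12-character minimum are assumptions for illustration.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed sample vault (site -> password); none of these are real credentials.
# "Summer2019!" is deliberately reused on three sites to model the
# credential-stuffing exposure the post describes.
SAMPLE_VAULT = {
    "mail.example": "Summer2019!",
    "shop.example": "Summer2019!",
    "forum.example": "Summer2019!",
    "bank.example": "x7#Qm2!pLz9@Wq4r",
    "work.example": "correct horse battery staple",
}

# 94 printable ASCII characters, the usual default for generator tools.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Step 1 of rotation ("generate"): draw from the OS CSPRNG via `secrets`,
    never from `random`, which is predictable."""
    if length < 12:  # assumed floor; NIST only mandates 8, most managers default higher
        raise ValueError("password too short to be worth generating")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault):
    """Return {password: [sites]} for every password used on more than one site.
    Each such group is one credential-stuffing pivot if any site is breached."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def rotation_plan(vault):
    """Steps 2 and 3 ("set", "store") for reused entries only: return a new vault
    in which every reused password is replaced by a fresh unique one, while
    already-unique entries stay as they are ("perfect is the enemy of good")."""
    reused = find_reused_passwords(vault)
    new_vault = dict(vault)
    for sites in reused.values():
        for site in sites:
            new_vault[site] = generate_password()
    return new_vault


if __name__ == "__main__":
    for pw, sites in find_reused_passwords(SAMPLE_VAULT).items():
        print(f"reused on {len(sites)} sites: {', '.join(sites)}")
    print(f"a 20-char generated password has ~{entropy_bits(20, len(ALPHABET)):.0f} bits")
    rotated = rotation_plan(SAMPLE_VAULT)
    print("reuse after rotation:", find_reused_passwords(rotated))
```

The audit is the kind of check most managers run for you under a "health" or "watchtower" label; the point of the example is that rotation touches only the entries that actually create shared risk, so the migration cost is proportional to the problem rather than to the size of the vault.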
Even after the installation, you must spare time in making sure that all passwords are strong, then store them in the right place, and then retrieve them when you need them.
This is a clear case of “perfect is the enemy of good”. You can keep your existing passwords the way they are and rotate them over time as you need to change them or reset them because you forgot what they are. Even with my 750+ accounts, I still have a handful of old accounts with memorized passwords.
Not costly… Or user-friendly
Free password managers are not user-friendly. You still have to open your password manager EACH time you need a password. If you are like me, it takes 30 seconds to access the vault (that’s only when I enter my very hard to guess master password adequately on the first try) and must access it around 23 times a day. This represents more than 10 minutes of my time every day, and, needless to say, I consider my time as precious.
In my experience, that is an inaccurate depiction. Most password managers (free or paid) allow you to configure how long the vault stays open: indefinitely, until you put your laptop to sleep, or for a certain period of time. Your risk profile then determines how you should configure your password manager. For example, mine will lock itself after 5 minutes without usage. As I write this, I realize this is not an argument for user friendliness, but it can alleviate some of the friction.
The embedded password manager in browsers is much more user friendly. It remembers your password and enters your credentials for you as soon as you reach the website. However, this tool has been proven to be unsafe as the entire list of your credentials can be stolen via cross-site scripting.
This argument is fallacious, a case of the perfect solution fallacy, which “occurs when an argument assumes that a perfect solution exists or that a solution should be rejected because some part of the problem would still exist after it were implemented”. The built-in password manager of modern browsers can simplify the handling of passwords for many and significantly reduce risks compared with password re-use. We must think of it from a risk reduction perspective. Attacks abusing password re-use happen online, without any interaction with your computer required. The impact ranges from stolen social media accounts and read emails all the way up to money theft. Attacks against browser password managers require code to execute on your computer (for the info-stealer malware case) or require you to visit a malicious page (for the cross-site scripting scenario). Both require user intervention, which significantly reduces the likelihood of the event. Arguably, the impact is worse because all the passwords are stolen at the same time, not only social media or emails. However, remember the risk equation: probability × impact = risk. A large decrease in probability will reduce overall risk even if the impact increases. Nowadays, the probability of anyone being in a data breach approaches 100%, with 33 billion accounts expected to be breached in 2023. On the other side, the probability of your computer being attacked by an adversary that will steal your passwords is much lower. For example, research on information stealers revealed that over 5 million records were being sold on the darknet. This is a numbers game, and using your browser’s password manager will reduce the impact of breached accounts.
Later she says:
Plus, this practice presents an imminent threat: If someone has physical access to your computer, this person automatically has access to each account stored in the browser.
Physical access to computers is a different problem that requires different solutions, but they exist: full drive encryption, per-user accounts and, for shared family computers, Google created Chrome profiles. With a Chrome profile you can easily switch from one identity to another, which means that every member of the family can have their own browser-based password store. However, you need to remember to disconnect from your profile after you are done with your Web browsing session.
One last point about browser password managers is that they are constantly being improved. Google just turned it into a standalone tool and added significant features like “Password Checkup” that verifies your passwords against data breaches. Note that the practicality of a feature like this is disputed in the password management community.
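A breach-check feature like the one mentioned above is only acceptable if the service never learns your actual passwords. The added example below, which is not code from the original post, from Google or from any manager, shows the k-anonymity range-query scheme that Have I Been Pwned popularised for this purpose (I am not asserting that Password Checkup uses exactly this protocol): the client hashes the password, sends only the first 5 hex characters of the SHA-1 to the server, receives every hash suffix sharing that prefix, and does the match locally. The breach corpus and counts are constructed, and the in-process `RangeServer` stands in for the remote service.

```python
import hashlib

# Constructed "breach corpus" standing in for the service's database:
# password -> number of times it was seen in breaches. Not real breach data.
BREACHED_PASSWORDS = {
    "password": 9_000_000,
    "123456": 23_000_000,
    "Summer2019!": 42,
}


def sha1_hex(password):
    """Upper-case hex SHA-1, the digest the range-query scheme is built on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: bucket every breached hash by its 5-char prefix,
    keeping the remaining 35 chars and the breach count."""
    index = {}
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


class RangeServer:
    """Stand-in for the remote breach-check service (assumed, for illustration).
    It records every request so we can verify what the client actually sent."""

    def __init__(self, corpus):
        self.index = build_range_index(corpus)
        self.requests = []

    def query(self, prefix):
        # The whole point of the scheme: the server only ever sees 5 hex chars,
        # which match 1/16^5 of all possible hashes, so it cannot tell which
        # password (if any) in that bucket the client holds.
        if len(prefix) != 5:
            raise ValueError("client must send exactly a 5-char prefix")
        self.requests.append(prefix)
        return dict(self.index.get(prefix, {}))


def check_password(password, server):
    """Client side. Returns the breach count for `password`, 0 if unseen.
    The full hash and the password itself never leave this function."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    candidates = server.query(prefix)
    return candidates.get(suffix, 0)


def leaked_full_hash(password, server):
    """Audit helper: did any request to the server contain the full hash?"""
    full = sha1_hex(password)
    return any(full in request for request in server.requests)


if __name__ == "__main__":
    server = RangeServer(BREACHED_PASSWORDS)
    for candidate in ["Summer2019!", "x7#Qm2!pLz9@Wq4r"]:
        count = check_password(candidate, server)
        verdict = f"seen {count} times in breaches" if count else "not found"
        print(f"{candidate!r}: {verdict}")
    print("requests sent to server:", server.requests)
```

What the client gives up is confirmation that it holds *some* password in a bucket of roughly 1/1,048,576 of the hash space; what it gains is a breach check without a third party ever seeing the password or its full hash. This is the property the "disputed practicality" debate turns on: the check is privacy-preserving, but it only catches passwords that are already public.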
Continuing on password management user experience, she says:
Two features are necessary to make password managers user-friendly: 1) auto-filling credentials when accessing a website; 2) accessing your account from different devices. However, most (if not all) password managers which have those features are associated with a significant cost.
The open-source and free KeePassXC has had credential auto-filling for ages, but setting it up to work with multiple devices involves a cloud storage provider and steps that are too complex for most people except techies. User-friendliness is at the center of the problem here and yes, user-friendly solutions are expensive, but competition is driving costs down.
About the single point of failure problem
The recent LastPass data breach has proven that the password manager as a service model is not immune to cyber-attacks. It is a fact that using a password manager controlled by a third-party presents security risks.
The single point of failure problem is a serious one and should be part of your threat model. For high-value accounts, where a compromise directly incurs financial loss, a separate system without a cloud component is advisable. A tiered setup looks like this. First, the free and convenient browser-based password manager for most online accounts, which is automatically synchronized to your phone. Second, a KeePassXC database for banking, investments and other sensitive accounts, which are usually accessed from a computer. Third, a separate KeePassXC database for work-related accounts. On top of that you can add a physical password notebook, where you can write master passwords in case you are afraid of forgetting a rarely used password vault. After all, we often think that hackers could physically access our devices, but the reality is that account compromises are almost always performed using remote techniques.
Researchers have suggested that many users are not aware of what password managers are, how to use them, and/or whether they are trustworthy. Therefore, basic awareness of password-management tools is the primary adoption barrier for some users.
Yes, user awareness of password managers is terrible. The first contact new computer users have with password managers is probably browser-based password managers. Then it is up to them to decide: do they embrace it, look for alternatives or disable it entirely?
What is making things worse is the tech media’s coverage and tone when password management solutions are breached or vulnerabilities are reported in them. This is likely to be detrimental to the trust the IT Pro community must have in these solutions. Since IT Pros are an important contributor to the word-of-mouth proliferation of password managers, it must hurt adoption.
More than just passwords
An interesting feature of password managers is that they can contain more than just passwords. This means that little snippets of text of some security importance can be stored in them, like your passport number and expiry, credit card numbers or your social insurance number. This has the side benefit of allowing you to access that information without having to retrieve your physical passport, something that can be useful when purchasing plane tickets at work, for example. The alternative is leaving that information in plaintext in a passport.txt in your Documents folder: clearly less secure…
Another thing to think about is that we always say “don’t share passwords”, but that is impractical, quixotic advice. Some passwords and use cases need to be shared, period: shared access to important household accounts (banking, Internet router), shared access to per-user expensive software-as-a-service products (Adobe, Miro, etc.). Cloud-based password managers like Bitwarden provide a mechanism to share passwords and keep shared passwords synchronized across changes, more securely than the alternatives.
Don’t get me wrong: Password managers are an inadequate solution
I know I spent the whole post praising password managers and I am using them myself, but the truth is that they are a niche technological solution for nerds or for people who have nerds in their lives to advise them. They are a step too far for most people: they need extra work, require risk evaluation, and come with additional costs. That said, I hope people reading this blog, and knowledge workers in general, were convinced that intermediate solutions like browsers’ password managers are better than nothing and will start adopting them.
Writing this made me realize that I need to push my household in that direction: my daughters are pre-adolescents and on the verge of starting to manage online accounts. As for myself, I realized that I should leave KeePassX and move towards KeePassXC and try its browser integration.
To finish by quoting Andréanne:
The solution is a world without passwords. After all, even the inventor of the computer password, Fernando Corbató, said that “passwords have become kind of a nightmare with the World Wide Web”.
We have never been this close to getting out of this nightmare.