Here at Comparitech.com, we firmly believe everyone can benefit from using a password manager.
But not everyone agrees with us, and that includes information security professionals, such as Simon Edwards, Director at SE Labs.
With that in mind, we thought it would be fun to have a face-off over password security.
Read on to find out how my and Simon’s views differ on this important subject:
Lee Munson: Making the case for password managers
In my opinion as an information security professional, the biggest single point of failure in any system designed to ensure the confidentiality, integrity and availability of data is the human element.
While technical controls (antivirus, firewalls, etc.) all have their weak points – which is why I always advise patching software and updating hardware at the earliest opportunity – the human operating system is nowhere near as reliable, or even half as easy to fix.
Even if you ignore the minority of people who have malicious intent, the larger number of people who have no interest whatsoever in security, and the majority with whom we, as an industry, do such a poor job of communicating, there remains an even larger group of potentially risky human beings – those who find security naturally too bothersome.
Why would security be such an issue you may ask?
Well, the answer is simple: it’s becoming more and more complex by the day.
As the attackers become more sophisticated, so do the defences, but on the human level, the problem is far more simplistic: we all have far more accounts to protect these days.
From online banking accounts to Snapchat, Twitter to Facebook, Instagram to online dinner money accounts for the kids, the sheer volume of usernames and passwords required to protect them is increasing on a daily basis.
And you know what?
We really are terrible at remembering things.
That’s why we continually see blog posts about all the awful passwords discovered following a data breach.
It’s not that you think password1 is a great way of authenticating your identity though, is it?
No, I know what it is: you have 250 passwords to remember and even phrases like CorrectHorseBatteryStaple become cumbersome when you need to come up with passphrase after passphrase.
So what are you to do?
Keep it simple by using the same password for every site, despite the protestations of people like me, or use a unique password for all your accounts that is so ridiculously simple, even you can remember it?
There is another way, and that is the password manager.
While the doomsayers would have you believe a credential management program is a bad idea – it is a single point of failure after all – I’m here to tell you otherwise.
I personally have over 300 passwords covering a multitude of different accounts.
I also have the worst memory known to man – if you ask me for my online banking credentials, my Twitter password, or any other of my login credentials, I won’t be able to tell you.
Mainly because that would be a really, really bad idea in the first place, but also because I honestly do not know what any of them are.
In fact, I only know three passwords. Two of those are work-related, the other is the master password for my password manager.
If it wasn’t for that clever piece of software, I would be that person requesting a password reset every five minutes of the day. I simply cannot function without one.
That said, even I am wary of keeping all my eggs in one insecure basket, so to speak, so I made sure I chose a password manager that keeps all my credentials encrypted so, if the worst ever did happen, and that data found its way onto the web, chances are it would be of no use to anyone.
My password manager of choice also has some other nifty features too – it keeps up with the latest breaches and advises me if any of my accounts may have been affected, giving me the opportunity to change those credentials at the earliest possible juncture.
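One way a password manager can check stored credentials against published breach data without the password ever leaving the device is a hash-prefix (k-anonymity) lookup: the client hashes the password, sends only the first five hex characters of the hash, receives every breached suffix in that bucket, and finishes the comparison locally. The block below is an added example written for this article, not code from the password manager Lee describes or from any vendor; the response format (one `<SHA-1 suffix>:<count>` line per entry) follows the public range-lookup scheme, and the network call is replaced by a constructed in-memory bucket so it runs offline.

```python
import hashlib


def sha1_hex(password: str) -> str:
    # SHA-1 is used here only because it is the lookup key of the public
    # breach corpus format; it is not a password-storage hash.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    # Only the 5-character prefix is sent; the 35-character suffix stays local.
    h = sha1_hex(password)
    return h[:5], h[5:]


def fake_fetch_range(prefix: str) -> str:
    # Constructed stand-in for the HTTPS request a real client would make for
    # the bucket ".../range/<prefix>". Only the bucket for "password1" has
    # entries in this example; every other prefix gets an empty bucket.
    hit_prefix, hit_suffix = split_hash("password1")
    if prefix != hit_prefix:
        return ""
    lines = [
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",   # constructed filler entry
        hit_suffix + ":2401761",                    # real suffix, constructed count
        "011053FD0102E94D6AE2F8B83D76FAF94F6:3",   # constructed filler entry
    ]
    return "\r\n".join(lines)


def parse_range_body(body: str) -> dict:
    # Each non-empty line is "<suffix>:<count>"; build a suffix -> count map.
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range=fake_fetch_range) -> int:
    # Returns how many times the password appeared in the breach corpus
    # (0 means not found in the bucket). The full hash never leaves the client.
    prefix, suffix = split_hash(password)
    bucket = parse_range_body(fetch_range(prefix))
    return bucket.get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password1", "a-constructed-unbreached-passphrase-Zq7!"):
        n = breach_count(candidate)
        verdict = f"seen {n} times, change it" if n else "not found in the sample bucket"
        print(f"{candidate!r}: {verdict}")
```

Passing the fetch function in as a parameter is what keeps the example offline; a real client would replace `fake_fetch_range` with an HTTPS GET and keep the rest unchanged.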
Sure, a password manager isn’t a silver bullet when it comes to protecting your login credentials, but then silver bullets don’t exist in the security industry, despite what some salesmen may tell you.
But it is a good tool in an imperfect world, allowing you to create strong passwords for every new account you open while only having to remember one master password (and by golly, you better make that password a good one).
Until text-based passwords die – and biometrics will ensure they do… one day – it’s the best option available and I highly recommend you take advantage of it.
All you need to do to bolster your account security is to completely disregard Simon Edwards’ retort to this article and read our password manager reviews, which will help you pick the right software for your needs.
Stay secure my friends!
Simon Edwards: Making the case against password managers
It is true that we have to manage huge numbers of online accounts. Even those who aren’t particularly interested in computers are likely to have dozens of accounts spanning their email, social network, online banking and online shopping lives. You want to do something? Log in!
As I’m sure I don’t have to tell you, using the same credentials for each account is dangerous because one breach can easily snowball into something far more serious and wide-reaching. Remembering unique passwords for each account sounds mind-boggling and such a feat could well drive you to use a password management system. But, before you stash the keys to your digital kingdom into one vault, consider the following.
If you were a hacker who wanted to breach as many accounts as possible, would you target a wide selection of popular websites, hoping to strike lucky consistently, while evading detection? Or would you aim for the few services that store passwords for potentially billions of users? Why break into lots of sites when just a couple will provide the same (or better) results?
Password management services that provide an online repository of credentials worry me – a lot. They are an obvious target with an astoundingly valuable payout for a successful attacker.
It’s not like it hasn’t happened before. LastPass was hacked last summer, with the attackers downloading users’ email addresses, encrypted passwords and reminder phrases and solutions (What’s your email address? And your mother’s maiden name? – Gladys? Job done.)
Encryption can be broken but you don’t even need to go that far. LastPass itself noted that hackers could guess the passwords using the additional information provided from the breach (see https://blog.lastpass.com/2015/06/lastpass-security-notice.html/).
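Both sides of this argument (Lee's point that a leaked encrypted vault should be of no use, Simon's point that hints let an attacker guess the master password) turn on the same mechanics: what an attacker holds after a leak is the ciphertext, a salt and possibly a hint, and every guess at the master password costs one full key derivation. The block below is an added example written for this article, not LastPass's or any other vendor's code. It derives the vault key from the master password with PBKDF2 at a deliberately high iteration count, so the work factor is paid per guess, and authenticates the blob so that a wrong guess is rejected cleanly rather than producing plausible-looking data. The encrypt-then-MAC stream construction is a standard-library-only stand-in for the AEAD cipher a real vault would use.

```python
import hashlib
import hmac
import json
import os

# Work factor: every master-password guess against a leaked blob costs this
# many HMAC-SHA256 rounds. A hint shrinks the candidate list, but not this cost.
KDF_ITERATIONS = 600_000


def derive_keys(master_password: str, salt: bytes, iterations: int):
    # PBKDF2-HMAC-SHA256 -> 64 bytes: first half encrypts, second half authenticates.
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=64
    )
    return material[:32], material[32:]


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based stream cipher. This is a
    # stand-in for the example only; a real vault uses AES-GCM or a ChaCha20 AEAD.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master_password: str, entries: dict, iterations: int = KDF_ITERATIONS) -> bytes:
    # Blob layout: iterations(4) | salt(16) | nonce(16) | ciphertext | tag(32).
    # Nothing about the master password (no hint, no reminder) is stored.
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    header = iterations.to_bytes(4, "big") + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_vault(master_password: str, blob: bytes):
    # Returns the entries, or None if the password is wrong or the blob was tampered with.
    iterations = int.from_bytes(blob[:4], "big")
    salt, nonce = blob[4:20], blob[20:36]
    ciphertext, tag = blob[36:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    expected = hmac.new(mac_key, blob[:36] + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample vault and master password for the demonstration.
    entries = {"bank.example.invalid": {"user": "lee", "password": "constructed-3x4mpl3"}}
    blob = seal_vault("a long master passphrase nobody can guess from a hint", entries)
    print("correct master password ->", open_vault("a long master passphrase nobody can guess from a hint", blob))
    print("guess 'Gladys' ->", open_vault("Gladys", blob))
```

The design point is the split of responsibilities: the iteration count makes each guess slow, the authentication tag makes each wrong guess unambiguous, and the absence of a stored hint means the candidate list the attacker starts from is no smaller than the space of strong master passwords. A weak master password defeats all three, which is why the master password, not the cipher, is where such a vault usually fails.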
You may choose to use an offline password manager, which certainly reduces your attack surface. These don’t allow you to log in easily using multiple devices, though, which somewhat reduces their usefulness. And should your PC become compromised by malware, there is absolutely no reason why the attacker would not target such an application. Again, this has happened, with a tool called KeeFarce targeting password manager KeePass (see https://github.com/denandz/KeeFarce).
Real experts might choose to roll their own password management system. An administrator for Hacking Team, the Italian security firm that worked at the highest levels of inter-governmental hacking, saved his passwords in text files protected by the well-respected TrueCrypt software.
Sadly for him he was logged into his system and had already mounted his TrueCrypt volumes when his system was compromised, so all of the passwords stored on his system were available to the attacker. There was nothing wrong with TrueCrypt’s encryption. His mistake was saving his passwords on a computer. Computers get hacked all the time.
What is the alternative to using a computer-based password management system? Use a paper-based one. Write everything down and you are vulnerable only to physical thieves and assailants. Unless you live life in a movie, you should be OK. Also, it is possible to create unique passwords that are easy to remember.
Let’s start with your favourite password, that you used to use for all your sites: letmein123.
I’ll assume you use that for Gmail, Amazon and HSBC. We can easily change this password to an easily-remembered variation by changing it with some rules:
Ridiculously easy, I know. But it’s better than re-using the same passwords time and time again – and you can make efforts to increase your security by using little tricks. Maybe you change the numbers, or slightly edit the passphrase ‘letmein’. You do not need to have 100 passwords that are in the vague form of “123hjgsdfpakelk”. That way madness lies.
Create a memorable set of passwords, write them down on paper (in a pad that you keep safe) or at least ensure that your email address’ password is strong because, ultimately, when you forget your passwords, everything ends up being verified through your email address in the end. And that is why you should, if available, enable two-factor authentication for your email address. Because unlike your password manager, your email account really is the vault for your kingdom’s keys.
Now it’s time for your thoughts
Now that you’ve read the case for and against password managers it’s time to make your own decision.
Are you with me in believing password managers offer the most secure option for storing your login credentials?
Or are you in Simon’s camp, thinking storing all your eggs in one hackable basket is a risk you are unwilling to take?
Either way, we’d love to hear your views in the comments below.
Funny thing is that I already create a set of memorable phrases like Simon suggests. I actually have 3 sets: the first is for websites like shops that want you to register for whatever reason; if this phrase is ever picked up by hackers they can shop till they drop but never get to the essential information. The second is for anything I want to keep personal, like memberships and such, and the last is for anything financial, like banking. So it’s clear that I agree with Simon, as I’m a programmer myself and I know it’s childishly easy to get into some systems and hack databases or decrypt anything they have encrypted. Don’t trust password managers; they will let you down. The only security you can rely on is your own mind, so use it!
So, like me, use an email address that is only used for replying to sites like these, so that if it ever gets hacked you can abandon it and create a new one without any consequence or regret.
I completely agree with Paul. What do we do if we have to log in to accounts using our friend’s PC, on which none of our passwords are saved? But again, this is only one case; after all, every coin has two faces. One can also go with a single sign-on solution to protect accounts and reduce the number of passwords.
BTW! thank you, Lee for publishing the article.
Perhaps a password manager shouldn’t store passwords, but hints that don’t easily give away your password should your ‘password manager’ get hacked.
I concur. Storing all your passwords and logins in a single location is just asking for trouble.
What happens if you’re away, or using a friend’s PC, and need access to your accounts and you can’t remember these crazy-ass 15-digit passwords saved in a password manager not linked to that computer?
I think a hybrid approach is indicated. A password manager is certainly useful for inconsequential or low-risk accounts such as my login to “Summertime E-Zine”. But it is probably not appropriate for use for my retirement account, stock broker account or online banking. It is worth remembering those passwords and keeping them out of the “basket”. If using the manual method, writing them down, it is best to separate the information into two notebooks and secure them in different places: the account login in one notebook and the password and secret answers in another.