Password manager vs remembering passwords

I wrote this last year on the pros and cons of password managers:

Pros:

  • Great balance of convenience and security - people tend to choose simple passwords and then reuse the same password (or base) because there are so many of them and you have to enter them so often. With 1Password or Lastpass you can generate a truly strong password (at least for your critical accounts) but still have the convenience of having it auto-filled or at least available written down on your phone. A real benefit is also in things like secret questions; these are commonly a weak point, where a really strong password is paired with a five-letter dictionary word as the secret question answer. You can now generate strong secret question answers also.

  • Portability - the problem with using your browser's save password function is that, unless you combine it with something like Google or Firefox sync, it is not portable. Even then it is currently not available on your phone (at least not the iPhone; not sure whether the Android browser has Google sync).

  • Secure storage - your sensitive information is encrypted in storage and protected by a master password. This is a lot better than just writing it somewhere or storing it in a note or unencrypted spreadsheet.

  • Not just for passwords - you can store bank details, insurance numbers, credit cards, passport numbers, etc., which can save you time entering these details and provide you secure access to them on the move. You can also store files like scans of your documents or your private keys.

  • Improve your memory - on sites I hardly ever use, and government sites with those complicated usernames, I can never remember these details. Launch 1Password on the iPhone and everything is to hand with easy search.

  • People also add anti-phishing / anti-malware to this list, but that one I don't agree with. You still have to enter your master password, which malware can capture; if you have it on your phone and enter the password again, it can be captured there too. If you launch websites from the tool I guess it could be anti-phishing, but that's the same as typing the address in directly or using your bookmarks.

Cons:

  • Single point of failure, keys to the kingdom - if you sync your keychain to your phone or have it on your desktop or laptop, someone could get access to that. If your master password is weak then you lose everything in one go. As far as I'm aware 1Password does not offer a hardware-based two-factor authentication option for the master password, which would reduce this risk significantly. Lastpass does offer using a YubiKey as a two-factor mechanism, but because Lastpass has a web application it can suffer from web application vulnerabilities (e.g. XSS), which could leave your account details and, in the worst case, passwords exposed.

  • Terms and conditions - it is still technically 'writing a password down'. This may be against the terms and conditions of things like your Internet Banking site, which may reduce or remove any protection you get in case of fraud. You can always check this and not store the password for these sites.

  • Trust in the cloud - it is supposed to be encrypted in storage, but if you do synchronize the data, some people will never trust that 1Password or Lastpass does not have a backdoor, potentially allowing a malicious or disgruntled employee access. All software has vulnerabilities; again, a serious one could allow an attacker access to your data.

Another option is to use a password vault stored on a hardware-encrypted device like an Ironkey. Versions come with a password manager loaded in. It is a little less convenient, as you have to attach it to a USB port and have read access to it, but it is definitely more secure. It mitigates some of the risks highlighted above: it is hardware encrypted and stored only on the device. Also, if your Ironkey is on your physical key chain you are far less likely to lose it than your phone or laptop. You can also remotely destroy it if you do manage to lose it.

For the online remote destruction you need the enterprise version of the key. The remote destruction is a feature in the management console. When the key is plugged in, it phones home. If the destruction has been activated, at that stage it becomes unusable and all data is effectively lost (I believe by trashing the decryption keys). There is also an offline mode (similar to an iPhone), where you can set it to self-destruct automatically after 10 failed master password attempts.

Conclusion

Overall I believe the pros outweigh the cons. If you have no option for two-factor authentication then having a strong password is your only defense. Using a password vault just makes this a lot more practical and convenient.

There is no reason why you could not keep half the password in a password manager and remember the rest; it would make it more difficult for a key logger to capture your password. However, the trade-off in usability may not be worth it. A better option may be to use two-factor for your really sensitive information and a password manager for the rest.


If someone has rooted your box, then I think they can get your passwords from either method with not too much effort. They will be able to get your password file for the password manager and the password to that file via a keylogger. If you just use remembered passwords, they will collect your passwords over time as you key them in.

If someone has physical access to your machine to install and retrieve a keylogger, then they can log on to your machine if they have physical access for a significant time. If they don't have enough time for that, then you would be safer with the password manager, as they don't have your password file (only the password to it). If they do have time to get root access to your box and enable remote access to use at their leisure, then you are in the same position as in the first paragraph.

When you think about it like this, there is very little, if anything, that memorization holds over password managers. And you and your passwords are hosed if someone nefarious has physical access OR can root your machine remotely. Preventing these two attacks is key.

You first need good physical security to prevent physical attacks. Then you need to prevent remote attacks: implement good network perimeter security, enable a minimum of services and have good security practices for the ones that you have no other choice but to enable. Also practice safe browsing habits, keep your machine regularly updated, etc., i.e. the preventative measures that stop you getting rooted in the first place. And you need to have backups in case you do get rooted. If you do get rooted, then you should assume that you need to change every password, whether or not you use a password manager.

About the only thing memorization buys you IMO is perhaps a bit of time before someone logs your important passwords. You sacrifice a lot for this. Memorization is not scalable. The more sites you use (and as the web permeates our lives, the need for more usernames and passwords grows), the more things you need passwords for. And they increasingly benefit from being strong. Making them strong requires a lot of effort on the user's part, along with making memorization difficult. Or, if you write them down on a sheet of paper, you have the same problem as with the password manager, except that it's harder to back up and sync, more conspicuous, easier to misplace, in plain text, etc. And you have to type them in all the time, rather than copy and paste.

At least using a password manager gives you the ability to have very strong and different passwords to every site on the internet you use (which may be many). And also the ability to easily remember the different usernames, along with notes about the specific sites. If you memorize a strong password to your password manager, they have to be able to get your keystrokes somehow to make use of your file, or they need your file to make use of your keystrokes.