Portuguese English German

No Password Manager vs Password Manager

Nowadays web users have registered themselves in many websites. Each website asks you a new password that should be hard-to-guess and easy to remember. However it turns out to be a pretty difficult task.

If you don't really care about these many passwords you have, you probably end up reusing the same password over and over because it's better than defining unique passwords that you won't remember at some point in time. Not to mention that you'd probably store them in a spreadsheet file in your home folder.

Well, let's discuss how to securely deal with passwords comparing the following approaches:

  • No Password Manager;
  • Online Password Manager;
  • Offline Password Manager.

Security Principles for Managing Passwords

First of all, to securely handle passwords I've listed 5 ideal and main principles that we should keep in mind no matter what option you choose:

  1. Passwords must be complex, i.e., be hard-to-guess;
  2. Passwords must be unique for every account you have;
  3. Passwords must be stored securely;
  4. Passwords must be transmitted securely, e.g., from your password vault to the web page, from your password vault to your mobile device and so on.
  5. The process of managing passwords must be easy to use, otherwise it won't stick

No Password Manager

This approach includes managing your passwords using either paper or digital formats. Did I say paper? Yes. The more you know about attacks and encryption, the more you starting loving paper.

1. Passwords must be complex: to generate strong passwords without password managers is a challenging task because we're biased in our generation pattern, but it still should not be hard to generate a strong password that you won't need to remember. In this topic you can just randomly press the keys of your keyboard using SHIFT in some keys and not in others plus adding numbers to it until you reach a desirable size, e.g., 20 characters.

2. Passwords must be unique for every account you have: just repeat the generation process for each account, thus you'll have different complex passwords for every account. The problem will be to access it, but keep reading :)

3. Passwords must be stored securely: that's the tough part. If you're using paper there is the risk of being robbed or someone sneaking into your room and photographing all your passwords, just like a credit card.

If you're using a digital method you can choose to store it in a file like a spreadsheet, but chances are that you don't have full disk encryption, thus a backup of your notebook will be enough to dump all your passwords. A better option is to store all your passwords in your email provider. For example if your use Gmail, storing them in a draft is better. Why? Because when you forgot a password, if you still have access to your email you can reset it, thus your password is as strong as your email provider account access. Make sure to enable 2 step verification on your provider for an enhanced security.

But what's the problem of this approach? Drafts may be cached on your browser thus being possible to backup your HD again or if you have synchronized your mobile phone to access your email (99% of people do this I bet), you'll have another copy of your passwords cached in your mobile phone. Your email provider will have access to all your passwords, but seriously, Google has much more valuable data than your passwords to begin with. Not to mention that it's not shoulder surfing resistant. You can't log in to any service when sharing your screen or when someone is behind you, otherwise they'd be able to see your passwords.

4. Passwords must be transmitted securely: you don't need to remember to your passwords, but you have to move them from your vault (be it encrypted or not) to the login page. It turns out that you'll probably copy and paste them, but beware that other programs may access your clipboard. Or a malware infection may dump your memory or log your keystrokes, thus defeating all this password management process. You need to make sure to empty your clipboard after pasting the password. Just copy anything else. Ideally even before submitting the login form. For mobile devices you need to type your password again while looking at where they're stored on your computer or look in your draft's folder of your email app.

5. The process of managing passwords must be easy to use: in general it's just switching tabs and copying/pasting passwords. But it requires you to have continuous access to your email account and it's really a problem when logging in using an untrusted machine.

Online Password Manager

I'm using LastPass, a free service, for this category of online password managers. An online password manager is actually a mix of offline password manager with online capabilities to share passwords and synchronize across multiple devices. To sign up, I went to LastPass website and was prompted to install their browser extension:

LastPass Browser Extension

Then every action afterwards happen within this extension. The URL starts with chrome-extension:// where I'm asked to sign up. It's similar to having installed an app in my mobile phone:

LastPass Sign Up - Part 1

And in the next page I'm asked to set up "the last pass" I will need to remember, the so called "master password":

LastPass Sign Up - Part 2

Then I'm presented to the extension as a whole:

LastPass Extension

Let's discuss the security principles I've stated above:

1. Passwords must be complex: doing it automated is better than manually. We tend to stick to keyboard patterns instead of truly randomizing characters. Let alone use special characters. Whenever you try to sign up, LastPass can generate a new password using default rules:

LastPass Default Password Generation

Or let you customize them by clicking on "More options":

LastPass Advanced Password Generation

2. Passwords must be unique for every account you have: that's easily accomplished. The same password generation widget shows up in every password field. It's possible to identify password fields because they are input tags with the type="password" attribute.

3. Passwords must be stored securely: easier said than done. LastPass extension creates your "vault", a file containing your passwords that is encrypted using your master password (the password defined during the sign up process). Actually that should be the logic, but it's much more complex that. Why is that the case?

Well, password managers are only securely decent when you can't decrypt a vault if you have compromised the client's device. But users may forgot their master password, thus losing the master password means losing all other passwords as well. That said, instead of relying in the user's master password to decrypt the vault, wouldn't it be better to store the decrypt password in LastPass's servers and send it back to the device only when the user email/password matches? Yes, it's better. Actually they don't need to store the whole key, but part of it. This concept is called dual custody.

Ok, now in this scenario the security of your vault lies on LastPass's servers. Is that a good thing? It depends! At least until November 17th it wasn't.

But there is one worrisome thing: vault synchronization across devices.

It can only be done if the vault is stored in the server. It means that hacking LastPass should leak your vault and your vault key. These items may be separated in different servers, but it's hard to offer "device sync" and "forgot master password" functionality altogether. That's not necessarily how LastPass is designed. I didn't research it, but I have doubts about their implementation given the presented information in the previously linked article.

4. Passwords must be transmitted securely: in LastPass case, by default the username and the password are auto-filled thanks to the browser extension. It detects the current URL (the text in the address bar), look for matches within your password vault and automatically fills both fields:

LastPass Usage

There are LastPass icons on the right. If you click on it you'll be offered an option to choose "Log in as another user", in case you more users for that website. In my case I have only one, thus the "1" value near those icons.

But is it a safe password transmission from the vault to the website?

In this case there is no need to copy/paste, unless you disable autofill, thus preventing attacks on clipboard. On the other hand if the autofill extension is not secure, an attacker could craft a malicious URL to spoof a valid website and make the extension toss all credentials. It's actually occurred recently and in the past using a XSS of any page in a domain and iframing the login page to leverage the Same Origin Policy (SOP) to access the value of the password field.

5. The process of managing passwords must be easy to use: it's dead simple. It's been made for layman after all. After signing up to a website, you can manage every stored credential:

LastPass Usage - Manage Credentials

And then launch the website to authenticate directly:

LastPass Usage - Launch Website

They even offer a feature named "Security Challenge" that tests all your passwords against 'already leaked passwords', 'weak passwords' and much more:

LastPass Usage - Security Challenge

As it was my first account on LastPass and at least at first I don't want to use, I put a ridiculous master password hehe.

Offline Password Manager

For this topic I'll use Keepass, a free and open source password manager. What sads me is that it uses Wine instead of having a version designed specifically for Ubuntu, which makes the interface looks like Windows 95. But let's do it.

Offline passwords managers tend to offer more security in exchange of a decreased user experience, e.g., synchronize devices. Let's start by installing KeePass.

I tried to install the latest version (2.x), but only the classical version worked using Wine (1.x). Here's the first thing you'll see:

KeePass 1st UI

Let's proceed to create our vault. Note that it's possible to use a KEY to unlock our vault instead of a master password. Then you should have this KEY file in a pendrive only. Actually they name "composite master key" the combination of factors to unlock your vault. This combination of factors include "(...) a password, a key file, a Windows user account key and/or a key provided by a plugin (...)".

KeePass 2nd UI

Then repeat our master password:

KeePass 3rd UI

Now a brand new world has appeared before us:

KeePass 4th UI

Let's dig into the details of each security principle:

1. Passwords must be complex: This is accomplished by the "KeePass Random Password Generator", accessible through the menu "Tools -> Password Generator":

KeePass Generate Random Password

After clicking on "Generate":

KeePass Generate Password

And in clear:

KeePass Generate Password in Clear

Then, as we did not set a title, here's how it will look like:

KeePass Stored Password

2. Passwords must be unique for every account you have: no secret in here. You have to manually do this using the generator or use a browser extension to help you, accepting the risk that you're increasing the attack surface in exchange of more usability. KeePass has a lot of plugins and it happens to have 2 plugins to work with Chrome: KeeForm and ChromeIPass.

Unfortunately KeepForm plugin for Chrome was removed and it isn't present in Google Store anymore, thus we have to check ChromeIPass.

KeePass ChromeIPass

But it didn't work. I tried to set the "password database", however the "Connect" button simply doesn't work:

KeePass ChromeIPass Bug

3. Passwords must be stored securely: this is, as always, a giant topic that we could dive in. However in this case this is as secure as it should be. You'll have an encrypted vault and only a master password or key file to decrypt it. No 'backdoors' nor any other way to restore your master password/key as we saw on LastPass. Lose them and you'll lose all your passwords. Neat.

4. Passwords must be transmitted securely: copying and pasting, then clearing the clipboard after a few seconds is acceptable to transfer the password from the vault to your browser. Still, malware is a problem in this scenario.

5. The process of managing passwords must be easy to use: not that convenient without a browser extension, but copying and pasting isn't that hard. And for mobile devices you have to retype your password while looking to your password in clear after you've opened your vault. Very similar as to not using a password manager in here.

High Level Approaches Comparison

Everything with an asterisk (*) means "has strings attached that were discussed above".

Feature No PWM (Paper) No PWM (Digital) Online PWM Offline PWM
Complex PW Generation Rules Depends on User Depends on User X X
Generate Unique Passwords per Account X X X X
Passwords are stored securely X (*) X (*) X (*) X
Passwords are transmitted securely X (*) X (*) X (*) X(*)
Shoulder Surfing Resistant X X
Server hacking resistant X X (*) X
Client hacking resistant X X (*) X
Robbery resistant X X X

Conclusion

Every option offers benefits and drawbacks. You're not necessarily crazy using paper (not post it, please!) and you're not necessarily secure using the fanciest password manager either. The important thing in here is to follow my 5 security principles.

But if someone come to me and ask the best option to start with, I'd suggest an offline password manager. If you really have the need to synchronize and so on, you can make your own vault sync or switch at once to an online password manager. If you know what you're doing, sync on your own. Otherwise move to an online password manager.

I've been using the no password manager (digital) approach before the rise of password managers and I'm considering to switch it to an absent of magic password manager. Ideally open source with few lines of code and trusted by the community. A security vault truly decrypted by a master password that only lies inside my mind and nothing else. Taking the risk of losing every password once I forgot the master password. That's what a good password manager looks like for me.

1Password is being recommended by some security folks, but it seems to work decently only on Mac. KeePass lacks the integration to have the same UX as LastPass on Ubuntu at least, but I feel more secure using an offline password manager. LastPass worries me because of those many features that hugely increases the attack surface. Perhaps I should await for such tools to get more mature and provide a more friendly Linux version :)

See also

That's all for today

Thank you.

Share on Twitter Share on Facebook Share on Google Plus Share on LinkedIn Share on Hacker News

Popular Posts

Newsletter


Twitter