I love my password manager. It enables me to use stronger passwords, unique passwords for every site, and even rotate passwords on select web services. You know, the sites that involve money. Because I can synch its data among all my computers and mobile devices, I am never without access. I believe this improves the security of my accounts, and as such, I am an advocate of this type of technology. I was encouraged when I saw the article Guard That Password in this Sunday’s New York Times. Educating users on the practical need for strong passwords in a mainstream publication is refreshing. Joe User should know how effective just a couple extra password characters can be for foiling attackers. On the downside, the article looks more like a vendor advertisement – in an attempt to reduce concerns over LastPass’s own security, the author seems to have missed describing the core values of a password manager.
First a couple pieces of information that were missing from the article. One of its fundamental mistakes is that most merchants – along with the associated merchant web sites – don’t encrypt your password. On-line service providers don’t really want to store your password at all, they just want to verify your identity when you log in. To do this most sites keep what is called a ‘hash’ of your password – which is a one-way function that conceals your password in a garbled state. Each time you log in, your password is hashed again. If the new hash matches the original hash created when you signed up, you are logged in. This way your password can be matched without the threat of having the passwords reversed through the attacks described by Prof. Stross. Attackers still target these hashed values during data breaches, as they can still get figure out passwords by hashing common password values and seeing if they match any of the stolen hashes. In most cases you directly improve your password security by choosing longer passwords, thereby making them more difficult for an attacker to guess.
All bets are off if the owner of a web site you visit does not secure your password. If the merchant stores unencrypted or un-hashed passwords – which is what Sony is being accused of – it requires no work for the attacker. You can’t force a web site owner to secure your password properly, and you can’t audit their security, so don’t trust them. The (generally unstated) concern is that people are bad at remembering passwords, so they use the same ones for eBay, Amazon, and banks. That means anyone who can decrypt or identify your password on a Sony site has a good chance to compromise your account on other (more lucrative) sites.
Which brings us to my point for this post: using a password manager frees you from conventional problems, such as your memory. Your security is no longer dependent on how good your memory is. The commercial products all generate random strings with special characters for unguessable passwords. So why should we limit passwords to 10 characters? You no longer need to remember the passwords – the manager does this for you – so think 20 characters. Think 25 characters! And just as important, why limit yourself to one password when you should have a different password for every single site? This reduces the scope of damage if a site is hacked or when a merchant has crappy security. Finally, if you don’t trust the password manager to securely store your password in ‘the cloud’, you can always select a password manager that stores exclusively on your computer or mobile device. Password managers are one of the few times you can get both convenience and security at the same time, so take advantage!