This tweet from Rachel Tobac, a renowned social engineer, inspired me to write a short blog post.
All eggs in one basket, is it really a problem?
A lot of people are really anxious about storing all their secrets in a password manager. From opponents of (cloud) password managers I regularly get the reply that "putting all eggs in one basket" is a bad idea.
But is it really such a big risk when you put all your eggs in one basket, or in this case all your secrets in 1 tool?
Like so often in security... It depends.
- It depends on (the security of) the particular password manager.
- It depends on your particular threat model.
If you use a password manager with decent security - you can read more about which criteria I use to select a password manager in this blog post - the risk of getting your secrets compromised, or your eggs broken to stay with the analogy, is low.
If you have to fear nation-backed attackers you might need extra or other defenses, but for most mortals a good password manager will just do fine.
We're putting all eggs in one basket anyway
The remark of all eggs in one basket is often made about password managers.
But why is the same remark rarely made about other common ways to manage passwords like the human brain or a password book?
They are both also a single basket containing a person's secrets.
My best guess, based on the reactions I often get, is that most people just don't trust (cloud) password managers because they have no control over the storage of their secrets.
And this bias is only human. But we should look at the overall picture and then make an informed decision about which is the best basket to manage our secrets.
The human brain is a basket which isn't capable of storing multiple random, unique and long passwords. Given the big amount of online accounts most people have, this leads to (re)use of sub optimal and often bad, easily guessable passwords. While the passwords can't be stolen from storage - our brain - due to their weak nature they can be guessed, brute forced or found in other data breaches. The latter is a much greater risk than the former.
A (physical) password book is also a single basket. It can be a valid alternative for people that are less tech savvy, it's just much less practical than a password manager. And because it's not possible to copy paste passwords it almost certainly drives people to use non random passwords. That said, it's still much better than the password reuse that results from memorizing passwords.
Another basket that's often overlooked is an email account. Most people register a lot of online accounts with the same email account. When attackers can access this email account they can potentially gain access to all the other accounts via password reset or recovery.
When people have their email accounts secured poorly, with weak passwords and no MFA they are much more likely to be hacked than their password manager account.
Conclusion
Not using a (cloud) password manager because you don't want to put all eggs in one basket is actually a non-argument. You're putting them in one basket anyway. People that say so probably don't like that they can't control how the eggs are stored in the basket.
It certainly is important to select a password manager from a reputable vendor that offers good security and is transparent about it.
The ability to generate, store and (auto-)fill unique, random and long passwords is what differentiates a password manager from other ways of managing passwords that encourage people to re(use) weak passwords.