Some common misconceptions about password managers and their alternatives

Recently I wrote a blog post about why password managers are not the best solution for everyone. TL;DR: because they pose a usability barrier for less tech-savvy people.

Every time I tweet about password managers I get replies from people who argue very strongly against them. It almost always boils down to "I don't trust password managers".

The results from this poll Mike did a while ago show that 1 in 10 people find a password manager too risky.

What I noticed in many discussions is that this distrust is based on generalizations or misconceptions.

Many people look only at what they perceive (sometimes wrongly) as weaknesses of password managers, instead of performing a balanced risk analysis of the different password management methods.

I'm not writing this post to convince anyone to use a password manager. I just want to debunk some of the misconceptions that are being spread. I will focus on common arguments against using a password manager, but also on some of the alternatives that people use. Keep in mind that you can only deal with a particular problem in the best possible way when you are well informed about the different alternatives.

"All your secrets are protected by a master password only"

This is the reason I hear most often for not trusting a password manager. People think that, by definition, all password managers protect their secrets with a single password, and that when this master password gets stolen they lose all their secrets.

I got a very explicit reaction not to use or promote password managers.

This is a generalization. There probably are password managers that rely solely on your master password to secure all your secrets. For an offline password manager this may be an acceptable risk, because an attacker first has to gain access to your machine. Once they have access to your PC it's game over anyway: they can steal whatever information they want.

For an online password manager I agree that relying on a master password alone to secure all your secrets is a big no. When I selected a password manager I first did some research, and none of the password managers I investigated relied on a master password only. They all offer multi-factor authentication, and most of them have additional security measures in place as well.

Do this exercise for yourself. Read about the security measures taken by different vendors and select a password manager that fulfills your security requirements. If you want to know more about how to select a password manager, you can find some tips here.

"When the servers of my password manager vendor get hacked all my secrets are stolen"

If this is the case, it means that you have simply chosen the wrong password manager. A decent cloud-based password manager should be resilient to a breach of its servers: on the one hand the vendor should not store your master password or other encryption keys on its servers, and on the other hand every secret stored in your password manager should be encrypted on the client.

With these security measures in place your secrets cannot be decrypted even if the vendor's servers get hacked, because the attackers don't have the decryption keys.
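To make the breach-resistance argument concrete, here is an added illustration (not code from this post or from any vendor) of the client-side design described above: the client stretches the master password into separate vault-encryption and authentication keys, encrypts the vault locally, and the server ends up holding only a salt, a hashed authentication verifier and opaque ciphertext. The HMAC-counter-mode cipher, the in-memory server, the user "alice" and the sample secret are all constructed for the example; a real product would use a vetted AEAD such as AES-GCM and KDF parameters tuned to current guidance.

```python
import hashlib, hmac, os

ITERATIONS = 200_000  # PBKDF2 work factor, illustrative only

def derive_keys(master_password: str, salt: bytes):
    # Client-side only: enc_key and mac_key never leave the device; only auth_key is sent.
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=96)
    return km[:32], km[32:64], km[64:]

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 as a PRF in counter mode: a toy stream cipher standing in for AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt_vault(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def decrypt_vault(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("vault blob tampered with or wrong master password")
    return _keystream_xor(enc_key, nonce, ct)

SERVER_DB = {}  # the vendor's side: everything here comes from client uploads (constructed)

def server_register(user: str, salt: bytes, auth_key: bytes, blob: bytes) -> None:
    # Store only a hash of the auth key, so a database dump cannot be replayed as a login.
    SERVER_DB[user] = {"salt": salt, "verifier": hashlib.sha256(auth_key).digest(), "blob": blob}

def server_login_and_fetch(user: str, auth_key: bytes) -> bytes:
    rec = SERVER_DB[user]
    if not hmac.compare_digest(hashlib.sha256(auth_key).digest(), rec["verifier"]):
        raise PermissionError("wrong master password")
    return rec["blob"]

def demo(master_password: str = "correct horse battery staple", secret: bytes = b"mail: p4ssw0rd!"):
    # Register a constructed user, simulate a full server dump, then recover legitimately.
    salt = os.urandom(16)
    enc_key, mac_key, auth_key = derive_keys(master_password, salt)
    server_register("alice", salt, auth_key, encrypt_vault(enc_key, mac_key, secret))
    dump = b"".join(SERVER_DB["alice"].values())          # what a breach hands the attacker
    leaked = secret in dump or master_password.encode() in dump
    ek, mk, ak = derive_keys(master_password, SERVER_DB["alice"]["salt"])  # client re-derives
    return decrypt_vault(ek, mk, server_login_and_fetch("alice", ak)), leaked
```

Running `demo()` returns the recovered secret and `False` for `leaked`: the dump contains neither the master password nor the plaintext, and without re-deriving the keys on a client the blob is useless.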

"I don't use a password manager because I don't want to put all my eggs in one basket"

What people who say this forget is that by using their brain or a password book to manage passwords, they also put all their eggs in one basket. So this is really a non-argument.

Talking about putting all eggs, or in this case passwords, in one basket, I totally agree with Sean Wright here.

If an attacker has access to your email account, they can take over a lot of the accounts registered with that email address. So if you don't want to put all your eggs in one basket, start by using different email accounts, certainly for important accounts.

Not that I think it's necessary if you use a good password manager, but if you want to, you could use multiple password managers instead of one.

Or, as some other people replied, you could use passphrases for your email accounts and any other accounts you don't want to store in a password manager, and use a password manager for everything else.

Credits to The AntiSocial Engineer for providing me with this slide from their security training material.

"A password manager is a single point of failure"

I've heard this comment several times. And it's certainly true that if you no longer have access to your password manager, you can't access your accounts anymore.

As I said before, a good password manager doesn't store your master password or additional secret keys on its servers. This means the vendor can't reset your password for you. That makes recovery a bit harder, but recovery processes should be hard enough that attackers can't abuse them.

One of the things you should research upfront is how to recover your account in case you can no longer access it. It's also best to write your master password and secret key(s) down on a piece of paper and store it somewhere safe.

Note that, unless you always have an up-to-date copy, a password book is also a single point of failure. The human brain isn't infallible either, and you could forget the passwords for certain accounts. People who reuse passwords in particular can get locked out of many accounts at once.

Another concern people have is the availability of a cloud-based password manager. I have used a password manager for years and have never experienced downtime. I might have been lucky, but even if the service is down I can still access my passwords offline. Make sure you check for this when selecting a password manager.

An additional benefit of using a password manager is that I never have to reset passwords anymore because I've forgotten them. When I was trying to memorize passwords years ago, I had to reset them all the time.

"I don't trust the vendor"

If you don't trust the developers, and thus the vendor, of the password manager, don't use it. But this is no different from any other piece of software.

You can always opt for an open source password manager, so you can review the code. But bear in mind that the business model of password manager vendors is built on security and trust. This doesn't mean that things can't go wrong. It's important to choose a reputable vendor that values security. As a minimum, choose a password manager that:

  • Doesn't store your master password and other secret keys on its servers
  • Encrypts your secrets on the client
  • Is transparent about the security measures taken; look for in-depth information, for instance security whitepapers
  • Is actively maintained
  • Releases regular security patches
  • (Optionally) has features to detect breached accounts
  • (Optionally) has a bug bounty program

The question you genuinely need to answer for yourself is: Do you trust your own password management practices more than the ones offered by a password manager?

If your password management practices consist of reusing passwords (which is a no-go), you're far better off using a tool to manage strong and unique passwords for your user accounts.

Conclusion

People who argue against something often look only for arguments that prove the weaknesses of that particular solution, without evaluating the weaknesses of their own alternative approach.

I hope this post clears up some misconceptions about password managers and shows the importance of making balanced and informed decisions. Fear of and ignorance about password managers result in people using suboptimal solutions.