June 27, 2019

Secure password management part 4 - Why password managers are not the best solution for everyone


Do you know how many user accounts you have? Because I use a password manager, I do.

This tweet is from last October; I just checked, and since then the number of accounts has grown from 107 to 132. You might think I'm an exception, but Dashlane research from 2015 shows that the average user already had at least 90 online accounts at that time.

Humans are simply not capable of creating and remembering strong passwords for the variety of accounts they have, and this is still the biggest reason why password reuse remains common practice.

But we're lucky, there are tools to help us!

The problems a password manager solves

One of the most common reasons why accounts get hacked is reused or weak passwords. If you want to learn more about why password reuse is a no-go, read this post.

Good password managers have a few characteristics that help prevent these attacks. They have a password generator that can be used to generate random and unique passwords for every account.

Such random passwords are only usable when you don't have to remember them and type them manually into password fields.

That's why password managers can store passwords encrypted in your password manager account. Whenever you need to log in you can copy the password into the password field. A lot of password managers even offer auto-fill or auto-login functionality.

What a password manager doesn't solve

A password manager has several advantages, but it doesn't prevent you from applying bad password management practices.

It's nothing more than a means to help you improve your password security. It's still up to you to create unique passwords for every account.

Even if you have all your passwords stored in a password manager, there are still a few passwords that you'll need to enter before you have access to your password manager. Some examples:

  • The master password of your password manager account
  • Your computer / domain account
  • The PIN code of your smartphone / tablet / ...

Except for PIN codes, you could opt for random, password-manager-generated passwords. But from a usability point of view this is hard: you either need to remember them, or retype them from your password manager account opened on another device. For these kinds of passwords it's best to use passphrases. We're talking about only a few accounts, so it shouldn't be too hard to remember them. Make sure that your passphrases are random and fulfil the imposed password complexity requirements.
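As an added illustration (not code from the original post or from any password manager mentioned in it), here is a small Python generator that does what the post asks of a password manager's generator and of your own passphrases: cryptographically random passwords drawn with the `secrets` module, filtered so they meet a site's complexity policy and avoid characters a site blocks, plus random word-based passphrases for the handful of passwords you still have to remember. The function names, the `CLASSES` policy table and the `DEMO_WORDS` list are assumptions made for this example; the word list is a constructed stand-in for a real, large list such as the EFF long wordlist (7776 words).

```python
import math
import secrets
import string

# Character classes that typical site policies demand at least one of each from.
# (Assumed policy table for this example.)
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALL_CLASSES = tuple(CLASSES)


def meets_policy(password, required=ALL_CLASSES, forbidden=""):
    """Return True if the password contains at least one character from every
    required class and none of the characters the site forbids."""
    if any(ch in forbidden for ch in password):
        return False
    return all(any(ch in CLASSES[name] for ch in password) for name in required)


def generate_password(length=16, required=ALL_CLASSES, forbidden=""):
    """Generate a password with the OS CSPRNG (secrets), drawing every character
    uniformly from the allowed alphabet and rejecting candidates that miss a
    required class. Rejection sampling keeps the result uniform over all
    policy-compliant strings instead of, say, always putting one digit at the end."""
    if length < len(required):
        raise ValueError("length too short to satisfy the required character classes")
    for name in required:
        if all(ch in forbidden for ch in CLASSES[name]):
            raise ValueError("forbidden set removes every character of class %r" % name)
    alphabet = "".join(ch for cls in CLASSES.values() for ch in cls if ch not in forbidden)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, required, forbidden):
            return candidate


# Constructed miniature word list for the demo only; a real generator would load
# a large published list so that each word contributes ~12.9 bits (7776 words).
DEMO_WORDS = [
    "anchor", "basil", "cactus", "dolphin", "ember", "falcon", "garnet", "harbor",
    "iris", "jasper", "kelp", "lantern", "meadow", "nectar", "orbit", "pebble",
]


def generate_passphrase(words=DEMO_WORDS, count=6, separator="-"):
    """Pick `count` words uniformly at random (with replacement) from the list.
    Random selection is what makes the phrase strong; a phrase you invent is not."""
    return separator.join(secrets.choice(words) for _ in range(count))


def password_entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(wordlist_size, count):
    """Entropy of a uniformly random passphrase: count * log2(word list size)."""
    return count * math.log2(wordlist_size)


if __name__ == "__main__":
    blocked = "<>'\"&"  # example of characters some sites refuse in passwords
    pw = generate_password(20, forbidden=blocked)
    print("site password:   ", pw,
          "(%.1f bits)" % password_entropy_bits(94 - len(blocked), 20))
    print("master passphrase:", generate_passphrase(count=5),
          "(%.1f bits with a 7776-word list)" % passphrase_entropy_bits(7776, 5))
```

The entropy helpers make the post's point concrete: a 16-character password from the full 94 printable ASCII characters carries about 105 bits, while six words chosen at random from a 7776-word list carry about 77.5 bits, far more than a short "system" password, and still something a person can memorise for the two or three accounts that guard the password manager itself.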

Credits to The AntiSocial Engineer for providing me this slide from their security training material.

Usability barriers of a password manager

This all sounds very good and you might think almost everyone uses a password manager. But this is certainly not the case.

Earlier this year Google surveyed 3,000 adults (ages 16-50+) living in the U.S. to understand their beliefs and behaviors around online security. One of the interesting results from this survey is that only 24% use a password manager.

I was curious to see why people don't use a password manager. So I did the following poll on Twitter:

As I expected, it was for various reasons. Let's look at them one by one.

13% don't know what a password manager is. To be honest, this didn't surprise me; I might even have expected that number to be higher. But given that my followers on Twitter are mostly information security practitioners, the results might be a little biased. Anyway, this means that awareness is still necessary.

What did surprise me is that more than half of the voters distrust password managers. Reading the replies, I think several people make assumptions or generalize and don't always understand the security model of certain password managers. It's important to evaluate the security of a password manager before you can make an informed decision. Here you can find some tips to help you choose a password manager.

I often read that people distrust password managers because they store passwords in the cloud. They use a desktop password manager instead and then set up their own way of syncing passwords via Dropbox, which stores data... in the cloud.

Or, even worse, they distrust all password managers, have no alternative, and reuse passwords instead.

22% voted that they manage passwords differently. In the replies some people say they use a "system" to generate passwords. Whilst I believe you can create unique passwords for every service that way, from a usability point of view this is just poor, and the passwords will never be as strong as the truly random ones generated by a password manager.

12% say they find password managers too hard to use. I totally understand this: there's certainly a learning curve for non-tech people, but even tech-savvy people are given a hard time on many sites.

I can't count the sites anymore that have crazy password requirements or block certain special characters, where it literally took me minutes to get a password-manager-generated password accepted.

Or this beauty from EC Council: they break password managers' automated login by showing a captcha at each login attempt.

Other annoyances:

  • A lot of websites prohibit pasting passwords, which is hell for password manager users. Here's an excellent article from NCSC UK on why you shouldn't do that!
  • Mobile apps for some password managers are hard to use

Why a password manager might not be the best solution

I hope the previous sections have made it clear that there's no single best password management solution for everyone. When we make a recommendation we should always take the threat model and technical knowledge of the users into account.

Knowing that many online services give password manager users a hard time, it's not very likely that non-tech-savvy people will be able to use them.

But for a lot of users, like my mum or dad, this is no issue. I recommended that they use different passwords for their accounts and write them down in a password book.

You might want to get a less obvious password book than this one ;)

Because they only use a desktop PC to access their accounts, the risk that their passwords get stolen is really low. Burglars will most likely not look for a book with passwords, but for more valuable things.

This is just an example to show that each user and each situation is different, and that the means are secondary to the goal: creating unique and strong passwords.

For tech-savvy people who know how to work around the obstacles caused by websites, I would always recommend using a password manager.

In a work context my approach is different: I would push everyone towards using a password manager. More about that in an upcoming blog post. It's not a simple task, but it helps a lot to improve a company's security.

Conclusion

I've lost count of how many times I have read the following advice: "Use a password manager." In a perfect world I'd totally agree that everyone should follow it. But the world (wide web) is far from perfect, and that's why I would like to see information security professionals adapt their message to the target audience.

Yes, a password manager is the most secure solution to manage your passwords, but that doesn't mean that it's the best solution for everyone.