Attack surface and actual risks of password managers. Book versus digital.
“The trouble is, most of us have lots of online accounts, so creating different passwords for all of them (and remembering them) is hard” – National Cyber Security Centre (NCSC)
Password managers are excellent tools for enhancing one’s password practices online. When looking at approaches to passwords, it is important to compare all available methods in terms of both security and practicality. Password managers are technically less secure than simply assigning and remembering distinct strong passwords for every service used online, but nobody really does this.
Forgetting passwords happens, especially for services that have not been used in a long time. It usually is nothing more than a mild inconvenience; reset the password, confirm it on your email account, and you are good to go. However, forgetting passwords can lead to serious consequences; the case study of Stefan Thomas is a good example of this. Stefan, a German-born programmer living in San Francisco, had stored a total of 7002 Bitcoin on a small IronKey hard drive. Mr Thomas had lost the paper containing the hard drive password years before the sharp appreciation of BitCoin, and his attempts at guessing it had been unsuccessful. At the current exchange rates, losing the hard drive password has cost Mr Thomas a staggering £216,649,907.
A password manager effectively gathers all used credentials into a single database, either stored on the user’s own device or in the cloud. At this point, the password manager completely relies on the assumption that access to the storage device is confidential. Malware such as keyloggers disproportionally affect users of password managers, as a stolen master password will result in all stored credentials being stolen.
In essence, a password manager gathers all used credentials into a single point of failure, like writing down passwords in a single physical notebook; so why don’t we just do that?
Let’s weigh the advantages of password managers over writing down passwords:
- More resilient against physical threats, such as someone breaking into your house
- Automatic generation of strong passwords without human-induced character correlations
- Proper use of password managers guarantees unique passwords being used across all services, while someone who writes down passwords might still fall under the trap of reusing passwords
- Accessibility of passwords anywhere with an internet connection
- Redundancy of digital data means the data is significantly safer from damage (fire, flooding, etc)
- Credentials autocomplete for added convenience
- Password managers are better at identifying phishing websites than humans
- Multiple factor authentication significantly mitigates the risk of a single point of failure
Now let’s weigh the advantages of writing passwords in a notebook over a password manager:
- Resilient against remote attacks, paper is less hackable than computers
- No risk of forgetting the master password and losing access to all credential data
- Reduced risk surface
- Writing down passwords is more friendly to non-tech-savvy users
- Self-ownership over data. Usage of cloud-based password managers involves the handing over of sensitive information to a third party. This includes information about used websites, usernames, and passwords.
- The risks posed to a notebook sitting on one’s desk are better understood than the risks of digital data. New methods of extracting written information come up a lot rarer than cybersecurity threats.
- Cloud-based password managers tend to have a subscription fee business model
For most people, a password manager that is appropriately secured will provide the best balance of both security and usability. NCSC has provided the following recommendations for using password managers securely:
- Use two-factor authentication on the password manager. This is an essential step in mitigating the main risk of password managers – the single point of failure. With 2FA set up, an attacker that has gained access to the master password will not be able to compromise the victim’s accounts.
- Choose a strong master password to control access to the password manager. NCSC recommends the three random words methods to come up with memorable, long, and sufficiently random passwords. If memorising this password will be an issue, NCSC says that it is fine to write these down on paper, provided it is kept safe and out of sight. To someone not explicitly looking for credentials (a burglar), three seemingly random words written down on a piece of paper without additional context would be hard to correlate to a password manager.
- Keep the used password manager software updated.
While a password manager will likely greatly benefit one’s password usage, as discussed, there are valid upsides and downsides to both solutions, and choosing the right approach is reliant on an individual’s own situation.
It is not without merit for someone to decide that they want full autonomy over their online banking credentials or recommend to a non-tech-savvy person to write their passwords down as they might struggle with handling a password manager.
Our takeaway is, to do what’s right for you in relation to your usage and threat landscape.