Thoughts on Trusting Password Managers
Posted by Craig H on 14 December 2010
There has been a lot of buzz about the Gawker Media user account data breach, which came to light last weekend. One aspect of it is a privacy issue (anonymous commenters are no longer anonymous), but the main concern seems to be passwords recovered from the Gawker Media dump being reused to gain access to accounts on other systems.
First a clarification: it’s not obvious that Gawker Media did anything fundamentally wrong here. The passwords were stored as one-way hashes rather than in the clear, and database breaches can happen to even the most diligent system administrators (software inevitably has flaws, and there are lots of bad guys, some of whom will be able to develop or obtain zero-day exploits). The choice of hashing scheme does matter, but less than one might hope: a slow, salted construction (bcrypt, PBKDF2 and the like) multiplies the attacker’s cost per guess, while a fast unsalted hash lets off-the-shelf hardware test an enormous number of candidates per second. A hash cannot be reversed, but it can be guessed against, and once the hashed passwords are in the attacker’s hands they have unlimited offline attempts, so any password that appears in a wordlist or follows a common pattern will fall however it was hashed; the scheme only decides whether that takes seconds or days.
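As an added example (not part of the original post), the following Python script shows why the hashing scheme changes the cost of an offline attack but not the outcome for weak passwords. It uses a constructed four-user table with made-up passwords and a seven-word list standing in for the multi-million-entry wordlists attackers use; unsalted MD5 and salted PBKDF2 are used as representative fast and slow schemes, not as a claim about what Gawker used.

```python
import hashlib
import os
import time

# Constructed example data (not Gawker's real data or scheme): a tiny "leaked"
# user table. The passwords are deliberately weak, except Dave's.
USERS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "qwerty",
    "dave": "kQ7#v9zP!mXw2Ld",   # random-looking: not in any wordlist
}

# A seven-word stand-in for the huge lists attackers actually use.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "monkey", "iloveyou"]


def fast_hash(password):
    """Unsalted MD5 stands in for any fast one-way hash: cheap for the site,
    equally cheap for the attacker."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password, salt, iterations):
    """PBKDF2-HMAC-SHA256: a deliberately slow, salted construction."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_fast_table(users):
    """What a site using unsalted fast hashes would store."""
    return {user: fast_hash(pw) for user, pw in users.items()}


def build_slow_table(users, iterations):
    """What a site using salted PBKDF2 would store: (salt, hash) per user."""
    table = {}
    for user, pw in users.items():
        salt = os.urandom(16)          # a fresh random salt per user
        table[user] = (salt, slow_hash(pw, salt, iterations))
    return table


def crack_fast(table, wordlist):
    """No salt: hash every guess once, then look up all users at the same time.
    Returns (recovered passwords, number of hash computations)."""
    reverse = {fast_hash(word): word for word in wordlist}
    recovered = {u: reverse[h] for u, h in table.items() if h in reverse}
    return recovered, len(wordlist)


def crack_slow(table, wordlist, iterations):
    """Salts force a separate run of the wordlist per user, and each guess costs
    `iterations` HMAC computations. Returns (recovered passwords, guess count)."""
    recovered, ops = {}, 0
    for user, (salt, stored) in table.items():
        for word in wordlist:
            ops += 1
            if slow_hash(word, salt, iterations) == stored:
                recovered[user] = word
                break
    return recovered, ops


if __name__ == "__main__":
    iterations = 100_000
    fast_table = build_fast_table(USERS)
    slow_table = build_slow_table(USERS, iterations)

    t0 = time.perf_counter()
    got_fast, ops_fast = crack_fast(fast_table, WORDLIST)
    t1 = time.perf_counter()
    got_slow, ops_slow = crack_slow(slow_table, WORDLIST, iterations)
    t2 = time.perf_counter()

    print(f"fast hash: recovered {got_fast} with {ops_fast} hashes in {t1 - t0:.4f}s")
    print(f"slow hash: recovered {got_slow} with {ops_slow} guesses in {t2 - t1:.2f}s")
    # Both attacks recover the three weak passwords and neither recovers Dave's;
    # the slow hash only changes how long the weak ones take to fall.
```

Both attacks recover the three weak passwords and neither recovers Dave’s. The unsalted table needs one hash per guess for every user at once (7 hashes here), while the salted table forces a fresh run per user (19 guesses here, each costing 100,000 HMAC computations). Multiply that per-guess cost by a multi-million-word list with mangling rules and you have the difference between a dump that is cracked over lunch and one that takes weeks; neither protects a password that is in the list.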
There are really only two defences, and it’s the users who need to choose to use them: (1) choose a password that’s difficult to brute-force, and (2) don’t use the same password on different systems. Of course there are two big problems with those defences: (1) passwords that are difficult to brute-force are difficult to remember (the best defence would be a completely random string of letters, digits and symbols), and (2) people use dozens or hundreds of different password-protected web sites. I just counted the number of cached passwords on my home PC and work laptop: 202 at home and 355 at work (including quite a few single-use ones, e.g. for hotel Wi-Fi, but still a pretty large number!).
The only rational solution is to let your computer manage this complexity for you. There is a risk, though: we are moving all our eggs from one basket (the same password on many systems) to another (the password manager). The first basket isn’t trustworthy (with so many systems, there is a high chance that one of them will be compromised), so we must make sure that the second basket is, or we’re no better off: the manager becomes a single target holding every credential, and an attacker who compromises it, or the device it runs on, gets all of them at once. I’m put in mind of the scare about banking applications on the Android Market. Incidentally, although it was widely reported that those applications were malicious, Google later stated they were not. Nevertheless, something like them could easily have been used to harvest banking passwords.
So, we need a trustworthy password manager. Does such a thing exist? I think it’s pretty hard to tell; my advice (and my current practice!) would be to use the password cache in your browser, but make sure that you password-protect it (and go to some effort to make that a difficult-to-brute-force password; it is the only one you will need to remember). On your phone, make sure that you are using the device lock PIN (you are doing that already, right?), and in Firefox, set a master password. Bear in mind what the master password does and does not do: the stored passwords are encrypted with a key derived from it, so anyone who copies the profile files can attack the master password offline in the same guess-and-check way as a leaked site database. A short or memorable master password therefore buys very little; the same rules about length and randomness apply to it.
I don’t think the Firefox password manager is perfect by any means: I wish it would ask for the master password more often (or at least offer that as an option), and I wish it could generate a random password when you’re creating or changing one, but I think it is better than using memorable passwords and inevitably sharing them between sites.
Since the browser can’t generate random passwords itself, another piece of advice (which I confess I don’t do at the moment, but I am considering it…) is to pre-generate some good passwords, print them out and carry them around with you. As you use each password, tear off that strip of paper and destroy it, so the password is then recorded only in your password manager. The generated passwords must be genuinely random: a scheme you invent yourself (a word with digits appended, a keyboard walk, letter-for-symbol substitutions) is exactly what wordlists and cracking rules are built around. There’s a handy site for generating truly random character strings here.
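The paper-sheet approach above needs passwords that are uniformly random, and it helps to know how much a given length and character set actually buys. As an added example (not from the original post or the site it links to), this Python script generates passwords from the operating system’s random source, computes their entropy, and estimates exhaustive-search time at an assumed guess rate of 10^9 per second; that rate is a made-up figure chosen to illustrate the scaling, not a measurement of any real hardware.

```python
import math
import secrets
import string

# Character sets for generated passwords. The full printable set is the default;
# restrict it only where a site rejects symbols.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars
ALNUM_ALPHABET = string.ascii_letters + string.digits                       # 62 chars


def generate_password(length=16, alphabet=FULL_ALPHABET):
    """Draw each character independently from the OS CSPRNG (the secrets module),
    so the result is uniform over len(alphabet) ** length possibilities."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need length >= 1 and an alphabet of at least 2 symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second


def password_sheet(count, length=16, alphabet=FULL_ALPHABET):
    """Numbered lines for a printed sheet of one-time passwords; tear off and
    destroy each line once the password is in the password manager."""
    return [f"{i + 1:3d}. {generate_password(length, alphabet)}" for i in range(count)]


if __name__ == "__main__":
    # Assumed attacker speed, for illustration only: 1e9 guesses/second against a fast hash.
    RATE = 1e9
    cases = [
        ("8 lowercase letters", 8, string.ascii_lowercase),
        ("8 alphanumeric", 8, ALNUM_ALPHABET),
        ("16 full printable", 16, FULL_ALPHABET),
    ]
    for label, length, alphabet in cases:
        bits = entropy_bits(length, len(alphabet))
        years = seconds_to_exhaust(bits, RATE) / (365.25 * 24 * 3600)
        print(f"{label:20s} {bits:6.1f} bits  exhaustive search: {years:.3g} years at {RATE:.0e}/s")
    print()
    print("\n".join(password_sheet(5)))
```

Eight lowercase letters give about 37.6 bits, which at the assumed rate is exhausted in a few minutes; sixteen characters from the full printable set give about 104.9 bits, which is far beyond any realistic budget. The entropy figures only hold because each character is drawn independently from the CSPRNG; a password the user “randomises” by hand has no such guarantee, which is the point of the sheet.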
Oh, and one final thought – back up your password cache! Once your passwords are random you cannot reconstruct them from memory, so losing the cache locks you out of everything. Keep the backup encrypted, with a passphrase as strong as the master password, since a plaintext copy undoes all of the above.