Passwords: storing passwords

Back in 2007 I wrote a post (One Ring To Rule Them All) detailing my idea for coping with the Internet-necessitated need to manage a whole bunch of passwords with some modicum of security, and without fear of tearing all your hair out.

At the time I commented that while there’s plenty of advice to the effect that one should maintain different passwords for each application/ website one uses, there’s a dearth of information regarding how to manage umpteen different passwords.

That’s still true. However, it’s also not the whole story; there are ways of storing passwords.

You could, for instance, save them in a spreadsheet, and you could also password-protect that spreadsheet — although if using a Microsoft product such as Excel, you should be aware that passwords in Microsoft’s applications are notoriously insecure; cracking them is a relatively trivial matter (if you’re interested, Bruce Schneier has an illuminating article on why Open Source cryptography is superior to proprietary code).

There are also dedicated ‘password safe’ applications, such as Password Safe, KeePass (both free and Open Source) and LastPass.

However, I maintain that the ‘One Ring’ is superior to all these, for several reasons.

Firstly, with the One Ring you can’t lose your list of passwords. Any ‘password safe’ is susceptible to system failure (if your hard disk should crash: bye-bye password list, hello ‘OMG how do I get into my online bank account now?’). There’s also the problem of transferring the data to your new computer when you get a new one (admittedly, this might be straightforward: then again, it might not; old software — chances are you’ve had your password safe a while now — often has compatibility issues). With the One Ring, you need only fear amnesia. Or, maybe, senility.

Secondly, the One Ring is 100% portable between real-world locations. If you’re relying on a password safe and you pop into an Internet café, you won’t be able to log into [insert website name here] because you probably don’t have your password safe with you. (You could carry it around in a pen drive, but then that’s just another thing to lose.) If you’re using the One Ring your head is always there, right where you are. Handy, that.

Thirdly, unlike a password safe, the One Ring is not easily transferable between individuals. It’s in your head, and communicating it to another person can only be accomplished by deliberate, wilful action. I think it’s safe to assume that the risk of explaining your One Ring to someone else accidentally is minimal, even if you are a somniloquist.

Fourthly, if you should choose to use a password safe, there are three things to consider:

  1. You’d better be absolutely certain that the password safe software you’ve chosen isn’t a trojan that will pass your passwords to someone else…
  2. If you open a password safe you’d better be absolutely certain that you have no malware on your machine that’s looking for you to do something like… open a password safe, for instance.
  3. To access a password, you have to open the password safe software, locate the password you need, transfer it reliably to the application you want to log into (copy and paste might work; then again, it might not), and, finally, you need to close the password safe. All of which is a lot more palaver, and quite a lot slower, than retrieving a password that’s stored safely inside your head.

A note to cryptology experts: by all means, if you think that I’m deluding myself, please do get in touch. I’d love to hear what you think of the One Ring and its sequel, Two Rings To Rule Them All. Oh, and there’s my nifty idea for remembering credit card PINs, too 🙂


About pendantry

Phlyarologist (part-time) and pendant. Campaigner for action against anthropogenic global warming (AGW) and injustice in all its forms. Humanist, atheist, notoftenpist. Wannabe poet, writer and astronaut.
This entry was posted in Computers and Internet.

8 Responses to Passwords: storing passwords

  1. FilterJoe says:

    I came to your site because of your comments on Troy Hunt’s site about passwords. This post and your other “one ring” posts are one specific implementation of what I like to call a base phrase approach to password management. I discuss this approach on my site and I think it is feasible for a certain small percentage of the population that happens to be blessed with both a good memory and a reasonable facility with symbolic manipulation. That’s fine for this small percentage, but not fine for the average Joe.

    I would love to see the tech community rally around the password manager concept, as it is something that can be easily implemented by the average Joe. You don’t need long lists of security rules or complex schemes like this one to implement it. You can communicate the strategy in a simple sentence:

    Use a password manager to assign unique, random 15 character passwords for all accounts, protecting them with a strong master password.

    I describe this strategy and give background/help in a series of posts, here:

    http://www.filterjoe.com/2011/04/14/passwords-guide-without-distraction/

    As to your password manager objections, here are my replies:

    1) Stick with one of the leading market share password managers (LastPass, KeePass, 1Password, or RoboForm). KeePass is scrutinized by the open source community, while the other 3 have worthwhile brands to protect.

    2) Malware is a problem with any strategy – but some password managers offer protections against malware that are not available for someone typing at a keyboard. First – they offer keyboardless entry. Second, they offer on screen virtual keyboards for those who want a higher level of security. Third, both KeePass and LastPass offer 2 factor authentication, for those who want yet a higher level of security. In actual reality, there is not a single reported case to date of someone’s password database being compromised when protected by a strong master password, using one of these 4 password managers.

    3) Some password managers are cumbersome to use, including KeePass for those who are not technically inclined. But the other 3 make password entry trivially easy. Just enter your master password once at the beginning of a computer session. Thereafter, you can select from within your password manager any site you want to visit – which then automatically opens the site and logs you in. And this happens to protect you from several types of browser-based password stealing methods, though that is not the main point. The main point is that this is so easy any grandmother could do it.

    I’ve been trying to educate average people about passwords during the past year. Most are not willing to put in any effort at all into it, let alone create a base phrase approach. But a few have adopted a password manager and after using it for a few weeks, are big fans.

    Again – nothing wrong with your One Ring approach. But it’s not for the masses. Password managers are the best compromise currently available for managing the tradeoff between usability and security. And it works for the masses.

    • pendantry says:

      Thanks for taking the time to respond, Joe, I appreciate it. Having followed numerous links from Troy Hunt’s site and your own, I was surprised (but shouldn’t have been!) to find that the ‘One Ring’ has been thought up and championed independently, several times.

      As you rightly point out, any system for password maintenance has its flaws. The reason being, of course, that the security paradigm itself is fatally flawed by the unreasonable expectation that every computer user will make the effort to become knowledgeable in the field.

      Various banks in the past tried to persuade me to use online banking: invariably, I would be asked why when I decline, and, knowing that the one asking the question is probably not au fait with the technicalities, I have only ever been able to answer “because I know too much about computer systems”.

      I applaud your efforts to educate people about the importance of password maintenance, and would thoroughly recommend your guide to using passwords without distraction to anyone prepared to take the time to educate themselves further on the topic.

  2. FilterJoe says:

    I love your quote: “the security paradigm itself is fatally flawed by the unreasonable expectation that every computer user will make the effort to become knowledgeable in the field.”

    On the other hand, there are basic security expectations that all kids learn from their parents regarding personal security and home security:

    Lock doors and windows when you leave your house.
    Keep your wallet and keys on your person at all times.
    Don’t tell strangers exactly where you live.
    Etc.

    I think it’s reasonable to expect the population at large to memorize a few types of similar rules regarding security. Just like people don’t memorize information about the number of pins in their lock and various lock picking techniques, so too we can’t expect people to understand concepts like entropy, password stealing techniques, etc. And it’s about as realistic to expect people to memorize and implement a dozen password construction rules as it is to expect them to construct their own door locks and change them out yearly. But it would be great if the tech community could rally around a few very simple rules that parents should understand and pass on to their children. Something along the lines of:

    Keep your browser, operating system, and security software up to date.
    Be cautious about giving out personal information (phishing).
    Use a password manager to assign unique, random 15 character passwords for all accounts, protecting them with a strong master password.

    My understanding is that the vast majority of the population doesn’t even get these 3 things. And I think the tech community is partly at fault for inundating users with so much (mostly irrelevant) detail that they simply turn off to it and do nothing.

    • pendantry says:

      I agree with you that the majority of computer users don’t get your list of three things. I think that where we differ is in expecting that they should.

      In your previous comment you imply that using — and maintaining, which is a horse of another colour — [a relatively straightforward software application] is “so easy that any grandmother can do it”.

      I’ve met a great many people (not all of them grandmothers) who have no interest in computers except as a tool to do a job. To many, any machine, whether it be a lawnmower, a dishwasher, or a vacuum cleaner, needs to do what it says on the tin; if the machine malfunctions a repair technician is called in. Computers these days are so cheap that they’re almost throwaway items, and very few people are willing to pay to have them serviced in the same way that they would their car; so they muddle on through.

      By promoting the idea that computers are ‘simple’ and ‘easy to use’, the IT industry hasn’t helped. Computers never have been user-friendly, and, worse, as time goes by the nous required to run one doesn’t decrease, it increases. To those who use computers every day (and especially those who enjoy doing so), the increasing complexity of the technology sneaks up incrementally, so this simple truth is probably not that evident.

      It wasn’t so very long ago, for instance, that this whole password protection can of worms was a non-issue; yet now, people are being expected to learn another skillset to handle their passwords.

  3. FilterJoe says:

    I very much agree with you that most people just want the computer as a tool to get work done, and will be annoyed with anything that distracts them from that. And I agree that for the most part, computers are far harder to use now than they were in 1999.

    But there’s a great trend afoot – the internet appliance is becoming a reality. That’s essentially what the iPad is. And what Google aims to do with devices based on the new Google Chrome O/S coming out later this year may be even better (because it automatically updates the browser and O/S). These devices will simplify or eliminate most aspects of computer administration (including, importantly, malware).

    But they won’t eliminate the need for password management. Passwords have become far more important in the past 5 years as people increasingly use cloud services for email, commerce, banking, and socializing. And it will become even more important for internet appliance devices on which compromised passwords will become the most common mode of failure.

    I don’t see anything on the horizon that will cause the “password protection can of worms” to go away. Kids learn that possessions in the home need to be protected from fire and theft, and they learn how to do it. They will also have to learn that data in the cloud or on a computer must be protected from loss and theft, and they must learn how to do it.

    Ideally, it should be taught by parents. Next best might be in school. Unfortunately, the most common method for learning these days is in the midst of recovering from a disastrous loss or theft of data.

    • pendantry says:

      If it’s true that recovering from a disastrous loss of data is the most common incentive to get wise about data security, that says ‘BAD’ to me (‘broken as designed’).

      With reference to the greater availability of more computing power on smaller devices: I wonder whether the use of biometrics could obviate both the need for passwords and the requirement for the user’s mind to be filled with technobabble. I did at one point have an idea for replacing the humble credit card with a (physical) ring one could place on one’s finger (I had thought I’d already written an article about that, but I guess that was a draft I lost in the transfer from Live Spaces).

      Although… if a biometric security system were to be compromised, recovery of a stolen identity might be even more problematic. I think I’ll decline the beta 😉

      • FilterJoe says:

        On taking action only after a disaster, I think it’s a normal heuristic: Don’t pay much attention to (what you think are) low probability big disaster possibilities until they actually happen. That’s why people live near nuclear reactors or don’t worry overly much about invading aliens – and in this case – data theft/loss.

        People who spend a lot of time worrying about low probability events aren’t going to have as much time to devote to more productive activities.

        However, what people need to understand is that data theft/loss is no longer low probability for people with minimal security habits.
