How to think about password managers

Posted on March 2, 2017

There exist numerous methods to authenticate a user to a system, but using only passwords continues to be the dominating choice [1, 2]. Under these circumstances, ideally, a user would have strong, unique passwords for each account that he or she has. However, this is an unrealistic expectation for the average human being. Thus largely, the general population uses a handful of weak passwords for all of their user accounts.[3, 4, 5, 6]

At an attempt to alleviate this problem, password managers were introduced. A password manager is a program that stores and organizes all of a user's passwords. Access to a user's passwords in the password manager typically requires knowledge of a "master password." This pushes the burden of remembering strong, unique passwords from the human user to a software application.

Fairly often, the topic will come up whether to use a password manager or not. It is argued back and forth. In my opinion, password managers are one of the best things since sliced bread. There's no better feeling than using a random 50 character password or using openssl rand -base64 5 output as an answer to a security question (I use 5 bytes because if I want to get anything done with a support line over the phone, it's more realistic to spell out a 7 character string than 50 character string).

I've noticed, though, that many tech savvy people are reluctant to adopt such a technology. I know plenty of security professionals that use either the same password for all accounts or use a handful of passwords in a tiered fashion (one password for important accounts, another for less sensitive accounts, another for the ones they care about even less, and so on). The average non-technical person, in my experience, is quick to adopt password managers once they discover such apps, but it's frustrating to me how information security professionals are so stubborn to do the same.

The biggest excuse I hear is probably "I don't want all my eggs in one basket," though there are others [7]. At first, this tradeoff makes it unclear whether using a password manager is any safer than the traditional method of memorization. To tackle this problem, we really need to change the way we think about password managers. They shouldn't be thought of as "password vaults," but "password strengtheners." Here, I will describe the proper way to utilize password managers such that they are in theory no less safe than using pure memorization.

Assume user Alice is currently using a 2-tier password scheme with the passwords \(P_1\) for important accounts (email, bank) and \(P_2\) for the rest of her accounts. In this scenario, we will require Alice to come up with a separate master password. The strength of the master password does not actually matter as our proof does not rely on it.

To login to her bank account, Alice should take the password entry in the password manager for her bank account, and incorporate it with her password \(P_1\). "Incorporate" entails somehow merging the two -- most likely prepending or appending the entry to \(P_1\). The idea is the password entry in her password manager adds to the strength and complexity of her original password \(P_1\). A similar method should also be adopted for accounts with password \(P_2\).

Notice how other than retrieving the password from the password manger, the way Alice uses her passwords does not need to change. As we have seen she still "uses" password \(P_1\) for important accounts and can use \(P_2\) for less sensitive accounts. The password manager passwords merely strengthened her original passwords.

Now, let's revisit the "eggs in one basket" problem again. There are two scenarios:

  1. Alice's password vault is somehow compromised (e.g. LastPass vendor compromise [8] or Tavis Ormandy ;) [9]). In this case, the strength of her passwords falls back to the original strength of \(P_1\) for important accounts and \(P_2\) for the rest of her accounts.
  2. Alice's computer is compromised, e.g. infected with malware. In this case, we can assume the password vault would also be compromised since it just takes unlocking it once for malware to log the master password. At this point, the security of her accounts, password-wise, is in the same state as it was in situation 1. We can thus conclude, again, that the strength of her passwords falls back to \(P_1\) or \(P_2\) (that, and both \(P_1\) and \(P_2\) are logged by the malware once she attempts to logging into accounts).

In both situations, the use of a password manager isn't any less safe than traditional memorization alone in theory. The proposed method does not solely rely on the password manager for the security of Alice's account; its function is to strengthen her existing passwords.

The caveat here is, as you probably guessed, the phrase "in theory." In reality, it's a little more nuanced than the above scenarios and their assumptions. The password manager technically does open up attack surface. As an example, when I open 1Password on macOS, it opens up a few ports. Port 49506 is the port used for local LAN syncing of passwords between devices (which can be disabled in the app). 

    $ sudo lsof -iTCP -sTCP:LISTEN -P -n | awk '{print $1, $3, $5, $9, $10}' | column -t
    COMMAND    USER  TYPE  NAME
    ...
    2BUA8C4S2  kedy  IPv4  *:49506          (LISTEN)
    2BUA8C4S2  kedy  IPv6  *:49506          (LISTEN)
    2BUA8C4S2  kedy  IPv4  127.0.0.1:6258   (LISTEN)
    2BUA8C4S2  kedy  IPv6  [::1]:6258       (LISTEN)
    2BUA8C4S2  kedy  IPv4  127.0.0.1:6263   (LISTEN)
    2BUA8C4S2  kedy  IPv6  [::1]:6263       (LISTEN)
The service listening on 0.0.0.0 increases the attack surface. Therefore, the chance of falling into situation 2 above increases. Though given the choice of picking between a slightly increased attack surface vs strong passwords, I would pick the latter any day.

Lastly, I'll note that using this method of password managers means that you won't be able to use any accompanying password manager browser extensions. Although honestly, you probably shouldn't be anyway -- copy pasting is the safest way to go. In addition, you should also consider

  • avoiding the builtin browser
  • avoid using the cloud to sync passwords
  • disabling any listening services if possible, or block the listening ports with your host firewall
  • sync password vault manually (e.g. use iExplorer to transfer 1Password's sqlite db)

[1] http://research.microsoft.com/pubs/161585/QuestToReplacePasswords.pdf
[2] http://users.ics.forth.gr/~elathan/papers/eurosec15.pdf
[3] http://cyberside.planet.ee/docs/www2007-A%20Large-Scale%20Study%20of%20Web%20Password%20Habits.pdf
[4] https://cups.cs.cmu.edu/soups/2006/proceedings/p44_gaw.pdf
[5] http://www.canberra.edu.au/cis/storage/CIS_PayPal_Whitepaper_FINAL.pdf
[6] http://www.csid.com/wp-content/uploads/2012/09/CS_PasswordSurvey_FullReport_FINAL.pdf
[7] https://www.internetsociety.org/sites/default/files/08%20why-do-people-adopt-or-reject-smartphone-password-managers.pdf
[8] https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
[9] P0 issue 884, 888, 890

comments powered by Disqus