Updated: November 27, 2015
One of my readers asked me, hey, Dedoimedo, how do you manage your passwords? This question became the idea behind this article, in which I'd like to give you my perspective on password management. Similar to my backup guide, the purpose of this piece is not so much to tell you what to do, but more to help you come up with the best solution that matches your needs. Almost like going to a psychologist. Only better.
And so, I will not really tell you what I'm doing with my passwords. That's not relevant. Because the only person who needs to know your passwords is you, and so my methods and ways won't help you in that regard. Which is why I will mostly be asking questions. Okay? After me.
Note: Tony Werman, flickr.com, licensed under CC BY-SA 2.0.
You have probably read a billion guides online. Long, short, complex passwords, online vaults, encryption, two-factor authentication, and such. There's so much out there that it can really get confusing. In essence though, your password management comes down to three things:
What are you trying to protect?
Are you a tech savvy person?
Do you care what happens to your online accounts if you die?
As it turns out, people may not necessarily understand the risk or damage, or the risk of damage, should someone steal those passwords. It's not a simple, or straightforward thing. You may think your personal email full of stupid emails and photos is not really interesting to anyone. And the truth is, it is not. But then, that email may be used to recover passwords for other services, which is what people often do, and then, it does become interesting. The way information travels and eventually funnels is of great importance.
Furthermore, people may assume that someone out there is actively seeking to break into their systems and steal their stuff. This is an ultra-classic case of Unwarranted Self-Importance (USI) syndrome, with people attributing too much importance to their actions and immediate surroundings. As it turns out, the Internet is such a well-oiled, mechanized system, with so much automation and chaos, that you are as likely to be a random victim of your own folly, accident or neglect as you are to be violated by an anonymous stranger who caters to your social stigma and Hollywood expectations. You will rarely need to worry about individual hax0rz putting all their best effort into screwing you. Personal targeting belongs to important people, and you are not important.
For most people, the simple solution for password management is pen and paper. And really, if you think about it, it does make more sense than having an online account with a master password and two-factor authentication. Because non-techies will not want to bother with the discipline required to use these tools, so they will use them in a shoddy manner, which makes a set of useful technologies into a set of vulnerabilities and exposure vectors that do not contribute to security.
Tools need to match their users. KeePass and LastPass sound like great utilities, and they are, but not for someone who can barely use Google. There are superior methods to help ordinary citizens keep their passwords safe, without having to force them to use the techno jargon.
Finally, if you expire prematurely, what will happen to your email accounts, your online storage, your cloud, and other stuff? Will your family members and friends be able to retrieve the personal information, or at least claim it in your name?
This is another consideration for your password management. Sure, you can have two-factor authentication for your mail with 63-letter passwords and fingerprint scanning and such, but in a way, the tools designed to prevent malicious access will also prevent your family and friends from retrieving information after your death. If your phone uses a fingerprint scanner, then others won't be able to unlock it, and thus, they won't be able to get the access code for your online accounts, and they won't be able to log in, even if they do know the passwords, which they won't, because you will have saved them in a crazy, secure manner that locks everyone out.
And so your considerations should also include a scenario that most people prefer not to ponder, and that is death. Will you be able to reliably transfer your personal data to your loved ones, even if you're not around to instruct them how to use double and triple encryption, how to mount external volumes, sign in here, sign in there, and such?
The extension of the death scenario is the ability to memorize passwords. Can you reliably remember 29 different passwords for 29 different websites, so that you can actually use them without compromising on some of those best practices you've read online?
Most people cannot, which is why they will often use a single password, and we go back to the question of risk and exposure, and what happens if your security or privacy gets compromised. Which is why we need to discuss how to handle this properly.
Now that we have taken into account everything and anything there is, let's see what the Internet has to offer. Most of the password management tips and tricks will revolve around the following:
Use complex, hard-to-guess passwords or, alternatively, long, memorable ones.
Use two-factor authentication.
Do not reuse passwords.
Frequently refresh your passwords.
Use secure connections when logging in.
Those are the basics. Now, on their own, they are meaningless if you don't apply them to your particular use case. Remember, you cannot control what others do. You cannot decide if someone wants to hack you or not. You also cannot 100% guarantee your system will not be compromised. However, you can evaluate your risk and needs and work accordingly.
Moreover, there is another dimension to consider - damage control. Should one of your three building blocks be compromised in some way, how quickly can you contain or eliminate the problem? Again, the considerations revolve around what happens before, during and after an incident. And remember, an incident could be spilling coffee on a laptop where you saved your passwords, and now you cannot retrieve them.
All right. You want to be able to use your passwords in a reliable manner, and you want others not to be able to access them without your permission. Makes sense, right? This is true for all types of users and all types of data sensitivity.
To prevent unauthorized access, you need to keep your passwords secure. Now, there are two main locations where you can keep your passwords - offline or online. Offline means not on a computer, i.e. your head or a paper slip or a disconnected computer, and online means on a computer that can be accessed from the network. In the latter case, from a purely technical perspective, your passwords could be reached from the Internet. It may be a difficult task, and the likelihood of that could be low, but statistically, it is doable.
If you want to keep your passwords in a digital format, they ought to be protected. This means you need to use some kind of a mechanism that will hide the passwords from the naked eye, and if someone grabs your disk, the data will be meaningless. This means encryption. This means technical expertise and post-death complications.
Moreover, even if you keep data secure, your input terminal - your laptop, your phone or any other device, could in theory be compromised, without any loss of data. In the worst case, from a purely technical perspective, you could have a keylogger installed, and then, even if you manage your passwords smartly, the keystrokes can be intercepted, and someone else could have access to your online accounts.
This means your own computer is probably the weakest link - rather than how you manage passwords, but we will address that piece in a moment. Computer security is a whole different topic, and we've talked about it in the past. There's really nothing specific to passwords in this case. If you somehow mismanage your resources, you will end up with a data leak. This could be phishing, stupidity, laziness, installing random crap, and so forth. Passwords could be one of many potential pieces of data that could be lost. So what you need to do is make sure you keep your machine safe. As simple as that. If there's no crap, there are no flies, my grandpa used to say. Not really, but it's a good saying.
But if you can't really do it, then the next question is, what if someone does have your passwords? The answer is, two-factor authentication, which makes any one half of the data useless. But this method is cumbersome. You need to be an advanced user, and then, your technology becomes the limiting factor. What if you lose your phone? What if you die and your family don't understand this new authentication method? As you can see, as far as online data access goes, we have:
online --> plain|encrypted passwords --> keylogging
--> two-factor auth
We did not discuss offline just yet. Now, the old security practice of never writing your password down is true for offices and corporate environments. It is meaningless for home users. If someone breaks into your home, they will probably not care about random pieces of paper, and if they do, they probably won't be able to easily map them to your online stuff. Unless you're being targeted, but then, that's a very unlikely scenario.
So writing your stuff down is actually a good thing. You can use very long passwords, you can share them with friends and family, the technological challenge is low, and no one can steal the paper notebook from the Internet. This method does not fix the computer security piece, so we have:
offline --> keylogging --> two-factor auth
We can see that the logic points toward two-factor authentication, which really rules out a vast majority of users, because they are not savvy enough to implement it reliably. And it also complicates post-mortem use. Which is why you need to think hard. What do you fear more? Online hacking or your own death? Do you care more about malware or leaving a sane legacy behind you?
So far, we've only discussed the home piece. But there are two sides to that coin. Your own, and the server you are logging into. And this opens a whole new range of questions and problems and possibilities. In fact, hacking servers is far more lucrative, as you can glean thousands if not millions of passwords in one fell swoop, rather than wasting effort on individual targets. This is what we've been reading in the news lately. Breaches of data with big companies that have not implemented proper security measures.
Again, you only have partial control over the whole scheme. You can make sure you log in over secure (HTTPS) connections, but you may not always know this, especially on your mobile phones and such. You can make sure to follow the various best practices, but you cannot prevent companies from being hacked and such.
This is why we go back to the question of damage control. If a database is hacked and all its users are compromised, how much additional risk do you incur through your password management policies? So if you use the same user and password for all online accounts, then yes, technically, in theory, if these credentials are exposed, then someone can access all your stuff. Having different passwords - as well as users - makes sense. Non-personal aliases can also help anonymize you. And where would you store these user names? Online or offline? We go back to square one.
All of the above has nothing to do with how strong or memorable your passwords are. They all discuss the eventuality of a data breach, and what you can do before, during, and after such an incident. Forget the reasons as to why this may happen. It WILL happen. The only thing that matters is, what have you done to minimize damage, what can you do while the problem is ongoing, and what's left for you to do after the problem has been fixed.
If you are wise, then you will invest as much energy in the earliest links in the chain, because the sooner you act, the cheaper the cost. If you prepare well, then even if there's a problem, you may not really care.
On the client side, it means smart security so you don't need to worry about data compromise. Ironically, people less likely to be hacked are those more likely to use two-factor authentication, a method designed to minimize the chances of haxorology.
In the end, it means the choice of offline or online password storage, and minimizing damage that you will incur if there's a server-side problem. In other words, use different names and passwords for your various online accounts. It's a pain, but then, do you walk around the streets advertising your identity to everyone? No. So why would you want to do that online?
To sum it up, there's no silver bullet solution.
But passwords are not about security. Partly yes. But there are far more important reasons to manage them well. Your OWN brain. If you forget them, you're screwed. If you buried them somewhere so deep you can't find them, you're screwed. If you die, it's all gone.
Security is in fact highly overrated as a concept. It is a part of the online world, but just like there's no reason to contract sexually transmitted diseases in day-to-day life, there's no reason to fiddle with malware. Be sensible, and you can avoid that side of the Web. Again, the paradox of computing. Those who need this advice will not be reading this article, and it will only be nerds scrolling through, enjoying the affirmation of the things they are already doing.
So security. People invest so much in it, but there are more pressing matters. Like data backups. What's the chance of you being hacked? Low. What's the chance of you losing a hard disk? 100%. This is what people forget.
With passwords, it's the same thing. You will forget them. You will misplace them. You will die. So make them useful and practical. And this actually is the answer to the original request. How does one manage passwords sensibly?
And the answer is - I don't have one. What will drive your consideration is, how can you make sure you remember your passwords when you need them? And by remember, I mean, you can find them, whether inside the brain cells or an old, mangled paper somewhere.
The argument of complex versus long passwords comes to mind. Indeed, having a hax0ry password is all l33t and cool and rad, but in reality, unless you are being targeted by a human, having long, memorable passwords is statistically, mathematically a more sensible approach for the vast majority of people. They can easily remember song lyrics or places or such, but they sure can't master the uppercase lowercase special character nonsense that we nerds inflict upon them.
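A way to put numbers on the long-versus-complex argument, as an example added here rather than code from the article: it compares the guessing space of a password drawn from a 95-symbol printable charset with that of a passphrase drawn from a 7776-word list, and the charset size, list size and 10^10 guesses-per-second attacker rate are all assumed values, not figures from the page.

```python
import math

# Constructed assumptions for the comparison (not figures from the article):
# a printable-ASCII charset of 95 symbols for "complex" passwords, a
# 7776-entry word list (the size of a diceware list) for passphrases, and a
# hypothetical attacker trying 10**10 guesses per second against a stolen hash.
CHARSET_SIZE = 95
WORDLIST_SIZE = 7776
GUESSES_PER_SECOND = 10 ** 10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_password_bits(length, charset_size=CHARSET_SIZE):
    """Entropy in bits of a password of `length` symbols, each chosen
    uniformly at random from a charset of `charset_size` symbols."""
    return length * math.log2(charset_size)


def passphrase_bits(word_count, wordlist_size=WORDLIST_SIZE):
    """Entropy in bits of a passphrase of `word_count` words, each chosen
    uniformly at random from a list of `wordlist_size` words."""
    return word_count * math.log2(wordlist_size)


def years_to_guess(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Expected years for exhaustive guessing to hit a secret of `bits`
    entropy; on average half of the 2**bits space has to be tried."""
    return (2 ** (bits - 1)) / guesses_per_second / SECONDS_PER_YEAR


def compare(password_length, word_count):
    """Return (password_bits, passphrase_bits, passphrase_is_stronger)
    for a complex password of `password_length` symbols versus a
    passphrase of `word_count` words."""
    p = charset_password_bits(password_length)
    w = passphrase_bits(word_count)
    return p, w, w > p


if __name__ == "__main__":
    # A five-word phrase already out-does an eight-symbol "complex" password.
    for length, words in ((8, 4), (8, 5), (12, 6)):
        p, w, stronger = compare(length, words)
        print(f"{length}-symbol password: {p:5.1f} bits, ~{years_to_guess(p):.2e} years | "
              f"{words}-word phrase: {w:5.1f} bits, ~{years_to_guess(w):.2e} years | "
              f"phrase stronger: {stronger}")
```

The figures assume every symbol or word is picked uniformly at random; a phrase lifted from a well-known lyric or film title is far more guessable than its word count suggests, so the count is an upper bound, not a guarantee.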
The side benefit of it all is, if the password management process is fun, then people will be more likely to adhere to it and maintain some discipline. Just go with your favorite films, write a list, and enjoy it. Sounds simple and effective. And remember, I am not advocating this, because you need to find your own way to ensure the legacy of your passwords.
Never forget the triangle of password management. Risk. Technology. Death. Your songs might be high and mighty, but if no one can guess you saved them in a file titled pr0n.txt inside a hidden folder, then they are meaningless, right?
As you can see, and you might be frustrated by this, I am going to end this article without a single specific app or technology mentioned. This is because giving advice is so easy, and it means nothing when you have to be the one applying it. Like the proverbial shrink, I will leave you with some blue balls of password management, armed with a golden recipe of thinking and reasoning, which should give you the tools you need.
Evaluate your situation based on the three critical parameters. Once you know the odds, you know the weakest link. Strengthen it first, then work up the ladder. Minimize damage with the expectation it WILL happen. Use technology to aid yourself and your family, rather than creating an impressive but meaningless fortress of pointless security. You are not as important as you think you are, and there are a hundred things that will happen before you get hax0rized. And you are neglecting them all, because you've been visiting security forums too much.
To wrap this up, managing passwords means a bit of work, especially if you use different account names and passwords, but it can be done in a sustainable manner. You just need to find the one that matches your life expectations, technobabble skillz and the risk of losing it all to whim, curiosity, daring, foolishness, and plain ole disk failure. We are done. Hate me if you want. If you're looking for advice like use XYZ 2.0 and MyP@ss 17.3, then look elsewhere. We are here to learn how to think! The end.
P.S. The brain memory image is in public domain.