Teri Radichel


Password Management Alternatives

Risk mitigation comes down to trade-offs and personal choices


Wired author @lilyhnewman recently reached out for my thoughts on the topic of using third parties to manage all your login credentials. I’m a fan! You’ll find many references to her work in my book: Cybersecurity for Executives in the Age of Cloud. You can read her full article here:

Others have asked me questions like this many times before. Should I use a password manager? Is using Google authentication secure? It’s a tricky question because the topic is complicated to begin with, and most end users are not going to be willing to do the things I do with my passwords. Even though I try to be more secure, I’m still concerned that attackers will somehow get to them. There’s no easy answer to this problem.

I loved what Lily chose to write in her article. Since I struggle to condense this complex topic into a simple answer, I gave her a more in-depth collection of thoughts and let her pick and choose what she wanted to write. I thought she did an excellent job of summarizing my viewpoint and comparing and contrasting it with others. I thought it might still be interesting to provide a more extended summation of my thoughts on the matter. Personal password management is a challenge for everyone, including me. It’s something I talk about more in depth in my book.

When it comes to dealing with passwords, there are a series of trade-offs. I don’t think there’s one answer for every person, account, or scenario. Often the answer is relative: one solution is more secure than another, while another is easier and therefore more likely to be used consistently. Using a password manager, or your Google account for authentication, together with a strong second factor such as a YubiKey or an application like Google Authenticator, is better than using the same username and password everywhere. Which one is better depends on several factors.

When you use a password manager on your local machine, an attacker who breaks into your computer may steal all the passwords via a vulnerability in the password manager. How secure are your network and your laptop? Could an attacker break in and copy the vault file associated with your password manager, or replace the password manager binary or browser extension with a trojanized copy that captures the passwords as you use them? If the vault is encrypted with a key derived from your master password, stealing the file alone forces the attacker to guess that master password offline, so the strength of the master password and of the key derivation function matter; an unencrypted vault gives everything away immediately. Even if attackers do not break into your system, they may find another way to access those passwords. Earlier this year, researchers tricked some password managers into autofilling credentials into illegitimate applications that mimicked legitimate ones.

When you use your Google account to sign in to other applications, you risk one compromised set of credentials providing access to all of those applications at once. Bear in mind that Google has also made mistakes in the past. In 2019 it disclosed that some G Suite customer passwords had been stored unhashed (in plain text on its internal systems) since 2005, roughly 14 years. Google also had to recall its Bluetooth Titan Security Key after its initial launch because of a flaw in its Bluetooth pairing. An insider at Google could conceivably alter system code to capture credentials, if that is possible. Your choice to use Google involves some level of trust in the company. That is true of any company you entrust with the security of your data.

In general, I believe that Google has relatively robust authentication mechanisms. Some people who can’t or won’t set different passwords for every system will be better off with Google than nothing at all. Is it more or less secure than a password manager? That depends on how you feel about Google having your credentials versus the security of your password manager. Neither case eliminates all risk, but they are better than the alternative of doing nothing at all and reusing the same password everywhere.

It is impossible to be certain one is better than the other because we can’t know all the details about how Google internally manages your credentials. Additionally, each home user may have a more or less secure home network, and different password managers may be more or less secure. For home users who don’t want to invest a lot of time, either option is reasonable, in my opinion. For those who want to invest a bit more time securing their data, we can consider the risk factors and, instead, come up with a strategy to minimize losses should credential compromise occur.

When you invest in the stock market, a common strategy is to diversify your investments across many different stocks rather than put all your money into a single company. That way, if something happens to one company that causes the stock to fall, you still have decent investment income from the rest of your portfolio to offset losses, hopefully. I like to think about my data and passwords in the same way. I use the concept of segregation a lot so that if an attacker gets one username and password, or gets into one particular system, they don’t have everything. I also tend to back up data to multiple sources and accounts that have different passwords. I use separate computers for different purposes and don’t log into them all at the same time.

Using a similar strategy, I choose not to count on any single source for all my password management. I’m a security professional, and some home users may not want to go through the trouble to do things the way I do. I might use one third-party vendor to log into lower-risk applications and store passwords in an alternate form to log into higher-risk applications. I have multiple accounts at a single vendor for different purposes, so if someone accesses that account, they only get a subset of my data. For my most sensitive passwords, I don’t put them into electronic form. I write them down and store them in a safe, if I write them down at all, and then I use the strongest form of second-factor authentication available.

My solutions may be overly complicated for some people, and they still are not perfect. I still worry about someone accessing my data via a stolen password or compromised system. However, I do my best to prevent that by keeping software up to date, securing my network, and segregating resources to limit potential damage. As mentioned at the end of the article, choose any solution that helps you avoid reusing the same password everywhere, for the reasons I explain in my book. If possible, that solution should not involve storing passwords in plain text (unencrypted) on a mobile device, laptop, or computer. Wherever possible, use multi-factor authentication.
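The segregation strategy above (keep high-risk and low-risk credentials apart, never share a password across that boundary, and put the strongest second factor on the accounts that matter most) can be checked mechanically against a vault export. The script below is an added example, not code from the original post or from any password manager. It assumes a vault export shaped as a list of records with a site, a password, a tier ("high" or "low") and the strongest second factor enrolled; the sample records are constructed and the site names are placeholders. It reports exact reuse, reuse that crosses the high/low boundary, "rotated" near-duplicates such as summer2019 and summer2020, and high-tier accounts without a strong second factor, without ever printing a password.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample vault export (not real credentials). The record shape
# (site, password, tier, mfa) is an assumption for this example, not the
# export format of any particular password manager.
SAMPLE_VAULT = [
    {"site": "bank.example",   "password": "Tr0ub4dor&3!xK9", "tier": "high", "mfa": "hardware"},
    {"site": "broker.example", "password": "Tr0ub4dor&3!xK9", "tier": "high", "mfa": "totp"},
    {"site": "forum.example",  "password": "summer2019",      "tier": "low",  "mfa": None},
    {"site": "shop.example",   "password": "summer2020",      "tier": "low",  "mfa": None},
    {"site": "mail.example",   "password": "summer2020",      "tier": "high", "mfa": "sms"},
    {"site": "news.example",   "password": "correct horse battery staple", "tier": "low", "mfa": None},
]

# Second factors accepted for high-tier accounts. SMS codes are phishable and
# SIM-swappable, so they do not count as strong here.
STRONG_MFA = {"hardware", "totp"}


def fingerprint(password: str) -> str:
    """Stable, non-reversible identifier so reports never contain the secret."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def stem(password: str) -> str:
    """Collapse common rotation variants: strip trailing digits/symbols, lowercase."""
    return re.sub(r"[0-9\W_]+$", "", password).lower()


def audit(vault):
    """Return sorted (finding_type, sites) tuples for the given vault records."""
    findings = []
    by_exact = defaultdict(list)   # fingerprint -> records sharing that password
    by_stem = defaultdict(list)    # stem -> records whose passwords share a base

    for rec in vault:
        by_exact[fingerprint(rec["password"])].append(rec)
        by_stem[stem(rec["password"])].append(rec)

    # Exact reuse, and reuse that leaks a high-tier password into a low-tier site
    for recs in by_exact.values():
        if len(recs) > 1:
            sites = tuple(sorted(r["site"] for r in recs))
            findings.append(("reuse", sites))
            if {r["tier"] for r in recs} == {"high", "low"}:
                findings.append(("tier_crossing", sites))

    # Same stem but different passwords: the "summer2019 / summer2020" pattern
    for st, recs in by_stem.items():
        if st and len({fingerprint(r["password"]) for r in recs}) > 1:
            findings.append(("near_reuse", tuple(sorted(r["site"] for r in recs))))

    # High-tier accounts must carry a strong second factor
    for rec in vault:
        if rec["tier"] == "high" and rec["mfa"] not in STRONG_MFA:
            findings.append(("weak_mfa", (rec["site"],)))

    return sorted(findings)


if __name__ == "__main__":
    for kind, sites in audit(SAMPLE_VAULT):
        print(f"{kind:14s} {', '.join(sites)}")
```

On the sample vault this flags the shared broker/bank password, the summer2020 password that crosses from a low-risk shop account into a high-risk mail account, the rotated summer20xx family across three sites, and SMS-only MFA on the mail account. Because only SHA-256 fingerprints are compared, the report can be kept or shared without exposing the vault contents; in practice run it against a freshly exported file and delete the export afterwards.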


Teri Radichel | © 2nd Sight Lab 2020
