Friday, March 12, 2010

Password Managers, is this the best option users have?

Before reading the following, ask yourself if you’d recommend to the average user that they store their passwords in a local password manager.

Today there are four primary ways users lose control of their web-based passwords: phishing scams (email or SEO), malware (installed by the user or via drive-by downloads), website break-ins (SQLi, RFI, misconfiguration, etc.), and website brute-force attacks. For each one I've outlined the client-side technologies a user can deploy to protect themselves (which is why MFA is left out) and the possible changes in their online behavior.

Phishing Scams (user hands over their passwords)
Client-side technology solution(s): Web browser security add-ons and anti-email-spam tools.
Behavior: Tell the difference between real/fake and safe/dangerous websites & emails using available visual indicators.
Outcome: The technology is not consistently effective and users are unable to reliably make accurate real/fake or safe/dangerous decisions.

Malware (passwords stolen off the PC)
Client-side technology solution(s): Update Web browser, Web browser security add-ons, desktop anti-malware, and scheduled patch management.
Behavior: Don’t install “bad” software off the internet. Don’t use a local password manager.
Outcome: The technology is not consistently effective. Users WANT to install software and by extension WILL install “bad” stuff. Users are unable to remember multiple hard-to-guess passwords so they’ll either write them down, have the same password across multiple websites, or use a password manager anyway.

Website Break-ins
Client-side technology solution(s): nothing
Behavior: Use different hard-to-guess passwords across websites.
Outcome: Users are unable to remember multiple hard-to-guess passwords, so they’ll either write them down, use a password manager, or have the same password across multiple websites anyway.

Website Brute-Force Attacks
Client-side technology solution(s): nothing
Behavior: Use different hard-to-guess passwords across websites.
Outcome: Users are unable to remember multiple hard-to-guess passwords, so they’ll either write them down, use a password manager, or use the same password across multiple websites anyway.

Now, consider the options users have for personal password handling:
  1. Mentally remember different passwords
  2. Write password down
  3. Use a password manager
  4. Use the same password across multiple websites.
Which should the experts recommend to the average user?

By and large, users are unable to remember multiple hard-to-guess passwords, so let's cross #1 off the list. From a security perspective, the prevalence of malware has made written passwords easier for a user to keep safe than passwords stored on a PC. But from a user's perspective this approach is terribly inconvenient, which makes password managers or reusing the same password across websites more attractive.

If we consider the threat landscape, with massive numbers of compromised websites that don’t encrypt their passwords, a password manager is preferable to having the same password across many websites. If a user's account is compromised via a website hack, ideally it should not impact the security of the rest of their online accounts.

On the other hand, a PC getting infected with malware is a very common problem and could lead to every record in the password manager being lost. However, when this happens the user has worse problems than a compromised password manager; i.e., Man-in-the-Browser attacks make a password-only theft highly unlikely.

When you boil everything down: if a user can mentally remember multiple hard-to-guess passwords across various websites, this is their best option. If they can’t and don’t mind the inconvenience, they should write the passwords down and keep them in a safe place. If they do mind the inconvenience and feel their PC is reasonably safe, password managers are the next most secure option. Perhaps the browser vendors should provide a native hard-to-guess password generator in the browser to auto-populate login/registration fields. Better still if they store them in the password manager by default (opt-out rather than opt-in). Then again, unless truly fixed, this would encourage using XSS to steal from password managers.

What we do know is that, left to their own devices, users will continue to use the same (weak) passwords across multiple websites -- and we know where that leads.


Terri said...

One thing you didn't mention is that there are some severe usability issues in password managers. Sonia Chiasson did a very interesting study on a couple of the (supposed) best-of-breed password managers a couple of years ago:

The short version is that the usability of these programs was so terrible that users wound up accidentally exposing themselves to more risk, and often totally missed that they had done so.

After hearing her talk about this work, I'm not sure I could ever recommend a password manager with a clear conscience... and that's before hearing about today's clever little exploit to gain access to the passwords!

Brad Greenlee said...

How about hash-generating extensions like PwdHash (

Collin Jackson said...

There's another threat you might want to consider, which is that someone has local access to your machine after you've used it, either temporarily (visitor who probably won't install malware) or permanently (thief). By avoiding a password manager you can make it harder for these local attackers to get your passwords.

Claudiu Francu said...

I did a follow-up on your story here:
Tell me what you think!

Anonymous said...

I change my recommendations depending on who I'm talking to (and how much they know/care).
But I now advocate a simple three password approach:
1) Email password - this should be the hardest password to guess and should ONLY be used for email. My reason is that all your other passwords could be gleaned from your email ("forgot my password" links, etc)
2) financial password - hard to guess and used only for banks and other uber-important things
3) everything password - mid-hard to guess and use it for everything else.

This isn't the /best/ system but is very usable.

Anonymous said...

As the last guy said, splitting up accounts into two or more groups is a good suggestion for users.

I also suggest they come up with a password scheme, based on a single common password but with a 4 or more character variation formula based on the site/account they're logging into. That way they can remember one or two passwords and one or two formulas depending on their abilities.

יונתן עמיר said...

Having to move across many different computers, some of which are shared, I have replaced KeePass with LastPass for several reasons:
I don't have to store the password in the clipboard or type it into the browser.
I can use one-time passwords, so my master password is relatively safe when using shared computers.
It is very easy to replace passwords, in case I fear one or more of my stored passwords has been compromised.

Jeremiah Grossman said...

@Terri, usability is hugely important. Thanks for the link to the paper. Still, in theory, the concept of local password managers appears better and safer than the alternatives.

@Brad, Nice link! Forgot about that one. Another version of a local password manager. Again, would be nice if something like this was on by default in the major browsers. Otherwise, it'll remain obscure and largely unused.

@Collin, I operate under the assumption that local access = root. And I could be wrong, but local access isn't a major source of password loss like the others I outlined. Still, a screen saver password would be very helpful in these cases.

@Claudiu, as you left it at the end, it would be nice to move away from passwords. But the solutions available so far just aren't that attractive, leaving passwords as the best option for the moment.

Anonymous said...

"By enlarge"? Don't you mean "By and large"? Try a Google search - seems to be an old sailing term.

lava said...

Nice article. Brad's suggestion looks the strongest and has the added advantage of protecting against phishing attacks as well. Though not perfect, it does have a nice combination of usability and security for common non-security folks.

I would like to point out one additional attack vector that would be of interest, Browser Phishing. It's been a part of karmetasploit since 2008. I have implemented the same as one of the attacks in Imposter, a browser phishing attack framework. Video available here

Anonymous said...

Try Sticky Password

Wayne said...

My organization forbids both writing passwords down and using password managers (without approval, which you can't get).

Two-factor authentication using smart card PKI certificates (where it's available) solves a lot of these issues.

said...

Hey guys,

I think that the best option is indeed to use a password manager, since it is most important to change passwords frequently.

If you really want to use a highly secured manager, try Passter:

Unknown said...

The details about the best password management software can be understood clearly on reading this post. Keep updating the blog regularly.