If you are not familiar with Password Managers, you can refer to one of my old posts from 2012
Short answer: Yes
Long answer: Yes and No (depending on how you use it)
Unless you are coming from the stone age, you will have noticed that we are living in the post-password era. Every account you create locks you behind a password that must be both 'easy' to remember and hard to 'guess'.
One of the most recommended solutions is a software-based password manager, also known as a password vault or password wallet. It helps you generate, store and use different complex passwords in a secure manner by encrypting all of them with a single master password that you have to remember. This master password is also known as the Key Encryption Key (KEK), and it should be stronger than any of the passwords it protects.
Password Manager, Friend or Foe?
Pros:
- In general, it helps mitigate the majority of the post-password era weaknesses
- It helps you securely store complex passwords (instead of writing them down on paper or e-mailing them to yourself)
- It helps you generate complex passwords
- It helps you change passwords periodically
- It becomes easier to create different passwords for different services instead of using the same password for different services
Cons:
- Single point of failure
- Single point of failure
- Single point of failure (hereafter SPOF)
Storing all your passwords in one place makes them easier to manage, and yet easier to lose all at once:
- If you happen to lose your master password, your passwords may become unrecoverable if the recovery accounts were themselves managed inside the password manager. Pick your recovery methods wisely to avoid a deadlock. (I know someone who forgot his Gmail password. When he tried the e-mail recovery feature, he noticed that his recovery Hotmail password was lost too, while Hotmail's recovery address was the same Gmail account he had already lost access to.)
- If your password manager is local, a hard drive failure or a stolen computer may leave you passwordless
- Memory scrapers and keyloggers can jeopardize cloud-based, web-based and desktop-based password managers alike; putting every password in the same place brings you straight back to the Single Point of Failure.
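The recovery deadlock described above can be checked mechanically. The following is an added example, not code from the original post: given which accounts can reset which, and which recovery methods still work without the vault (a memorized password, a phone number), it reports the accounts you could never get back. The account names and the recovery map are constructed sample data, and the search handles arbitrary recovery cycles, not only the two-account Gmail/Hotmail loop.

```python
"""Recovery-deadlock check for accounts whose passwords live in a vault.

Added example, not code from the original post. Account names and the
recovery map below are constructed sample data.
"""
from collections import deque


def find_recovery_deadlocks(recovery, survives_vault_loss):
    """Return the accounts that cannot be regained once the vault is lost.

    recovery: dict mapping an account to the accounts/methods that can
              reset its password (e-mail recovery, SMS, and so on).
    survives_vault_loss: set of accounts or methods still usable without
              the vault (a memorized password, a phone number, a token).
    """
    # Reverse the edges: which accounts does each recoverer unlock?
    unlocks = {}
    for account, recoverers in recovery.items():
        for r in recoverers:
            unlocks.setdefault(r, []).append(account)

    # Breadth-first search outward from the roots that survive vault loss;
    # anything never reached is stuck behind a cycle or behind the vault.
    recoverable = set(survives_vault_loss)
    queue = deque(recoverable)
    while queue:
        current = queue.popleft()
        for account in unlocks.get(current, []):
            if account not in recoverable:
                recoverable.add(account)
                queue.append(account)

    every_account = set(recovery)
    for recoverers in recovery.values():
        every_account.update(recoverers)
    return every_account - recoverable


# Constructed scenario from the post: Gmail and Hotmail recover each other,
# while the bank account can be reset via Gmail or via an SMS to the phone.
SAMPLE_RECOVERY = {
    "gmail": ["hotmail"],
    "hotmail": ["gmail"],
    "bank": ["gmail", "phone"],
}

if __name__ == "__main__":
    stuck = find_recovery_deadlocks(SAMPLE_RECOVERY, {"phone"})
    print("unrecoverable after losing the vault:", sorted(stuck))
    # Memorizing the Hotmail password (keeping it out of the vault) breaks the loop.
    print("with hotmail memorized:",
          sorted(find_recovery_deadlocks(SAMPLE_RECOVERY, {"phone", "hotmail"})))
```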
Threat modeling
| Threat | Availability | Integrity | Confidentiality | Comments |
|---|---|---|---|---|
| Writing down passwords on paper | Medium Risk (Low Risk if you store it in a safe, but remember you can't carry your safe everywhere) | Critical Risk (Low Risk if stored in a safe) | Critical Risk (Low Risk if stored in a safe) | Never store your passwords in clear text |
| Writing down passwords in a text file | Medium Risk (SPOF, but can be backed up) | Critical Risk | Critical Risk | Never store your passwords in clear text |
| Writing passwords in an encrypted Word document/ZIP file | Medium Risk (SPOF, but can be backed up) | Medium Risk (easy to brute-force) | Medium Risk (easy to brute-force) | Stronger encryption is needed to protect your passwords. You should never protect your passwords with a weaker password than the ones you are protecting. ZIP and Word documents leave temporary files behind, so it is better to avoid them |
| Cloud-based password manager | Medium Risk (SPOF; pick your recovery methods wisely) | Low Risk (managed by the cloud) | Medium Risk (potential keylogger and memory-scraping vulnerabilities) | Keyloggers can capture your master password, giving attackers access to your cloud-stored passwords. Memory scrapers can capture all your passwords, not just your master password. Best used with a two-factor authentication mechanism |
| Web-based password manager | Medium Risk (SPOF; pick your recovery methods wisely) | Low Risk (managed by the web service) | Medium Risk (potential keylogger and memory-scraping vulnerabilities) | Same as above, plus web vulnerabilities such as XSS and XSRF |
| Local password manager | Medium Risk (SPOF; losing your master password is game over even if you back up your password file) | Low Risk | Low Risk (main threat is memory scrapers) | My best option, in addition to storing camouflaged passwords |
And the solution?
Storing passwords anywhere, including in password managers, increases their likelihood of disclosure. If you think you can memorize many complex and different passwords and change them periodically without writing them down or sharing them with anybody, then password managers are bad for your online security hygiene: you are way better off and more secure without them.
For everyone else, regular use of a password manager is enough to cut down on insecure password usage.
It is important to keep in mind that human memory drains with age, and mentally managing your passwords gets harder every year. As for paranoid internauts like yours truly, using a regularly backed-up local password manager to store hints to the passwords (not the passwords themselves) helps reduce the paranoia hassle.
Personally, it just doesn't feel comfortable to store my usernames, passwords and related websites in one place inside an application, and password managers are no exception; letting them use my passwords on my behalf makes it all the more gross. If I had to use a password manager, I would store hints to the passwords I want to secure instead of the passwords themselves: no usernames, no login pages, nothing whatsoever.
I hope you enjoyed the paranoia dose of the day. Remember, if you are not scared of losing your passwords then you are not using internet enough, which I envy you for.
Closing this blogpost is brought to you by XKCD: "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess!"