~$ A much ado about passwords and password management

Posted on Mar. 7th, 2021.

Tags: InfoSec


Within the last 5 years, we've become more and more reliant on services provided by companies -- services that usually require some form of Internet connectivity and some form of account, sometimes under the guise of a warranty scheme. When setting up these services, users need to define a password, which gives them access to the vendor's platform, a dashboard, or something of the sort.

However, human memory is only so good. You cannot exactly rely on it to store a dozen or more passwords that you only use every few weeks or months. We as a species are constantly plagued by thoughts, considerations and the ramblings of our imagination. To aid in remembering such important details, we've developed a few methods; only some of them are actually efficient, and only a handful are secure, as we'll get to in this article.

Here I will also go over some custom solutions that were interesting -- to say the least -- and why, when it comes to your cyber-hygiene, a password management solution is usually the most practical and efficient way to go.

Storing passwords

The first option is of course to reuse the same password everywhere, from your personal mailbox to some random service or video game on the Internet. This option is the best in terms of efficiency, because you only need to remember a single password! However, this benefit comes with a serious downside: your password needs to appear in only a single breach for it to compromise the entire realm of services, some of which hold a lot of details concerning your identity. This makes a potential attacker's job easy by giving them all of the resources they need to impersonate you and steal all of your money or open a credit line in your name, among other nasty things.

Another option would be to store your passwords on some form of medium, be it physical or virtual -- a notepad, a piece of paper, a safe, a text file (non-exhaustive list). Now this is a "good" solution, because in theory you can have as many different passwords as you want. Aaaaaand your computer just died. Sad emoji face, you do not have anything left, and need to reset all of your passwords -- if you can.

So what about keeping multiple copies of parts of your password repertoire in various places? Yeaaaah, not really: good luck finding the exact password you're looking for from the office.

There are a lot of alternatives, as I'll get into in the next chapter, but yeah... you are taking a lot of risk for not much punch.

Sparse bits of frightening reality

Not convinced? Here are some mind-blowing real-world ways of storing passwords that I've seen.

The first and most common example of a bad password management solution is the Post-It methodology. Now imagine someone putting their personal passwords on Post-Its on their work desk. To be fair, their handwriting was horrible, but it was still legible. So there's one for identifying, keeping track of and relating to scope.

Another one was a person who stored their passwords in random files on their hard drive, in a place they swore made sense when they did it. This happened to a family member of mine, and the second part of the story was the inevitable drive failure. The following is a real-life quote from me upon seeing this.

Never before has murder felt so justified than after observing your password management technique.
AtomicNicos

One of the most exotic things I've seen in the wild is someone using their mailbox's drafts folder as password storage. The mailbox itself had a 12-character password that was their last name, their birth year and the dollar sign. That password had appeared in a breach of a site full of old Flash games from three years prior. To this day, I have not found out what happened to this person, but I am assuming nothing good.

Not becoming the victim in the thriller where you are also the antagonist

So how do people get around all of these limitations? Well, they get around to using an online password management solution. To get a good one you might need to shell out a few dollars a month, but in my opinion it is worth it.

The main excuse used by password-manager-phobic people is that you are just exporting the problem somewhere else, and if the service gets breached, all your passwords are lost to the world.

That would be true if the whole business model of the service host didn't rely on "almost" perfect security. Plus, all you need to know is a single password, and you can use the manager on multiple platforms (just don't forget to sign out). There are many solutions, which I am not going to name, but the most well known are pretty well documented.

So yeah, those are my 3¢ on the matter. I've been using a password manager for a while now, and I really like the fact I don't need to remember passwords anymore and that the software can generate high-entropy passwords for me.
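To put numbers on the "high-entropy" claim, here is an added example (my own code, not from the post or any password manager) that generates a password the way a manager does, with a CSPRNG over a fixed alphabet, estimates its entropy, and compares it with the "last name + birth year + symbol" shape from the drafts-folder story. The alphabet, the 20-character default and the surname/year/symbol counts used for the pattern estimate are constructed assumptions.

```python
import math
import re
import secrets
import string

# Alphabet a manager-style generator might draw from (an assumption,
# not the page's or any product's actual character set): 94 symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random string of this length."""
    return length * math.log2(alphabet_size)

def generate_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Draw each character independently from the OS CSPRNG (secrets),
    never random.random(), so the entropy estimate above actually holds."""
    if length < 1 or not alphabet:
        raise ValueError("need a positive length and a non-empty alphabet")
    return "".join(secrets.choice(alphabet) for _ in range(length))

# The "last name + birth year + one symbol" shape from the story above:
# letters, a 19xx/20xx year, then exactly one trailing symbol.
NAME_YEAR_SYMBOL = re.compile(r"^[A-Za-z]+(19|20)\d{2}[^\w\s]$")

def looks_like_name_year_symbol(password: str) -> bool:
    """True when a candidate follows that guessable pattern; a policy
    checker can reject such a password regardless of its length."""
    return NAME_YEAR_SYMBOL.fullmatch(password) is not None

def entropy_of_pattern(surname_choices: int = 100_000, years: int = 120,
                       symbols: int = 32) -> float:
    """Rough size of the pattern's search space in bits (the counts are
    constructed assumptions): pick one surname, one year, one symbol."""
    return math.log2(surname_choices * years * symbols)

if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw), len(PRINTABLE)):.1f} bits")
    print("Smith1985$", f"{entropy_of_pattern():.1f} bits",
          "matches pattern:", looks_like_name_year_symbol("Smith1985$"))
```

A 20-character password over 94 symbols comes out near 131 bits, while the name/year/symbol shape, even at 12 characters, sits below 30 bits under these assumptions.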