The password security / convenience tradeoff

The story broke recently that a number of cloud based password managers have been found to be vulnerable to attack, in a paper published by the University of California, Berkeley.  The password managers, including the popular LastPass, were found vulnerable to various attacks allowing, among other things, the leaking of plain text passwords or the extraction of the entire encrypted password database.  It should be noted that the vulnerabilities found in the password managers have either been patched or are currently being patched; however, the finding puts a spotlight on the danger of convenience when it comes to passwords and password management.

What’s a Password Manager?

We all know that a password is only as secure as it is complex, but a long and complex password is obviously hard to remember.  Because of this, people tend to use shorter passwords, common words, or even familiar words and phrases like the name of their dog or a line from a song.  This is great for easy recall, but not so good for security.

We also know that you should be using a different password for every site.  The theory is that if one account is compromised and a password leaked, the damage is limited.  Change a single password and you’re back in action.

Password managers are all a little bit different, but work in much the same way.  A password manager takes away the need to remember multiple, long and complex passwords by keeping a record of every password you use in an encrypted database, secured behind a single password which you need to remember.  When you want to log in to your online bank account, for example, you are prompted to enter the password for your manager, and the manager then enters your saved banking password automatically.  This allows you to use long, complex and randomly generated passwords for each of your accounts, as the responsibility for remembering each password is left to the manager.  All you need to do is remember your single manager password and all is well in the world.  Or at least that’s the theory.

One of the shortcomings of using a password manager is that the encrypted password database is stored locally, and you need to install the password manager software on every device on which you want it to function.  If you’re at a friend’s house or at work, for example, and want to log in to your online bank, you’re out of luck.  There are apps for a number of the big name managers which allow you to retrieve your stored passwords using your smartphone.  This partially alleviates the issue, but is not a complete solution.  If you’re overseas or otherwise without your phone, you’re once again stuck.

The password managers found lacking in the UC study were cloud based solutions, where your encrypted password database is stored on a server, somewhere in the cloud.  By using this type of solution you have access to your passwords from anywhere with an internet connection.  The cost of this convenience, though, is that you are handing the key to your entire password empire over to a third party.  This introduces a single point of failure, and can make cloud based password managers attractive targets for hackers.  Certainly the convenience of a cloud based system is great, but it’s arguable that this comes at the cost of security.
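To make the mechanism described above concrete, here is an added example (not code from the original post, and not from LastPass or any other manager) of a minimal local vault: every stored password lives in one database encrypted under a key derived from the single master password, which is exactly why that master password, and whoever holds the encrypted database, becomes the single point of failure.  The function names `lock` and `unlock`, the iteration count, and the sample entries are all assumptions made for this example.  Key derivation uses PBKDF2-HMAC-SHA256 from the standard library; because the example runs on the standard library alone, encryption is done with HMAC-SHA256 used as a keystream generator in counter mode plus a separate HMAC tag (encrypt-then-MAC).  A production manager would use a vetted authenticated cipher such as AES-GCM instead.

```python
# Added example, not code from the original post or from any password manager:
# a minimal local vault showing one master password protecting an encrypted
# database of all other passwords.
#
# Assumptions: PBKDF2-HMAC-SHA256 for key derivation (stdlib). Encryption is
# HMAC-SHA256 run as a keystream generator in counter mode, with a separate
# HMAC tag (encrypt-then-MAC), so the example needs no third-party library.
# A real manager would use a vetted AEAD such as AES-GCM instead.
import hashlib
import hmac
import json
import os

PBKDF2_ITERATIONS = 100_000  # the work an attacker pays for each master-password guess
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master: str, salt: bytes) -> tuple:
    """Stretch the master password into an encryption key and a MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with successive HMAC(key, nonce || counter) blocks; the same
    call decrypts, because XOR is its own inverse."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def lock(master: str, entries: dict) -> bytes:
    """Serialise and encrypt the vault; returns salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unlock(master: str, blob: bytes) -> dict:
    """Verify the tag before decrypting. A wrong master password derives the
    wrong MAC key, so it fails here instead of yielding garbage; so does any
    tampering with the stored blob."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(_keystream_xor(enc_key, nonce, ciphertext).decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample entries; the master password is the only secret to remember.
    master = "correct horse battery staple"
    blob = lock(master, {"bank": "Q7v!pR2m", "forum": "throwaway1"})
    print(unlock(master, blob))
```

Note that nothing in `unlock` distinguishes a lost master password from a stolen database: whoever holds the blob can run `derive_keys` as often as they like, and the only thing slowing them down is the PBKDF2 work factor multiplied by the strength of the master password.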

So what’s the solution?

Unfortunately, there’s no real way to avoid the convenience/security trade-off.  You have to decide for yourself how much risk you are comfortable accepting in the name of convenience.  There are a few rules that I would try to stick by though.

  1. For security critical items like online access to your bank account, or admin access to your website, I really would recommend a randomly generated password as long as possible.  You’ll never be able to remember what this is, so make sure you record it somewhere.  Write it down or use a password manager, and please don’t put it on a Post-it note stuck to your screen.
  2. If randomly generated passwords are too inconvenient, then at least use a randomly generated, common word password.  By this, I mean concatenate a string of random but common words.  It’s even better if you can add some characters and numbers, as well as upper and lower case.  It will be less secure than a truly random string of characters, but better than your dog’s name, while still being reasonably easy to remember.  The XKCD below explains it nicely, and there are a number of online password generators inspired by this idea if you want to try it out.  Note that this won’t add any special characters or numbers though.

    [Image: XKCD comic on password strength. Caption: Random character passwords aren’t the only option]

  3. Make sure your passwords are long.  This will be limited by the application – some sites may only allow sixteen characters, others may allow many more – but for every character you add, the number of possible passwords an attacker has to try grows exponentially.  Length is just as important as complexity.
  4. Use a different password for every site.  The main advantage of doing this is that if the worst happens and your password is leaked, only a single account is compromised.  You just change a single password and move on.  If this is too much trouble, at least use a different password for each high security application.  For example, don’t use the same password for both your bank and that online cat GIFs forum.  You could always have a throwaway password you use for low security applications and then unique passwords for each of your high security applications.  Once again we’re back to the security vs convenience trade-off.
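As an added example (not from the original post), the Python below generates both kinds of password that rules 1 and 2 describe and puts numbers on rule 3, showing how the search space grows with every character or word added.  The 16-word list is a constructed sample; the entropy figures assume, as is standard, that the attacker knows the generation method and the word list, so the only unknown is which choices were made.  The `decorate` option implements the post’s suggestion of adding case, numbers and a special character, which the XKCD-style generators it mentions leave out.

```python
# Added example, not from the original post: generating the two kinds of
# password described above and measuring how the search space grows with length.
import math
import secrets
import string

# Constructed 16-word sample list. A real generator would use a large list such
# as the EFF diceware lists (7776 words); compare() shows why list size matters.
WORDS = ["correct", "horse", "battery", "staple", "orange", "window", "river",
         "candle", "planet", "guitar", "silver", "meadow", "rocket", "pepper",
         "falcon", "marble"]
SYMBOLS = "!@#$%^&*-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 74 characters


def random_password(length: int, alphabet: str = ALPHABET) -> str:
    """Rule 1: a uniformly random string. secrets is the CSPRNG; random.choice is not."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def choose_words(n_words: int, words=WORDS) -> list:
    """Pick n words uniformly and independently (repeats allowed, so every pick
    contributes the full log2(len(words)) bits)."""
    return [secrets.choice(words) for _ in range(n_words)]


def word_password(n_words: int, words=WORDS, decorate: bool = False) -> str:
    """Rule 2: concatenate random common words. With decorate=True, randomly
    capitalise words and append a number and a symbol, as the post suggests."""
    chosen = choose_words(n_words, words)
    if decorate:
        chosen = [w.capitalize() if secrets.randbits(1) else w for w in chosen]
        chosen.append(str(secrets.randbelow(100)))
        chosen.append(secrets.choice(SYMBOLS))
    return "".join(chosen)


def keyspace(length: int, alphabet_size: int) -> int:
    """Candidates a brute-force attacker must consider: alphabet_size ** length.
    Each added character multiplies this by alphabet_size (rule 3's exponential growth)."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """log2 of the keyspace, assuming the attacker knows the alphabet (or word
    list) and that every symbol is chosen uniformly. For word passwords use
    length = number of words and alphabet_size = size of the word list."""
    return length * math.log2(alphabet_size)


def compare() -> dict:
    """Side-by-side entropy (bits, rounded) of the options discussed in the post."""
    return {
        "16 random chars, 74-char alphabet": round(entropy_bits(16, 74), 1),
        "4 words from this 16-word list": round(entropy_bits(4, len(WORDS)), 1),
        "4 words from a 7776-word diceware list": round(entropy_bits(4, 7776), 1),
        "6 words from a 7776-word diceware list": round(entropy_bits(6, 7776), 1),
    }


if __name__ == "__main__":
    print(random_password(20))
    print(word_password(4, decorate=True))
    for label, bits in compare().items():
        print(f"{bits:6.1f} bits  {label}")
```

The comparison is the useful part: four words from a tiny list are no better than a short random string, four words from a proper diceware list land around 52 bits, and sixteen random characters from the full alphabet are close to 100 bits, which is why rule 1 reserves the random strings for the accounts that matter most.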

Any recommendations?

The compromise I’ve come to varies with the application.  As suggested above, I use truly random passwords for applications I don’t want to risk.  For applications I want to be able to access more easily, I use common word passwords, with the addition of numbers, special characters and upper and lower case.  I also use a different password for every application.

This might not be the most secure solution, but overall I feel it gives me a reasonable compromise between security and convenience.

Do I use a password manager?

Yes!  I write down every password I generate in a notebook and lock it away somewhere safe.  It’s not the most high tech solution, and at times, not the most convenient, but I can be sure that the vulnerabilities faced by LastPass and other cloud based managers don’t affect me.  By my reasoning, those who want to get access to my password are random online hackers, while those who may break into my house are more interested in my laptop than a scrappy looking book.  Perhaps I’ll be proven wrong and live to regret the day I filled a notebook up with the passwords to my entire life, but for now it works great.

It’s up to you

What all of this boils down to is that there is no one-size-fits-all solution, and that you really just need to use common sense.  There are many people who will tell you that you need to be using lengthy, randomly generated passwords for every account, but for most of us this is simply overkill.  A password manager of some sort is a great idea as it allows you to use more random passwords, and to use different passwords for each of your applications.  As the recently published vulnerabilities show, however, this is not a perfect solution, and can even introduce its own risks.

Use strong passwords, mix them up by application, record them somewhere and you’re doing well.  And don’t forget, if it’s convenient, it’s probably not the most secure.


Featured image by Pascal licensed under Creative Commons.