Ricardo Tavares

January 1, 2023

Passwords cross all boundaries, how can we manage them?

Passwords are a great solution and a huge problem. People use them every day, not only as a way to claim ownership of services and products, but also to share that access with other people they trust. Passwords are great because they stand outside everything. You're not forced to have service A in order to access service B. Passwords are portable, platform agnostic and not tied to a particular identity. Allow me to stress this aspect because you'll not hear it mentioned by corporations that are interested in locking down account ownership completely: people share passwords with their close relations. One person pays for something and then they can easily share access to it by simply giving out that password. Account details are often sent in plain text e-mails, but also in loosely encrypted chat messages. The security risks are considerable, but there are also hidden benefits to using passwords as opposed to biometrics or device keys. People who push for alternative solutions like to pretend that this is not a welcome feature that everyone sooner or later depends on.

However, passwords are bad because they're powered by cognitive load. You need to generate, remember and keep secret some strange and unique series of characters. And some other person needs to technically secure a matching hash of your password. And each time that we fail at this task, a permanent record of leaked passwords is eventually made available worldwide. Finally, each of these failures can be relatively inconspicuous: it's possible that right now someone is taking advantage of your leaked password and no one will ever know. Indeed, handling passwords is not a fair task. You're supposed to do it by yourself and, if there's a problem, it's possible you'll never know until maybe some money has gone missing or some unsuspecting account comes up associated with criminal activity. No pressure.

Therefore passwords are a good example of how real-world security is a balance between the features you value and the risk associated with each of them; it's always a mixed bag. If we recognise that there are both benefits and costs to using passwords, we can consider accepting and mitigating the risks of having our accounts compromised. Password managers are not a perfect solution, but they are currently the only way to keep passwords around with the degree of freedom they offer. Like other flawed solutions, password managers don't solve the problem but rather kick the can down the road. But, for those unaware of this solution, I'll describe a complete password management service that you might even want to pay for.

The service still depends on a single master password that you create following all the usual best practices. This one good password is how you access all your other passwords that the service can then generate, store and type for you wherever you need them. That's why this has to be seen as a complete solution for all your accounts across all your devices. It involves a website, iOS/Android apps and extensions for most browsers, all so you can create and use secure passwords everywhere. I do recommend not going for half-measures. If you're going through the work of having a password manager, you want it to remove 99% of the burden of juggling passwords in your head. And the reason why the best service is probably a paid one is because having just one user interface to manage your passwords only gets you halfway there. Now you want it to automatically type into login screens inside apps on your phone. You want it to save a new account you've just created in a new browser you've decided to try out. These cross-platform features unfortunately cannot happen for free. Regular development time has to be spent chasing down the inevitable changes in browsers and ecosystems. The kind of drudge work that free and/or open source software rarely finds people to do. But it all adds up to providing a user experience that can greatly improve your security. It's often forgotten how important an easy UI and a good UX are to solid security practices.

And here are some not-so-obvious benefits to using a complete password manager:

Some platform you signed up for got hacked and now you're forced to change your password. That's easy.
This one torpedoes the usual method that people have of using some personal cypher to generate passwords from the name of each platform. For example, your Google password would be elgoog.2001 and your Yahoo one oohay.2001. Now, Yahoo gets hacked and what do you do? This specific account now deviates to oohay.2002, right? Not very secure or easy to remember. With a password manager, you don't care what the password was or what the next one will be. You're not particularly bothered even if some company forces password rotations every 3 months. Just generate a new one and get on with your life.

This specific website has some strange password requirements. Not an issue for you.
Another cannonball shot at the starboard of personal cyphers. Now, let's say your bank requires two capitalized letters. Following on from the previous example, you have to do something like KNab.2001, right? Again, not something we should be wasting brain power on. Password managers allow you to generate randomized text that can match any of the usual or most annoying requirements.

You can turn the magic dial up or down at your convenience.
When you switch to a password manager, you're not forced to change all your old passwords. It's an incremental solution. You can start by keeping all your not-so-secure passwords and then gradually replace them over time as you get the chance. You can also account for situations where you don't expect to have your password manager installed by generating a long passphrase that's easy to copy by just looking at it. For example, you can check it on your phone to log in on a new computer.
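As an added example (not code from this post, nor from any of the managers mentioned later), here is what the two points above amount to in practice: a generator that satisfies per-class rules such as "two capital letters" and a readable passphrase for typing across devices, both drawn from the OS random source via Python's `secrets` module. The symbol set and the 16-word list are assumptions constructed for the example; a real manager ships a list of thousands of words.

```python
import math
import secrets
import string

# Character classes. The symbol set is an assumption; sites differ on which they allow.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*-_"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS

def generate_password(length=20, min_upper=2, min_digits=1, min_symbols=1):
    """Random password that satisfies per-class minimums (e.g. 'two capital letters').

    Required characters are drawn first so the policy is always met, the rest is
    filled from the full alphabet, then the list is shuffled with a CSPRNG-driven
    Fisher-Yates so the forced characters don't always sit at the front.
    """
    if length < min_upper + min_digits + min_symbols:
        raise ValueError("length too short for the requested rules")
    chars = [secrets.choice(UPPER) for _ in range(min_upper)]
    chars += [secrets.choice(DIGITS) for _ in range(min_digits)]
    chars += [secrets.choice(SYMBOLS) for _ in range(min_symbols)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):      # random.shuffle is not CSPRNG-backed
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)

def meets_policy(pw, min_upper=2, min_digits=1, min_symbols=1):
    """Check a candidate against the same minimum-count rules."""
    return (sum(c in UPPER for c in pw) >= min_upper
            and sum(c in DIGITS for c in pw) >= min_digits
            and sum(c in SYMBOLS for c in pw) >= min_symbols)

# Constructed 16-word list for the example; a real manager ships thousands of words.
WORDS = ["anchor", "basil", "comet", "delta", "ember", "fjord", "garnet", "harbor",
         "iris", "juniper", "kestrel", "lumen", "marble", "nectar", "orbit", "pebble"]

def generate_passphrase(words=5, sep="-"):
    """Passphrase you can read off one screen and type on another."""
    return sep.join(secrets.choice(WORDS) for _ in range(words))

def password_entropy_bits(length=20):
    """Upper bound: ignores the small reduction from the forced-class minimums."""
    return length * math.log2(len(ALPHABET))

def passphrase_entropy_bits(words=5, wordlist_size=len(WORDS)):
    """Each word contributes log2(list size) bits; 16 words give only 4 bits each."""
    return words * math.log2(wordlist_size)
```

The entropy helpers make the trade-off visible: a 20-character password from this 72-symbol alphabet is worth about 123 bits, while five words from a 16-word list are worth only 20, which is why the passphrase option needs a large word list to be more than a convenience.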

Sites you want to use keep asking you to create an account. An easy process.
When you don't use a password manager, you tend to shy away from creating accounts because it's another password you have to create and remember. In a way, this service plays the same role as having a virtual credit card. You're more comfortable with getting things done online because there's always some protective layer. If some website shows itself to be insecure (like by showing you they keep your password in plain text), you can cancel your account without having exposed some personal cypher you use or a password you use somewhere else. Sometimes you can even take an extra step to anonymise your account: you can generate both a random username and a password that have zero relation to any of your online identities.

I don't want to give any specific recommendation for a password manager, but I personally use 1Password and at work we have LastPass. I've also heard good things about Bitwarden which you can self-host. Like in anything involving your own security, it's best to do your own research up to a point where you make an informed decision. So thank you for reading!

(Originally written on July 1, 2021)

About Ricardo Tavares

Creates things with computers to understand what problems they can solve. Passionate for an open web that anyone can contribute to. Works in domains where content is king and assumptions are validated quickly.
