The Coalfire Blog
Password Management: How many do you need to remember?
February 17, 2012, Mike Weber, Managing Director, Coalfire Labs
In today’s online world, the proliferation of usernames and passwords has resulted in a cottage industry springing up to meet the need to keep track of them in a secure manner. Software and hardware providers have developed a number of unique approaches to deal with this problem, but they all achieve the end goal of being a single credential that grants access to all your passwords.
While very convenient, these solutions also have the drawback of being a single point of potential failure – “one stop shopping” for the attacker. Solutions that require the entry of a single factor for authentication – a master password – are only as secure as the system you’re using them on. A keylogger or other malware resident on that system can undo the security these solutions afford.
Software-based solutions are greatly impacted by the security of the system they reside on. In addition, these software-based solutions are of no help if you need to access an account using a system that doesn’t have this software present, such as your mobile phone. Cloud-based or web-based solutions meet the convenience and portability factor, but they’re typically a software-based solution; they’re just not resident on your desktop. Short of a full network vulnerability assessment, you can assume they’re (generally) just as unguarded as the system that you’re using to access them.
Token-based password managers are much more secure in this respect, because they require the user to ‘unlock’ their passwords with a portable physical device. This eliminates the one-stop-shopping exposure that software-based solutions are susceptible to. But even these solutions are still vulnerable if the password is used on a system that is already compromised. They are also usually much more expensive and less portable than software-, web- or cloud-based solutions.
Is it safe to write your passwords down? Technically, writing your passwords down and keeping them in a secure place is essentially a “manual” password management solution. By writing your passwords down – on paper, not on your desktop computer – you can eliminate any concerns about your entire collection of passwords being compromised by electronic means. Of course, this is only as secure as its location. For example, a sticky note under your keyboard would be an insecure location, whereas a slip of paper in your wallet would be significantly more secure.
Is it okay to reuse passwords? Yes and no. In my experience performing penetration tests against business IT environments, we see passwords reused all too frequently, allowing one compromised password to provide access to a wealth of systems and sensitive data. In a corporate environment, I would not recommend this practice. However, as an individual, you may find the need to “register” for many different online services (discussion boards, whitepaper downloads, or other ‘non-critical’ web sites) just to get a low level of access. In this case, if the information provided to or held by these sites is not sensitive and has no connection with your personal assets or other ‘critical’ services, it can be very convenient to use one ‘disposable’ password to satisfy the registration requirements of the site you’re using – with the caveat that you should never use that shared password for anything that even remotely has the potential to access something you find critical, like your personal or business email accounts. If your personal email is compromised, an attacker could easily gain access to other services you use, such as your financial institution, by requesting password resets on those sites. Typically, these password reset requests get sent automatically to the email address you have on file with them.
One tip I received from my 14-year-old nephew proved to be quite effective: forgo remembering any passwords at all and simply reset your password each time you use a web-based service. Most services require you to answer secret questions before resetting your password. Once you’ve answered those secret questions, an email is sent to the address they have on file for your user account with a brand new, complex password. You merely check your email for that new password, copy/paste, and you’re in. By using this feature, you can also gain some insight into the overall security of the service you’re subscribing to. If the site does not ask for answers to secret questions, it should serve as a warning that best-practice security measures may have been set aside for ease of use. If the email you receive from the site contains your existing password – in clear text – and the site hasn’t reset it prior to sending, the site clearly stores your password in a recoverable form rather than as a one-way hash, which is a sign that the site is likely in poor security standing. When I receive this type of reply, I tend to look elsewhere for competing services that maintain a higher level of security.
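The reset flow described above, written out as an added example (this is not Coalfire’s code): a site that keeps only salted hashes can gate a reset on the secret question and mail out a brand-new password, but it has no way to mail back the existing one. The PBKDF2 iteration count, the 16-byte salts and the 16-character password length are assumed choices for the example.

```python
import hashlib
import hmac
import os
import secrets
import string

ITERATIONS = 200_000  # PBKDF2 work factor (assumed value for this example)


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a password or a secret-question answer."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


def generate_password(length: int = 16) -> str:
    """Brand-new, complex password drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


class CredentialStore:
    """Stores only salts and one-way hashes, never a password itself."""

    def __init__(self):
        self.records = {}  # username -> {"pw_salt", "pw_hash", "qa_salt", "qa_hash"}

    def register(self, user: str, password: str, secret_answer: str) -> None:
        pw_salt, qa_salt = os.urandom(16), os.urandom(16)
        self.records[user] = {
            "pw_salt": pw_salt,
            "pw_hash": hash_secret(password, pw_salt),
            "qa_salt": qa_salt,
            # Normalise the answer so " Rover " and "rover" match.
            "qa_hash": hash_secret(secret_answer.strip().lower(), qa_salt),
        }

    def verify(self, user: str, password: str) -> bool:
        rec = self.records.get(user)
        if rec is None:
            return False
        return hmac.compare_digest(hash_secret(password, rec["pw_salt"]), rec["pw_hash"])

    def reset_password(self, user: str, secret_answer: str):
        """Secret-question gate, then a fresh password whose hash replaces the old one.
        Returns the new password for delivery to the e-mail on file, or None if refused."""
        rec = self.records.get(user)
        if rec is None or not hmac.compare_digest(
            hash_secret(secret_answer.strip().lower(), rec["qa_salt"]), rec["qa_hash"]
        ):
            return None
        new_password = generate_password()
        rec["pw_salt"] = os.urandom(16)
        rec["pw_hash"] = hash_secret(new_password, rec["pw_salt"])
        return new_password
```

A site built this way cannot produce the clear-text password the post warns about; the reply it sends can only ever contain a freshly generated one.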
- Mike Weber