
Password Problems

Comments

  • k_man
    k_man Posts: 1,636 Forumite
    I just need to remember the one to access the password manager. 

    There is a risk though. If I was to forget that password, I would have to spend a lot of time trying to regain access to accounts I cannot access via biometrics. 

    I also personally do not record that password anywhere but in my head. 
    Or, what about this: you establish an email account that no one knows about and you never use and has no identifying features, choosing one that can send 'out of office' replies. You compose an 'out of office' reply which is your PW manager master password. If you forget it, you simply send yourself an email and back comes the password. 

    Or, you 'pepper' your master password (which is %dfj20?#hiermgi) by adding to the end of it one word or number sequence you can remember. You hide the '%dfj20?#hiermgi' fairly well, but if anyone finds it they're still missing the 'pepper'. The number sequence could be the phone number of a 'friend' in your contacts list who actually doesn't exist, but the baddies don't know who your friends aren't. Use my name; I'll never be your friend!
    I am not keen on the auto reply suggestion.
    This has the potential to leave a copy of your master password in your email account, so should that account be compromised your password manager may follow.
    (When an email account is compromised, hackers can automatically scan the email for passwords, or strings that look like passwords).
    Also gives the password to any spammer that happens to message that account (email recipient addresses are often auto-generated by spammers).
    If this then looks like a password, it gets added to the big lists of passwords on the Internet.

    Storing the one really important password online is not good security practice, unless it is encrypted, which just moves the problem one step down (need to remember the encryption key).


    The pepper can work, but needs to be done well.
    <random password><memorableword> 
    doesn't take much deciphering
    e.g.
    %dfj20?#hiermgiJohnWinder

    Adding pepper (or salt) is a legitimate password storage method, but as part of encryption, or hashing, not plain text storage.

    Mmmm, length. Not sure writing the number '1' sixteen times is a great choice. I think we need to consider the randomness of the choice of characters and the number of possible characters in each of the sixteen spaces.

    While 111111.. etc is bad, that is actually just because it will already be out there in password lists, and is a bit too simple (and vulnerable to shoulder surfing)

    (Although not according to

    Whereas 01234567890123456 has been in leaks 9000 times)

     and would be first on the brute force passwords to try (if using ascending alpha numeric).
    Albeit that latter relies on brute force systems that are even attempting 16 character passwords, which is very unlikely, unless there is also an indication that only numeric characters were used.
    Brute forcing 16 characters, based on a complex character set still takes a very long time (for now).

    Once a small level of complexity has been added, length and uniqueness (as the most complex long password that is reused and that has been leaked is no longer secure) are by far the most important factors.

    Add 2FA and you are good to go.

    https://www.auditboard.com/blog/nist-password-guidelines/

    As of 2021, NIST has added suggestions that users focus on password length over complexity,

    https://www.ncsc.gov.uk/collection/passwords/updating-your-approach

    Do not use complexity requirements 
    Using complexity requirements (that is, where staff can only use passwords that are suitably complex) is a poor defence against guessing attacks


  • IvanOpinion
    IvanOpinion Posts: 22,136 Forumite
    edited 18 June 2022 at 9:38AM
    Mmmm, length. Not sure writing the number '1' sixteen times is a great choice. I think we need to consider the randomness of the choice of characters and the number of possible characters in each of the sixteen spaces.
    True, I made the mistake of assuming common sense, so to clarify I would not recommend all 1's or any other character (although to be fair all 1's is probably more secure than much shorter random passwords).

    But memorable is more important than random.  In fact I now advise against changing passwords, but instead advise extending them.
    I don't care about your first world problems; I have enough of my own!
  • JohnWinder
    JohnWinder Posts: 1,862 Forumite
    I am not keen on the auto reply suggestion.
    This has the potential to leave a copy of your master password in your email account, so should that account be compromised your password manager may follow.
    (When an email account is compromised, hackers can automatically scan the email for passwords, or strings that look like passwords).
    Also gives the password to any spammer that happens to message that account (email recipient addresses are often auto-generated by spammers).
    If this then looks like a password, it gets added to the big lists of passwords on the Internet.

    Storing the one really important password online is not good security practice, unless it is encrypted, which just moves the problem one step down (need to remember the encryption key).
    I agree it's not a brilliant solution, but this sort of security is a balance between secure and practical. If you can't remember a master password it can be written somewhere accessible as a second class solution.
    What about an encrypted email account like tutanota? 'The built-in encryption guarantees that your mailbox belongs to you: Nobody can decrypt or read your data.'  If that's sound, it only leaves the spammer who happens to send you an email at '$#09485sigturn)4>dfeyp-ksf+weiru%9034@tutanota.com', and waits for the auto-reply. Don't know how to avoid that, but if you protect the PW manager with 2FA it's less of a problem.
  • Prism
    Prism Posts: 3,848 Forumite
    Mmmm, length. Not sure writing the number '1' sixteen times is a great choice. I think we need to consider the randomness of the choice of characters and the number of possible characters in each of the sixteen spaces.
    It's because the only time password complexity really matters is when the identity database is stolen from the organization. At that point it makes little difference if the password is 'Tomato1' or 'T0m4t0!' - both will fall in very little time. However 'TomatoesAreFruits' will take much longer to hack simply because it's longer.

    All this assumes that people don't choose a really simple password. Having said that, I imagine that sixteen 1's is still a better password than a complex eight character one.
  • masonic
    masonic Posts: 27,360 Forumite
    edited 18 June 2022 at 10:37AM
    Prism said:

    All this assumes that people don't choose a really simple password. Having said that, I imagine that sixteen 1's is still a better password than a complex eight character one.

    There's a tendency to run 'common' and simple passwords through the system before moving on to a full brute force scan of complex ones. It is low-hanging fruit. Whether sixteen 1's is appreciably stronger than six 1's or the classic 123456, monkey123, qwertyasd et al is therefore debatable. A password of 5 random words (from a dictionary of 2000) would, however, be quite sufficient and much much stronger than a complex password of 8 characters. Of course there are still websites/apps which set a maximum password length, some as low as 8 characters, so we must all adapt to the situation presented.
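As an added illustration of masonic's and Prism's point about length versus complexity (example code written for this page, not from the thread; the alphabet sizes, the 1e10 guesses/s offline rate and the wordlist rank of the leaked password are assumptions):

```python
import math

# Password schemes discussed in the thread as (symbols per position, positions).
# Alphabet sizes are assumptions for the demo: 95 printable ASCII for a "complex"
# password, 10 for digits, 2000 for masonic's word dictionary, 26 for a
# letters-only passphrase attacked with a letters-only character set.
SCHEMES = {
    "complex 8 chars": (95, 8),
    "sixteen digits": (10, 16),
    "5 words from 2000": (2000, 5),
    "17 letters (TomatoesAreFruits)": (26, 17),
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from an alphabet."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need alphabet_size >= 2 and length >= 1")
    return length * math.log2(alphabet_size)


def list_rank_bits(rank: int) -> float:
    """Effective strength of a password sitting at position `rank` in the
    attacker's leak-derived wordlist: it falls after `rank` guesses whatever
    its length, which is why sixteen 1's gains little over six."""
    if rank < 1:
        raise ValueError("rank starts at 1")
    return math.log2(rank)


def expected_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a password of the given strength; on average the
    attacker searches half the space before hitting it."""
    return (2.0 ** bits / 2.0) / guesses_per_second / SECONDS_PER_YEAR


def compare(guesses_per_second: float = 1e10) -> dict:
    """Rank the thread's schemes by entropy at an assumed offline guess rate."""
    table = {}
    for label, (alphabet, length) in SCHEMES.items():
        bits = entropy_bits(alphabet, length)
        table[label] = (round(bits, 1), expected_years(bits, guesses_per_second))
    # Constructed wordlist position for a leaked password such as 01234567890123456:
    # length no longer matters once it is in the list.
    leaked = list_rank_bits(1_000_000)
    table["leaked, rank 1000000 in wordlist"] = (
        round(leaked, 1), expected_years(leaked, guesses_per_second))
    return dict(sorted(table.items(), key=lambda kv: kv[1][0]))


if __name__ == "__main__":
    for label, (bits, years) in compare().items():
        print(f"{label:34} {bits:6.1f} bits  ~{years:.2e} years at 1e10 guesses/s")
```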
  • k_man
    k_man Posts: 1,636 Forumite
    Mmmm, length. Not sure writing the number '1' sixteen times is a great choice. I think we need to consider the randomness of the choice of characters and the number of possible characters in each of the sixteen spaces.
    True, I made the mistake of assuming common sense, so to clarify I would not recommend all 1's or any other character (although to be fair all 1's is probably more secure than much shorter random passwords).

    But memorable is more important than random.  In fact I now advise against changing passwords, but instead advise extending them.
    And if you can reduce the number you have to remember, the ones you do are likely to be 'better'.

    Just checked, and I have over 400 entries for passwords (or similar secrets, keys, PINs etc) in my password manager.
    I am not going to remember all those without compromising security (reusing, using patterns, common phrases etc).
    My case may be extreme, but most of us have many 10s of passwords.

    Most people's brains are going to struggle to do all that in memory.

    JohnWinder said:
    I am not keen on the auto reply suggestion.
    This has the potential to leave a copy of your master password in your email account, so should that account be compromised your password manager may follow.
    (When an email account is compromised, hackers can automatically scan the email for passwords, or strings that look like passwords).
    Also gives the password to any spammer that happens to message that account (email recipient addresses are often auto-generated by spammers).
    If this then looks like a password, it gets added to the big lists of passwords on the Internet.

    Storing the one really important password online is not good security practice, unless it is encrypted, which just moves the problem one step down (need to remember the encryption key).
    I agree it's not a brilliant solution, but this sort of security is a balance between secure and practical. If you can't remember a master password it can be written somewhere accessible as a second class solution.

    What about an encrypted email account like tutanota? 'The built-in encryption guarantees that your mailbox belongs to you: Nobody can decrypt or read your data.'  If that's sound, it only leaves the spammer who happens to send you an email at '$#09485sigturn)4>dfeyp-ksf+weiru%9034@tutanota.com', and waits for the auto-reply. Don't know how to avoid that, but if you protect the PW manager with 2FA it's less of a problem.
    I wasn't even thinking of the security of the auto reply mailbox. This was more:

    Forgot password
    Go to normal email client
    (Assuming that the password isn't in the password manager!)
    Send to special mailbox (ideally not saved as contact Master password)
    The AutoReply with password is now in normal email client.
    Possibly goes into deleted items
    Possibly Deleted items then do get securely deleted
    Or, it is kept in main email for next time it is forgotten!

    I just get nervous about a password being transmitted via the same channel/medium that is often used for other elements of security.
    The mailbox can inadvertently become an unplanned password manager, also used for account recovery for multiple systems.

    As you suggest though, using 2FA is an easy win to reduce many of the password related risks.
    (Unless 2FA recovery defaults to email... Which many systems do.)


  • JohnWinder
    JohnWinder Posts: 1,862 Forumite
    k_man said:

    What about an encrypted email account like tutanota? 'The built-in encryption guarantees that your mailbox belongs to you: Nobody can decrypt or read your data.'  If that's sound, it only leaves the spammer who happens to send you an email at '$#09485sigturn)4>dfeyp-ksf+weiru%9034@tutanota.com', and waits for the auto-reply. Don't know how to avoid that, but if you protect the PW manager with 2FA it's less of a problem.
    I wasn't even thinking of the security of the auto reply mailbox. This was more:

    Forgot password
    Go to normal email client
    (Assuming that the password isn't in the password manager!)
    Send to special mailbox (ideally not saved as contact Master password)
    The AutoReply with password is now in normal email client.
    Possibly goes into deleted items
    Possibly Deleted items then do get securely deleted
    Or, it is kept in main email for next time it is forgotten!

    I just get nervous about a password being transmitted via the same channel/medium that is often used for other elements of security.
    The mailbox can inadvertently become an unplanned password manager, also used for account recovery for multiple systems.

    As you suggest though, using 2FA is an easy win to reduce many of the password related risks.
    (Unless 2FA recovery defaults to email... Which many systems do.)


    Possibly goes into deleted items.. THEN HAVE A LOOK THERE. 
    Or, it is kept in main email for next time it is forgotten. NO, SORRY I DIDN'T SPELL IT OUT: NOW YOU HAVE ACCESS TO YOUR PW MANAGER, YOU CHANGE THE MASTER PW AND TO BE CLEAR YOU CHANGE YOUR OUT OF OFFICE REPLY. 
    I just get nervous about a password being transmitted via the same channel/medium that is often used for other elements of security.  WHAT OTHER ELEMENT OF ACCESSING YOUR PW MANAGER IS USING EMAIL?
    The mailbox can inadvertently become an unplanned password manager, also used for account recovery for multiple systems. VIDE SUPRA, CHANGE THE MASTER PW, AND KEEP USING ENCRYPTED EMAIL SERVICES LIKE HUSHMAIL, COUNTERMAIL ETC. WOULD THAT SOLVE IT?
  • k_man
    k_man Posts: 1,636 Forumite
    edited 18 June 2022 at 2:39PM
    k_man said:

    What about an encrypted email account like tutanota? 'The built-in encryption guarantees that your mailbox belongs to you: Nobody can decrypt or read your data.'  If that's sound, it only leaves the spammer who happens to send you an email at '$#09485sigturn)4>dfeyp-ksf+weiru%9034@tutanota.com', and waits for the auto-reply. Don't know how to avoid that, but if you protect the PW manager with 2FA it's less of a problem.
    I wasn't even thinking of the security of the auto reply mailbox. This was more:

    Forgot password
    Go to normal email client
    (Assuming that the password isn't in the password manager!)
    Send to special mailbox (ideally not saved as contact Master password)
    The AutoReply with password is now in normal email client.
    Possibly goes into deleted items
    Possibly Deleted items then do get securely deleted
    Or, it is kept in main email for next time it is forgotten!

    I just get nervous about a password being transmitted via the same channel/medium that is often used for other elements of security.
    The mailbox can inadvertently become an unplanned password manager, also used for account recovery for multiple systems.

    As you suggest though, using 2FA is an easy win to reduce many of the password related risks.
    (Unless 2FA recovery defaults to email... Which many systems do.)


    Possibly goes into deleted items.. THEN HAVE A LOOK THERE. 
    Or, it is kept in main email for next time it is forgotten. NO, SORRY I DIDN'T SPELL IT OUT: NOW YOU HAVE ACCESS TO YOUR PW MANAGER, YOU CHANGE THE MASTER PW AND TO BE CLEAR YOU CHANGE YOUR OUT OF OFFICE REPLY. 
    I just get nervous about a password being transmitted via the same channel/medium that is often used for other elements of security.  WHAT OTHER ELEMENT OF ACCESSING YOUR PW MANAGER IS USING EMAIL?
    The mailbox can inadvertently become an unplanned password manager, also used for account recovery for multiple systems. VIDE SUPRA, CHANGE THE MASTER PW, AND KEEP USING ENCRYPTED EMAIL SERVICES LIKE HUSHMAIL, COUNTERMAIL ETC. WOULD THAT SOLVE IT?
    As we know, what we should do, and actually do are not the same, and we can slip into bad habits.
    I think we have all at some point thought... I will just temporarily:
    Use a simple password, and change it later
    Save it in Notepad
    Keep that email copy of sensitive data

    And then not tidied up later....

    I prefer to avoid the temptation so try not to give myself a chance to forget to clean up.

    I just get nervous about a password being transmitted via the same channel/medium that is often used for other elements of security. WHAT OTHER ELEMENT OF ACCESSING YOUR PW MANAGER IS USING EMAIL?

    Many systems, including some password managers allow email for lost 2FA recovery.
    Good practice to keep them separate.
  • JohnWinder
    JohnWinder Posts: 1,862 Forumite
    edited 19 June 2022 at 5:43AM
    Or, what about exporting a copy of your PW manager to a backup file which you encrypt with a different password, and store off your computer. Your encrypted email account with an out of office reply that used to send the master password to you, is now sending you the password to that encrypted backup file?
    Any baddie lucky enough to elicit your out of office reply now has to find the backup file which the password opens.
  • k_man
    k_man Posts: 1,636 Forumite
    edited 19 June 2022 at 9:33AM
    Or, what about exporting a copy of your PW manager to a backup file which you encrypt with a different password, and store off your computer. Your encrypted email account with an out of office reply that used to send the master password to you, is now sending you the password to that encrypted backup file?
    Any baddie lucky enough to elicit your out of office reply now has to find the backup file which the password opens.
    Firstly apologies to everyone else for the digression!

    That is quite a 'secure' solution but cumbersome (which reduces effective security as it impacts usability and so availability):

    It requires frequent backups of the password manager data (my passwords and other data stored in my password manager are updated or added to often).
    Backups/export of password manager data often involve a plain text step*, so that introduces another risk step, that needs to be carefully cleaned up.

    This method also removes/ bypasses the 2FA protection.

    (That said having a backup of password manager data is a good idea, but this was more focussing on forgotten passwords)

    A modified version is an offline encrypted file (encryption password in your AutoReply mail account), that contains only the master password. So that file only needs updating when the master password changes (much less often). 2FA still protects the live data.

    This works, as long as
    There is no copy of the unencrypted version of the file left on the computer (FYI some malware can search for deleted files).
    The encryption is using a robust method, not susceptible to brute force.
    Copy of the encrypted file is kept somewhere safe and offline

    It probably isn't actually significantly more secure than a paper copy of the password, stored somewhere safe (as that leaves no traces on the computer).

    Another solution is to split the password, and share parts with different people.
    The solution I prefer is the phone a friend/ emergency access.

    * an offline copy (in this context, offline meaning not connected to password manager) of the password manager database itself, encrypted with the master key introduces/increases the risk of brute force offline attacks, where software modifications can remove the lockout mechanisms.
    Albeit a properly configured password manager (that allows offline access) should make even this difficult by using a large number of iterations of encryption to slow down brute force. But cloud computing 'cracking' can make even this less protection than hoped.
    ETA:
    Full offline copies also use the password at that time, so any offline attacks using old passwords (e.g. from when 8 characters was considered enough!) are possible.
    As such even encrypted data needs to be treated as sensitive.
    E.g. your master password leaks (accidentally typed in the wrong text box, potential keylogger), but 2FA protects you, or you realise in time and change your master password. Any offline db copies are now at risk.
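k_man makes two points above that a worked example ties together: that salt and pepper belong in hashed storage rather than plain text (the reply to the 'pepper' idea), and that a large iteration count is what slows an offline brute force against a stolen database (the footnote on offline copies). This is example code written for this page, not from the thread; the pepper value is constructed, the 600,000 iteration work factor is a chosen assumption, and the sample password is the one quoted in the thread.

```python
import hashlib
import hmac
import secrets
import time

# Constructed secret for the demo. In a real deployment the pepper lives outside
# the credential database (environment, KMS, HSM), never beside the salts and hashes,
# so a stolen database alone gives the attacker nothing to start guessing against.
PEPPER = bytes.fromhex("9f1c0b7a4e3d2c1b0a9f8e7d6c5b4a392817161514131211")  # constructed
ITERATIONS = 600_000  # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16


def _pepper(password: str, pepper: bytes) -> bytes:
    """Bind the password to the secret pepper before the slow hash."""
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex)."""
    salt = secrets.token_bytes(SALT_BYTES)  # unique per password: no shared rainbow tables
    digest = hashlib.pbkdf2_hmac("sha256", _pepper(password, pepper), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    actual = hashlib.pbkdf2_hmac("sha256", _pepper(password, pepper),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(actual, bytes.fromhex(digest_hex))


def offline_guess_rate(iterations: int, samples: int = 3) -> float:
    """Guesses per second one core of this machine manages at a given work factor:
    the iteration count is exactly what makes an offline attack slow."""
    salt = b"\x00" * SALT_BYTES
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"guess", salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    record = hash_password("%dfj20?#hiermgi")  # sample password quoted in the thread
    print(record)
    print("correct password, right pepper:", verify_password("%dfj20?#hiermgi", record))
    print("correct password, wrong pepper:", verify_password("%dfj20?#hiermgi", record, b"other"))
    print(f"{offline_guess_rate(ITERATIONS):.1f} guesses/s at {ITERATIONS} iterations, "
          f"{offline_guess_rate(1000):.0f} guesses/s at 1000")
```

The last line is the practical point of the footnote: an attacker holding an offline copy is limited only by this per-guess cost and their hardware, so the stored record must be treated as sensitive even though it is hashed.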