One of my resolutions for the New Year is to upgrade my personal online security, and the top priority is to improve my password management strategy. Being a security professional, I am totally aware of the risks of weak/reused passwords and I am super paranoid about my online security. I have been using KeePass as my password manager for quite some time, but now I have moved to 1Password. This blog post summarizes my personal opinions/experiences in the process.
Who needs a Password Manager anyways?
I think this question is best answered by Troy Hunt's blog post - The only secure password is the one you can't remember. I would strongly suggest you read that post to answer the above question.
In summary, if:
- You use a unique password per website (say you have accounts in at least 20 different websites)
- Each password is "strong" (say, at least 15 characters long, non-guessable, with a combination of uppercase, lowercase, numbers and special characters)
Then there is no way you can remember all of them.
How about some intelligent password schemes?
You can use some intelligent schemes to create hard-to-guess but probably easy-to-remember passwords, e.g., Bruce Schneier has come up with this scheme. I have tried this for some time. This works only if you have, say, half a dozen passwords which you care about. This certainly does not scale. In fact, Bruce Schneier himself created a password manager - Password Safe - which is awesome by the way.
So yeah, if you have tens of passwords, you will need a password manager.
Why did I move away from KeePass ?
I've been using KeePass for a couple of years and it clearly delivers on its promises, so no complaints. The equation changed due to two main reasons:
Increased personal devices: I need my credentials on my personal laptop (Windows), mobile phone (iOS) and occasionally my tablet (Android-based). The official KeePass installer is Windows-only, but there are several unofficial installers for other platforms. Frankly, I am not comfortable using unofficial versions of a password manager whatsoever (my friend, who will most likely read this blog, uses an unofficial version of KeePass for his iPhone and I keep scaring him for fun :p). They may be secure, but I wouldn't use them. Maybe the issue is with my paranoia. Also, syncing across devices is still a pain.
Sharing accounts with family: I need to share some of my accounts (say online shopping, streaming etc.) with my spouse. I tried enforcing KeePass, but when clubbed with the above problem my family's convenience took priority over my paranoia and things were sub-optimal. I am pretty sure this is a common problem in every modern household.
So the time has come to switch to a web-based password manager which solves the above two problems for me.
Which web-based password manager is better?
I have explored some of the popular web-based password managers and they are all very competitive. Most of the popular password managers have many good features in common with 1Password, e.g. published security design and security audit reports, active bug bounty programs, password security reports and breach notifications, MFA support, cross-platform compatibility, good tech support etc. One of my friends uses Dashlane and it is pretty impressive. In fact, I was also considering Dashlane as an option, but went with 1Password due to the following reasons:
- Shared vault: This allows sharing accounts between family members - members log in to 1Password with their respective master passwords. This solves one of the major problems I have today.
- HaveIBeenPwned (HIBP) integration: I have been following HIBP's updates since its inception and its integration into 1Password definitely means something for me.
- Detailed security design: I guess the detailed security design whitepaper of 1Password (pdf) greatly influenced my decision to go with 1Password (yes, I am a little old school - I will be relatively easily sold if someone documents something that makes sense in good detail).
If not for the above reasons, I would have flipped a coin to decide between Dashlane and 1Password ;) But you will not go wrong if you choose one over the other.
What if 1Password gets compromised?
There are a bunch of conditions the attackers must meet to get away with my passwords and that includes compromising 2 things that 1Password does not have (my master secret and secret key). Instead of me writing a long story about it, I would simply refer to 1Password's security design whitepaper, which starts exactly with this assumption.
However, two things can happen (well, this applies to any password manager):
- Design vs implementation gaps: 1Password's implementation may or may not match 100% with what they documented in the design. Being an Application Security Engineer myself, I have seen this in many reputed software services. But given that 1Password has been around for 13 years, the chances of this being prevalent are very low.
- Bugs: Even if the implementation matches the design, it doesn't mean the software will not have bugs. Every software will have bugs. But given the reputed support structure they have and the critical business they are in, I'm sure patches will be rolled out super quick.
If you are still paranoid and if you are in IT consulting space, just switch places and think how your customers feel when you sell your cloud offering to them :)
MFA and Hardware security keys!
Even if things go absolutely haywire and my 1Password account is somehow gone, I still have MFA to my rescue. I have configured MFA on all the sites that support it, so that gives me additional assurance which is totally under my control. Check out this amazing blog post - Your Pa$$word doesn't matter by Alex Weinert - which highlights the importance of MFA.
To make things stronger, I use my physical hardware security key (Yubico's YubiKey 5 NFC) as my second factor and I have disabled SMS-based 2FA altogether. If you are following password security related research you would know why this is super important. Nevertheless, check this scary blog post - The Most Expensive Lesson Of My Life: Details of SIM port hack.
As a side note, check the following sites:
- TwoFactorAuth.org - List of websites which support 2FA
- Dongleauth.info - List of websites which support hardware security keys
- YubiKey catalog - List of websites which work with YubiKey
Thanks to the Watchtower feature of 1Password - this is what I was warned about as soon as I migrated my passwords from KeePass to 1Password:
To be fair to KeePass, the problem isn't with its password generation. Some of the passwords that I had in KeePass are probably more than a year old. I didn't generate them with KeePass, but created them by myself. I never knew, as I always pasted them from KeePass and assumed they were strong/unique. Also, I had not enabled MFA for 3 accounts and 1Password alerted me!
So I had an immediate win migrating to 1Password and this is totally worth it!
Frustrations with resetting passwords
While I was regenerating a bunch of passwords through 1Password and resetting them, I had a series of frustrations:
- A few websites did not allow passwords longer than a certain length, say 16 characters
- A few websites allowed only certain special characters, so I had to tweak my auto-generated passwords a little to satisfy the websites
- A few websites disable pasting in the password/confirm password fields. Imagine the pain involved in typing a 24-character auto-generated password!
If you are a web developer, make sure you design login forms with password managers in mind.
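As an added example (not code from the original post), here is one way to express the three form problems above in JavaScript: a restrictive password policy beside a manager-friendly one, plus a small audit of the attributes on a password input. The policies, the sample generated password and the markup are constructed for illustration.

```javascript
// Constructed policies: the restrictive one models the sites complained about
// above (16-character cap, short whitelist of specials, paste blocked);
// the friendly one accepts any generated password of reasonable length.
const RESTRICTIVE_POLICY = { maxLength: 16, allowedSpecials: "!@#$", allowPaste: false };
const FRIENDLY_POLICY = { maxLength: 128, allowedSpecials: null, allowPaste: true };

// Returns the reasons `password` would be rejected under `policy` (empty = accepted).
function rejectionReasons(policy, password) {
  const reasons = [];
  if (password.length < 8) reasons.push("shorter than 8 characters");
  if (password.length > policy.maxLength) {
    reasons.push(`longer than ${policy.maxLength} characters`);
  }
  if (policy.allowedSpecials !== null) {
    // Whitelist in force: any non-alphanumeric outside the whitelist is rejected.
    const bad = [...password].find(
      (ch) => !/[A-Za-z0-9]/.test(ch) && !policy.allowedSpecials.includes(ch)
    );
    if (bad !== undefined) reasons.push(`character ${JSON.stringify(bad)} not allowed`);
  }
  return reasons;
}

// Reads the attributes of one <input ...> tag (simple attribute scan, not a
// full HTML parser) and flags the ones that get in the way of a password manager.
function auditPasswordInput(tag) {
  const attrs = {};
  for (const m of tag.matchAll(/([a-zA-Z-]+)(?:="([^"]*)")?/g)) {
    attrs[m[1].toLowerCase()] = m[2] === undefined ? "" : m[2];
  }
  const findings = [];
  if ("onpaste" in attrs) findings.push("onpaste handler blocks pasting a generated password");
  const max = Number(attrs.maxlength);
  if (attrs.maxlength !== undefined && max < 64) {
    findings.push(`maxlength=${max} rejects long generated passwords`);
  }
  if (attrs.autocomplete === "off") {
    findings.push("autocomplete=off discourages the manager from filling the field");
  } else if (!["new-password", "current-password"].includes(attrs.autocomplete)) {
    findings.push("missing autocomplete=new-password/current-password hint");
  }
  return findings;
}

// Constructed 24-character generated password and two constructed input tags.
const GENERATED_PW = "k7#Qm2%vLp9!Rx4&Wz8@Nc3$";
const BAD_INPUT = '<input type="password" name="pw" maxlength="16" onpaste="return false" autocomplete="off">';
const GOOD_INPUT = '<input type="password" name="pw" minlength="8" maxlength="128" autocomplete="new-password">';
```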
Why did I write this post?
Well, I am pretty sure someone would go through the same dilemma I was in if they are considering a web-based password manager. So I thought I could spare them some time and give them some peace of mind by sharing my opinions/experiences.
Happy New Year everyone! Wish you a year of improved online security :)
Stay Hungry, Stay Foolish, and Stay Secure!!