I've enjoyed delivering training to fellow educators at various points over the last ten years. However, whenever I am giving a session about privacy, more often than not I have had colleagues claiming to have been hacked in various ways. Wunderkind hackers aside, the odds of someone brute-forcing their way into your Google, Facebook or whatever account is ridiculously low. Far more likely is having a poor password, or leaving your device unlocked and unattended. It almost seems sometimes like people know that they have a terrible method of choosing passwords, but never seem to address this problem. The main problems as I see it are;

  1. Passwords can be easily worked out by computers using a dictionary-style attack.
  2. Passwords are re-used as people cannot remember multiple passwords for the multitude of different services they have signed up to.
  3. The combination of the previous points results in easily decoded patterns of behaviour making a data breach in one service automatically a data breach in other services.

Some of this can be blamed on IT department password policies which, in fairness, have rarely given advice that lends itself to some level of convenience for a user alongside their security. Indeed, the convenience vs security tradeoff underpins so much of the drive towards more secure computing for everyone. This post was somewhat inspired by this post and presentation (apologies for youtube content…ad blockers and anti-tracking plugins at the ready!);

What I find interesting about this is how the mathematical approach to making complex passwords has largely been a failure without consideration of how people use and interact with computers. I like the current thinking around pass phrases instead of pass words as it seems an elegant way of potentially marrying the mathematical with a more human-like approach to authentication security. Indeed, John Oliver spoke to Edward Snowden about it here;

However this is no silver-bullet. While the result of this phrases approach makes a dictionary attack far less likely, it does not address the aforementioned second and third issues. Certainly the most secure password is one that the user doesn't even know themselves. As usual, xkcd already considered this;

xkcd-security

In this case, an approach to satisying all of the issues mentioned previously, a password needs to be complex enough to avoid dictionary attacks and individualised for each service to avoid the potential for decoding of patterns. For this reason I believe a password manager, particularly one that is self-hosted, is the way forward. This gives a balance of security and convenience to users.

I have previously written about Bitwarden in this post as I feel it is one of the best solutions available at the moment. There are others, but as far as I am aware they cannot be self-hosted. For me this places an enormous amount of trust in an external organisation. I have found that the different Bitwarden clients available work for almost every browser and mobile device in widespread useage today and they have worked flawlessly for me. The integrated password generator allows for every service to have a separate, completely complex password. In short, I can be hit over the head with a $5 wrench as many times as possible but I essentially do not know my own password to my email account or any other online account.

However…

No security practice is fail-proof. Password managers still require a master password to access their database. In reality, if this becomes known it gives access on an unprecedented scale to a persons private passwords. That said, I feel the trade off if combined with the pass phrase over pass word approach is worthwhile. It seems more secure to me to try and maintain high security on a single passphrase than with multiple passwords/phrases or whatever. I feel that the latter simply lends itself to some form of repetition as we as humans simply cannot cope with that many different unique phrases for different services. To that end, it seems inevitable that some form of decodable pattern will emerge.

With all this said, it has to be stressed that security is a moving target. Having a password manager does not magically give you online security. It merely changes the type of attack which would need to be launched in order to acquire your data from dictionary brute-forcing to trying to brute-force your master password or even break into the database. There will always be a trade-off between security and convenience, but for now I feel that this approach to passwords is the best balance between the two…but it might be worth investing in a hard hat incase of $5 wrenches being wielded against you.