Ask Mr. Science: How to securely manage your passwords

Too many passwords

Panel from “Dilbert” by Scott Adams for April 6, 1998. Full strip here.

Hi there, Mr. Science!

Hello, Bobby! It’s nice to see you again.

I have a question, Mr. Science. With all the different sites that are getting hacked these days, what can I do to protect my personal information online?

Why, I’m glad you asked, Bobby! The first thing you need to do is start practicing good password hygiene.

Password hygiene? What’s that, Mr. Science?

Have a seat, Bobby, and I’ll explain.

The first thing you need to understand about passwords is that you can only stay secure if you use a different one for every Web site and app and online service you need to log into, because each of those systems is a target for hackers. And if you use the same password everywhere, when those hackers actually get into one of those systems and pull your password out of it, they now can log in as you everywhere. So the only way to compartmentalize the risk is to use a different password for each service.

That makes sense, Mr. Science.

But this is complicated, of course, by the fact there are┬áso many services in our lives that require passwords these days. Your bank needs one. Your credit card needs one. Your email needs one. Your Facebook and Twitter and Tumblr accounts all need one. The first step to doing anything online is always setting up yet another username and password. And if you diligently try to do the right thing and give each one its own unique password, you quickly discover that there are so many that it’s impossible to remember them all, or which one goes where.

Gosh, Mr. Science, you’re not just whistling Dixie! I’ve got so many online accounts I can hardly keep them all straight.

Nobody can, Bobby. So what you need is a tool which can remember all that stuff for you. And that kind of tool is called a “password manager.

A password manager is a computer program that remembers all your passwords, so you don’t have to. They’re basically little databases that keep track of which usernames and passwords go with which sites. Then, when it’s time to log in, you just copy the password from your password manager and paste it into the appropriate password field. And many of them will even integrate with your browser, so that you don’t even have to copy and paste; the right password just gets inserted automatically.

That sounds convenient, Mr. Science! Computers are way better at remembering things than I am. But my browser can already remember my passwords for me. Isn’t that enough?

Not really, no; the security level of browsers’ built-in password managers are all over the map. So you really want a purpose-built tool for this sort of thing.

So which one should I use?

Well, that depends, Bobby.

Depends on what?

Well, basically there’s two types of password managers: online password managers, and offline ones. Online password managers connect to an online service, and store all your password information there. (Example: LastPass.) Offline password managers, on the other hand, store your passwords in an encrypted “vault” on your PC itself. (Examples: KeePass, Password Safe.) Some password managers, meanwhile, try to straddle this distinction by letting you choose whether to store your data locally or remotely. (Examples: Dashlane, 1Password.)

Gee whillikers, Mr. Science. I don’t care about all this stuff. Why do I need to pay attention to it?

Because, Bobby, there’s an important tradeoff you make when you decide where to store your password database.

Online managers are super convenient, because your data is always available, regardless of which machine you happen to be using at the moment. (As long as you have an Internet connection, at least.) But if your data lives on some remote server out in the cloud somewhere, it’s only as secure as that server is — if the server gets hacked, all your passwords are potentially at risk.

Offline managers are (theoretically) more secure, because your data isn’t sitting on a remote machine that’s a juicy target for hackers because it’s mixed up with a bunch of other peoples’ data too. But now, if you use more than one PC, you need to figure out a way to synchronize the password database between them so that they all have an up-to-date version of it available. And you have to be careful how you do this, because you certainly don’t want someone being able to grab a copy of the database as it zips between one machine and the others!

So there’s no clear one that’s better than the other, Mr. Science?

That’s right, Bobby. There’s no absolute winner and loser here, just different sets of tradeoffs that are more or less appropriate for different kinds of people.

But I’m just a kid, Mr. Science. I don’t know which is better or worse for me. Maybe I should just pick a password manager that can work either way?

If you don’t feel qualified to decide between offline and online password managers, what makes you sure you’ll make the right decision if the tool just leaves it up to you?

Gee.

And we haven’t even gotten into the distinction between open-source password managers versus commercial ones, either. (Open source is generally preferred for security tools, because it means that third parties can audit them to make sure they’re not doing something nasty behind the scenes. But open-source tools are generally less polished and easy to use than commercial, closed alternatives. So now we’re looking at trading off security and convenience again.)

Or the question of whether the password manager you want to use is available on all the platforms you do your computing on. There’s nothing less fun than loading all your passwords into a manager on your Windows PC, only to discover that there’s no way to open the database on your Mac laptop.

All my computers run Windows, Mr. Science. So —

All of them, Bobby? Even your mobile phone?

Ohhhh.

A modern smartphone is basically just a computer that fits in your pocket, Bobby. You probably have a bunch of sites and services you connect to through it, so you’re going to want to have access to your password vault there too.

Except that the vast majority of smartphones on the market are running mobile-specific operating systems like Apple’s iOS or Google’s Android, so you can’t just load the app you use on your desktop and laptop onto them.

Gosh, Mr. Science. I don’t even know where to begin with all these decisions. I give up! Just tell me what you use, OK?

I use an offline password manager, syncing the database between machines using the (Edward Snowden-approved) file syncing service SpiderOak.

Hooray! We’re done now, right?

Sorry, Bobby, but no. Now that we have a password manager, we have to figure out how to use it securely.

Yo dawg I heard you like passwords

Oh no. What?

Think of it this way, Bobby. Regardless of whether you store your password vault locally or remotely, it’s basically the same thing — a little box you’re loading a bunch of really sensitive information into. A good password manager will encrypt that box, so people can’t just pop it open and start rooting around in it. But you need to be able to open it, or else it’s useless, right? So we need to set it up so that you, and only you, can do that.

That makes sense, Mr. Science.

Out of the box, most password managers handle this by having you create a “master password.” Which is exactly what it sounds like: one more password, this one to be used to unlock the box where all the other passwords are stored.

But Mr. Science, I thought the point of all this was that I wouldn’t have to remember passwords anymore!

You won’t! Except for this one, I mean. Which you are definitely going to have to remember.

Oh.

And did I mention how if you ever forget the master password, your password database will become completely inaccessible? That’s right, there’s no way to reset it if the password database is actually secure. (Some managers do offer a password reset option; this is a good indication that behind the scenes data stored with them is not actually 100% locked up.)

Argh!

I know, right? So you’ll probably want to write your master password down somewhere, just in case.

Wait, isn’t writing down passwords a terrible idea, security-wise?

Oh, most definitely!

And isn’t this password now like the one most important password in my entire life?

Yup.

So why would I ever write it down, Mr. Science?

In case you forget it.

But now all someone needs is to find the place I wrote it down, and they can see all my passwords!

Right. So we need to take this a step further. We need two-factor authentication.

What’s that, Mr. Science?

Security nerd-speak for setting up your database so that it can’t be opened with a single key. You need two keys, used together, instead. And ideally, those keys will be completely different kinds of things, so that it’s hard to lose them both at once.

What do you mean, different kinds of things?

Imagine a simple padlock that you open by twirling the dial to a particular combination, Bobby. This lock has a key, but the key isn’t anything you can touch — it’s that combination of numbers, which is a secret you carry around in your head. Security nerds call this type of key “something you know.”

Now, think of the front door on your house. You probably don’t open it with anything you carry around in your head; most likely you open it with an actual object, a physical key. Without that object, the lock can’t be opened. This is a different type of key — “something you have.”

In a good two-factor authentication setup, to get access to the data that’s behind the encryption, you need to provide both of those kinds of keys. (Hence the name — two kinds of keys means two “factors.”) You need something you know, like the master password. But you also need something you have — some physical object that the system is set up to recognize as a valid key. It’s the combination of both these things that unlocks the data.

So with this type of setup, it doesn’t matter if you have your master password written down somewhere, Bobby. Nobody can open your password vault unless they have the matching physical key as well.

So how do I get one of these physical keys? I can just go down to Best Buy and buy one, right?

Nope. Nobody’s really created a good physical authentication token for consumers yet. (There’s options for big business, but they’re crazy expensive.) So you’re probably going to need to roll your own.

Oh.

There’s some different ways you can do this. One is to install some software on your smartphone; this turns the phone into a type of physical key. (Example: Google Authenticator.) There’s some setups you can do that use an encryption key stored in a file that you carry around on a USB memory stick. Or you can try a device like a YubiKey, though in my experience those don’t really work very well.

I dunno, Mr. Science. This all sounds really complicated.

It’s not for me, Bobby! I actually enjoy it. In fact, I put aside a little time every week to review my password management strategy, lingering thoughtfully over the merits of various peer-reviewed encryption protocols.

You’re weird, Mr. Science.

Don’t judge me, Bobby.

But what are people who don’t enjoy all this stuff supposed to do to stay safe online, Mr. Science? I mean, I think I understood everything you just explained, but I could never explain it to the other kids in my school.

You are correct, Bobby; unlike you and I, most people are stupid.

And even if I could explain it to them, they’d never follow it all, you know? It’s just too much work.

Or lazy, I mean. Stupid or lazy. Or both! Many people are both.

Well, yeah, Mr. Science. But just because someone is stupid or lazy, that doesn’t mean they deserve to get hacked, right? Shouldn’t even stupid and lazy people have some protection online?

You’re starting to sound like a Communist, Bobby. You’re not a Communist, are you?

Gosh no!

That’s a relief.

Thanks, Mr. Science!!!