Here’s our latest Naked Security Live talk, where we answer the thorny question, “What if my password manager gets hacked?”
We often recommend password managers, as we did last week in our article Cybersecurity tips for university students.
We especially recommend password managers for people who would otherwise be inclined to take risky shortcuts, such as using the same password on every site (please don’t do that!)…
…but we also have to admit that a password manager is pretty much like putting all your eggs in one basket: if you drop the basket, you could lose everything in one go.
Watch now to hear our advice on how to deal with this dilemma:
Watch directly on YouTube if the video won’t play here.
Click the Settings cog to speed up playback or show subtitles.
Don’t forget that these talks are streamed weekly on our Facebook page, where you can catch us live every Friday.
We’re normally on air some time between 18:00 and 19:00 in the UK (late morning/early afternoon in North America).
Just keep an eye on the @NakedSecurity Twitter feed or check our Facebook page on Fridays to find out the time we’ll be live.
Laurence Marks
A return to the text format (or a transcript) would be nice. I don’t have the time or video-attention-span for a 21-minute video.
Paul Ducklin
Hmmm. We have never published video transcripts, so there is nothing to “return to” :-)
We do have plenty of written articles on password managers and how to secure them (just search on the site for “password manager”), so those who prefer to read and not to watch should be well cared for anyway.
Remember that our videos, like our podcasts (which are typically about 45 minutes long), are created in addition to, rather than instead of, our written content. We make videos and podcasts because a significant minority of our readers like to consume content in visual and audio form as well as in writing. Our experience has been that videos and podcasts, when transcribed, don’t make good written articles simply because written and spoken English are effectively different languages.
Having said that, my voice is surprisingly clear at YouTube’s 1.75x speed, even at 2x. And if you turn on captions at that speed you will get a sort of combo vidarticle/artideo that takes 10 minutes. Perhaps that’s a sort of half-way-house solution you could try?
PS. Transcriptions fall to me to do. It takes me hours, because I am not a stenographer, and I really mean that it takes hours. When we’ve tried transcripts for podcasts because listeners said how important they were, we used to get about 20 page views of the transcript, and that was in a good week. Often it was lower than that. From this we inferred that we should let videos and podcasts be just what they are: videos and podcasts. HtH.
Anonymous
Just turn up the volume and set the speed to 2x…
Simon McAllister
There’s some meat on the bone there that can help everyone, so it’s well worth the 21-minute listen. I was brushing my teeth during some of that, Laurence ;)
And lmao at “1.75 speed” etc in Paul’s comment above. Like Louis in Ghostbusters with his workout videos :D
Paul Ducklin
Thanks, I appreciate your kind words!
Just in case anyone doesn’t realise: YouTube “speedup” is like a good podcast player’s speedup – at 2x the time is halved but the pitch is not shifted, so it doesn’t sound squeaky like a 33-1/3rpm record played at 45rpm or 78rpm would. (Discrete Cosine Transform FTW.) In other words, I sound like me only faster, not like a chipmunk.
John Knops
One password for each site is good risk management. I have several credit cards I carry and they all have the same “PIN” number. I need the PIN for purchases over $100. Now if I had different numbers for each of 5 cards I would be confused. A slip of paper in my wallet to remind me is the same as no PIN when the wallet is stolen. I am trying to keep myself to one low-limit card but it can get, and did get, maxed out.

Also that “secret security number” on the back is less than secure when my wallet is stolen. The crooks know that I will put a stop via my phone on the card as soon as I realize it’s gone. That could take a while; meanwhile the thief has, within 5 minutes of the theft, maxed out the card on easily sold stuff and most likely burned the card while smoking a $100 cigar.

I am paranoid enough to know that crooks can get into password managers as easily as lifting my wallet. Every password manager has employees to guard the security. But who will guard the guardians? I keep my passwords locally on my iPhone and iPad. Not very safe, equal to my wallet and credit cards.

The point is that we live in a very risky world and always have. Before the explosion of credit cards in the 1960s and the explosion of online shopping in the 1990s and 2000s we carried largish sums of cash in our pockets and purses, ready to be lifted. Thank you Sophos for giving us tips and strategies to minimize our risks.
Paul Ducklin
If you only ever use your cards online (or over the phone) at home, and carry them simply to have the chip-and-PIN capability, you could simply write the three-digit CVV codes down and lock them away at home, and then carefully scrape the numbers off the back of the card. That way, your cards don’t carry any record of their CVV codes, if you’re worried about those codes being stolen and immediately used online.
Anonymous
Or, write the CVV scrambled out of sequence (that you know) with the last 4 digits of the card in your signature area…
Paul Ducklin
Why? The CVV is already printed in the signature area and the last 4 digits are embossed on the front. (Also, in the unlikely event that anyone is thorough enough to look at your signature they are IMO likely to be diligent enough to reject the card because of the weird content in the signature section…)
gillytech
I can’t comment on the cards but I can say one thing about the guardians misusing your password manager data. The big ones that I have researched (Dashlane, LastPass, 1Password) locally encrypt your entire password database using your password as the key. All the encryption and decryption of your personal data occurs on your device locally. When it is transmitted to the remote servers of your PM, it is in already strongly encrypted form and all they do is send you the whole blob of scrambled data when you go to log on with, say, another device. By this nature, even if the guardians were selling your password database to the highest bidder on eBay it would be useless to any crook because the data is irretrievably encrypted and the only way to unlock it is to supply the master password which only you know. So it’s really quite secure. Well, as secure as your master password is.
Anonymous
Add the last 4 of each card to your current pin to make it unique for each card…
Igor
Here is a quick trick for credit card PINs. Pick a random number, choose one of the 4-digit sequences you see when you look at your credit card, and last pick a mathematical operation (+, -, * or /) and make up your new PIN on the go for any credit card you may have. Voila! You have a random, very hard to guess PIN that you will remember every time. I hope that works for you. Cheers.
Mark Clarke
I like the video format. I don’t have time to read a long script.
Cassandra
Video has its place particularly for a question that a non-tech may ask – like “What if my password manager gets hacked”?
But this video is not the best example of the genre! Possibly written articles get more review and editing.
TL;DR? What if my password manager gets hacked?
Basically you’re b******d, because you have handed over the “keys to your kingdom”.
Avoidance?
Apply 2FA to your password manager and use (and remember) the strongest possible master password
Mitigation?
Don’t put the keys to the really valuable stuff (bank account logons etc.) on the same password “keyring” – instead of putting them in a password manager just remember a really strong password for each “valuable account”(+2FA)
Everything else in the video is garnish – quite useful garnish but not directly related to the question! This garnish includes scattered through the video a number of good arguments for using a password manager and 2FA.
I personally cannot see the problem with putting all really valuable accounts into the password manager IF they are also protected by 2FA.
What does hack me off is when my bank’s log in page is not “password manager compatible” and I am obliged to try to remember this really, really valuable key outside the password manager (or have to keep it in a secure note within the password manager where it will not auto-fill and I then have to flick between tabs). My bank’s login page requests (amongst other details) 3 random characters from my password – inevitably the password manager stuffs each of the three fields with the entire password or refuses to do anything. I can see the value of requesting 3 random characters from a telephone banking password – it means that the bank employee on the other end of the line never sees your entire password and would need to be lucky to receive numerous calls from you before they saw all the characters. But how does online security benefit from requesting 3 random characters rather than the whole password (other than from malware on the server – in which case the bank is b******d anyway)?
Paul Ducklin
The videos are live – they are meant to be a bit like the sort of informal talks people used to give or attend at user forums back when those things could take place – so they can’t be “edited”. Sometimes we do videos that are more like formal presentations, and those do get scripted for length and edited for clarity, but these weekly chats are meant to have a format and a style that’s a bit more informal and relaxed. Probably should be shorter, but that’s a separate issue that can’t be solved after I’ve done the talking :-)
As for institutions that insist on making you pick passwords that no self-respecting password manager would choose, or using them in peculiar ways – I don’t get that and I don’t know what to say other than to rant with you.
I also tend to fume when I use 32 hex bytes from /dev/urandom, giving me a true 128-bit password, and a website not only marks it down for low security but refuses to allow me to use it at all “because it doesn’t have any capital letters in it”, and even if I do put some of the hex digits in upper case, tells me it’s still no good because it doesn’t have any punctuation… then when I put in “Password55!” it not only accepts it but congratulates me warmly on making such a well-informed and expert choice. As far as life permits, I use this as a good reason to disavow that company’s service and go and spend my money/distribute my clicks/read my news elsewhere, though for some sites you simply can’t do that…
Tru Do
Thanks, Cassandra, for the TLDR
Tony Lymer
Hi Duck,
I currently use the free version of LastPass, and have a very long passphrase. I have had a U2F key on my key-ring for about five years but I would only be able to use it if I paid for the premium product.
Can you recommend a good (browser-friendly) password manager that allows U2F 2FA and is available for both Ubuntu Linux and Windows?
Tony
Paul Ducklin
I can’t recommend one, I’m afraid… I use Linux (but not Windows) with a password manager of my own based on a loopback file encrypted with LUKS.
Any readers using U2F with a cross-platform non-premium-service password manager that might help Tony?
Anonymous
Tony,
Look at Bitwarden.
Anonymous
Thanks, great info.
Paul Ducklin
Thanks, glad you found it useful!
Anonymous
Another item you forgot… never add the secret first few characters of the passwords in your safe. For example, always use 19AZ before filling in your safe password. The 19AZ is the first part of every password but is never stored anywhere. Makes the password safe even more safe. If they try the safe’s passwords, you will know because all your accounts will get locked out.
Paul Ducklin
If you get locked out of an account because a crook put in the wrong password too many times…
…how will you know which password or passwords they tried before the lockout happened?
Mike
Well, lots of ignorant people believe FOOLISH reviews from [REDACTED] recommending cloud (INSECURE) based password managers, so the first thing is to educate these ‘experts’ on cybersecurity.
Paul Ducklin
As some commenters have pointed out, many cloud-based password managers only ever upload already-encrypted passwords into the cloud where the cloud provider can’t extract them.
Ed Ong
You are due for a haircut. So sorry for the lockdown :)
Peter
Great overview. I would rather prefer 2FA via OTP/Mobile, but of course USB is also a great option.
One thing I think many modern password managers are missing is digital inheritance functionality. If something happens to the user, without digital inheritance it’s almost impossible for their loved ones to get access to the data.
As many password managers are also transitioning to document storage systems for various accounts, the lack of digital inheritance can become a big problem – basically it means that your family members won’t be aware of your accounts and assets, and won’t be able to identify and locate them.
I definitely recommend using password managers and online document management systems only with digital inheritance functionality.
Paul Ducklin
You could just export your encrypted data regularly onto a USB device that is itself encrypted with a password that you keep in a safe deposit box or other traditional secure storage location.
Anonymous
You never answered the question of what to do if your password manager gets hacked. Only how to prevent it.
Paul Ducklin
Fair point, although the video was meant to be an encouragement to those who were afraid it was likely to happen and therefore rejected password managers out of hand.
If you think it has actually happened, change all passwords immediately. Ideally, work off a printed list by hand, the hard way. (Yes, it will be a hassle.)
As mentioned in the video, try to enable 2FA on all accounts you can to make the exposure of passwords less useful to the crooks. Simply put, you will need to do the same thing for all your passwords that you would do if any one of them were hacked – there isn’t really a short cut.