Password Management

February 27, 2017 · 4 minute read

Over the past few years, many security issues have surfaced. Every time a website is affected, the advice given by security experts is to “change your password, activate MFA, and reset all active sessions.” This approach works well when the security event affects a single website. However, it is very hard to practice when the event affects a large number of websites. For example, the recent Cloudflare bug can potentially affect millions of websites.

My password manager currently has over 200 entries. Going the most paranoid route means manually changing over 200 entries because of this one security event. Limiting password changes to just websites without 2FA still leaves me over 190 to change, as many websites do not support 2FA. I could pull the URLs out of my password manager, compare them against the list above to see what’s affected, then change only the affected sites. This method still takes too long. It’s also incomplete because some of my entries do not have URLs associated with them, nor do we know how many websites are actually affected by this event.

If I, a security professional, have such a hard time going through this exercise, then I suspect many others are in the same boat. Many experts have voiced their concerns about the password-based authentication system. There are also active R&D efforts into replacing passwords with another authentication method. However, we currently do not have a good solution to replace passwords. Most alternative authentication systems supplement password-based authentication rather than replacing it. Given that we’ll be stuck with passwords for a while, what can we do?

Things to do

Below is a list of things that I practice to help minimize my exposure during a security event. Please note that these are my own practices, so not everything listed here is applicable to everyone. You also don’t need to do everything listed; you should only do the things that you believe you can perform habitually.

What you’ll soon notice is that I heavily rely on a password manager. This could be my single point of failure. However, I believe this is less risky than using the same password everywhere or simply writing my passwords down on a notepad.

Use a password manager

I use a password manager to manage my 200+ passwords. There are many password managers to choose from. When I was trying to choose one, I decided to pick an offline manager as I am not comfortable storing all my passwords in a service that I don’t have enough visibility into.

I have a very strong master password to unlock my password database. The master password is rotated whenever I believe there is the slightest risk of it being exposed. All other passwords are randomly generated using the password manager’s built-in function.

Use 2FA/MFA

I enable MFA on all websites that support it. I currently use Google Authenticator for TOTP codes. For sites that support U2F, like Google and Facebook, I use a YubiKey. However, I plan to switch over to an OnlyKey to handle both TOTP and U2F. While I could also use just the YubiKey, I like the idea of having more than 2 slots with the OnlyKey.

For important accounts that can lead to password resets and ownership verifications of other accounts, I disable phone-based (SMS or voice) MFA. I do have backup access codes in case my MFA method no longer works.

Use fake data

For websites that ask for secret answers, I make them up using the password manager’s password generator. In other words, I treat them just like additional passwords. They are also stored inside the password manager.

For sites that do not require my personal information yet ask for it, I make it up and store the made-up information as part of the website’s entry inside the password manager.

Use encryption

I encrypt important personal data before storing it in the cloud. The encryption key is stored within the password manager. I do not encrypt everything, because doing so would degrade the usability of the cloud storage service to a point that I’m not comfortable with.

What I did for the Cloudflare bug

Instead of changing all my passwords, I only changed passwords for websites matching these criteria:

  1. The website hosts my personal (and real) information instead of fake data.
  2. The website uses Cloudflare.
  3. The website does not have MFA enabled.
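As an added example (not code from the original post), here is how that triage could be scripted over a password manager export. The entry field names, the sample entries and the affected-domain list are all constructed placeholders; entries without a stored URL cannot be matched and are sent to a manual-review list instead of being silently skipped.

```python
from urllib.parse import urlparse

# Constructed sample of a password manager export (hypothetical field names).
ENTRIES = [
    {"name": "Example Shop", "url": "https://shop.example.com/login", "mfa": False, "real_data": True},
    {"name": "Forum", "url": "https://forum.example.net", "mfa": False, "real_data": False},
    {"name": "Bank", "url": "https://bank.example.org", "mfa": True, "real_data": True},
    {"name": "Old CMS", "url": "", "mfa": False, "real_data": True},
    {"name": "Mail", "url": "mail.example.com", "mfa": False, "real_data": True},
]

# Constructed placeholder list of domains believed to be served through Cloudflare.
AFFECTED_DOMAINS = {"example.com", "example.org"}


def host_of(url):
    """Return the lowercase hostname of a URL, tolerating entries saved without a scheme."""
    if not url:
        return None
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower() or None


def is_affected(host, affected):
    """True if host equals, or is a subdomain of, any domain in the affected set."""
    return any(host == d or host.endswith("." + d) for d in affected)


def triage(entries, affected):
    """Apply the three criteria (real data, affected domain, no MFA).

    Returns (names to rotate, names that need manual review because no URL is stored).
    """
    rotate, review = [], []
    for entry in entries:
        host = host_of(entry.get("url", ""))
        if host is None:
            review.append(entry["name"])
            continue
        if entry["real_data"] and not entry["mfa"] and is_affected(host, affected):
            rotate.append(entry["name"])
    return rotate, review


if __name__ == "__main__":
    to_rotate, to_review = triage(ENTRIES, AFFECTED_DOMAINS)
    print("rotate:", to_rotate)
    print("review manually:", to_review)
```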

Wish list

We need to treat passwords like encryption keys. There should be an automated way to constantly rotate them. I believe this may be more solvable than coming up with an authentication method that can fully replace password-based authentication.