On Using Password Managers

For a long time, I was reluctant to use a password manager. One of the advantages of using one is the ability to have a strong and unique password for each service, without having to memorize each password. It drastically improves security.

xkcd #936 – Password Strength

Without a password manager, we unavoidably start reusing (bad) passwords across several services. Sometimes those services get hacked, our info gets leaked, and you already know how this story ends.

A password manager nicely addresses those problems, but it also introduces new issues. Now, the reason why I was reluctant to use one was twofold:

  1. Trusting a third party with all my passwords;
  2. Being unable to log in to a specific service because I don’t have access to my password manager app.

The second reason is also why I use two-factor authentication very selectively — only on services that offer a reliable recovery method and/or are critical for me. And by a reliable method I mean one-time recovery codes. Using SMS as a recovery method is not always the best option for me because I travel abroad quite frequently nowadays and I can’t count on being able to receive SMS.

Sure, I can always reset my password and change it temporarily in case I don’t have access to my password manager (as long as I have access to my email account).

But it would also be annoying if I wanted to access something on my mobile phone, for instance, since typing a long random string doesn’t sound very fun. So it would be good to have a mobile app to sync my passwords across my devices.

Having passwords stored on a cloud server considerably weakens the security of such services. Even though my info will be encrypted using industry standards (well, at least I have to trust they are doing their best), that means my passwords will be stored on external storage and will probably be replicated across other servers in multiple backups and so on.

A chain is only as strong as its weakest link.

Even with the best technologies, the most secure servers, and the strongest security features, none of this really matters if you don’t trust the company behind the service. Social engineering is known to be one of the most effective security attacks. There are many examples out there, for example when an attacker used social engineering to trick a Namecheap support employee into granting access to an account protected by two-factor authentication.

You also need to trust their processes and personnel.

This year, when Troy Hunt announced the partnership between 1Password and haveibeenpwned.com, I thought about giving it a shot. I’ve been using it since then, and I never looked back.

1Password is such a great product, and it still amazes me how much thought they put into some of its features. For me, the best thing about 1Password is the browser plugins, so you can log in just by hitting the shortcut ⌘ + \. This is so convenient and just works.

The second best thing is the ability to have 2FA stored inside my 1Password vault:

1Password 2FA integration

This is awesome because if I lose my phone, I don’t need to set up all my 2FA again or go through the whole recovery process. Also, the workflow is so smooth. After you hit ⌘ + \ to log in, it will automatically copy the one-time password to your clipboard, so you simply press ⌘ + V after that to complete the authentication. After you are logged in, it will automatically restore your clipboard with whatever was there.

Another cool thing about it is that you can store secure notes, credit card PIN codes, software licenses, and serial keys.

To be fair, I don’t trust all my stuff to it. Especially not my main email accounts, which are used to register for other services. For those, I keep unique passwords stored only in my mind. That way, even if I lose my recovery key for 1Password, I’m still able to regain access to the software and services that I use. But other than that, it’s been my standard way of storing sensitive information.