In a deeper exploration of password manager browser extensions and features for sharing as well as a survey of alternatives to password managers, Liz and Geoffrey go back to the topic of Loose Leaf Security's very first episode and discuss how password managers keep them safe in practice. In the news, a research firm makes dramatic claims about password manager security, and Facebook expands data tracking in worrisome ways.
- 1:08 - Security news: Google Nest's surprise microphones
- 2:18 - Security news: Facebook and phone number tracking
- 5:23 - Security news: Password manager security report
- 10:26 - Password manager integration
- 11:57 - Password manager extensions, origin tracking, and phishing
- 17:17 - What to do when a password is breached
- 18:22 - What to do when your password manager won't autofill
- 19:48 - Sharing passwords
- 22:33 - Using password managers without an extension, including your browser's offer to store passwords for you
- 26:03 - Third-party logins vs. password managers
- 31:02 - What happens if your password manager company shuts down
- 34:08 - How to use your password manager on shared computers
- 38:41 - Claimed features for limited-rights sharing
- 39:31 - What not to keep in your password manager
Show notes & further reading
New password managers reference page
We have a new reference page about password managers, which includes a comparison of popular password managers that we will be keeping up to date periodically.
Origins and password manager extensions
The concept of "origin" is a little messier than how we've described it in this episode. Unfortunately, the web evolved without a grand design for security up front (and it's not clear such a grand design would have been right, anyway), so different features have had slightly different definitions - notably, cookies use a somewhat different definition of "same origin" from most other web features: cookies are scoped by host and path and traditionally ignore the scheme and port, while the origin most other features use is the scheme, host, and port taken together. We mention this mostly because of a practical consequence for password manager security: there wasn't a standardized way to get the origin of a URL until a couple of years ago, so extensions had to parse URLs themselves. Particularly clever phishing attacks could therefore trick a password manager into misinterpreting a URL and using the wrong origin. We'll talk more about the resulting vulnerabilities in our upcoming episode on password managers' security records, but by now, password manager extensions should be able to use the standard interface for finding a URL's origin.
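To make the distinction concrete, here is an added example (written for this page, not code from Loose Leaf Security or from any password manager) in JavaScript. It computes origins with the URL API that the WHATWG URL Standard defines, compares that against a naive "does the page URL start with the saved site?" check of the kind an extension might have hand-rolled before a standard origin API existed, and does a vault lookup keyed by origin. The `bank.example` and `evil.example` hosts, the vault entries, and the naive check itself are all constructed for illustration and do not describe any particular product.

```javascript
// Added example, not code from Loose Leaf Security or from any password
// manager: computing a URL's origin with the standard URL API versus a naive
// prefix check, and looking up saved logins by origin. All URLs and logins
// below are constructed for illustration.

// Standard origin (scheme://host[:port], default port dropped, host lowercased)
// as defined by the WHATWG URL Standard and exposed as URL.prototype.origin.
function standardOrigin(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null; // unparseable input: treat it as matching nothing
  }
}

// The kind of hand-rolled check an extension might have used before a standard
// origin API existed: "does the page URL start with the saved site?"
function naivePrefixMatch(pageUrl, savedOrigin) {
  return pageUrl.startsWith(savedOrigin);
}

// A tiny constructed vault. A good password manager records the origin when it
// saves a password and later offers the login only on pages with that exact origin.
const vault = [
  { origin: 'https://bank.example', username: 'liz', password: 'generated-by-the-manager-1' },
  { origin: 'https://news.example', username: 'liz', password: 'generated-by-the-manager-2' },
];

// Logins the extension should offer to autofill on pageUrl: exact origin match only.
function loginsFor(pageUrl, entries = vault) {
  const origin = standardOrigin(pageUrl);
  if (origin === null) return [];
  return entries.filter((entry) => entry.origin === origin);
}

// Phishing-style URLs that the naive check accepts but the origin check rejects.
const lookalikes = [
  'https://bank.example@evil.example/login', // userinfo trick: the real host is evil.example
  'https://bank.example.evil.example/login', // a subdomain of an attacker's domain
  'https://bank.example:8443/login',         // same host, different port: different origin
];

function demo() {
  for (const url of lookalikes) {
    console.log(url);
    console.log('  naive prefix match :', naivePrefixMatch(url, 'https://bank.example'));
    console.log('  standard origin    :', standardOrigin(url));
    console.log('  logins offered     :', loginsFor(url).length);
  }
  // The genuine site in an unusual but equivalent spelling still matches,
  // because the URL API lowercases the host and drops the default port.
  console.log(loginsFor('https://BANK.example:443/login').map((e) => e.username));
}

demo();
```

Run it with `node` and the naive check reports `true` for all three lookalikes, while `standardOrigin` yields `https://evil.example`, `https://bank.example.evil.example`, and `https://bank.example:8443` respectively, so `loginsFor` offers nothing on any of them. The practical lesson is the one the note makes: an extension should derive the origin from the standard parser and compare it exactly, rather than doing string matching on the raw URL.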
In the news
Jeremy Burge observed on Twitter that Facebook is linking phone numbers used for SMS-based two factor authentication to the regular Facebook profile, which has worrying echoes of the misstep we saw last year where Facebook started sending notifications of activity to these phone numbers, posting replies to Facebook, and making those numbers searchable by advertisers. Probably the best step is to avoid using SMS-based two-factor authentication: Facebook and Instagram both support enabling two-factor authentication with just a code generator app and not providing your phone number. (This is fairly new for Facebook and newer still for Instagram, so if you were previously holding off on enabling two-factor auth for this reason, now's a good time to think about setting it up.)
The Wall Street Journal discovered that many apps are sharing sensitive personal information with Facebook Analytics. (If you don't have a WSJ subscription, the full text of the article is syndicated through the Colorado Springs Gazette.) NPR has an interview with the reporter, in which they discuss how they found the story and potential regulatory consequences. While Facebook didn't ask for this data - and in many cases quite specifically asked not to have this data - at the end of the day the data is still available to Facebook, and the Terms of Service permit it to be correlated with other profiles Facebook may have of you.
Independent Security Evaluators released a report on password manager security that expected "basic security best practices, such as scrubbing secrets from memory when they are not in use and sanitization of memory once a password manager was logged out and placed into a locked state" and claimed, "in all password managers we examined, trivial secrets extraction was possible from a locked password manager, including the master password in some cases." They have a polished demo video of extracting a master password which certainly looks impressive and scary. But we, along with many others, question whether this is a meaningful threat.
The researchers have a FAQ responding to common questions about their report, and the first question is just what we'd ask: "If an attacker has access to my machine, then isn't it already game over?" The researchers attempt to draw a distinction between an "advanced adversary" who can take over your computer, and a casual attacker like a coworker or housemate who sees your unlocked computer. While we do agree that protecting yourself from nosy coworkers or housemates is an important goal of personal digital security (it is perhaps the most common threat for most people), we're not sure the "advanced adversary" distinction makes sense.
The researchers haven't yet released their tool "multipass" because they want to wait for password managers to address the shortcomings they've identified. But a class of software called "remote access Trojans," or "RATs" for short, is widely available - and is commonly seen in attacks by unethical housemates or family members. A RAT enables persistent, remote access to a computer. It's a variant on legitimate remote access tools in that it hides its existence from the user of the computer. A "non-advanced adversary" with temporary access can easily install a RAT, and then gain convenient access at a later time, such as when the password manager is unlocked.
In addition to gaining access to the master password, an attacker with a RAT can more directly extract your cookies from a website you're already logged into, or intercept web requests you're making, or just watch your screen and read your private messages. An attacker with temporary access to your logged-in account can, in general, access the actual apps and sites you're using and has no need to get past your password manager to do so. It doesn't make much sense to defend against this specialized, non-public tool when generic, publicly-available tools are as straightforward to use and can cause as much damage.
There is one case where scrubbing secrets from memory is valuable: if the contents of memory are written to disk as part of swap or hibernation, then there's a risk that information will be recoverable from a powered-off machine long after it's been deleted (we discussed the difficulty of securely erasing data in our episode "Physical attacks to your computers and disk encryption"). But a good, robust solution to this risk is to encrypt your computer's hard drive: full-disk encryption covers the swap and hibernation files as well, as long as they live on the encrypted volume, which is the case with the built-in disk encryption on current desktop operating systems.
So if you're concerned about these attacks, the best defense is just good security practice in general: lock your screen with a good password when you step away from it, don't share your account (and ideally don't share your computer) with other people, encrypt your hard disk, and so forth. And in any case, the researchers themselves say that these findings are not a good reason to avoid password managers - even under their threat model, you're still safer using a password manager than memorizing or reusing weaker passwords.
Liz Denys (LD): On the very first episode of Loose Leaf Security, Geoffrey and I talked about the importance of strong, unique passwords, and we also talked a little bit about password managers.
Geoffrey Thomas (GT): Mostly, Liz and I covered why you should trust your digital password manager and explained some of how they work behind the scenes.
LD: Today, we're going to discuss how to actually use your password manager, like how to most securely integrate it into your workflow and what you should do when you find out one of your passwords is in a breach.
GT: We're also going to go beyond the basics and share some of our personal workflows for things like effectively managing shared passwords when not everyone uses the same password manager.
Intro music plays.
LD: Hello and welcome to Loose Leaf Security! I'm Liz Denys,
GT: and I'm Geoffrey Thomas, and we're your hosts.
LD: Loose Leaf Security is a show about making good computer security practice for everyone. We believe you don't need to be a software engineer or security professional to understand how to keep your devices and data safe.
GT: In every episode, we tackle a typical security concern or walk you through a recent incident.
Intro music fades out.
LD: Before we get to our main segment on password managers, let's talk about some recent security news.
GT: Google surprised some users of their Nest security system with a new feature in a software update: the Nest Guard, the keypad that lets you enable and disable the alarm, now supports the Google Assistant. You can now ask it things with "OK Google" just like you can to a Google Home speaker.
LD: The reason this came as a surprise was that Google didn't advertise the Nest Guard as having a microphone, especially an always-on microphone. The standard Nest Secure kit only has motion sensors and door sensors: it doesn't record audio or video and you need to buy a separate Nest Cam if you want that. So you didn't have to worry about it watching or listening to your house if you didn't want that feature.
GT: Google says this was a simple oversight - they just forgot to list the microphone as part of the tech specs, and they didn't originally have any features using it. They say they might use it in the future for detecting sounds like broken glass and raising an alert, and they also say the microphone is off by default and "OK Google" needs to be turned on.
LD: Even if it was just an oversight, it's still pretty disconcerting that they shipped a product with a microphone and didn't say so. You want to trust your devices - especially if that device is a home security system - and it sounds like they broke a lot of people's trust here.
GT: A few episodes ago, we talked about how if you had given Facebook your phone number just for two-factor authentication, they'd started letting advertisers target that number.
LD: It looks like the problem has gotten even worse - as Emojipedia founder Jeremy Burge pointed out on Twitter, these phone numbers are now available for other Facebook users to search. While it's not listed on your profile, the default search setting is that anyone can look up the number and find your account. You can restrict it to friends, but you can't turn it off entirely if you want to keep using that phone number for two-factor authentication. Facebook is also sharing these numbers with Instagram, which it owns.
GT: Jeremy's Twitter thread makes some interesting observations about how this can be used for advertising profiles: even if you have separate profiles for Facebook and Instagram, they'll link the accounts internally if they have the same phone number. It's possible this could extend to other companies in the future. And they can say they have a legitimate business need for the number, so they can keep it.
LD: This is particularly frustrating because it undermines confidence in two-factor authentication for everyone - Facebook is taking these phone numbers people expected and trusted them to use only as a security mechanism and making them available for advertising and growth, and now you start to wonder if anyone else is doing it, too.
GT: Fortunately, it seems to just be Facebook and their other services like Instagram and WhatsApp, at least for now.
LD: Facebook and Instagram both support setting up two-factor auth with an authenticator app - this is a recent change for Instagram - so this is another reason to avoid using SMS-based two-factor auth. As we mentioned in our episode "Two-factor authentication and account recovery", SMS is pretty insecure, and we recommend using basically any other two-factor method if available.
GT: Facebook has also been in the news recently for running an analytics system that picks up sensitive personal data from various apps, even when you're not logged into Facebook in that app.
LD: A Wall Street Journal report found several apps that sent data from inside the app straight to Facebook Analytics. App developers can use this system to see how people are using their apps, which features are popular, what people are searching for, and so forth. But the Journal found that many apps, including six of the top fifteen health and fitness apps in the Apple App Store, sent personal data as part of analytics, despite Facebook instructing developers not to do that. These are things like your height and weight and the dates of your period - and they're sent to Facebook as soon as you enter them.
LD: Another Journal reporter found that just downloading a "What to Expect app" and starting it up got her maternity ads eleven hours later.
GT: Facebook has reminded developers not to send sensitive information to Facebook Analytics, but it's still going to track things like what apps you have downloaded. Maybe the best thing is to pay attention to the Terms of Service for apps and see what third parties they share your data with?
LD: I guess, but usually they don't even list what third parties they are. I don't think there are any great solutions here on the personal level - although it sounds like regulators are starting to take a look at this, and maybe data privacy legislation could help. In the meantime, maybe be a little judicious about what apps you download. At least on the web, content blockers and tracking protection can help you, but there isn't an equivalent of that for apps, at the moment.
GT: Our final bit of news fits pretty well with the main topic of today's episode: a security research firm called Independent Security Evaluators published a report analyzing four popular password managers, in which they claimed, quote "trivial secrets extraction was possible from a locked password manager." It's a bold claim, and the authors are careful to say that you should still use password managers - even though what they're saying sounds pretty bad!
LD: So it's worth digging a bit into what they're claiming and just how bad it is. They've got a slick demo of a program that can extract passwords from a password manager, but is that something you should be concerned about?
GT: Usually when someone makes a bold security claim - either "This is incredibly secure" or "This is hopelessly insecure" - I like to ask them what their threat model is. A threat model basically just is a clear statement of what the things you're trying to protect are, what attacks you're worried about, and how they might try to attack you.
LD: For example, if you're worried about someone finding a zero-day vulnerability on your phone to overhear your secret conversations at a popular diner, and you're not worried about them just sitting down at the next table, that's probably not a reasonable threat model.
GT: In this case, an attacker running their neat tool would need to have access to run programs in your user account. Most attackers don't have that access, and those who do can usually do a whole lot more bad things than just stealing your password. So it's not clear that their threat model makes sense.
LD: Someone who can run programs as your user account can generally read and write all the local data for the websites you visit, like login sessions. Because they're running real desktop software on your computer, they aren't constrained by the sandboxes your browser sets up for websites - or, as we called them in our episode "The history of the Web and an introduction to browser security", snow boots. Each website is isolated from each other, and a password manager extension definitely needs to preserve that. But your browser and your files aren't protected from other apps in general, and there's not much a password manager can do about that.
GT: There's a lot of access someone who can run a malicious app on your desktop can do - the easy thing is to install a remote access tool or "RAT", which lets them continue to spy on your computer without your knowledge. The demo tool is very scary-looking, and they haven't released it - but a RAT can do the same thing by just waiting for you to use that password, and there are plenty of those out there.
LD: So a practical defense - which is also one that protects against more likely threat models - is to prevent people whom you don't fully trust from having access to your user account. That's often basic stuff like locking your screen, not installing weird software from strange places, not inserting unknown USB drives and clicking on everything, et cetera - you know, stuff you should be doing anyway for security.
GT: And to be safe, don't let coworkers, housemates, maybe even family members have access to your account. Lock your screen when you walk away. And as we discuss in our series on laptop and desktop security, it's best to never let anyone else use your computer because there's a lot you can do with physical access. However, if you have to do this, it's safest to not let someone else use your account - give them their own non-administrator account, so that they won't be easily able to access your password manager, or anything else in your account. Then they can't read the memory out of your apps or modify your files, and they also won't use your logged-in websites or see your browser history by mistake.
LD: These researchers talk about wanting passwords to be protected when a password manager is "locked" - but maybe the better strategy is just to get rid of that concept entirely. You're better off locking your screen so your whole account is locked, instead of trying to keep one application safe from another one.
GT: Yeah, I don't ever intentionally lock my password manager, do you, Liz?
LD: Nope, I also don't - I do have a timeout because that's the default, but mostly I just keep physical control over my computer.
GT: At the end of the day, a password manager isn't going to keep you safe if your computer or your web browser as a whole isn't safe. And you're probably using those passwords on the same computer, anyway. So start with the regular stuff, like keeping your OS and browser up-to-date. Maybe even encrypt your disk, if you're worried about attacks on your physical computer.
LD: So we do strongly agree with the researchers that none of this is a reason to avoid password managers - in all the threat models we can think of, your passwords are safer in a proper digital password manager than somewhere else.
GT: And in particular, we're fans of password manager extensions, which have a unique security advantage: they can help you avoid phishing by checking that you're on the right website before giving up the password.
LD: Securely integrating a password manager with a web browser is a challenge, though, and there have been some serious security issues with a few password manager extensions under very common threat models, like just wanting to browse the web normally and keep your passwords safe.
GT: While our main segment today is about password managers, today we're focusing more on how to use password managers to improve your security than analyzing the specific security records of password managers themselves.
LD: We do believe it's helpful to understand the security model of password manager extensions, and we also think it's important to evaluate the security records of specific password managers, which is why this will be topic of a future episode!
GT: Our very next episode is a deeper dive into two-factor authentication, including a discussion of how to keep your two-factor auths tidy with the help of your password manager, but two episodes from now, we'll discuss specific password managers, their extensions, and their security records.
LD: Let's take a quick break before our main segment.
Interlude music plays.
LD: Now for our main segment, a more detailed look at how you can get the most out of your digital password manager.
GT: If you don't already use a digital password manager but want to pick one to start using, you can check out our new resources page comparing the most popular password managers - it's based on the notes from our original episode in May 2018, but we've updated the info and added one more password manager to the list. There's a link in the show notes for this episode, and we'll keep it up to date periodically.
LD: As mentioned at the end of the security news, we will be discussing the security records of different password managers in two episodes, so look forward to that!
GT: In addition to wanting a password manager with a good security record, it's important to pick a password manager that integrates well in your workflow because you want it to be easy to use.
LD: Ideally, you want a password manager that has extensions for the browsers you use on your computers and for it to also integrate with your phone's autofill. Fortunately, most browsers will have extensions and both Android and iOS do third-party password manager autofill, so this likely won't be too limiting.
GT: But if you're using a less common platform like Linux, you should make sure the password manager you use works with your OS and your browser. I use Firefox on Linux frequently, which my password manager only added support for recently. Once they did I found myself going from using it rarely to basically all the time, and it was probably a mistake not to pick a password manager that worked on my browser previously because I would just never add stuff to my password manager. And when I had a password that was saved in my password manager instead of one that I had memorized, I'd have to open it up somewhere - I'd probably just open it up on my phone - and then type in the password by hand.
LD: Not only does that sound incredibly tedious, but without using a browser extension or the autofill feature on your phone, your password manager can't check the website's origin against the one it has stored.
GT: As we talked about in our episode "The history of the Web and an introduction to browser security", the web security model is based on separating "origins". At a high level, different web pages from the same web site share the same origin and can freely share data, while different web sites have different origins and your web browser isolates them by default.
LD: If you haven't already listened to that episode, we discuss how web browsers can put sites into what we called separate "snow boots" based on their origins. But to recap it quickly, when a website stores information, like a cookie to remember that you're logged in, that information is available to other pages from the same website, the same origin. But it's kept isolated from other websites. So pages on the same website can take actions on your behalf on that website, like sending messages or adding things to your shopping cart, but pages on another website can't even tell you're logged in.
GT: So, if you're going to have this security between websites for your logins themselves, you really should have the same sort of thing for access to the passwords that let you log in. Just like you don't want some news site to see your bank account info, you shouldn't let the news site see your bank account password, either.
LD: When you save a password, a good password manager will note down the origin of the website and store that along with the record of your password. That way, next time you visit the same website, it can detect that it has a saved password and offer to automatically fill in your login information.
GT: And if you're not on a website with the same origin, your password manager won't offer to fill it in. So if you're not on your bank's website, your bank's password just won't be an option.
LD: And in particular, if you think you're on your bank's website and you're actually on a page trying to steal your password for that bank, your password manager should be checking the origin for you. You might get fooled by a similar-looking website by typing the password in, but your password manager generally won't be fooled.
GT: If your password manager won't autofill on a site for a login you know you've stored, don't look up the password yourself in your password manager and enter it into that site - it won't do anything to stop you. Instead, go to the correct site either by typing https:// and then the site you know or looking up that account in your password manager and opening up the link to the website you have saved there.
LD: It's likely that your password manager won't let you access all of its records from within the web page, even if you just want to look at what you've saved instead of filling anything in - and that's for the same reasons. There have been some major security vulnerabilities from making a password manager's entire database accessible directly inside a web page.
GT: LastPass used to let you do this, and we'll talk about that incident in our upcoming episode on password manager security, but it's good that they no longer let you search in its in-page UI. Instead, you should have to open up the password manager app, and it's fine if the in-page UI gives you a convenient button to do that.
LD: It's likely that this can still be really convenient for you - your password manager could open a new tab for its app or it could draw a pop-up over the browser so you don't have to deal with switching tabs.
GT: If it goes the pop-up route, you should be able to either drag it outside of the bounds of the webpage, like over the address bar of your browser, or your password manager should draw it somehow so it covers something outside of your webpage.
LD: That might sound a little silly, but that's how you can tell that pop-up isn't happening within the web page you're on - it's a visual way of showing you it doesn't suffer that search vulnerability.
GT: Also, it's a really good way of showing you that the UI is actually from your password manager and not from a site trying to trick you into typing your master password. Another benefit of your password manager doing this origin tracking is that your password manager ends up bookmarking the right site for you to go to when you want to log into that account.
LD: I've accumulated hundreds of logins over the years, and I generally know the right URL to go to for the ones I use the most, but for accounts I use less frequently, I look up the account in my password manager and check the site it's tracked.
GT: If a website changes - I think at some point the Wall Street Journal started authenticating on dowjones.com - you can update the website field in your password manager. Just, when you do that, be careful that it is a legitimate website owned by the same company and not a phishing page you ended up on by mistake - maybe type in the website name as you see it, instead of copying the whole URL you happen to be on, which might be trying to trick you with a URL that looks right but actually has a capital "I" instead of a lowercase "L" or something like that.
LD: LastPass only lets you have a single website per login, so if it is used by the same company in multiple places, you'll have to make a second login to get that origin checking protection, but 1Password will let you add additional websites. This isn't a great practice for a website, though.
GT: And if you imported your passwords manually into your password manager from something else and it didn't quite get websites right or for whatever other reasons it doesn't have websites for your logins, it's worth adding in the websites they're for whenever you see an account of yours doesn't have one stored, so that you get that added protection against phishing.
LD: Also, if you ever find yourself adding a new password to your password manager, that's actually a fantastic time to have it change your password - I did this when I first set up my password manager, and because my password manager generated new passwords, I knew I wouldn't have any lingering password scheme.
GT: Your password manager is only going to warn you about passwords that are exactly the same - if you've been using some scheme for making different but memorable passwords, like putting the site name or a random number in your password, it won't notice, and if you're using a good scheme it probably can't notice. Of course, since you know yourself if you're using a scheme, the best thing is for you to change your own passwords as you move them into the password manager.
LD: Right, that's why I made a point of doing this when I imported my passwords - it would have been pretty easy to get complacent about schemes once it was already in my password manager, and I wouldn't want to have missed updating them in case one of my passwords that followed a scheme was found in a breach.
GT: So if your password is found in a breach, you want to change your password for that site and on any other site you've used that password or a similar password. You can make this a little easier on yourself by asking your password manager if you have any duplicate passwords - in 1Password, this is in the Watchtower functionality, and in LastPass, this is the security challenge. Make sure you do this before you change your password on the site that was breached, so your password manager can actually check your old password.
LD: And, of course, the best thing is to not have duplicate passwords in the first place, so if you have a little time for a security checkup, ask your password manager if you have any duplicate passwords and change all of those passwords. When I say change them, I do mean all of them - you've compromised the password by using it on multiple sites, so you should switch to using it nowhere.
GT: To be even more secure, log into accounts where you previously had reused passwords or were in a breach, and double check that everything looks as you expect it to.
LD: So sometimes when I go to change my password, my password manager extension doesn't quite work automatically.
GT: Ugh, I hate when that happens. The forms for changing your password don't always follow the same format across websites, and some of the ways websites make them tend to break your password manager's ability to detect them and autofill into them - usually, I run into this when the change password dialog is split up across multiple pages.
LD: Unfortunately, when this happens, you'll have to copy paste passwords a bit. You should still let your password manager generate your password instead of making one up yourself, and after you're sure you've saved your new password in your password manager, select some other text and copy that so that you won't accidentally paste your new password somewhere you don't want to.
GT: Before you do that, make sure that your password manager actually has a copy of the new password. In many password managers, the password generator feature tries to help you out with this - if you change your password but forget to save it, it's still in a folder somewhere called "Generated Passwords" or something like that. But you should try it out with your actual apps and see what it does. For instance, the 1Password X browser extension saves them but doesn't sync the generated passwords to the cloud, so you can see them from the same browser but not on another app. This confused me for a bit but it turns out I had all my generated passwords kept safely.
LD: And if you can't even find a password change prompt, don't give up on trying to change your password - try a password reset instead.
GT: It's poor practice for a website to not give you a password change option explicitly, but it's even rarer for a website to just disallow password resets, so there's usually a way to do it.
LD: When you're sharing passwords with your friends or colleagues, ideally, you'd all be using the same password manager, so you could just use its built in sharing.
GT: But if you aren't all using the same password managers, it's perfectly reasonable to sync up your passwords in person into each of your password managers or to just have everyone sign up for an additional account with the same password manager so that they can synchronize the passwords securely through that password manager. Both of those options are a lot more secure than sharing your passwords via phone calls or plain text email or text messages.
LD: Yeah, I have done this when collaborating on projects with people who don't use 1Password like I do. The biggest disadvantage to 1Password, in my opinion, is that it isn't free, and some of my friends have explicitly told me that's why they don't use it. So I actually have a LastPass account, too, that I use really infrequently for sharing passwords with project collaborators who only use LastPass, and I just store my LastPass master password in 1Password.
GT: Storing a strong master password for a secondary password manager in your primary password manager is actually a reasonable security decision, despite all the warnings that you should never write down your master password or tell it to anyone. You're only telling your own, encrypted vault in your primary password manager, which is protected by a strong master password which you haven't written down anywhere or shared with anyone. There's a little bit of additional risk here compared to memorizing a second, strong master password, but if your primary password manager is doing its job with security, it's a good tradeoff for making sure that your secondary password manager is also behind a strong password.
LD: Right, I'm notoriously bad at memorization, but typing my primary password manager's master password frequently is the only reason it's cemented in my brain. Since I only very occasionally use LastPass, my secondary password manager - only when I need to share a password update with my friends - I'd risk forgetting my master password for it.
GT: And you don't want to have a weaker password for that second account.
LD: Yeah. Also, I don't actually use LastPass's extension ever - I copy the shared passwords out of my LastPass account into my main password manager, 1Password, and then access them through 1Password's extension like the rest of my passwords. This works a lot more seamlessly, especially with my phone's autofill. If one of my collaborators ever changes one of our shared passwords, I'll have to grab the password from LastPass again, but that's a pretty minor inconvenience to me.
GT: When I share logins with other 1Password users, they're just in a shared vault and work seamlessly with the extension and phone autofill.
LD: Another thing I do to keep better track of logins I share with people who don't use 1Password like I do is tag them as "shared" in my password manager and add whoever they're shared with in the notes. If it's a login that I share via LastPass, I also tag it as "LastPass". If it's something I sync up in person, I'll tag it as "SyncInPerson". This way, if I ever have to update that password, I'll know how to get the new one to my friends and collaborators.
GT: Oh, that's clever. I have a couple of shared passwords, and I should tag them so I don't have to remember that I did share them and I need to update my friends.
LD: So, we've mostly been talking about standalone password manager products that have browser extensions. There are a few other popular options for keeping track of your passwords, but they don't all have the same benefits.
GT: Many browsers have a built-in saved passwords function, and if you're logged into an associated account, you can synchronize your saved passwords between browsers. For Chrome, there's Google Accounts, and for Safari, there's iCloud, which will sync with your iPhone. Microsoft Edge will sync passwords through a Microsoft account, and Firefox has its own account system for this.
LD: These are pretty good options because they'll do the same sort of origin checking for you, and they'll definitely do it right because it's built into the browser. But it's only really a good choice if you're using the same browser or account everywhere.
GT: Right, if you mostly use Chrome on your laptop but have an iPhone and you want to use accounts in apps on your iPhone, maybe Google Accounts isn't the best place. If you're using the Chrome app on your iPhone, you'll get passwords there, but you won't get them in other apps. So you might end up in the place I was before my password manager supported my browser, and just find yourself not using your password manager that frequently.
LD: Oh, speaking of using your password manager on your phone - a few password managers have built-in web browsers that you can use to autofill passwords for sites.
GT: Now that both Android and iOS have native password manager integration, you should probably just use that: you can get your password manager to work with your existing browser, and also with apps on your phone. Again, having it integrated with your normal browser and your normal workflow is going to make it more likely that you'll use it.
LD: If you can't get native password manager support, maybe because your phone is on an older version of Android, using the browser inside the password manager is definitely better than copying and pasting. It will do origin checking for you, and also there's less risk of copying and pasting your password into the wrong place. But if you have the option of using your regular browser, there's really no reason to prefer the one inside the password manager, and doing fewer things inside your password manager itself reduces the attack surface.
GT: Another thing you could do, but probably shouldn't unless you have to, is going to your password manager's website and copying passwords from there, instead of installing the password manager software. The major password manager services all have web apps you can log into, and Google has passwords.google.com, but that's really only for use if you have a device you definitely can't install a password manager on.
LD: Apart from losing the origin-checking protection, if you're copying and pasting passwords regularly, you might leave it in your clipboard and paste it somewhere else by mistake. A good password manager app is likely to empty your clipboard after a couple of minutes or so to protect you from this, but just to be sure, you should copy other random text to clear out your clipboard.
GT: Your password manager's website probably isn't going to be able to do this because it doesn't have access to your clipboard in a way that an extension or an app would, and so you're going to have to make sure on your own that you copy something to clear out the clipboard. And doing this for every login is likely to be really tedious, and you want to set things up so that doing the secure thing is the easiest thing to do. For myself, I've found that having a third-party password manager that works with all my browsers and all my devices was the thing that really got me to start using it regularly and move away from my old password scheme.
LD: Let's take a quick break before talking about a popular alternative to password managers - using things like "Login with Google" or "Login with Facebook".
GT: After that, we'll discuss different situations where you might not have access to your password manager.
Interlude music plays.
LD: There's one popular alternative to password managers, which is clicking "Login with Google," "Login with Facebook," or so on. It promises you the same benefits - you only have to remember one password for your Google, Facebook, or whatever account you choose to use the login from.
GT: But there's a significant difference between these services and password managers. A good password manager stores your credentials offline, and they're only decrypted on your own computer. You're still logging in to each site with its own password; the password manager is just taking care of that for you. By contrast, if you click "Login with Google" or "Login with Facebook," all of that authentication happens online between this third party company's servers and Google's or Facebook's servers, and you don't have the same protection that you have from this offline, local authentication to unlock your password manager.
LD: One consequence is that, if you lose access to your password manager, you can usually reset the password by email or some other means. Your password manager is a tool - it's not actually owning your account. If your login is associated with an account from Facebook or Google or something, and you lose access to that account, many sites are not going to let you turn that into a normal password-based account and do an email reset. You can usually switch it once when you've logged in, but if you haven't logged in yet, it might not let you switch it.
GT: Earlier this year, a travel blogger posted a story about how her husband's Google Pay account picked up a permanent security alert, for circumstances that seem beyond their control, and as a result, he lost access to his cell phone service through Google Fi. He basically had to give up both his email address through Gmail and his phone number which was stuck on Google Fi, and start anew, which is a cautionary tale about centralizing your services - and those are just Google services.
LD: Oh, this is also a concern if you store all your passwords in Chrome or in the macOS Keychain and sync with your Google or iCloud account - the likelihood that something will happen that disables your account with a third-party password manager is a lot lower than for an account you're using for several other things.
GT: Right, I think you mentioned this actually in our original episode on password security that if you use Gmail and you use Google's password manager, it's a lot of centralization risk if you ever get locked out of your Google account or someone takes it over because you can't do password resets by email anymore. It seems safer to try to keep some of your eggs in different baskets.
LD: There have also been reports of "Login with Twitter" not working if your account isn't active. So if you make an off-color joke with one of your friends that you're going to kill them and Twitter disables your account because Twitter doesn't know it's a joke, well, there goes login to whatever service you linked to your Twitter account.
GT: And if you ever decide you want to delete your Facebook or Twitter account, you're going to have to go through everything that's linked and switch it over, first.
LD: Which is basically as much work as keeping a list of accounts in your password manager. So for most people, a password manager is the better choice.
GT: The risk of centralization also goes the other direction. If someone gets access to your Twitter or Facebook or Google account, they immediately get access to all the sites that you've logged into through that account.
LD: You might remember Facebook's very bad authentication bug from last September with the "View As" feature, where they accidentally built a way for any user to get a Facebook access token as anyone else. As we mentioned at the time, the "Log In with Facebook" functionality was at risk from this vulnerability, too.
GT: You might ask, well, what if my password manager has a bug? Isn't that the same sort of risk? Well, it's a much smaller risk: your password manager just has one job. It's not going to accidentally let other people take over your account because of an unexpected interaction between the video upload feature and the feature for seeing what your profile looks like to others, because your password manager just doesn't have a video uploader or a profile page accessible to others or really, like, a website that's being shared with other people at all. It just manages passwords and just makes them available to you and only you.
LD: And the data in your password manager is all encrypted with your master password, so even bugs that get access to your account won't get access to your passwords themselves. That's very different from someone getting your Facebook access token and then immediately getting access to other websites.
GT: There is one case in which I'd say maybe consider doing a login with one of these big services, which is if the site you're logging into doesn't offer two-factor authentication, or only offers SMS-based two-factor or something, you'll have a lot more secure options for two-factor from Google, Facebook, Twitter, and so forth. And so if you're logging into one of these sites using Google, Facebook, or Twitter, they'll be protected by that stronger two-factor option.
LD: Oh, true. Google, Facebook, and Twitter also let you use security keys, the most secure form of two-factor authentication, and all of them let you turn off SMS-based two-factor. But if it's so important for your login to be secure, shouldn't the website itself offer two-factor authentication?
GT: Yeah, most of the sites I care about, like my email provider, my website, etc. all have pretty good two-factor authentication options on their own. And the things that don't aren't so important that it's worth dealing with remembering which sites I have which third-party logins on.
LD: Oh, also maybe you don't want Twitter or Google or Facebook correlating your data on that site for advertising, either.
GT: Yeah, honestly, going back to that news segment earlier, I'm a lot happier if these big companies don't have the ability to follow me around as I'm using the entire internet.
LD: Another concern people have with password managers is what happens if that company ever shuts down. This is a good reason to pick a well-known password manager with a good track record and some ongoing popularity, so they're less likely to decide to go out of business and you won't have to switch to another one in a hurry. But even if they do go out of business, you're not going to lose access to all of your accounts.
GT: Ideally, they'd tell you they're shutting down before they do so, which would give you enough time to switch to a different password manager, but you shouldn't be out of luck even if they don't. Most password manager apps work offline, which means they have all your passwords stored, encrypted behind your master password of course, so even if the service itself shuts down, you'll still be able to access your passwords through those apps until you migrate to another password manager.
LD: If your password manager requires you to be online to use it, that would be a risk. You can check for yourself if that's the case by putting your phone in airplane mode or turning off wifi on your computer and making sure you can still see all your passwords. If that works, your password manager will work even if the company shuts down.
GT: The major password managers all work this way - even though most of them have online accounts, once you log in on a device, it downloads your encrypted password store and keeps it around locally. For password managers like KeePass where you sync devices on your own, make sure you have reliable copies of the synced data, and maybe add it to your backups.
LD: A few password managers offer two-factor authentication for access to the passwords themselves. If you have this set up, you should see if it requires their service to be online to use the two-factor method, for instance if it sends you a text message or a push. If that's the case, you might want to disable this on at least one device so that you have an option when their services go down.
GT: By the way, setting up two-factor authentication to access the passwords in your password manager isn't a replacement for having two-factor authentication on your actual accounts. It won't protect you at all if an attacker gets one of your passwords through a breach. Also, most password managers will stay unlocked for a while, which would leave your passwords potentially accessible to an attacker anyway.
LD: Right - neither of us put two-factor authentication on our password manager. Instead, we try to be thorough about setting up two-factor auth on all the websites that support it and are diligent about keeping physical control over our devices so an attacker can't get to our unlocked password manager extensions.
GT: For emergency access, you could also download an export of your passwords just in case, but using an app is safer because the passwords remain encrypted. If you have an old phone lying around, it's probably a good idea to sign into the password manager just so you have a backup copy of all of your passwords, in case worst comes to worst.
LD: I'd say it's probably okay to download an export of your passwords if you need to switch password managers, but you should be extremely careful when doing so because as we discuss in our episode "Physical attacks to your computers and disk encryption", fully deleting all traces of your files can be really hard.
GT: I already trust any laptop I'm willing to sign into my password manager on, so if I needed to switch password managers, I would just do the export and the import on that laptop. Instead of trying to securely erase the file, I'd just go ahead and enable full-disk encryption on that laptop beforehand if I hadn't already encrypted it, just so that my passwords aren't on disk if someone gets a hold of my computer while it's locked or powered off.
LD: Occasionally, you might find yourself in a situation where you need to use a password on a shared computer - maybe you're at a hotel business center or a library and you need to print something. Personally, I'd try to avoid typing even a single password into an untrusted computer and see if I could email the front desk my boarding pass from my phone instead of logging into something.
GT: Or look up your ticket with just your confirmation number, an option that makes it easy to avoid having to trust hotel business centers. But it's possible you'll need to print something that you'd only be able to access through your account, and it's a lot safer to access that on your own laptop or phone and then forward just that single document to someone at the hotel who can print it.
LD: Yeah, I feel like I always travel with my phone, even for very short trips, so that's generally what I do. If you somehow encounter a really stubborn front desk and need to log into something yourself on a shared computer, you should not log into your password manager on that untrusted, shared computer in order to get your passwords.
GT: Instead, you should use the password manager on your trusted mobile phone to view your password. By the way, this is another great reason to make sure that your password manager works offline, in case you won't have a data connection when traveling.
LD: That trusted mobile phone doesn't need to be an active cell phone - if you don't currently have a cell phone plan, it's perfectly fine to wipe an older phone or a friend's old phone and use it for your password manager and two-factor authenticator apps.
GT: Two-factor authenticator apps will work offline, and you can sync your passwords to your password manager app on that device over wifi. Honestly, even if it's a phone too old to get updates, it's still probably a better tradeoff, all things considered, to use it compared to not using a password manager or not using two-factor auth - just don't use other apps or browse the web on it to limit your exposure to the vulnerabilities in older software.
LD: By reading a password off your password manager on this trusted device and typing just that single password you need into the shared, untrusted computer, malware that could be on that computer would only give access to that one account - you wouldn't be possibly compromising all your accounts as you would if you had typed your password manager's master password in.
GT: I'd also think about what account you're logging into. If a ticketing company sends the ticket to your email but it's also accessible through the account for that ticketing company, I'd log into the ticketing company instead of into my email because my email is a much more important account and could be used to reset passwords for other accounts, whereas if someone gets access to my account with that ticketing company, that's a much more reduced exposure.
LD: Hey Geoffrey, remember like ten years ago when we were working on the software that ran on MIT's computer labs?
GT: Oh yeah - those were basically public access, anyone in the university could log on, and it wasn't that hard for unaffiliated people in the neighborhood to wander in, too. Those basically ran on trust - we didn't actually try to prevent people from installing software, though we did do some cool stuff to try to clean up after you if you weren't trying to be malicious about what you installed.
LD: Yeah, at the end of the day, if you really wanted to install something as administrator and keep it installed, you could just reformat and reinstall the computer, and then you'd have complete control over it - and the ability to mess with anyone who logged into it.
GT: It's pretty unlikely that a business center at a random hotel or a lab at a library is more protected than this. There is a market for software that tries to make it hard to tamper with the computer, but again, someone can just reinstall the computer, and the chances that anyone at the hotel front desk is going to notice that a computer in their business center was tampered with are pretty slim.
LD: Another thing you can do to help keep accounts you use on a shared computer secure is to change those account passwords once you get back to a device you trust. If you've changed that password, you don't have to worry about any malware on that shared computer having recorded that password because it won't be the same password and it won't work anymore.
GT: If you have two-factor authentication on an account you log into on a shared computer, anyone who gets your password won't have access to that changing second factor, so in theory you shouldn't need to worry about changing your password. But it's probably a good idea to do so anyway, just for security hygiene.
LD: Although we should be clear that this doesn't actually make it safe to log in on a shared computer. If someone had installed malicious software beforehand, they can get access to your login session by stealing cookies as soon as you log in. Against a lower-effort attack like a keylogger, changing your password will make the logged keystrokes useless, but if someone really wants to attack all the users of a public workstation, it wouldn't be that hard for them to cause some real damage.
GT: But even so, sometimes logging into one specific account is the best solution to a bad situation. While it's not a difficult attack for someone to actively monitor use of a certain public workstation, it's also honestly not that likely. So if you do need to print one important document before your flight or send one message in an emergency, maybe the best decision is to log in, do what you need, and then immediately change your password from your phone.
LD: And using a digital password manager makes it a lot less painful to change that password!
GT: So some password managers offer features for sharing passwords with limited rights - they might claim this kind of sharing allows a user to use a password but not to actually see the password - and if that worked, you could hypothetically create an account to use on shared computers and have your real account share your passwords to that account with limited rights. Unfortunately, at best, those "limited rights" features just hide the password from view from an honest person using the password manager.
LD: At some point, the password manager needs to give the website the unencrypted, plaintext password, and an attacker could intercept and see your password at that point, too.
GT: In general, these limited rights features don't really work. Even if you could prevent the password from being seen, someone who has access to that account could log in, and then go to the change password page and then autofill the old password and pick a new password of their choice, and then they'd lock you out of your account anyway.
LD: So one last passwords-related topic I wanted to cover today is something I don't think you should put in your password manager. I actually mentioned this in our very first episode, but I think it's worth repeating: I don't think you should put your email password in your password manager.
GT: I actually wasn't as sure of this when Liz mentioned this last year, but now that I've thought about it more, I do think it's definitely better not to have your email password in your password manager. If your password manager ever messed up its security and exposed your passwords, you'd want to make sure you could still reset your accounts through your email.
LD: In theory, your email is important enough to have two-factor authentication on it, but it's always possible that your email provider also messes something up with two-factor and lets an attacker in without that second factor.
GT: Okay, Liz, you're assuming your password manager gets broken into and also the two-factor on my email doesn't work? That's pretty paranoid, even for me.
LD: Yeah, you're probably right, Geoffrey, but as we said in that episode, if you can memorize one strong password, you can probably memorize two - your master password and your email password.
GT: Absolutely. I mean you don't want to memorize fifty passwords, but two isn't that hard and it gets you a lot of security. So that wraps up our discussion about how to actually use your password manager.
LD: We'll be back next time with tips on how to keep your two-factor authentications tidy.
GT: And in two episodes, we'll talk about the security model behind password manager extensions and evaluate the security records of specific password managers and their extensions.
Outro music plays.
LD: Loose Leaf Security is produced by me, Liz Denys.
GT: Our theme music, arranged by Liz, is based on excerpts of "Venus: The Bringer of Peace" from Gustav Holst's original two piano arrangement of The Planets.
LD: For a transcript of this show and links for further reading about topics covered in this episode, head on over to looseleafsecurity.com. You can also follow us on Twitter, Instagram, and Facebook at @LooseLeafSecure.
GT: If you want to support the show, we'd really appreciate it if you could head to iTunes and leave us a nice review or just tell your friends about the podcast. Those simple actions can really help us.
Outro music fades out.