Published in Cloud Security

Password Management Alternatives

Risk mitigation comes down to trade-offs and personal choices

Wired author @lilyhnewman recently reached out for my thoughts on using third parties to manage all your login credentials. I’m a fan! You’ll find many references to her work in my book: Cybersecurity for Executives in the Age of Cloud. You can read her full article here:

Others have asked me questions like this many times before. Should I use a password manager? Is using Google authentication secure? It’s a tricky question: the topic is complicated to begin with, and most end-users are not going to be willing to do the things I do with my passwords. Even though I try to be more secure, I’m still concerned that attackers will somehow get to them. There’s no easy answer to this problem.

I loved what Lily chose to write in her article. Since I struggle to condense this complex topic into a simple answer, I gave her a more in-depth collection of thoughts and let her pick and choose what she wanted to write. I thought she did an excellent job of summarizing my viewpoint and comparing and contrasting with others. I thought it might still be interesting to provide a more extended summation of my thoughts on the matter. Personal password management is a challenge for everyone, including me. It’s something I talk about more in-depth in my book.

When it comes to dealing with passwords, there are a series of trade-offs. I don’t think there’s one answer for every person, account, or scenario. Sometimes the answer is relative. One solution is more secure than another. One is easier than another, so it is more realistic that someone will use it effectively. Using a password manager or your Google account for authentication with a strong second factor, such as a YubiKey or an application like Google Authenticator, is better than using the same username and password everywhere. Which one is better depends on several factors.

When you use a password manager on your local machine, an attacker may break into your computer and steal all the passwords via a vulnerability in the password manager. How secure are your network and your laptop? Could an attacker break in and steal the files associated with your password manager to steal the passwords, or overwrite the password manager with a copy of their fake software that somehow accesses the passwords? Even if attackers do not break into your system, they may find another way to access those passwords. Earlier this year, researchers tricked some password managers into giving passwords out to illegitimate applications.

When you use Google as a source of authentication for an application, you risk one compromised set of credentials providing access to all your applications. Bear in mind that Google also has made mistakes in the past. They stored G Suite credentials in plain text for some users for 14 years. Google had to recall its hardware key due to a vulnerability after the initial launch. Google employees might find a way to access credentials by changing system code if that is possible. Your choice to use Google involves some level of trust in the company. That is true of any company you entrust with the security of your data.

In general, I believe that Google has relatively robust authentication mechanisms. Some people who can’t or won’t set different passwords for every system will be better off with Google than nothing at all. Is it more or less secure than a password manager? That depends on how you feel about Google having your credentials versus the security of your password manager. Neither case eliminates all risk, but they are better than the alternative of doing nothing at all and reusing the same password everywhere.

It is impossible to be certain one is better than the other because we can’t know all the details about how Google internally manages your credentials. Additionally, each home user may have a more or less secure home network, and different password managers may be more or less secure. For home users who don’t want to invest a lot of time, either option is decent, in my opinion. For those who want to invest a bit more time securing their data, we can consider the risk factors and, instead, come up with a strategy to minimize losses, should credential compromise occur.

When you invest in the stock market, a common strategy is to diversify your investments across many different stocks rather than put all your money into a single company. That way, if something happens to one company that causes the stock to fall, you still have decent investment income from the rest of your portfolio to offset losses, hopefully. I like to think about my data and passwords in the same way. I use the concept of segregation a lot so that if an attacker gets one username and password, or gets into one particular system, they don’t have everything. I also tend to back up data to multiple sources and accounts that have different passwords. I use separate computers for different purposes and don’t log into them all at the same time.

Using a similar strategy, I choose not to count on any single source for all my password management. I’m a security professional, and some home users may not want to go through the trouble to do things the way I do. I might use one third-party vendor to log into lower-risk applications and store passwords in an alternate form to log into higher-risk applications. I have multiple accounts at a single vendor for different purposes, so if someone accesses that account, they only get a subset of my data. For my most sensitive passwords, I don’t put them into electronic form. I write them down and store them in a safe if I write them down at all, and then I use the strongest form of second-factor authentication available.

My solutions may be overly complicated for some people, and they still are not perfect. I still worry about someone accessing my data via a stolen password or compromised system. However, I do my best to prevent that by keeping software up to date, securing my network, and segregating resources to limit potential damage. As mentioned at the end of the article, choose any solution that helps avoid reusing the same password everywhere for the reasons I explain in my book. If possible, that solution should not include storing passwords in plain text (unencrypted) on a mobile device, laptop, or computer. Wherever possible, use multi-factor authentication.

Teri Radichel — Follow me @TeriRadichel

© 2nd Sight Lab 2020

____________________________________________

Want to learn more about Cloud Security?

Check out: Cybersecurity for Executives in the Age of Cloud.

Cloud Penetration Testing and Security Assessments

Are your cloud accounts and applications secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Cloud Security Training

Virtual training available for a minimum of 10 students at a single organization. Curriculum: 2nd Sight Lab Cloud Security Training

Have a Cybersecurity or Cloud Security Question?

Ask Teri Radichel by scheduling a call with IANS Research.

____________________________________

2020 Cybersecurity and Cloud Security Podcasts

DOM XSS Attacks and Prevention ~ IANS November 2020 Webinar

Cybersecurity for Executives in the Age of Cloud with Teri Radichel

Teri Radichel on Bring Your Own Security Podcast

Understanding What Cloud Security Means with Teri Radichel on The Secure Developer Podcast

2020 Cybersecurity and Cloud Security Conference Presentations

RSA 2020 ~ Serverless Attack Vectors

AWS Women in Tech Day 2020

Serverless Days Hamburg

Prior Podcasts and Presentations

RSA 2018 ~ Red Team vs. Blue Team on AWS with Kolby Allen

AWS re:Invent 2018 ~ RedTeam vs. Blue Team on AWS with Kolby Allen

Microsoft Build 2019 ~ DIY Security Assessment with SheHacksPurple

AWS re:Invent and AWS re:Inforce 2019 ~ Are you ready for a Cloud Pentest?

Masters of Data ~ Sumo Logic Podcast

Azure for Auditors ~ Presented to Seattle ISACA and IIA

OWASP AppSec Day 2019 — Melbourne, Australia

Bienvenue au congrès ISACA Québec 2019 Keynote ~ Quebec, Canada (October 7–9)

Cloud Security and Cybersecurity Presentations

White Papers and Research Reports

Securing Serverless: What’s Different? What’s Not?

Create a Simple Fuzzer for Rest APIs

Improve Detection and Prevention of DOM XSS

Balancing Security and Innovation with Event-Driven Automation

Critical Controls that Could have Prevented the Target Breach

Packet Capture on AWS

Teri Radichel

Cloud Security Training and Penetration Testing | GSE, GSEC, GCIH, GCIA, GCPM, GCCC, GREM, GPEN, GXPN | AWS Hero | Infragard | IANS Faculty | 2ndSightLab.com