2018-09-24
Why I don't set master passwords in programs
There are any number of programs and systems that store passwords for you, most prominently browsers with their remembered website passwords. It's very common for these programs to ask you to set a master password that will secure the passwords they store and be necessary to unlock those passwords. One of my peculiarities is that I refuse to set up such master passwords; this shows up most often in browsers, but I stick to it elsewhere as well. The fundamental reason why I don't do this because I don't trust programs to securely handle any such master password.
You might think that everyone manages this, but in practice securely handling a master password requires a lot more than obvious things like not leaking it or leaving it sitting around in memory or the like. It also includes things like not making it easy to recover the master password through brute force, which is a problem that Firefox has (and Thunderbird too); see Wladimir Palant's writeup (via). It seems likely that other master password systems have similar issues, and at the least it's hard to trust them. Cryptography is a hard and famously tricky field, where small mistakes can turn into big problems and there are few genuine experts.
I have a few core passwords that I use routinely and have memorized; these are things like Unix login passwords and the like. But if I can't trust a program to securely handle its master password, it's not safe to use one of those high value memorized passwords of mine as its master password; I'm not willing to risk the leak of, say, my Unix login password. That means that I need to create a new password to be the program's master password, and additional passwords are all sorts of hassle, especially if I don't use them frequently enough to memorize them. Even having a single password that I used for everything that wanted a master password would be an annoyance, and of course it would be somewhat insecure.
So the upshot of all of this is that I just don't use master passwords. Since all of the passwords that I do allow things to store are not strongly protected, I make sure to never allow my browsers, my IMAP clients, and so on to store the password for anything I consider really important. Sometimes this makes life a bit more inconvenient, but I'm willing to live with that.
(The exception that proves the rule is that I do have a fair bit of trust in my iPhone's security, so I'm willing to have it hold passwords that I don't allow other things to get near. But even on the iPhone, I haven't tried to use one of the password store apps like 1Password, partly because I'm not sure if they'd get me anything over Apple's native features for this.)
I don't have any clever solutions to this in general. The proliferation of programs with separate password management and separate master passwords strikes me as a system design problem, but it's one that's very hard to fix in today's cross-platform world (and it's impossible to fix on platforms without a strong force in control). Firefox, Chrome, and all of those other systems have rational reasons to have their own password stores, and once you have separate password stores you have at least some degree of user annoyance.
PS: One obvious solution to my specific issue is to find some highly trustworthy password store system and have it hold the master passwords and so on. I'm willing to believe that this can be done well on a deeply integrated system, but I primarily use Linux and so I doubt there's any way to have a setup that doesn't require various amounts of cutting and pasting. So far the whole area is too much of a hassle and involves too much uncertainty for me to dig into it.
(This is another personal limit on how much I care about security, although in a different form than the first one.)
Walking away from Google Chrome
Despite periodic qualms over Chrome extensions, I've been using Chrome for what is now a long time. However, that's a bit misleading of a statement, because I don't really use Chrome in a conventional way. Basically all of what I do with Chrome is use incognito mode as my 'just make this site work, I don't care' browser, with Javascript and so on all enabled in a way that I don't normally do. For a long time this also had the advantage that for me Chrome was faster than Firefox on Javascript-heavy sites.
In the recently released Chrome 69, Google made a significant change to Chrome's behavior; logging into a Google site automatically logs you into Chrome itself under that identity, leaving you very close to having Chrome sync your local Chrome data to Google whether or not you really want it to. A number of people are very unhappy about this; see, for example, Chrome is a Google Service that happens to include a Browser Engine (via) and Why I’m done with Chrome (via).
In theory, I'm not affected by this behavior. I almost never log into any Google site in the first place and I'm basically always doing so in incognito mode, where this doesn't (currently) apply. In practice, this has pushed me to deciding that this is a bridge too far and I no longer want to use Chrome if I can avoid it, and fortunately I can these days. Modern Firefox Quantum has sped up Javascript significantly, and anyways I have much faster machines now than I used to, and conveniently the last site where I had to use Flash recently finally moved to using HTML5 video. That leaves having Javascript and cookies turned on. In Firefox, the simple approach to get the disabled addons I had in Chrome's incognito mode is to make a new profile with a different set of addons. These days this is a process I'm already quite familiar with, because I already maintain several special purpose Firefox profiles with different sets of addons.
So now I have a new Firefox 'Javascript' profile all set up to allow
Javascript and all that but to throw away all cookies on exit, and some
new scripts to make invoking it as convenient as my existing ichrome
script. My early experience is positive, and in fact the experience is
clearly better than Chrome in two respects. First, I don't have my
Chrome cut and paste irritation. Second,
Firefox will offer to save website passwords for me in this profile;
incognito Chrome quite reasonably never saves passwords on its own, so I
always had to set them up by logging in once in regular Chrome.
(If I was really determined about this shift, I would change my
ichrome script to run Firefox in my Javascript profile instead
of incognito Chrome. I'm not quite there yet.)
I'm under no illusions that Google will even notice my departure from the Chrome fold, especially since I use Chrome on Linux (which is already a tiny OS for Chrome usage). But it makes me happier to walk away from Chrome here, and I even seem to be improving my browsing life in various small ways.
(This elaborates on some tweets of mine.)
Sidebar: How I want to set up Firefox to discard cookies and history
When I first set up this Firefox Javascript profile, I picked the obvious option for history of 'Never remember history'. However, this turns out to magically enable Firefox's private browsing mode, which has the side effect of disabling saving logins and passwords for websites. So instead I have it set to 'use custom settings for history', where my custom setting is not to remember downloads or search and form history and to clear history when Firefox closes, ie Firefox should never remember history. Cookies I have set to 'Keep until Firefox is closed'.
(Perhaps Firefox's private browsing would remember passwords if I set a master password, because that option is not greyed out, but in practice I don't do that for reasons beyond the scope of this entry.)