Why I don't set master passwords in programs

September 24, 2018

There are any number of programs and systems that store passwords for you, most prominently browsers with their remembered website passwords. It's very common for these programs to ask you to set a master password that will secure the passwords they store and be necessary to unlock those passwords. One of my peculiarities is that I refuse to set up such master passwords; this shows up most often in browsers, but I stick to it elsewhere as well. The fundamental reason why I don't do this is because I don't trust programs to securely handle any such master password.

You might think that everyone manages this, but in practice securely handling a master password requires a lot more than obvious things like not leaking it or leaving it sitting around in memory or the like. It also includes things like not making it easy to recover the master password through brute force, which is a problem that Firefox has (and Thunderbird too); see Wladimir Palant's writeup (via). It seems likely that other master password systems have similar issues, and at the least it's hard to trust them. Cryptography is a hard and famously tricky field, where small mistakes can turn into big problems and there are few genuine experts.
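To make the brute-force point concrete, here is an added example (not code from this entry or from the linked writeup) that measures how much one offline guess costs when a key is derived from a master password with a single pass of a fast hash versus an iterated KDF, and turns that into an expected search time. The function names, the 40-bit password entropy, the 200,000 iteration count and the 1000x attacker speedup are all assumptions chosen for illustration.

```python
import hashlib
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def derive_fast(password: bytes, salt: bytes) -> bytes:
    # Weak pattern: one pass of a fast hash, so each guess costs one hash.
    return hashlib.sha256(salt + password).digest()

def derive_slow(password: bytes, salt: bytes, iterations: int = 200_000) -> bytes:
    # Iterated KDF: each guess costs `iterations` HMAC computations.
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)

def seconds_per_guess(derive, salt: bytes, trials: int) -> float:
    # Average wall-clock cost of one derivation on this machine.
    start = time.perf_counter()
    for i in range(trials):
        derive(b"guess-%d" % i, salt)
    return (time.perf_counter() - start) / trials

def years_to_search(entropy_bits: float, sec_per_guess: float,
                    speedup: float = 1.0) -> float:
    # Expected time to try half of a 2**entropy_bits password space.
    # `speedup` models guessing hardware faster than this machine (assumed).
    guesses = 2 ** (entropy_bits - 1)
    return guesses * sec_per_guess / speedup / SECONDS_PER_YEAR

def compare(entropy_bits: float = 40, speedup: float = 1000.0) -> dict:
    salt = os.urandom(16)  # constructed sample salt
    fast = seconds_per_guess(derive_fast, salt, 20_000)
    slow = seconds_per_guess(derive_slow, salt, 3)
    return {
        "fast_years": years_to_search(entropy_bits, fast, speedup),
        "slow_years": years_to_search(entropy_bits, slow, speedup),
        "cost_ratio": slow / fast,
    }

if __name__ == "__main__":
    r = compare()
    print(f"single hash : {r['fast_years']:.4f} years expected")
    print(f"iterated KDF: {r['slow_years']:.1f} years expected")
    print(f"per-guess cost ratio: {r['cost_ratio']:.0f}x")
```

The absolute numbers depend on the machine; the ratio is what shows how much of the protection comes from the derivation cost rather than from the password itself.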

I have a few core passwords that I use routinely and have memorized; these are things like Unix login passwords and the like. But if I can't trust a program to securely handle its master password, it's not safe to use one of those high value memorized passwords of mine as its master password; I'm not willing to risk the leak of, say, my Unix login password. That means that I need to create a new password to be the program's master password, and additional passwords are all sorts of hassle, especially if I don't use them frequently enough to memorize them. Even having a single password that I used for everything that wanted a master password would be an annoyance, and of course it would be somewhat insecure.

So the upshot of all of this is that I just don't use master passwords. Since all of the passwords that I do allow things to store are not strongly protected, I make sure to never allow my browsers, my IMAP clients, and so on to store the password for anything I consider really important. Sometimes this makes life a bit more inconvenient, but I'm willing to live with that.

(The exception that proves the rule is that I do have a fair bit of trust in my iPhone's security, so I'm willing to have it hold passwords that I don't allow other things to get near. But even on the iPhone, I haven't tried to use one of the password store apps like 1Password, partly because I'm not sure if they'd get me anything over Apple's native features for this.)

I don't have any clever solutions to this in general. The proliferation of programs with separate password management and separate master passwords strikes me as a system design problem, but it's one that's very hard to fix in today's cross-platform world (and it's impossible to fix on platforms without a strong force in control). Firefox, Chrome, and all of those other systems have rational reasons to have their own password stores, and once you have separate password stores you have at least some degree of user annoyance.

PS: One obvious solution to my specific issue is to find some highly trustworthy password store system and have it hold the master passwords and so on. I'm willing to believe that this can be done well on a deeply integrated system, but I primarily use Linux and so I doubt there's any way to have a setup that doesn't require various amounts of cutting and pasting. So far the whole area is too much of a hassle and involves too much uncertainty for me to dig into it.

(This is another personal limit on how much I care about security, although in a different form than the first one.)

Comments on this page:

By Bill at 2018-09-25 05:08:32:

Does your skepticism extend to password-management tools in general? If so, then what do you store passwords in? I share your distrust of browser-based password management, since browsers are huge, complicated, difficult-to-secure things that get exposed to untrusted input all day long, and of "cloud" services in general, since outfits like LastPass and 1Password are both a.) high-value targets, and b.) could go away, like other as-a-service things have. I'm a lot more willing to trust something like KeePass that's just a local application that keeps a local password database. It's a much smaller program than a browser (and should thus be easier to make secure), and the password database is just an encrypted file that I can back up or move around myself. I've found the copy-and-pasting to be a pretty minor inconvenience well worth putting up with, especially considering there's no way I could remember more than a few strong, unique passwords without some kind of manager.

KeePass having cross-platform implementations helped. I suppose if I were Unixy to the core I could use pass, but I'm not that dedicated.

Till some time back I have found https://getvau.lt/ to be a decent password generator. It is browser based (but has no 3rd party js, nor makes any network calls to the server) and creates a password when user provides a passphrase and a service name. There's also an npm package for the same.

These days I am trying to move some things over to KeePassXC since it provides me with a local (and more importantly encrypted) database for my passwords.

Coming to browsers, I am a FF user but one thing that tricked me with FF password manager is the fact that even if I set a master password on my machine, I'm able to sync the passwords on a different machine without the master password. Ideally, both the passwords and the master password should be synced and I shouldn't be able to access the passwords on another machine without my master password. Due to the same reason I'm gradually moving my passwords to KeePassXC. It's a bit cumbersome but if one wants a bit of privacy these days then cumbersome is your friend.

Written on 24 September 2018.

Last modified: Mon Sep 24 21:30:27 2018