Is it crazy to be afraid of password managers?
I admit it: Like most people, I’m terrible at passwords. Too often I use too-simple passwords, and I don’t always come up with a new one for every site and service I log into. Then, when I do come up with a strong, unique password, I often forget it entirely and have to request an email to reset it—typically to something either too easy to guess or something I’ll instantly forget again.
That’s why password managers exist. They’re designed to let you enter a single, secure password in one place and then generate new, strong passwords for every application where you need one.
It’s a great idea, but despite my deep password problems, I’ve been too scared to use one. Rationally or not, I was always afraid that relying on a single password manager would create a single point of vulnerability for all my passwords.
You’re not paranoid if you’re really in danger
I always thought I was being a paranoid ’fraidy cat, but then again, maybe not.
Late last month, news surfaced that a Google researcher discovered a serious—but undisclosed—vulnerability in LastPass, a popular password manager with extensions and plug-ins for many leading browsers. Apparently, the problem could have let hackers steal your passwords and change settings in your account.
According to reports early this month, LastPass has pushed out updates to all affected browsers. The company now advises users to make sure their plug-ins are all properly updated to version 4.1.44 or later, and they should be safe. (Warning: Network World’s Sean Cassidy still advises companies to “Stop using password manager browser extensions.”)
But frankly, that’s not enough to restore my confidence in LastPass—or any password manager really. Which leaves me back where I started: with weak, duplicated passwords that I still can’t remember. Even more annoying, many sites employ complex password rules designed to enforce strong passwords that simply make it even harder to remember your password, without really making you much more secure.
So, what’s the solution? If you ask me, it’s time to find a completely different approach. Basically, don’t just forget your password, forget the entire concept of passwords. After all, passwords pretty much suck—in a wide variety of ways. Apart from strong passwords being hard to remember, they just don’t do a very good job of providing security. Worse, many password schemes spend a great deal of effort making users jump through hoops to create super-long passwords or use capital letters, numbers and other characters, none of which, experts argue, helps make you any more secure.
There are myriad other approaches to security, including physical biometric solutions such as fingerprint, facial, voice and iris recognition and behavioral biometrics such as heartbeat or even gait authentication. Then there are temporary authorization codes, trusted-location sensing, or personal USB keys or other tokens.
Sure, all these alternatives have their own issues, but at this point, I’m ready to believe almost anything is better than continuing to rely on passwords—not to mention password managers.