Since I mentioned password management in passing yesterday I recall a question I haven’t seen answered yet: how do you manage your password management passwords?
My setup is this: as advocated by, e.g., Bruce Schneier and Troy Hunt (but not, apparently, by Florêncio et al. 2014, although I’ve only read the abstract and some of the press coverage), I use a password manager, which stores long random passwords for all the sites I use and is in turn protected by a single password.
While I’ve been doing this for several years, a few flaws have emerged:
- Google passwords. You have no idea how often you need to enter your Google password on an Android phone until you do. You’ll be prompted for it on every new device and then after every password change, even if you only change passwords after a Heartbleed-level-or-greater incident. As an Android user, it’s very hard to live with a Google password like F]U8NScS+RP7eL5)v=gj7f*/bX~$&` or even F]U8NScS+R, frankly. (Especially since, if you have two-factor authentication turned on, the way you authenticate an Android phone involves entering your password twice.)
- Shared passwords, often required in business in particular but also in (cough) personal households, and not handled by most password managers in any model other than “a password database for you”, “a password database for you and your boss”, and so on for potentially combinatorial values of “you and [colleague]”.
There are some services that attempt to solve that second point within an organisation, e.g., LastPass Enterprise, but even allowing for that, let us enumerate the password manager passwords that a hypothetical individual called Mary currently has:
- personal password manager password
- work password manager password
- household password manager password
- volunteer organisation password manager password
And at the point where this hypothetical individual is remembering four separate extremely complex and secure passwords it’s beginning to look like the promised land of “the last password you’ll ever need” is, well, turtles all the way down.