Password Protection: Why Password Management Applications Are Doomed To Fail
Mat Honan wrote a harrowing piece recently in Wired Magazine called “Kill the Password: Why a String of Characters Can’t Protect Us Anymore.” In it he described how having a single password stolen by a young hacker literally turned his life upside down:
This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat. As a three-letter username, it’s considered prestigious. And to delay me from getting it back, they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.
Security companies have long striven to devise the killer app that provides an iron-clad fortress around our passwords. Password Managers are the much-hyped internet security apps of the moment, and security giants like Symantec (Norton) and Kaspersky have jumped on the bandwagon with their own variations on this model.
Here is how Neil Rubenking of PC Mag describes the core functionality of these apps:
When you log in to a secure site, your password manager captures the username and password; when you revisit that site, it offers to fill in the saved credentials. That, at its most basic, is the function of a password manager.
Many of these applications require that you manually enter each of your user names and unique passwords into the application. Because you will never have to remember them again, you can make each one of them as complex as possible, such as 20+ character hodgepodge strings of letter/number/symbol combinations. Some of these security companies will even encrypt them locally on your PC, so that when they are stored in the cloud not even the odd rogue employee in their ranks will be able to figure them out.
And most significantly, since they will be automatically filled in by the Password Manager, a malicious keyboard logger will be unable to hijack all these unique passwords from you.
Iron clad security!
So how will you be accessing this Password Manager so that it can begin to log you into ALL your online accounts with these highly uncrackable passwords?
Oh right, you’ll need to come up with a single password that you can remember to log into your Password Manager. Hopefully this SINGLE memorable password won’t get picked up by a malicious keyboard logger, or somehow cracked by a malicious hacker. Because if that were to happen, he would gain instant access to EVERY SINGLE ACCOUNT YOU HAVE.
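To make the two points above concrete (the local encryption that keeps the cloud copy unreadable, and the one master password that unlocks all of it), here is an added Python sketch. It is not code from any product named in this post; the vault format, the HMAC-based toy cipher standing in for a real AEAD, and the sample entry are constructed assumptions.

```python
import hashlib, hmac, json, os
from typing import Optional

# Demonstration vault: the synced copy holds only salt, nonce, ciphertext and tag.
# Every key is derived from the master password on the user's own machine, so a
# cloud operator sees nothing usable, but one guessed master password opens it all.
# Stdlib only: HMAC-SHA256 keystream (CTR-style) plus encrypt-then-MAC. A real
# product would use a vetted AEAD (AES-GCM) and a memory-hard KDF (Argon2).

PBKDF2_ITERATIONS = 600_000  # cost factor that slows offline guessing of a stolen vault


def derive_keys(master_password: str, salt: bytes):
    """Stretch the master password into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal_vault(master_password: str, entries: dict) -> dict:
    """Encrypt the credential store locally; the returned blob is what gets synced."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    pt = json.dumps(entries).encode()
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_vault(master_password: str, blob: dict) -> Optional[dict]:
    """Return the entries, or None if the master password is wrong or the blob was altered."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ct, tag = bytes.fromhex(blob["ct"]), bytes.fromhex(blob["tag"])
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None  # authenticate before decrypting
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


if __name__ == "__main__":
    # Constructed sample entry; the values are placeholders, not real credentials.
    vault = {"example.com": {"user": "alice", "pass": "placeholder-20+char-random"}}
    blob = seal_vault("correct horse battery staple", vault)
    print("synced copy exposes only:", list(blob))
    print("wrong master password ->", open_vault("wrong", blob))
```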
The entire logic behind this idea is fatally flawed. It is akin to using the same password for all of your many accounts — something every security professional warns you against doing.