Inventing good passwords is hard, and so is remembering them; that’s part of the problem. So, how about we get computers to do the tedious stuff for us? Turns out you can, using something called a “password manager”. Are these things going to end the Federation Conversation? [This piece is part of that conversation.]
Introduction · If you already use a password manager and know the basics, you can hop down to the Thought experiment section.
First: To those of you who have a lot of passwords and aren’t using a password manager, I’d say: Start now.
Second: If you’re wondering which to use, David Strom’s Best tools for protecting passwords is pretty good, even though it’s enterprise-focused and spends time on management options that I don’t care about.
There’s a Chrome extension, so I click on the key, I type my master password, and 1Password is smart enough to notice that I’m at tripit.com and preselect that account, so I can click on that and my username and password are filled in just like that.
1Password sets a timer, so that if I go back for another login within a few minutes, I don’t have to re-type the master password. But the timer’s pretty damn short, so I end up typing it a lot.
On mobile, the picture is less pretty. When I log into my bank on my Android, I have to leave the bank app, get the 1Password app running, laboriously type in my master password, find the entry for the bank, hit the “copy” button, switch back to the bank app, and hit the “paste” button. I’m assuming this will get better.
By the way, I should mention that nearly all password managers can also be used to store other important secrets, like account numbers for banks and insurance companies.
How it works · Your passwords have to be stored somewhere, and the managers take a lot of different approaches. For example, 1Password encrypts ’em all with a key derived from your master password, and stores the encrypted vault in your Dropbox. Other managers do it differently, and the difference matters, so I think providing a summary would be a mistake. Before you adopt a password manager, go and find out exactly how it’s going to manage them.
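To make concrete what “encrypts ’em all with a key derived from your master password and stores the vault in Dropbox” commits you to, here is an added illustrative vault, written for this page; it is not 1Password’s format or code. It assumes PBKDF2-HMAC-SHA256 for key derivation, a stream cipher built from HMAC-SHA256 in counter mode plus an HMAC tag (chosen only because it needs nothing beyond the Python standard library; a real manager would use a standard AEAD such as AES-GCM), and a made-up header layout; the function names and iteration count are assumptions. What it shows is the check a practitioner wants: the stored blob leaks nothing readable, a wrong master password or a tampered blob is rejected, and anyone holding a copy of the blob can try master passwords offline with nothing to rate-limit them.

```python
import hashlib
import hmac
import json
import os
import struct
from typing import Dict, Iterable, Optional, Tuple

# Assumed KDF cost; a real manager tunes this to its slowest supported device.
KDF_ITERATIONS = 100_000
MAGIC = b"VLT1"                       # made-up format tag
HEADER_LEN = 4 + 4 + 16 + 16          # magic, iterations, salt, nonce
TAG_LEN = 32


def derive_keys(master_password: str, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=64)
    return okm[:32], okm[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode; a stand-in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_vault(master_password: str, entries: Dict, iterations: int = KDF_ITERATIONS) -> bytes:
    """Produce the opaque blob that would be synced to cloud storage."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    header = MAGIC + struct.pack(">I", iterations) + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, "sha256").digest()   # encrypt-then-MAC
    return header + ciphertext + tag


def decrypt_vault(master_password: str, blob: bytes) -> Optional[Dict]:
    """Return the entries, or None for a wrong master password or a tampered blob."""
    if len(blob) < HEADER_LEN + TAG_LEN or blob[:4] != MAGIC:
        return None
    iterations = struct.unpack(">I", blob[4:8])[0]
    salt, nonce = blob[8:24], blob[24:40]
    ciphertext, tag = blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    expected = hmac.new(mac_key, blob[:HEADER_LEN] + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


def leaks_plaintext(blob: bytes, secret: str) -> bool:
    """Sanity check: a stored vault must never contain a secret in the clear."""
    return secret.encode("utf-8") in blob


def offline_guess(blob: bytes, candidates: Iterable[str]) -> Optional[str]:
    """What someone holding the synced copy can do: guess master passwords with no server to stop them."""
    for guess in candidates:
        if decrypt_vault(guess, blob) is not None:
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample vault, not real credentials.
    vault = {"tripit.com": {"user": "someone", "password": "correct horse battery"}}
    blob = encrypt_vault("a long master passphrase", vault)
    print("round-trips:", decrypt_vault("a long master passphrase", blob) == vault)
    print("leaks site password:", leaks_plaintext(blob, "correct horse battery"))
    print("guessed from a short list:", offline_guess(blob, ["123456", "password", "letmein"]))
```

Everything needed to redo the key derivation (salt, iteration count, nonce) has to travel with the blob, so the only thing the attacker lacks is the master password itself; the master password’s strength and the KDF’s cost are therefore the whole story once the file is on somebody else’s servers.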
Thought experiment · Suppose everyone used a password manager. At the moment, a lot of non-geeks just won’t because the user experience isn’t good enough. But suppose we fixed that, made it totally slick — I saw a demo of a YubiKey making it a lot less painful on an Android device, so I think things will get better.
In that world, do we need Federated sign-in?
I totally approve of password managers; but I’m still not sure they’re the One True Path to reducing sign-in pain. The rest of this piece will mostly cover password-manager downsides, but once again: That doesn’t mean that I don’t think you should use one. You should.
Password paranoia · Now we all know that the spooks (both your own country’s and your country’s enemies’) are watching whatever they can and (more worrying) leaning on tech companies to install back doors, duplicate keys, and otherwise compromise your security.
This is one of the reasons why people worry about Federated sign-in with an IDP: “The spooks might be watching!” And yeah, they might; although the big Internet companies say repeatedly that they only respond to specific warrants.
But then, most password managers are closed-source commercial offerings, and you know what? The spooks can come after them, too. I’d say more but I don’t need to because the 1Password people wrote it up in totally clear no-bullshit language, in On the NSA, PRISM, and what it means for your 1Password data and a follow-up on Quora: “Is it reasonable to assume that developers of popular password management software (LastPass, ...) are/will be forced by law enforcement to install backdoors in their encryption algorithms?” Go read them.
Password expertise · Using a password manager supports you in choosing unique, high-quality passwords. But it does nothing to help the sites you’re signing into do a good job of authenticating you, watching for abusers and crooks and spooks, and protecting the passwords you send them.
If you care about that stuff (and you should), an IDP with a big team of dedicated security paranoids doing authentication starts to look better and better.
Take-away · A password manager reduces the probability that any one of your accounts will be hacked. And if one is, it reduces the probability that the information they get can be re-used elsewhere. Both of these are good things!
So yeah, go get a password manager and start using it. Bear in mind that even if Federated Identity becomes ubiquitous, you’re probably going to still have two or three different IDP passwords to remember, so let the manager take care of them.
But I don’t think this is a complete alternative to Federated sign-in, not even close.