Selling False Security

For the past two weeks the above ad has been appearing on my Facebook timeline. I would like to air my concerns regarding this ad.

There are some problems with the claims on this ad that I find to be very obvious. There is a flat assumption that storing your passwords in the cloud is more secure than writing them down. I would hope that no one would believe that without question.

First, if you write your passwords down, it matters how you write them down. If you write them on sticky notes on your desk/monitor, then they are revealed for everyone to see. If you write your passwords in a notebook (like the one depicted in the ad), then it is a little more secure; if someone has prying eyes, it’s a little more obvious. Also, sticky notes are easily lost and can go missing without your knowledge, which increases your vulnerability. If you were to maintain a notebook of passwords and keep it stored in a locked drawer to which only you have the key, then it’s probably pretty secure (relative to any digital solution).

A notebook for passwords has certain advantages. The biggest advantage is that there is a bit of obscurity. If you keep your passwords in a notebook that is a distinctive color and have it mixed in with other notebooks, it’s pretty easy for you to pick it out, but not so easy for someone who does not know which notebook you keep your passwords in, or someone who doesn’t even know that you keep your passwords in a notebook. On the other hand, if someone grabs your phone when you aren’t looking and sees the icon for a well-known password management app, then there is no obscurity and your passwords would be easily compromised.

Storing passwords in the cloud is more convenient: you don’t have to look them up, and often you don’t have to enter them when you go to websites supported by the app. There are some major concerns with this method though. All of your passwords are protected by a single master password. This means you have no more security than using the same password for everything you do. It also means that one compromised password means all passwords are compromised, or that losing one password results in the loss of all other passwords. In my opinion cloud-based password management is a bit too all or nothing. There is the same risk with losing the notebook, but the notebook is a physical object that can be lost and then easily found again. Also, if the notebook goes missing, you will know that your passwords have been compromised and can therefore change them as soon as you notice.

That brings me to my next point. There is no such thing as secure software or secure computing, at least not in the absolute sense. There is always the chance for some problem, some bug, some error to result in compromised data. Keep in mind that software is written by humans and it only takes one programmer not being thorough (or being intentionally malicious) to create a security breach. Large amounts of data are stolen every day from various “cloud-based” services. Usually they are trivial pieces of data or trivial accounts, but major breaches can and do occur. If your data is stolen electronically it may take a long time for the breach to be caught. If your notebook is stolen, you will know the next time you look up a password.

Just because something is “cloud based” (for whatever that really means), does not mean it is the best option.

The best solution is to not use the app or the notebook. The best option is to create passwords and then memorize them. I use neither and somehow seem to function reasonably well. I don’t have a distinct password for absolutely everything, but I have enough variation and other modes of obscurity that it would be difficult for any sort of automated attack on my accounts to use the password similarity alone to breach multiple accounts.

Here are my suggestions for passwords:

  • Use a JavaScript (client-side scripting) or desktop application to generate a random password.
  • Use a combination of letters, numbers and symbols as well as a variation of capitalization.
  • Make your password 10-20 characters in length.
  • Don’t use different passwords everywhere. This is contrary to the most common advice, but it’s not humanly possible to remember all of those passwords, and if you can remember them you won’t need to write them down and can use more complex passwords.
  • Use different passwords for different “levels” of accounts. Use a distinct password for your banks, and use different passwords for online shopping compared to more trivial accounts (such as Twitter).
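
The first three suggestions, as an added example that is not part of the original post: a client-side generator that draws from the browser's cryptographic random source rather than `Math.random()`. The function names, the symbol set and the 16-character default are assumptions made for illustration.

```javascript
// Added example. Character sets and names are illustrative assumptions.
// Browsers expose globalThis.crypto; older Node versions need the fallback.
const webCrypto = globalThis.crypto || require("node:crypto").webcrypto;

const CLASSES = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digit: "0123456789",
  symbol: "!@#$%^&*()-_=+[]{};:,.?",
};

// Uniform integer in [0, n). Rejection sampling discards values that would
// make `value % n` favour the low end of the range (modulo bias).
function randomBelow(n) {
  const limit = Math.floor(0x100000000 / n) * n;
  const buf = new Uint32Array(1);
  do {
    webCrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generatePassword(length = 16) {
  if (!Number.isInteger(length) || length < 10 || length > 20) {
    throw new RangeError("length must be an integer from 10 to 20");
  }
  const sets = Object.values(CLASSES);
  const all = sets.join("");
  // Take one character from each class first so every class is present.
  const chars = sets.map((s) => s[randomBelow(s.length)]);
  while (chars.length < length) chars.push(all[randomBelow(all.length)]);
  // Fisher-Yates shuffle so the guaranteed characters are not always first.
  for (let i = chars.length - 1; i > 0; i--) {
    const j = randomBelow(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join("");
}

// Upper bound on strength in bits: length * log2(alphabet size).
// Forcing one character per class lowers the true figure slightly.
function entropyBits(length) {
  return length * Math.log2(Object.values(CLASSES).join("").length);
}
```

With this 85-character alphabet, a 10-character password has an upper bound of about 64 bits and a 20-character one about 128 bits.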

A random 10-20 character password may seem impossible to remember at first, but just try using it for a few days (don’t use a save password function, force yourself to type it) and see if you can remember it. I find that remembering new passwords is sometimes hard to do at first, but after a few days I can remember the passwords pretty easily. My biggest issue is remembering which password is assigned to which account.