(Attempting) practical password management

Why the hell do I care about security?

Bad people exist out there; it sucks, but there it is. That means you need to take precautionary measures to make sure that bad people can't get at your stuff. In terms of your online stuff, that means passwords. Lots of passwords. Lots of sufficiently complex passwords. Lots and lots of sufficiently complicated passwords (for me personally, I have over 150 accounts online of various levels of usefulness).

I realized a long time ago that not everyone makes good software. Whether it's out of incompetence, laziness, or by accident, there are plenty of websites out there which are not maintained in such a way as to keep bad people out. This is why you need a unique password for each account: once someone has broken into a website full of email addresses and passwords, the first thing they do is try to use that information to log into more interesting websites. And you care about sufficiently complex passwords -- i.e. what makes a password unguessable -- so that if someone decides they want to personally steal your stuff they will have to try really hard to figure out your password instead of simply knowing your birthdate or cat's name (or simply trying every combination of letters and numbers for passwords of 8 characters or fewer, which is why passwords can't be short anymore and you should aim for 12 characters or more).

All of this led me to create Oplop. Originally designed so that I could run it on my Symbian s60 phone that I had during my masters degree (so between 2003 and 2005), I came up with a way so that I could create unique passwords easily that (at the time) were sufficiently secure. Oplop has made creating a unique password per account rather easy for me, and so I have been doing so for well over a decade at this point.

The point is that I'm quite aware of what it takes to follow proper security practices when it comes to passwords and even I find it to be a pain. But if I find it a pain and barely tolerable, how am I supposed to convince my family to do the right thing and create unique passwords for every account and make sure they are better than 12345678? For me Oplop goes a long way, but trying to explain how it works to my family is hard, so I'm always trying to find some solution that will do the minimum amount to get my family to have unique, sufficient passwords per account while somehow allowing me to have a heightened level of security for when I'm willing to put up with it. I'm also aware that Oplop has an inherent limitation of making it hard to change how it works to improve security without breaking all of your passwords which means at some point Oplop will either need to change or I will need to move away from it.

The scenarios

When it comes to security there seems to be an inverse relationship between being secure and being convenient to use.

The ideal scenario (that's a total pain to implement)

With infinite patience and care for the utmost security, the best option is to create very long, completely random passwords for all of your accounts. Probably the easiest way to do this is using Diceware passwords. Basically you print out a long list of words that correspond to every combination 5 six-sided dice can produce. When you roll your 5 dice you then look up the word corresponding to the values and that word becomes part of your password. Do that 6 or more times and you have a very secure password (there's a nice Diceware intro by The Intercept if that didn't all make sense). You could then write the password down in an address book so you can look it up later. Oh, and you should turn on two-factor authentication (2FA) for all of your accounts when available no matter what.
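To make the dice-to-word lookup and the "8 versus 12 characters" comparison from earlier concrete, here is an added Python example; it is not code from this post, from Oplop, or from any Diceware tool, and the short wordlist is a constructed stand-in for the real 6^5 = 7776-word list.

```python
import math
import secrets

# Constructed sample wordlist, stored in dice-key order (index 0 <=> "11111").
# A real Diceware list has 6**5 = 7776 entries, one per five-dice outcome.
SAMPLE_WORDS = ["abacus", "bagel", "cactus", "dingo", "ember", "falcon",
                "gadget", "harbor", "iguana", "jigsaw", "kayak", "lemur"]
DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776


def dice_key(index):
    """Map a list index to its five-digit dice key: 0 -> '11111', 7775 -> '66666'."""
    if not 0 <= index < LIST_SIZE:
        raise ValueError("index out of range for a five-dice list")
    digits = []
    for _ in range(DICE_PER_WORD):
        index, remainder = divmod(index, 6)
        digits.append(str(remainder + 1))  # dice faces are 1-6, not 0-5
    return "".join(reversed(digits))


def index_from_dice(key):
    """Inverse of dice_key; rejects anything that is not exactly five digits 1-6."""
    if len(key) != DICE_PER_WORD or any(ch not in "123456" for ch in key):
        raise ValueError("a Diceware key is exactly five digits from 1 to 6")
    index = 0
    for ch in key:
        index = index * 6 + (int(ch) - 1)
    return index


# The printed lookup table: dice key -> word.
WORDS_BY_KEY = {dice_key(i): word for i, word in enumerate(SAMPLE_WORDS)}


def roll_key(rng=secrets.randbelow):
    """Roll five dice with a CSPRNG (injectable for testing) and return the key."""
    return "".join(str(rng(6) + 1) for _ in range(DICE_PER_WORD))


def passphrase_from_rolls(keys, table=WORDS_BY_KEY):
    """Turn a sequence of physical dice rolls into the passphrase, one word per key."""
    return " ".join(table[key] for key in keys)


def entropy_bits(choices, length):
    """Guessing entropy of `length` independent picks from `choices` symbols."""
    return length * math.log2(choices)
```

With the real list, six words give `entropy_bits(7776, 6)`, about 77.5 bits, which beats 12 random letters and digits (`entropy_bits(62, 12)`, about 71.5 bits) and is far beyond 8 of them (about 47.6 bits).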

The issue becomes how tedious this is from start to finish. To start, using Diceware is a bit tedious in and of itself. It's so tedious, in fact, that an 11-year-old has a business of charging $2/password to mail one to you. To do Diceware passwords properly you have to physically throw some dice around and you have to physically look up the corresponding word in what amounts to a book of words (you could use a computer to at least look up the words, but you would need to use something like a Raspberry Pi with no internet access and then you would need to destroy the SD card you loaded the OS and software onto in order to prevent the passwords from leaking out of that SD card somehow; this is what you have to do for a secure Bitcoin address, by the way). And then to actually use those passwords you really shouldn't use something that saves your passwords, so you need to enter those six-word passwords manually every time (and to be honest, you should also compile all of your programs from scratch as well, just to be safe). Oh, and don't forget that the book you keep your passwords written down in shouldn't leave your house to make sure you don't lose it, so that means if you can't memorize a password you simply can't log into an account unless you're at home.

In other words this is a massive pain that no one would want to do for every password they have online.

The less ideal scenario (that's a bit more probable if you're hardcore)

Now if you're willing to take things down a notch, one way to make this much more tolerable is to use a password manager you can trust. For most security folk that's KeePass/KeePassX (the only real difference between the two is the tech behind the programs). These are open source programs that are designed to manage passwords. Being open source means you can be as careful as you want about making sure the programs are not doing anything you don't want them to. And since there's an Android port (among a couple others), you don't even need to worry about not having access to your computers when you're away from home if you keep your password file synced between computers somehow (whether that's manually or writing it encrypted to a cloud storage provider is up to you and how careful you want to be).

For generating the passwords you're still best off using Diceware, but the KeePass apps provide ways to generate passwords as well. Assuming you trust the apps to do a good job then you can even get passwords easily generated for you. And you should still turn on two-factor authentication (2FA), but don't save any password for 2FA accounts on the same device you have your 2FA tokens on (else you're combining the "something you know" with "something you have", negating a key point of 2FA).

The practical scenario (that will work for both me and my family)

The problem with the KeePass apps is that they are not the slickest password managers out there. LastPass, Dashlane, and 1Password all have nicer UIs than KeePass and have made it easier to store your passwords thanks to browser extensions, mobile apps, websites, etc. But they are all closed-source and if you want them to sync between devices you typically have to pay for that. So there's definitely a heightened level of trust required plus a financial cost to having a nicer, easier password management solution to use.

But you know what? If it gets my family to finally use unique, secure passwords for their accounts online then I'm willing to take the practical solution of trusting these closed-source companies and recommend they use one of these services. Getting my family to have to remember one really secure password for e.g. 1Password to get them to use unique passwords everywhere is better than them using one or two weak passwords all over the place.

For me, though, I'm willing to go a little above and beyond. For me, there are two types of accounts. One type is where if someone managed to break into the account then I would be frustrated, but I wouldn't exactly be frantically making phone calls or rushing home to try and deal with the fallout; these are what I call "argh" accounts as I will let out a sigh upon learning of the security breach but I'm not going to flip out. On the other hand, there are accounts like my bank, Google, or GitHub where if someone broke in I would be yelling "oh crap!" and racing home to try and figure out how to deal with the problem. For the former, I'm fine with using a password manager to store my passwords since the convenience/threat tradeoff is such that convenience wins out. For the "oh crap" accounts, though, I want very secure passwords like those created through Diceware which are not stored in any password manager (and somewhat ironically, a password manager is an "oh crap" account even though it only protects "argh" accounts, because getting access to nearly all of my "argh" accounts is a much bigger deal than just one of my "argh" accounts). I also use identity providers like Google and Facebook whenever I can so that I don't even have to worry about an "argh" account's password since I just have to be able to log into e.g. Google, which I always can do securely. And finally, I turn on 2FA for any account that offers it since I worry a lot less about any account that offers it even if it is just an "argh" account.

What I'm planning to do

To start, I'm going to test out 1Password for Families with myself and my wife, Andrea. If Andrea ends up liking it then I will offer to pay for the subscription for 1Password to all adult members of my immediate family (it's $5/month for up to 5 family members, $1/month extra for each additional family member). I will also offer to help them set up 2FA on any account -- which will probably be just Google -- and also buy them a U2F security key to act as backup for their 2FA setup (although the security brought by a security key isn't that critical for most of my family as they don't travel enough without their own devices).

For myself, on top of using 1Password for my "argh" accounts I'm going to create Diceware passwords for my "oh crap" accounts. I will use https://www.rempe.us/diceware/ and the alternative wordlist to make them (I contributed a couple of changes to the project to make it easier to use on mobile and up the security slightly). I'll keep these critical passwords written down in an address book that won't leave my home and which will also contain all 2FA backup codes. I already have 2FA turned on for all of my accounts that already support it and that won't be changing.

I think this strikes a good balance for me and my family. It gets my family to start using secure, unique passwords everywhere, even if it is in a closed-source password manager as I would rather place trust in 1Password than my family doing the right thing unassisted. As for me, I think Diceware passwords are plenty secure for accounts that need that kind of security, and if I'm going to ask my family to trust 1Password then I should too for accounts that I'm not totally paranoid about.