Password Manager or Strong Passwords?

Which is considered stronger security?
Peter Wilson (IT) asked:

John (Business Consultant, Owner) commented:
You need Strong Passwords for sure. Password Managers are optional and not really related to password strength. Use only strong passwords.
0
btan (Exec Consultant) commented:
In fact, a password manager is dependent on a strong password too. So it is a matter of which is stronger. You still need a strong password either way.

The password manager stores your bag of passwords and, evidently, most use it not because it is stronger but more for convenience. The problem is that when you subscribe to a lot of different services, you're usually also forced to generate a lot of different passwords. This is actually a good thing. Password managers provide relief: you only need to remember a strong master password. This is the one "key" to all the rest of the other passwords.

The fact of the matter is that the measure of a strong password has now reached a turning point. NIST (the standards body) advises its agencies to jettison outdated password complexity rules in favor of user-friendliness. It also introduces new password encryption standards and requires multi-factor authentication for any service involving sensitive information.

Read on, as it is meant to take away password complexity in favor of longer passwords.
Conventional wisdom says that password complexity can only be a good thing. But in reality, complex password requirements can do more harm than good. Making users' lives easier, not harder, is the way to ensure stronger passwords.
https://auth0.com/blog/dont-pass-on-the-new-nist-password-guidelines/

It affects not only the public sector but also private industry. The moral of the story is that we should say 2FA is stronger than a strong password.

You may like to catch this for strong passphrases instead.
https://www.experts-exchange.com/articles/18309/Choosing-an-easy-to-remember-strong-password.html
3
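Added example (not part of btan's post or the linked article): what the NIST SP 800-63B model btan refers to looks like as a verifier-side check. It enforces a minimum length, accepts long passwords, applies no composition rule at all, NFKC-normalises before comparing, and rejects blocklisted, context-specific, repetitive and sequential values. The BLOCKLIST is a constructed stand-in for a breach-derived corpus; MAX_LENGTH of 256 is an assumption chosen only to bound hashing cost.

```python
import re
import unicodedata

# Constructed stand-in for a breached/common-password corpus (assumption: a
# real verifier loads a large breach-derived list; this set only shows the mechanism).
BLOCKLIST = {
    "password", "123456", "12345678", "qwerty", "letmein", "welcome",
    "iloveyou", "admin", "monkey", "dragon", "football", "passw0rd",
    "p@ssw0rd", "summer2017",
}

MIN_LENGTH = 8     # SP 800-63B: verifiers SHALL require at least 8 characters
MAX_LENGTH = 256   # SP 800-63B: SHALL accept at least 64; this cap only bounds hashing cost (assumption)

_REPEAT = re.compile(r"(.)\1{3}")   # four identical characters in a row, e.g. "aaaa"


def has_sequential_run(s, run=4):
    """True if `run` consecutive characters step by exactly +1 or -1 in code
    point order ("abcd", "4321")."""
    codes = [ord(c) for c in s]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(password, username="", service=""):
    """Return (accepted, reasons).

    Deliberately applies no composition rule (no "one upper, one digit, one
    symbol"): the checks are length, a blocklist, context-specific words and
    repetitive/sequential runs, which is the SP 800-63B model."""
    pw = unicodedata.normalize("NFKC", password)   # normalise before any comparison or hashing
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if len(pw) > MAX_LENGTH:
        reasons.append("longer than %d characters" % MAX_LENGTH)
    low = pw.lower()
    if low in BLOCKLIST:
        reasons.append("appears in the common/breached password list")
    for ctx in (username, service):
        if ctx and ctx.lower() in low:
            reasons.append("contains the context-specific word %r" % ctx)
    if _REPEAT.search(pw):
        reasons.append("contains a run of repeated characters")
    if has_sequential_run(pw):
        reasons.append("contains a sequential run of characters")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate, user in [("P@ssw0rd", ""), ("correct horse battery staple", ""),
                            ("pwilson2019", "pwilson"), ("\uff50assword", "")]:
        print(repr(candidate), check_password(candidate, username=user))
```

Note that "P@ssw0rd" passes every classic complexity rule and is still rejected, while a four-word passphrase with spaces is accepted; the fullwidth "ｐassword" shows why normalisation has to happen before the blocklist lookup.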

Alan (Consultant) commented:
Hi,

I use a password manager in order to have stronger (longer) passwords that are all unique to the site / resource in question.

Uniqueness is critical in that you are trusting the other party to keep your password safe, and we all know how often there are breaches with passwords (or more commonly hashes) being disclosed (Yahoo currently winning on 3 billion!). If you re-use a password, and one party lets it out, you may be exposed at other sites / resources.

I only have a few passwords that I remember myself:

Bank
Email
Password Manager
Domain User Password

They are, ironically, my weakest passwords, but they are all at least 31 characters long.

For other passwords, I use a password manager, and I always try to use a random, 63 character password if that is allowed by the site / resource in question.  Unfortunately, many sites seem to limit the length of password to 15, 23, or 31 characters, which is scary on the grounds of 'what are they doing with it that makes them limit to such a short string'.

Now I think about it, maybe I should start trying 127 character passwords, but I suspect I will not get many that accept that yet.

Happily, Windows seems to be happy up to 127 characters :-)

Finally, if you can use 2FA on a site / resource, then definitely go for that.  If your credentials are ever compromised, but the 2FA is properly implemented, then your account is probably still safe.  Unfortunately, too many places don't implement 2FA properly, or allow weak second factors such as texts to mobile phones, rather than a Time-based One-Time-Password, but any 2FA is usually better than not having it.

Alan.
2
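Added example (not Alan's code, and not from any particular authenticator product): the Time-based One-Time-Password Alan prefers over SMS, implemented as RFC 4226 HOTP plus the RFC 6238 time step, with the server-side verification that distinguishes a "properly implemented" deployment: constant-time comparison, a bounded drift window, and rejection of a code that has already been accepted. The secret is the RFC 6238 Appendix B test secret; the `used` set is an assumed per-user store the caller persists.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, dynamic
    truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at // step), digits)


def secret_from_base32(b32):
    """Authenticator apps exchange the shared secret as unpadded base32."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def verify_totp(secret, code, at, window=1, step=30, digits=6, used=None):
    """Server-side check. `window` time steps of clock drift are tolerated on
    each side. `used` (assumed: a per-user set the caller persists) rejects
    replay of a code that already succeeded; without it a sniffed code stays
    valid for the whole window."""
    counter = int(at // step)
    for c in range(counter - window, counter + window + 1):
        if used is not None and c in used:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            if used is not None:
                used.add(c)
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (ASCII "12345678901234567890").
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59, digits=8))          # 94287082 per the RFC table
    print(totp(secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"), time.time()))
```

The window of one step each side is what lets a phone whose clock is 20 seconds off still log in; widening it much further, or omitting the replay set, is where implementations usually go wrong.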

Peter Wilson (IT, Author) commented:
@ALL, I'm trying to determine which is better between having a single point of failure vs controlling all your passwords with some being shared. If a site I were using was hacked, what is the probability that they would OWN me? In other words, knowing every site I have duplicate passwords on and thereby gaining access across the board? So the argument to me is simple: which poses more vulnerability, a password manager with a single point of failure (password) coupled with blindly trusting that hackers are not going to start targeting cloud password managers, vs having strong but dissimilar passwords across many different sites? Most mainstream sites will not allow you to run dict/DoS attacks at the account level as the account will hit its lockout threshold. The underscoring theme here is that hackers are going after penetrations that yield grand rewards/entire DBs, not single accounts. So unless you're an admin for one of these companies, the probability of an account ownership attack is nil to null. Thoughts?

@Alan, 63 character passwords are bordering on absurdity/paranoia and are only successfully making your life more difficult! I'm looking for serious security expertise here, not paranoia. At that point (roughly 380-bit entropy) the probability of "hacking" your password alone would be pointless as it would take roughly 6 quinquatrigintillion years. Hackers don't use those types of methods in general unless they are targeting you, and I'd highly doubt you are being targeted while still remaining in public. Correct me if I'm wrong, but hackers are going to exploit the easiest vulnerability for the biggest gain. A single password vs DB hack... they will always go with social engineering or a sys hack over a single user password unless probing has determined it's worth it and easily cascades into a larger reward. I agree with you on the 2FA part - that will dramatically increase security.
0
Alan (Consultant) commented:
Hi Peter,

I'm trying to determine which is better between having a single point of failure vs controlling all your passwords with some being shared.

Instead of the simple black and white options that you are looking at, consider things to be a bit more nuanced - hence me doing both.


If a site I were using was hacked, what is the probability that they would OWN me? In other words, knowing every site I have duplicate passwords on and thereby gaining access across the board?

Pretty high based on past experience.  It appears to be fairly common practice to apply any passwords they can get to, perhaps, the top 1000 sites, but that number is just going to go up.

Consider also that essentially all compromised password files get sold, so they will end up being used by many people, moving further down the 'tail' of popular websites.


So the argument to me is simple: which poses more vulnerability, a password manager with a single point of failure (password) coupled with blindly trusting that hackers are not going to start targeting cloud password managers, vs having strong but dissimilar passwords across many different sites?

As above - I would suggest not looking at it as a binary choice.


Most mainstream sites will not allow you to run dict/DoS attacks at the account level as the account will hit its lockout threshold. The underscoring theme here is that hackers are going after penetrations that yield grand rewards/entire DBs, not single accounts. So unless you're an admin for one of these companies, the probability of an account ownership attack is nil to null. Thoughts?

Not sure what you mean here - if the DB of passwords is exfiltrated and cracked, then any account *might* be compromised?


@Alan, 63 character passwords are bordering on absurdity/paranoia and are only successfully making your life more difficult! I'm looking for serious security expertise here, not paranoia. At that point (roughly 380-bit entropy) the probability of "hacking" your password alone would be pointless as it would take roughly 6 quinquatrigintillion years. Hackers don't use those types of methods in general unless they are targeting you, and I'd highly doubt you are being targeted while still remaining in public. Correct me if I'm wrong, but hackers are going to exploit the easiest vulnerability for the biggest gain. A single password vs DB hack... they will always go with social engineering or a sys hack over a single user password unless probing has determined it's worth it and easily cascades into a larger reward. I agree with you on the 2FA part - that will dramatically increase security.

The point is, that with a password manager, having a 63 character password is exactly the same as having an 8 character password in terms of 'ease of use', therefore, why would you not go for the longest password the site allows?  You have to choose a length, so choose the maximum - any other choice is illogical if you don't ever need to remember or type it in yourself.



Hope that helps.

Alan.
1
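Added example (not Alan's or Peter's code): the two points in the exchange above made concrete against a vault. `blast_radius` answers Peter's "if one site is hacked, what else do they own?" by replaying every credential leaked from that site across the rest of the vault, which is exactly the credential-stuffing Alan describes; `generate` and `entropy_bits` show why, with a manager, choosing the site's maximum length costs nothing. The VAULT export is constructed sample data, the long entries are generated at import time, and the entropy figure is only meaningful for randomly generated strings, not for human-chosen ones like "Summer2017!".

```python
import math
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 printable symbols


def generate(length, alphabet=ALPHABET):
    """Password a manager would generate: CSPRNG choice over the widest alphabet
    the site accepts, with `length` set to the site's maximum."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(password):
    """length * log2(alphabet size), where the alphabet is the union of the
    character classes actually present. Only a meaningful strength figure for
    randomly generated strings; for a human-chosen password such as
    'Summer2017!' it overstates strength because the choice was not uniform."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    size, covered = 0, set()
    for cls in classes:
        if any(ch in cls for ch in password):
            size += len(cls)
            covered.update(cls)
    size += len({ch for ch in password if ch not in covered})   # spaces, non-ASCII: one each
    return len(password) * math.log2(size) if size else 0.0


# Constructed sample vault export (site, username, password). The three
# "Summer2017!" entries model the reuse Peter asks about.
VAULT = [
    ("bank.example",  "peter",   generate(31)),
    ("mail.example",  "peter",   generate(31)),
    ("shop.example",  "peter",   "Summer2017!"),
    ("forum.example", "pwilson", "Summer2017!"),
    ("news.example",  "peter",   "Summer2017!"),
    ("cloud.example", "peter",   generate(63)),
]


def reuse_groups(vault):
    """Map each password used on more than one site to the list of those sites."""
    groups = defaultdict(list)
    for site, _user, pw in vault:
        groups[pw].append(site)
    return {pw: sites for pw, sites in groups.items() if len(sites) > 1}


def blast_radius(vault, breached_site):
    """Other sites an attacker reaches by replaying (stuffing) every credential
    leaked from `breached_site`. A unique-per-site vault always returns an empty set."""
    leaked = {pw for site, _user, pw in vault if site == breached_site}
    return {site for site, _user, pw in vault if pw in leaked and site != breached_site}


def audit(vault):
    """Per-entry (site, length, entropy estimate, reused?) rows, weakest first."""
    reused = set(reuse_groups(vault))
    rows = [(site, len(pw), round(entropy_bits(pw), 1), pw in reused) for site, _u, pw in vault]
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    for row in audit(VAULT):
        print(row)
    print("shop.example breached ->", sorted(blast_radius(VAULT, "shop.example")))
```

Running the audit against a real manager export (most can export CSV in the same three columns) is a quick way to find the reused entries before a breach notification does it for you.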
Peter Wilson (IT, Author) commented:
Thanks Alan for addressing those points...you made a lot of sense. I guess I just needed to hear the explanations.
0
btan (Exec Consultant) commented:
if a site I were using was hacked what is the probability that they would OWN me?
> Once penetrated, you are no longer in control. You should just activate your incident reporting, change all login access, etc.

In other words, knowing every site I have duplicate passwords on and thereby gaining access across the board?
> It depends on time to detect. The shorter the window, the faster you can contain the damage (leaks) if you activate the mass changes. It is a rat chase whereby you will be many steps behind if poor practice is used throughout your asset safeguards.

The underscoring theme here is that hackers are going after penetrations that yield grand rewards/entire DBs, not single accounts. So unless you're an admin for one of these companies, the probability of an account ownership attack is nil to null. Thoughts?
> Let's say your website has holes that are poked through, like an unpatched CMS, unhardened configuration or a vulnerability to SQL injection (as an example); it doesn't even need to brute force the login and can just run some scan and exploit the gaps. Password is not your last line of defence; it makes it harder but not impossible. There have been instances where the whole DB is leaked with SQLi attacks, and your only safeguard at that point is whether the DB has the passwords salted and hashed instead of in plain text. In short, damage control is far more than you can recover, hence, to whatever ability you have, you should always reduce the attack footprint. Convenience should not take prime if you are security paranoid that one of the admins will be targeted.

Go for 2FA minimally for your privileged users and any form of remote access. TOTP can be another form instead. A longer passphrase is preferred eventually. A manager is good to have, but fundamentally the awareness of keeping a sufficiently long passphrase may work out better. The user is your weakest link no matter how good the controls you may have put in place.
1
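Added example (not btan's code, and not tied to any particular site's database): the "salted and hashed instead of plain text" safeguard btan names, shown as a memory-hard scrypt store beside the pattern it replaces. `crack_unsalted` demonstrates why an unsalted fast digest is nearly as bad as plain text once the table leaks: one hash per wordlist candidate cracks every user with that password at once, with no online lockout to stop it. The scrypt parameters and the `$scrypt$...` storage format are assumptions for this demo; the leaked table and wordlist are constructed.

```python
import base64
import hashlib
import hmac
import os

# Assumption: n=2**14, r=8 costs ~16 MiB per hash, which is what makes offline
# wordlist attacks expensive. A real service benchmarks and raises n over time.
N, R, P, DKLEN = 2 ** 14, 8, 1, 32


def _b64(b):
    return base64.b64encode(b).decode("ascii")


def _unb64(s):
    return base64.b64decode(s)


def hash_password(password, salt=None):
    """Fresh 16-byte random salt per user, so equal passwords give different
    records and a cracker gets no cross-user precomputation."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return "$scrypt$%d$%d$%d$%s$%s" % (N, R, P, _b64(salt), _b64(dk))


def verify_password(password, stored):
    """Recompute with the parameters stored in the record and compare in constant time."""
    try:
        _empty, scheme, n, r, p, salt_b64, dk_b64 = stored.split("$")
        salt, dk = _unb64(salt_b64), _unb64(dk_b64)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    calc = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=len(dk))
    return hmac.compare_digest(calc, dk)


# The pattern btan warns about: a fast, unsalted digest.
def unsalted_sha1(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def crack_unsalted(leaked_hashes, wordlist):
    """Offline attack on a leaked unsalted table: one digest per candidate word,
    matched against *all* users simultaneously. Returns {user: password}."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {user: table[h] for user, h in leaked_hashes.items() if h in table}


if __name__ == "__main__":
    # Constructed leaked table: two users chose the same weak password.
    leaked = {"alice": unsalted_sha1("Summer2017!"), "bob": unsalted_sha1("Summer2017!"),
              "carol": unsalted_sha1(os.urandom(16).hex())}
    print(crack_unsalted(leaked, ["password", "Summer2017!", "letmein"]))
    a, b = hash_password("Summer2017!"), hash_password("Summer2017!")
    print(a != b, verify_password("Summer2017!", a))   # salted: different records, both verify
```

With the salted scrypt store the same wordlist attack has to be repeated per user at ~16 MiB per guess, which is the difference between a breach that exposes every account in minutes and one that buys you time to force a reset.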
Shaun Vermaak (Technical Specialist/Developer) commented:
Password Manager facilitates the use of unique passwords and because you do not have to remember them, they can be super complex without hassle.

All my passwords are unique and between 64 and 128 characters.
0
serialband commented:
Your password manager still needs to have a strong password and store strong passwords.  They're not mutually exclusive.  You'll need a password manager only because you'll have too many strong passwords to remember correctly.  I also store some passwords, but some are never stored; all passwords must be strong passwords.
0
Alan (Consultant) commented:
Hi Peter,

How are you going on this?

Thanks,

Alan.
0
Peter Wilson (IT, Author) commented:
I should be closing this shortly. thx for your patience.
0
Alan (Consultant) commented:
No problem - let us know if you have any other queries before closing it.

Thanks,

Alan.
0
Peter Wilson (IT, Author) commented:
I'm awarding now. sorry for the big delay.
0
Peter Wilson (IT, Author) commented:
Thank you for helping me understand the differences and nuances.
0
Kaitlin C commented:
We highly recommend both. Most of today's password managers, including RoboForm, offer a password generation tool. This is an efficient way to generate strong and unique passwords for every site. Once generated, you can securely store them in the password manager and log into the site with a single click. RoboForm combines both security and convenience. If you're interested in learning more about the features included within our password manager, please visit: https://www.roboform.com/key-features
0