Password management

Many people need to create accounts for different things. Accounts for buying things, accounts for viewing things, accounts for participating in things. Then there are all the accounts they need for things like e-mail, terminal logins, etc.

I've heard of people who use the same password for everything. While it would be easy to remember this password, it is also easy to compromise a single password. This risk increases if it is ever sent over a network or the Internet in plain text. If someone could intercept the password while it passed over the network, they would have access to every account protected by that password. This is dangerous.

I know other people who group all systems for which they need passwords into a couple of risk categories. Then they choose a single password to use for each category. While this approach provides more security than the first approach, it also suffers from a serious problem. Here's a scenario to illustrate. Imagine that I establish an account with WidgetCorp1 and another with WidgetCorp2. Since they are both vendors of widgets and share the same risk level, I use the same password for both accounts. What I have just done is decide that I trust the system administrators and database administrators at WidgetCorp1 not to order things on my account at WidgetCorp2, and vice versa. This is too risky.

In my opinion, it is dangerous to use any approach that involves using the same password in realms that are not centrally managed. Even if all the resources share the same level of risk, the risk is increased by using the password within multiple realms as illustrated in the above scenario.

I use a different password for each system, regardless of what the associated risk level is. This mitigates the risk of cross-account attacks. However, there are two inconvenient results of this approach. The first is that I now have a multitude of passwords that must be managed; the second, a consequence of the first, is that I can no longer remember every password I have.

I solve both of these issues through the use of a password manager. The software allows me to store the resource, username, password and notes for each account. All the information is encrypted using strong encryption and protected by a single passphrase which I can memorize and change frequently. In this way I can quickly retrieve a username and password for a specific resource by simply entering my passphrase.
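To make the password-manager idea concrete, here is an added example (not code from the original post or from any of the tools listed below) of a minimal vault: one passphrase is stretched with PBKDF2 into an encryption key and a MAC key, the entry table (resource, username, password, notes) is encrypted then authenticated, and entries are retrieved by resource name. The HMAC-SHA256 counter-mode keystream is an assumption standing in for AES-GCM, which the Python standard library does not provide; the WidgetCorp entries are constructed sample data.

```python
"""Minimal encrypted password vault: one memorised passphrase protects every entry."""
import hashlib, hmac, json, secrets, string

def derive_keys(passphrase, salt):
    """Stretch the passphrase with PBKDF2-HMAC-SHA256; split into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]

def keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (assumed stand-in for AES; stdlib has no AES)."""
    stream = bytearray()
    for block in range(-(-len(data) // 32)):          # ceil(len / 32) blocks
        stream += hmac.new(key, nonce + block.to_bytes(4, "big"), "sha256").digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(passphrase, entries):
    """Encrypt-then-MAC the JSON entry table. Output layout: salt(16) || nonce(16) || tag(32) || ciphertext."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = keystream_xor(enc_key, nonce, json.dumps(entries).encode())
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return salt + nonce + tag + ct

def open_vault(passphrase, blob):
    """Verify the tag in constant time before decrypting; wrong passphrase or tampering raises ValueError."""
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad passphrase or vault tampered with")
    return json.loads(keystream_xor(enc_key, nonce, ct))

def unlocks(passphrase, blob):
    """True only if the passphrase authenticates the vault (no partial decryption on failure)."""
    try:
        open_vault(passphrase, blob)
        return True
    except ValueError:
        return False

def lookup(passphrase, blob, resource):
    """Retrieve one account's record by resource name after unlocking the whole vault."""
    return open_vault(passphrase, blob)[resource]

def generate_password(length=20):
    """Fresh random password per resource, so no two realms ever share one."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
    return "".join(secrets.choice(alphabet) for _ in range(length))

# Constructed sample entries; each resource gets its own generated password.
SAMPLE_ENTRIES = {
    "WidgetCorp1": {"username": "alice", "password": generate_password(), "notes": "widget vendor"},
    "WidgetCorp2": {"username": "alice", "password": generate_password(), "notes": "widget vendor"},
}
```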

One natural question that could result from reading this is, "So, is single sign-on a bad idea?" No, I don't think so. You'll notice that I was very careful to say that I think "it is dangerous to use any approach that involves using the same password in realms that are not centrally managed". Single sign-on is a single realm where the password is centrally managed. Therefore, it is not susceptible to the risks outlined in the first and second approaches above. It is not free of all risk but, depending on the organization, the trade-offs could be worth it.

So, is federated authentication a bad idea? No, I don't think so. In a federated authentication situation the user's password is only known to their home institution and access is granted based on business rules of the federation and the institution providing the service to be accessed. Again, the password is centrally managed.

This all assumes that you can trust whoever is doing the central management of user accounts. If you don't trust the central managers or their systems, you probably shouldn't be affiliated with them, and this further emphasizes my point about not using the same password in multiple realms.

Password Managers:
PasswordSafe -- (open-source) versions available for all major operating systems, browsers, and mobile devices
LastPass -- (open-source) available for all major operating systems, browsers, and mobile devices
KeePass -- versions available for all major operating systems, browsers, and mobile devices
Keychain Access -- comes with Mac OS X (under Applications -> Utilities)

Single Sign-on:
LDAP -- for directory information
Kerberos -- for authentication
WebISO -- web initial sign-on

Federated Authentication:
Shibboleth
SimpleSAMLphp

Other:
Password Strength Meter