by Daniel
I’ve used password managers since 2014, from LastPass and Dashlane to the Chrome password manager and macOS’ Keychain. I’m generally a happy password manager user, appreciating the many great features and convenience. However, over time, as I notice product quality issues, I begin to worry.
One of my favorite features of password managers provides a high-level view of the state of the passwords stored. It highlights aspects that can be improved, such as password strength, password reuse, compromised passwords, and the use of multi-factor authentication. Recently, the list of reused or weak passwords showed inconsistent results, regardless of whether I used the Android, iOS, or browser apps. In one instance, the Android app alerted me of a password that I allegedly reused tens of times, and, in a different case, the list of weak passwords contained passwords that were not weak at all.
I contacted support with the issues. An excerpt of their response:
“This issue has been reported internally. While I can assure you that this is on our road-map, I’m afraid I do not yet have an accurate ETA to communicate. Please bear with us as we do our best to address your issue in a timely fashion.”
I appreciate the response, but I expect more than an acknowledgment of the issue to maintain my confidence in the product. A password manager has sensitive information, and confidence and trust are essential. Within a week, I canceled my family subscription, which was up for renewal in February, and signed up for 1Password.
When I started using password managers the premise was simple: use a strong and unique password for each service and store it in the password manager so you don’t have to remember it. It took me a while to fully trust the vendor I had chosen (LastPass). For a few months, I used it to store credentials for trivial things and once I was convinced, I used it for everything.
Over time, password managers gained new feature: use of multi-factor authentication, alerts when a stored password is found in a leak, or reused, or it is not considered strong. Whenever the topic of passwords comes up in conversation with friends and family, this is more or less, what I tell them:
A strong password is long, uses random characters, and avoids personal or easy-to-guess information. This increases the difficulty of cracking the password through various attack methods, including brute-force attempts, dictionary attacks, and more sophisticated techniques.
Increasing the length and complexity of a password exponentially increases the time required to crack it. As a user, using long, random passwords and enabling Multi-Factor Authentication (MFA) are effective defenses. Service providers can implement measures such as account lockouts and strong password storage practices.
When a password is reused across multiple accounts, a single compromised account can lead to multiple security breaches. This enables a type of attack called credential stuffing, where attackers use stolen username and password combinations to attempt access to various services.
To mitigate this risk:
Password managers solve the problem of remembering numerous unique passwords and often provide additional security features like MFA capabilities.
Cybersecurity is a game of cat and mouse where engineers in charge of the security of a system are constantly racing the bad actors trying to gain access to such systems. Some data breaches happen by pure luck or coincidence, some require malicious insiders, and some are the product of meticulous work of patient people.
If you spend long enough online, you will eventually receive an email warning about a data breach and advising or even requiring you to change your password. You may read about it in the news, or you may somehow find yourself in “Have I Been Pwned?”. In any case, a compromised password should be addressed sooner rather than later. The action to take in this case is straightforward: change the password ASAP!
Multi-factor authentication improves account security by requiring two or more verification methods. These typically combine something you know (a password) with something you have (a phone) or something you are (a fingerprint). Many modern password managers integrate MFA capabilities, allowing them to generate and store time-based codes or support hardware security keys. This integration makes implementing MFA across multiple accounts more convenient, encouraging wider adoption of this crucial security practice.
Once I completed the migration from Dashlane to 1Password, I analyzed the contents of my Dashlane data export, specifically, the credentials.csv file. Before I decided to migrate to 1Password, I had already spent a few days cleaning and improving the password health score by eliminating duplicates and changing a few passwords.
I do not have exceptional password hygiene, but I have worked on improving it. I’ve done my best. I set up MFA for the critical services, whether it is a Yubi key, an authenticator app, or SMS if no other option is available.
For this exploration, I have three goals:
The Dashlane data export contains several CSV files. One of the files is of interest in this case: credentials.csv.
The file has 609 entries, which is unsurprising considering that I’ve used a password manager for ten years.
Out of 609 credentials in the file, there are:
Are the duplicate passwords explained by duplicate entries? Let’s find out!
Having used a password manager for ten years, I can confidently confirm that the browser extension is not infallible. It is easy to create duplicates. Some examples:
The problem is that the password manager is intrusive. As a user, I want to perform tasks that require me to sign up for or sign in to a service to update some account details. My goal is to complete a task, be what it may be, and not keep my passwords organized at that particular time. If I see a message asking me if I want to add or update a password, I’ll spend a minimal amount of time thinking about what it means and click Yes, Accept, Save, or a variation of it and not risk losing that password to the wind (because having to deal with a password recovery flow is, to me, a terrible experience that involves several steps across devices and services).
I go over the list, one by one, and I confirm my theory:
I see all sorts of services and websites: ieee.org, slack.com, aa.com, live.com, and wired.com. Out of 54 entries in this category, I identified four passwords that are legitimate duplicate passwords that I have now changed and two passwords for accounts that I no longer have access to (I deleted my Dropbox account a few years ago, and I no longer have access to my university’s internal apps). After going over each of the 54 entries with twice-reused passwords, I identified additional ways in which the same password exists multiple times in the password manager:
I found nothing surprising in the five passwords that were reused three times each. The explanation is similar to that for twice-reused passwords.
For n=4, three entries are for accounts for different services. It is a somewhat old password I have not changed in 8 years. There are two pieces of good news here: 1) I have MFA enabled for this account, and 2) the password does not yet show up in HIBP (https://haveibeenpwned.com/).
Finally, for n=5, three of the entries are for the same user/domain, so we’re dealing with a password reused on three different services, and none of these are important in any way.
Overall, my password reuse is better than I thought it might be. One area of improvement is to remove duplicate entries to reduce clutter.
Passwords of length 12 and 16 represent 66% of the passwords stored in the password manager. This may be due to different defaults in different systems or platforms.
The three longest passwords are 28, 31, and 40 characters long, and the three shortest are 1, 4, and 5 characters long.
I chuckled when I saw what the forty-character password is (for example, if the credential is used to sign in to the planetarium’s ticketing system, the password is Tw!nkl3Tw!nkl3L!ttl3St@rHow!Wond3rWh@tYouAr3^17321). As for the 31-character password, it wasn’t lyrics to a song but a line from a poem. The 28-character password was randomly generated.
On the other side of the scale, the password with length 1 is just garbage - a password update poorly detected by the password manager’s browser extension.
Next on the list is a four-character-long password. It is a PIN for my local library account. I can’t do anything about this, as the library’s website only supports 4-digit PINs.
The five-character password grants me access to my local and personal development database, so I won’t worry about this one.
In general, I do not have concerns about the length of my passwords. Around 90% of the passwords have a length of at least ten, which is enough for now.
Out of 591 entries, there are 107 unique usernames. The majority are, boringly, email addresses. There are a few random word usernames and also a few UUIDs.
A breakdown of email addresses as usernames by provider:
The + and . tricks for Gmail and the masked addresses for Fastmail account for the majority of the usernames.
No service lives forever. Some are acquired, some rebrand, and some shut down.
I skimmed over the list and found a few defunct services:
I have a question: what happened to the data? Who has it now?
In some cases, the answer is probably buried in an email account.
This analysis would require checking external sources to fully understand the fate of these services and their associated data. It’s an important consideration when managing old accounts and their potential security implications.
After analyzing my password data, I’ve identified several areas for improvement in my password management practices: