Monthly Archives: January 2014

Password Managers & Escrow

Five years ago I made a decision to move from PasswordSafe to AgileBits 1Password.  As someone in the security field I’ve always tried to practice what I preach and using different passwords for different sites and cycling passwords (changing passwords every N months) is important.  I looked at a number of different password management solutions.  I enthusiastically moved to 1Password as it offered everything I was looking for.  Early on I used a local database but after becoming comfortable with the product I moved to using a shared database stored at DropBox.

One of the other password managers I looked at was PasswordBox.  PasswordBox offers an application that includes the capability to sync passwords back to ‘cloud’ storage at the developers site and is available for Mac, Windows, and mobile platforms.   When I first looked at this my concern with PasswordBox was that there was no knowing how my passwords would be secured given the applications storage model (i.e stored where?).  With 1Password storage is either local or at DropBox.  The 1Password folks have been called out on encryption (Cult of Mac 2012, Lifehacker 2013TraxArmstrong 2013 ) numerous times over the past years.  I followed that controversy and think the AgileBits team handled it well so I have no reservations recommending 1Pasword with DropBox.

Using any password manager one of the harder problems seems to be keeping the browser plug-in alive.  As Firefox has marched through release after release I’ve had to update the plug-in and recently had to uninstall / reinstall the plugin after the 1Password major version change.  That’s just one browser.  I try to keep 1Password running in Firefox, Safari, and Chrome.

Something that I have been looking for as a feature of a password manager has been some way to do password escrow.  That is creating the means to pass on information in my password manager should something happen to me.  The simple way of doing this is to give someone I trust the password to my password manager.  The downside is that the act of giving that password information creates a potentially huge point of friction.  You have to ask yourself ‘Will the person I gave that password to do the right thing at the right time?’.  Giving someone the password also equates to giving them the keys to everything.  You lose the capability to purge some information you don’t want to pass on.  One way around that is the capability offered by an application such as Legacy Locker.

Legacy Locker and other apps like it (Perpetu) offer a service that passes on usernames and passwords that you select to some person or people that you designate in the event that you ‘in theory’ pass away or become permanently incapacitated.  All of these offer some form of credential or service escrow capability.  They solve a very difficult problem that is faced by virtually all Internet based service providers; how to allow someone other than the user who agreed to the terms of agreement and opened the account into an account.

My advice regarding password managers is that more people should use them.  They are an important tool to maintaining one’s individual security on the Internet.  In order to be truly useful across multiple devices a password manager needs to use some common storage point and using Internet Cloud based storage works.  The key to using Cloud based storage and keeping your passwords secure is making sure the manager supports strong encryption.

Advertisements