Background

Trevor posed a question about the nature and validity of using a password manager, given the current prevailing model of authentication on most web resources.

  • Caveat: this is not the naive question about whether password managers are insecure in general, Trevor knows that question has been asked and answered many times over (it's all about relative risk).
  • Caveat: this is also not the routine question of the relative risk profile between password managers and memorization and manual entry alone. Trevor is familiar with that discussion as well.

Questions

Trevor asked a question which calls into dispute whether password managers are obsolete on the basis of functionality.

If a user can reliably select "I forgot my password" on most web sites, and have a password reset initiated and a link sent to their e-mail inbox, then isn't their e-mail inbox serving the same functionality as a password manager?

What is the benefit of trying to remember a password, or storing a password in a manager, if a user can reliably get a password reset link every time they wish to log in to the site?

Note

This question is not identical to "If I include a Forgot Password service, then what's the point of using a password?".

Although similar, this question is intended to uncover what relative advantage (or disadvantage) exists when the use-case is compared to a password manager.

In the other question, the use-case is compared to rote memorization, and does not identify the fact that a password manager may very well be equivalent to simply forgetting passwords and using a one-time login.

asked May 1, 2015 at 20:02

Your argument is contingent upon using a web based service. If you use your password manager for SFTP, encrypted drives, desktop apps, etc. then you don't have a self service reset option.

If we then want to continue the argument only for web apps, here are some issues:

  1. This requires you to use one email address, which may not be practical (work versus personal email should not be commingled) or may not be desired (anonymity concerns, organization, shared email for a club, etc.). If you use multiple email addresses this also reduces the impact of one of them being compromised.

  2. This requires the service provider to require an email address, not all services request or require you to provide an email address.

  3. I am not sure you want to count on reliability of a reset service. This may take significantly longer for the reset email to go through. The service provider may (should) rate limit such requests.

  4. Password resets are not designed for this purpose. A password reset may be part of a comprehensive analysis to put the account on a higher alert for monitoring. The account was just reset, this is unusual, so apply more monitoring and checks because the reset may indicate an account takeover. Password resets are not generally considered the norm.

  5. For a password reset there are often challenge questions, so these still have to be entered each time. This is needed because the email account cannot be known to be secure or isolated to the user. Depending on who you ask, this is sort of combining "something you know" (challenge questions) with "something you have" (the email account).

  6. I would personally rather the attacker had to break into my computer rather than find a flaw in the email provider's system, internal networks, etc. I don't really feel like my email on the Internet is secure or private.

  7. Even if this was super fast, in every case, and there were no challenge questions, it's still tedious, requires switching tabs, etc. You may also get distracted by your other emails, and things may accidentally go to spam. I use a keyboard shortcut for auto-type, which is very quick and transparent. My password manager also clears out my clipboard.

At the end of the day, I think I have more control over my desktop password manager, it applies in many more scenarios, and it's easier and more reliable.

answered May 1, 2015 at 21:07


My answer would be no, they are not obsolete. Your scope is too narrow. You are thinking all passwords stored in a password manager can be reset. You do not account for:

  • passwords for operating systems
  • passwords to protect certificates
  • passwords to protect network equipment

These passwords cannot be "reset" with a simple reset link and require more interaction from the user. Therefore your statement is false.

answered May 1, 2015 at 20:14


I believe you are asking the wrong question. The correct question would be, in this day of 100 different accounts by each person (email, forums, websites, etc.) can you remember a different password for each one?

No, you realistically can't. And, with the prevalence of hacks that steal the password database (encrypted or not) from one website or another, reuse of passwords across sites is something that no one should be doing anymore. Ever. If you have an eidetic memory and can remember a different password for every site you visit, then by all means, do away with a password manager.

Don't try to use just 2 or 3 different passwords across all the services online that you use, because you're opening yourself up for a world of pain when one of those sites has crappy security and accidentally gives your password to the latest "Russian hackers". I guarantee they will try that exposed password on every financial institution to see if you reused it somewhere. It happened to me - thankfully I don't reuse passwords but since my username was the same they were able to lock me out of 3 of my financial accounts with failed login attempts.

answered May 1, 2015 at 20:29


What is the benefit of trying to remember a password, or storing a password in a manager, if a user can reliably get a password reset link every time they wish to log in to the site?

This is roughly equivalent to Yahoo's passwordless authentication concept. It really only makes sense in scenarios where you authenticate rarely enough that going through an email loop is less of a hassle than the alternative.

The question of whether a password manager is relevant is completely unrelated, though. It's like asking whether password managers are obsolete now that Kanye West's new album is out. The one just doesn't follow the other.

Password managers make it simple to be significantly more secure online and offer significant protection from phishing. This value is in no way affected by the availability of email-based password resets.

answered May 4, 2015 at 1:48

You're basically correct that an email account via which you reset your passwords each time you use them is functionally equivalent to a password manager. The only difference in terms of security is the possibility of the email account being compromised vs. the possibility of your password database being compromised.

The main advantage of a password manager is not one of security, it's one of convenience. Even assuming that it's possible to reset your passwords each time they're needed, consider what that usually entails:

  • Answer at least one security question
  • Possibly solve a captcha
  • Wait for the email, sometimes for several minutes
  • Log into the site
  • Enter a new password that satisfies the often silly requirements

Total time: several minutes even if the reset email arrived right away.

Compare this to a password manager:

  • Type one password
  • Copy/paste

Total time: a few seconds.

answered May 2, 2015 at 18:12


What is the benefit of trying to remember a password, or storing a password in a manager, if a user can reliably get a password reset link every time they wish to log in to the site?

Because if you can log into your account with your known password you know that an attacker hasn't changed your password.

Password resets create noise: in logs on the target system (which can sometimes be viewed by the user), in the mailbox of the user for the password reset email, and ideally in an email notification that a password was changed on the account.

An attacker who had access to your mailbox could delete these emails, as well as use the link to change the password and log in. However, if you cannot log into the system using the password stored in your password manager, it is an indication that your account has been compromised in this manner. If you simply used a password reset link each time, you are never going to know this.

Of course it is just a red flag, not a definitive piece of evidence on its own - you should ask the administrators of the service to provide logs of when your password was reset (or look yourself if they have this functionality). You can compare these logs with your own in your password manager to find out when your password was last changed. If you didn't change your password at this time you will know something is amiss.

For this reason, securing access with a password can ensure the integrity of your account.

answered May 6, 2015 at 10:14

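The reconciliation step SilverlightFox describes (and the "unusual reset, apply more scrutiny" point in item 4 of Eric G's answer) can be automated once you have both records. The following is an added example, not code from any answer or product on this page: it parses a constructed, hypothetical service audit log, compares every `password_changed` event against the timestamps at which the user's own password manager recorded a rotation for that site, and flags any change the user cannot account for. The log line format, the field names and the five-minute matching window are all assumptions made for the example.

```python
"""
Reconcile a service's password-change log with a password manager's own
change history.  A password_changed event on the service side that has no
matching rotation in the manager's history within a small time window is an
unexplained change and the red flag the answer above talks about.
"""
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical format: ISO timestamp, then
# key=value fields).  Not taken from any real service.
SERVICE_LOG = """\
2015-05-01T20:02:11Z user=alice event=login result=ok
2015-05-02T09:14:05Z user=alice event=password_reset_requested ip=198.51.100.7
2015-05-02T09:15:40Z user=alice event=password_changed ip=198.51.100.7
2015-05-04T18:30:00Z user=alice event=password_reset_requested ip=203.0.113.9
2015-05-04T18:31:12Z user=alice event=password_changed ip=203.0.113.9
2015-05-06T10:14:00Z user=alice event=login result=fail
"""

# Constructed password-manager history: the times at which the user
# themselves saved a new password for this site.  Only one rotation here,
# so the 2015-05-04 change on the service side has no explanation.
MANAGER_HISTORY = ["2015-05-02T09:15:30Z"]

# A manager entry is saved a few seconds before or after the service
# records the change, so allow a small window (assumed value).
MATCH_WINDOW = timedelta(minutes=5)


def parse_ts(value: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used in the sample data."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text: str) -> list[dict]:
    """Turn each non-empty log line into a dict of its key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        event = dict(field.split("=", 1) for field in fields)
        event["ts"] = parse_ts(stamp)
        events.append(event)
    return events


def unexplained_changes(service_log: str, manager_history: list[str],
                        window: timedelta = MATCH_WINDOW) -> list[dict]:
    """Return service-side password changes with no nearby manager rotation."""
    known = [parse_ts(t) for t in manager_history]
    flagged = []
    for event in parse_log(service_log):
        if event.get("event") != "password_changed":
            continue
        explained = any(abs(event["ts"] - k) <= window for k in known)
        if not explained:
            flagged.append(event)
    return flagged


def summarize(service_log: str, manager_history: list[str]) -> list[tuple[str, str]]:
    """(timestamp, source ip) pairs for each unexplained change, for review."""
    return [(e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"), e.get("ip", "?"))
            for e in unexplained_changes(service_log, manager_history)]


if __name__ == "__main__":
    for when, ip in summarize(SERVICE_LOG, MANAGER_HISTORY):
        print(f"unexplained password change at {when} from {ip}")
```

Run against the constructed data the script reports the single change on 2015-05-04 from 203.0.113.9, while the change on 2015-05-02 is matched to the manager's own rotation ten seconds earlier and stays quiet. The same comparison is impossible for a user who relies on the reset link every time, because then every change in the service log is "expected" and there is nothing to reconcile against.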