Email as password manager?

A lot of people these days rely on some (software) password manager to keep track of all different passwords you need. Obviously there are two risks with this approach.

First of all you put a lot of trust into the software protecting your passwords. If there is a way flaw in the software all your passwords are at risk. Second all your passwords are now protected by a single password. That you need to remember. So what if you pick a bad password? Well then all your passwords are at risk.

There has been a few Kickstarter projects using hardware to protect your passwords and some people come up with clever algorithms to generate unique passwords for different accounts. But those systems also have a single point of failure.

So is there a solution? Somebody suggested in an article a while back to use your email as a "password manager". Well not really a manager... The basic idea was that whenever you need a password you use a long random string. Then the next time you need to log in you hit the forgot my password button and use another long random password.

Well sadly enough that solution is not that great either... First of all email can be slow. You also still rely on a single password to protect all your other passwords and the assumption is that there is always a forgot my password link to click. So no, email is not a better option.

So what is a better option? Well naturally if you are savant and can remember crazy randomly generated passwords you will be safe. For the rest of us password managers are not such a bad idea. It is all about risk management. Companies who provide password managers do it as a business. It is in their interest to do a good job or they will go out of business. Second use 2-factor authentication whenever you can (that is those codes being texted to you or that app on your phone generating codes).

The only way to secure your passwords 100% is to not have any passwords to protect. Everything else is about risk management.

No comments:

Post a Comment