Question
Passwords get discussed a lot on this site, and there's quite a lot for both users and sites to do, to stay in line with "best practice".
Web sites need a password strength policy, account lockout policy, and secure password storage with a slow, salted hash. Some of these requirements have usability impacts, denial of service risks, and other drawbacks. And it's generally not possible for users to tell whether a site actually does all this (hence plaintextoffenders.com).
Users are supposed to pick a strong password that is unique to every site, change it regularly, and never write it down. And carefully verify the identity of the site every time you enter your password. I don't think anyone actually follows this, but it is the supposed "best practice".
In enterprise environments there's usually a pretty comprehensive single sign-on system, which helps massively, as users only need one good work password. And with just one authentication to protect, using multi-factor is more practical. But on the web we do not have single sign-on; every attempt from Passport, through SAML, OpenID and OAuth has failed to gain a critical mass.
But there is a technology that presents to users just like single sign-on, and that is a password manager with browser integration. Most of these can be told to generate a unique, strong password for every site, and rotate it periodically. This keeps you safe even in the event that a particular web site is not following best practice. And the browser integration ties a password to a particular domain, making phishing all but impossible. To be fair, there are risks with password managers ("putting all your eggs in one basket") and they are particularly vulnerable to malware, which is the greatest threat at present.
But if we look at the technology available to us, it's pretty clear that the current advice is barking up the wrong tree. We should be telling users to use a password manager, not remember loads of complex passwords. And sites could simply store an unsalted fast hash of the password, forget password strength rules and account lockouts.
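An added example (not part of the question or the answer), in Python, modelling the two password-manager behaviours the question describes: generating a unique random password per site and releasing it only to an HTTPS page whose host is the bound domain (or a subdomain of it), so a lookalike host such as `example.com.evil.test` gets nothing. The `Vault` class, `host_matches` and the hostnames are constructed for illustration.

```python
import secrets
import string
from urllib.parse import urlsplit

# Constructed demo: a minimal vault keyed by site domain, showing how browser
# integration ties each generated password to exactly one domain.
SYMBOLS = "!@#$%^&*()-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

def generate_password(length: int = 20) -> str:
    """Return a random password containing every character class."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw

def host_matches(origin_host: str, bound_domain: str) -> bool:
    """True only if the page host is the bound domain or a subdomain of it.
    A suffix-only comparison is not enough: 'example.com.evil.test' and
    'notexample.com' must both fail against 'example.com'."""
    origin_host = origin_host.lower().rstrip(".")
    bound_domain = bound_domain.lower().rstrip(".")
    return origin_host == bound_domain or origin_host.endswith("." + bound_domain)

class Vault:
    def __init__(self):
        self._entries = {}  # domain -> (username, password)

    def add_site(self, domain: str, username: str) -> str:
        """Create a unique random password for this domain and store it."""
        pw = generate_password()
        self._entries[domain.lower()] = (username, pw)
        return pw

    def rotate(self, domain: str) -> str:
        """Replace the stored password with a fresh one (periodic rotation)."""
        username, _ = self._entries[domain.lower()]
        pw = generate_password()
        self._entries[domain.lower()] = (username, pw)
        return pw

    def autofill(self, url: str):
        """Release credentials only to an HTTPS page on the bound domain."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return None
        for domain, creds in self._entries.items():
            if host_matches(parts.hostname, domain):
                return creds
        return None
```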
Explanation / Answer
You are correct that a fully-integrated password manager works as a de facto SSO solution for an individual, but the risks are also the same. Once someone gains access to the password manager, they have the keys to the kingdom.
Also, it is difficult to recommend a certain product for this implementation. It is easy to suggest an approach, but once you start the discussion of "you need a product," then you have to be able to answer the follow-up of "which product?" Every product introduces its own risks and there isn't a standardized way of dealing with them. What might be a better discussion is a standardized method of designing and implementing a personal password manager, just like we have for SSO frameworks. I'm personally in favor of the security community doing this.
Because of this extra liability introduced by recommending specific products, it is perhaps 'better' to recommend a complex password for each site and have users gravitate to password managers on their own.