Question

I understand the utility in having one application remember a bunch of long, randomized passwords, but all you'd need is one well-placed phishing scam or a keylogger and they get all the keys to the kingdom.

Has there been any progress in this area? I want to consider using a password manager but feel incredibly uncomfortable with putting all my eggs in one basket. I could theoretically have multiple managers and only remember 3 long passwords or so (try to diversify the risk), but I feel like that only goes so far.

It is frustrating that the best passwords seem to be exactly the ones that you cannot memorize well. Where do I draw the line?

Explanation / Answer

Password managers introduce different risks; they do not eliminate all risks. It is debatable if a password manager is generally more inherently risky than dozens of memorized passwords. Does the risk of a central password outweigh the risks of having dozens of poorly implemented passwords? It might all depend on the implementation.

Password managers automate the process of creating and 'remembering' unique passwords with maximum complexity, and can automate the renewing of passwords on a regular basis. Not only that, but they can highlight the fact that you are not on the login page for the website you think you are on. All these benefits are difficult to pass up, but you need to ensure that your password manager is properly secured.

You are correct in saying that by putting all your eggs in one basket, you run the risk of widespread access. But there are ways to mitigate that risk. For instance, some password managers require 2-factor authentication to access passwords.

"Risky" is always in the eye of the beholder. What is acceptable to one would not be to another. Each person/organization needs to make that determination for themselves.
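
The answer above notes that a password manager can show you are not on the login page you think you are on. The sketch below illustrates the origin check behind that behaviour. It is an added example, not part of the original answer or any product's code; the vault entry, hostnames and function names are constructed assumptions, and real managers vary in how strictly they match.

```javascript
// Simplified model: saved logins are keyed by exact origin (scheme + host + port).
// Constructed sample data; ".test" hostnames are reserved and not real sites.
const vault = new Map([
  ["https://login.example-bank.test", { username: "alice", password: "<generated>" }],
]);

// Normalise a URL string to its origin, or null if it cannot be parsed.
function originOf(rawUrl) {
  try {
    return new URL(rawUrl).origin;
  } catch {
    return null;
  }
}

// Decide whether to offer autofill for the page the user is currently on.
// A human may overlook a near-identical hostname; a string comparison does not.
function lookup(store, pageUrl) {
  const origin = originOf(pageUrl);
  if (origin === null) return { fill: false, reason: "unparsable URL" };
  if (!origin.startsWith("https://")) return { fill: false, reason: "not HTTPS" };
  const entry = store.get(origin);
  if (!entry) return { fill: false, reason: "no saved login for " + origin };
  return { fill: true, username: entry.username };
}

// Run the check over constructed page URLs and collect the decisions.
function demo() {
  const pages = [
    "https://login.example-bank.test/signin",        // the saved site
    "https://login.example-bank.test:443/signin",    // same origin, explicit default port
    "https://login.examp1e-bank.test/signin",        // lookalike hostname
    "https://login.example-bank.test.other.test/",   // saved name used as a subdomain prefix
    "http://login.example-bank.test/signin",         // same host without TLS
  ];
  return pages.map((p) => ({ page: p, ...lookup(vault, p) }));
}

for (const r of demo()) {
  console.log(r.fill ? "FILL  " : "REFUSE", r.page, r.fill ? "" : "(" + r.reason + ")");
}
```

When the manager refuses to fill on a page that looks right to the user, that refusal is the warning sign: the saved entry is bound to a different origin.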