How I'm using Password Managers


Passwords are hard. Yet, they are the one authentication mechanism supported by every service we’re using. Sometimes even the only one. Since they are so difficult to avoid, we need a strategy to cope with them. Let me show you mine.

The ideal password

The ideal password fulfills the following criteria:

  1. It’s used only for one account.
  2. It’s random and long enough to make brute-forcing impossible.
  3. It’s not stored unencrypted in a file.

So we have to create a long, random password for each website and remember it. That’s impossible.
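As an added example (not code from the post or from any password manager it mentions), this is what criterion 2 looks like in practice: a per-site password drawn from the operating system's cryptographic random source, with a check that its entropy is high enough. The 94-character alphabet and the 128-bit threshold for "long enough" are assumptions made here for illustration.

```python
import math
import secrets
import string

# Constructed alphabet for generated passwords: letters, digits and ASCII punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Generate a uniformly random password from the OS CSPRNG.

    `secrets.choice` is used on purpose: `random.choice` is seeded predictably
    and must never be used for secrets.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(min_bits: float, alphabet_size: int) -> int:
    """Smallest length whose entropy reaches min_bits for the given alphabet."""
    return math.ceil(min_bits / math.log2(alphabet_size))


def meets_criterion(password: str, alphabet: str = ALPHABET, min_bits: float = 128.0) -> bool:
    """Criterion 2 from the post: random and long enough.

    The entropy figure only holds if the password really was drawn uniformly
    from `alphabet`, so anything outside the alphabet is rejected outright.
    'Long enough' is assumed here to mean at least 128 bits.
    """
    if any(ch not in alphabet for ch in password):
        return False
    return entropy_bits(len(password), len(alphabet)) >= min_bits


if __name__ == "__main__":
    pw = generate_password()
    print(pw, round(entropy_bits(len(pw), len(ALPHABET)), 1), "bits")
    print("minimum length for 128 bits:", min_length_for_bits(128, len(ALPHABET)))
```

With this alphabet, 20 characters already give about 131 bits, so the 24-character default leaves comfortable headroom; a human-chosen string like `password123` is rejected not because it looks weak but because 11 characters cannot carry 128 bits even when random.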

Password managers

Password managers generate and store passwords for you. They help you fulfill the above criteria. They employ encryption to protect your passwords from leaking. We can define two generations of password managers, depending on how they use encryption.

First generation password managers

First generation password managers protect your data with a master password. The master password is chosen by you and needs to fulfill the same constraints as the ideal password. Failing to do so can end in catastrophe.

There was an incident at LastPass, at the time one of the largest first generation password managers. The encrypted user data was leaked and then brute-force attacked. Users with weak master passwords saw their passwords cracked and their data stolen. A security disaster. To avoid such incidents, second generation password managers were created.

Second generation password managers

Second generation password managers protect your data with a generated secret in a secure element. Such secrets are long and completely random, rendering brute-force attacks infeasible. They are stored in specialized hardware that prevents them from leaking to the software using the hardware. This sounds complicated but is actually simple to use. Every phone has such a secure element. Every modern laptop as well.
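The difference between the two generations is where the vault key comes from. As an added illustration (not code from the post, LastPass or Heylogin), the first function derives the vault key from a user-chosen master password with PBKDF2, the second draws it at random the way a secure element would, and the last one estimates what an attacker holding the encrypted vault is up against in each case. The iteration count, the 94-symbol alphabet and the guess rate are constructed parameters for the comparison, not any product's real settings.

```python
import hashlib
import math
import secrets

# Constructed KDF cost for the first generation model; real products choose their own.
KDF_ITERATIONS = 600_000


def first_gen_vault_key(master_password: str, salt: bytes) -> bytes:
    """First generation: the vault key is derived from a user-chosen master password.

    The key is only as unpredictable as the master password; a slow KDF
    multiplies the attacker's cost per guess but cannot add entropy.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=32
    )


def second_gen_vault_key() -> bytes:
    """Second generation: the vault key is a random 256-bit secret.

    Here it comes from the OS CSPRNG; in a real product it is generated
    inside a secure element and never leaves it.
    """
    return secrets.token_bytes(32)


def expected_cracking_seconds(entropy_bits: float, kdf_evals_per_second: float) -> float:
    """Expected time for an offline attacker who has the encrypted vault.

    On average half the key space has to be searched, and each guess costs
    one KDF evaluation at the given rate.
    """
    return (2.0 ** entropy_bits / 2.0) / kdf_evals_per_second


def compare_generations(master_len: int = 8, alphabet_size: int = 94,
                        kdf_evals_per_second: float = 1e6) -> tuple[float, float]:
    """Return (seconds for a random master password of master_len, seconds for a 256-bit key)."""
    master_bits = master_len * math.log2(alphabet_size)
    return (
        expected_cracking_seconds(master_bits, kdf_evals_per_second),
        expected_cracking_seconds(256, kdf_evals_per_second),
    )


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    print("first gen key:", first_gen_vault_key("correct horse battery", salt).hex())
    print("second gen key:", second_gen_vault_key().hex())
    weak, strong = compare_generations()
    print(f"8-char master: {weak / 3.15e7:.0f} years; 256-bit secret: {strong:.2e} seconds")
```

Note that the 8-character master password in the comparison is assumed to be uniformly random, which is the best case; a memorable one chosen by a person carries far fewer bits, which is exactly the gap the leaked-vault scenario above exploits. The 256-bit secret needs no such assumption.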

Since this is all quite new, I couldn’t find many second generation password managers. There are plans to convert first generation password managers to second generation ones though. The only one that’s production ready (that I found) is Heylogin.

Heylogin

Heylogin is a German start-up. They are hosting in Germany and are thus subject to very strict European privacy laws (GDPR). Their solution works on Chrome, Firefox and Firefox for Android. They support FIDO hardware keys, phones and laptops as secure hardware elements. I’m using two FIDO hardware keys and my Android phone.

Usage is dead simple: if I want to fill in a password, the heylogin app sends a push notification. I unlock it with my fingerprint and the password gets filled in. Alternatively, I can plug in my FIDO key and unlock that way.

Disaster Recovery

What happens if my phone gets stolen?

I’ll use one of my FIDO hardware keys to remove the old phone and enroll a new one. I can also use the hardware keys without a phone.

What happens if I lose my FIDO keys?

I’ll use my phone.

What happens if heylogin stops working / loses my data?

I have an encrypted offline backup, stored on a USB drive. Passwords newer than the backup will be lost. I’ll restore those with my email. My email passwords are part of the backup.

Verdict

Heylogin works great. The only pain point is that it can’t fill in passwords in Chrome on Android yet. I don’t use Chrome on Android so I don’t care.