Why I Still Don’t Use Password Managers

Recently Lastpass made more of its service free by making multi-device syncing non-premium. We have covered that in detail here. This looks like a ripe moment to try out LastPass as I have been anti-password manager advocate for a long time.

cp-password-manager
Real Geeks don’t use Managers | Shutterstock

There is no personal enmity I have against any of the password managers, but the concept of a separate app just to manage your passwords seemed out of place to me. I know it may not make much sense, but I have my aberrant reasons.

But I gave LastPass a try. Having used it for two weeks on my smartphone, laptop, iPad & desktop PC, I have had a mixed experience. So let’s see what are the reasons and my DIY for managing passwords.

Why I Don’t Like Password Managers

Passwords are supposed to be personal and confidential, not to be revealed to anybody. So from the beginning, I felt a little insecure about handing all my passwords to a third party.

I know that the passwords are safe with them (you never know, though) and such services don’t snoop on the user data, but still, there was a hint of uneasiness for me.

Moreover a few years ago not every damn website and service required you to sign up. Nowadays the forceful signups have increased and so has our digital presence.

It’s over if the master password gets compromised

Finally, there was one last straw of weakness, the master password which you enter every time you need to autofill credentials to a site using the manager.

You are done for good if the master password gets compromised. Also, many of the password managers even do the job of generating a secure and unique password for different logins. So in case the database of the service gets compromised or you can’t access the service for any reason you are pretty much out of luck.

My Method: Convenience over Safety, Somewhat

So getting the rant out of the way, I personally use a method to keep a record of the passwords which allows me to remember them for several sites easily.

But before I go on explaining what it is, I would like to make it very clear that this method is flawed. From the point of view of strict conventions that one needs to follow for an unbreakable password, my method takes many liberties.

So you should use it only if you are ready to take the risk and know your way around the web to distinguish the good sites from the bad ones.

passwordstructure

We all know the golden rule — you should use a unique password for different accounts. So in case if one of the accounts get compromised the others remain safe. But it’s easier said than done and I don’t follow it.

As per human tendency we choose the simpler ways and a memorable password, though unsafe, is preferred by many. My method also uses the same password across sites but with a twist, as shown above.

The Base Password: How Long Should it be?

Starting with the base password, it remains almost same across sites. Now as we are already ignoring the golden rule, this base password needs to be a strong one.

Password length is one of the things which dictate the password’s strength, other being the contents, but more on that later. Researchers say that long passwords with a minimum length of 12 are secure.

11_digit_password
Just increasing the length from to 11 to 12, the brute force time increases from minutes to years! | Haystack Calculator

And one with at least 16 characters is recommended. Taking this into account, it’s wise to set the base password of more than 16, right?

No, because many websites have limits on how long the password can be, so a really long base password will create problems in accommodating the unique extras we will be adding to it.

But your base password should be minimum 12 characters at least. If 12 is not possible, then try incorporating as many different characters in as possible as this will increase its entropy.

Password Entropy

Password’s strength depends on its contents. In scientific terms, Entropy, meaning randomness defines the strength of the password. The more randomness the password has, the harder it is to crack.

For example, a dictionary word such as garden123 is like a walk in the park to crack using brute force instead of 1&[email protected]&. As a thumb rule, your password must contain the following:

your-password-should-contain

Password Padding

Now that we know what makes a password strong, we move on to create secure but memorable passwords. Your imagination plays a big role here.

For explanation purposes, lets take ajinkya799 as a base password. Punching this in Dashlane’s password strength tool gives a brute force time of 1 day.

As I explained earlier, the base password needs to be at least 12 characters long. And this is done by padding which means adding alphabets, numbers or symbols to it. The optimum way of padding is to use all the things as shown in the image below.

optimum-padded-password
I made the first letter capital, adding @ symbol and dots at the end for padding

In a similar way, you can add symbols, numbers & letters to your simple, memorable password to make it stronger.

The Unique Salts

We have made the base password stronger but using it as it across all sites is unsafe as we know. So we add extras to it, so it differs from site to site.

One way is using two capital letters of the respective site. Again taking [email protected] as the base password, for Amazon it will be [email protected], for Facebook it will be [email protected] & so on.

In the same way, you can devise your own system for different websites. Finally, you can also add a not so random salt to the password. For example, you can add a number corresponding to the letters on the website, as shown below.

salts-for-pw

Or number the websites & increment the number as and when you use the password for a new site. Of course, that will require you to maintain a numbered list, which brings us to how to maintain the list if your memory is like mine.

The Records

I use an Excel sheet to maintain the passwords; again a frowned upon method. One column for the base password, one for the website related salts and one for the random salts. And to not be nominated for the Trump of the Year award, I password protect & encrypt it.

password_excel_list
Base password is written for representation only

Further to improve security, I don’t even write the base password except where it has been modified to fit the length restrictions.

Moreover, I also swap the order of columns to confuse further if someone breaks open the file. You can also imagine other such several ways and please don’t name that excel file as Password Master List or something similar.

Conclusion

My method obviously overlooks some basic digital security rules but doesn’t completely ignore them. And it involves some creativity on your side too.

From padding of the base password to setting the identifiers for different websites, you can tweak it to your liking.

Where you will need to be careful is the handling of that Excel list. And again, follow this method at your own discretion. If you have any doubts or suggestion, do share with us through comments.

By

See more posts by this author.

Show Comments Hide Comments