
passwords should be treated like underpants
Twice a year is reasonable to me.
Israel's newly appointed cyber chief has raised eyebrows by offering questionable password advice during a high-profile presentation. Yigal Unna, Director General, Israel National Cyber Directorate, joked that passwords should be treated like underpants: changed often and never shared. His point was contained in a slide …
How do you do the 180-degrees word flip?
Oh goody, lots of password managers to choose from, all which promise to keep all my passwords nice and secure so they must be good ... I'll pick one ... eany meany miney doh!
At which point do I trust one organisation, of which I have no specialist knowledge at all, with all my passwords? The only time this would be good advice is when I was running the password manager company and either I was (a) completely legit and wanted to help the world or (b) completely bogus and wanted to trawl as many passwords as possible. The third option is obviously good intentions plus more security holes than a Trump policy statement allowing access to miscreants anyway.
I don't have a solution but tell me how to find a trustworthy password manager ... and, before someone says it, reading a.n.other's 'reviews' is not a good way of assessing data security, neither is having 'an encrypted database' if the NSA decode and clone it every day, nor is having a local database if the app "updates regularly" by uploading unencryped password data to a C&C server ...
You don't trust them with everything, you ensure the route to changing the passwords is controlled by you e.g. you do not let them know your passwords for e-mail accounts, domain management etc.
That way should/when they are breached you are able to chance those passwords without too much hassle, you should also have a separate list of what services you change first kept offline e.g. banks, insurance companies, utilities, shopping accounts, healthcare services etc.
It's about risk, there's less risk with using a password manager, but the type of risks change.
You seem to assume "password manager" means a central server. It is terrifying and depressing to me that is anyone's first thought.
Rather, use a local solution. Use KeePass (open source, audited clients for all systems, including Windows, macOS, Linux, BSDs, Solaris, Android, iPhones; and no, all the clients I can think of either work entirely offline or can be configured to never connect out) and sync your database physically, with SCP on a cron job, or with Syncthing using a TLS certificate.
Alternatively, use a script, mobile app, or application that takes a site name and master password, generates a salt using the two, and then generates a password using all 3... Now you don't even need to save your passwords anywhere!
You could also write a shell script to encrypt/decrypt a json/etc. file using a secure technology of your choice (eg. something based on OpenPGP) and forego any fancy technology. Simplicity keeps the attack surface lower.
Or, you know, use a pen and paper, and rather than just writing down passwords, transmutate them using a shared secret present only in your brain, eg. always add a character to position X if Y is Z... Or, only write down hints, only to be used if you forget.
Password management doesn't have to be difficult, and "password manager" should not ever ever never ever mean giving your passwords to some company. Look at LastPass, bastards got compromised and they're somehow still in business and promise to keep your data safe. Not to mention, it's still not open source. Tsk.
I've 13+ years working in InfoSec for all manner of organisations.
In my experience there used to be a 50/50 split on InfoSec peeps who trust password managers of any stripe. Some of the most impressive people I've every worked with just point blank refuse to use password managers.
I can see both sides of the argument but in the last couple of years InfoSec people, in my experience, are trending towards password managers now...
Personally...I'll use my brain and continue to get pissed off every time I have to reset a password I've forgotten...
And yes I wear a tinfoil hat but only when I sleep.
On the top of my dizzy head after a looooong day explaining Visual Basic (eww) to fellow first-year-meds (translates as: as brainfucked as brainfucked could be):
Tiny infrared camera.
Pick the lock w/ a non-destructive object like a hairpin.
A secret camera to shoot the paper in transit to eye or while being returned back to the drawer.
.....but with the passwords written out as though for a game of hangman.
*
Sorry if this reference ("hangman") is unknown to readers of The Register.
Anyway, it means using underscore characters for missing letters. Example:
- Notebook entry reads: V _ _ _ _ Y F _ _ _ T _ _ _ _ _ _ Y
- Literate user knows: VANITYFAIRTHACKERAY
*
Another tip is to repeat some long word, and also use the hangman technique:
- Notebook entry reads: R _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ T S _ _ _ _ _ _ _ _ _ _ T
- Art lover knows: REMBRANDTREMBRANDTSELFPORTRAIT
*
Foreign language words, upper and lower case, numbers, parentheses.....all this can make these notes very difficult for a bad actor to interpret, while being reasonably transparent to the legitimate user.