Rolling your own password management solution

1Password has…

Speaking of password managers… I’ve been arguing against them for a long time, as I’ve always considered those companies to be a massive security risk and a “single point of failure”. Almost everybody on the other tech forums has derided my comments, coming close to calling me an idiot for my opinion about password managers.

Well, what do you know… one of the largest, LastPass, has now admitted that their recent security breach is way worse than they previously admitted. And what does the article author, and many of its reader comments, advise? To refresh their settings or switch to a different password manager or… what a bunch of nonsense. Putting bandaids on a broken bone.

Of course I’ll be scorned again for saying this… but all “cloud-based” password managers are a bad, bad idea and always were. Even a locally based password manager… unless you personally inspect and understand the code… bad idea. Especially for technically savvy people (like almost all of us here in this forum) you should roll your own password-storage method, and keep it on your own premises.

Back to the topic here… I haven’t been following this “passkeys” proposal closely, I figured I’d wait until it’s more than just another proposal before bothering to look into it… but does it, like traditional passwords, assume that most people will be using cloud-based storage for their passkeys?

3 Likes

I’ll also add that password data stolen from LastPass remains encrypted. Only by having an individual customer’s LastPass passphrase will anyone be able to access password data. LastPass themselves, like Apple with Keychain data, cannot decrypt the data stored on their servers. It’s pseudorandom data blobs without the customer passphrase.

3 Likes

@San: I agree with you to a large extent.

However, I’m of the opinion that having the ability to synch your password files (vaults/safes/etc.) between devices is an important feature.

What is your take on password managers which can use any form of “cloud” storage rather than a proprietary cloud? For example, Strongbox (https://strongboxsafe.com/) can use SFTP/WebDAV/OneDrive/Dropbox/etc for synch. There are a couple of similar managers as well, but that’s the one that I’ve looked at the most.

Thanks.

Cheers,
Jon

PS: This discussion, should we expand upon it, might be better moved over to the password manager thread (https://talk.tidbits.com/t/password-managers/9033).

3 Likes

I haven’t read the articles reporting the breach that closely, since I think it’s all crap… but the TidBITS user “bookrats” in the other thread (Password Managers) said “some of it encrypted, some of it not”.

Hi, Jon! (I assume you’re the Jon I used to know at the Boston Computer Society, R.I.P.)…

I actually don’t know how to move this part of the discussion over to that (more appropriate) thread, as you suggested, while maintaining the context. Feel free to do so if you like.

Why don’t I know how? For the same reason (in general) that I haven’t looked into other forms of cloud/password storage such as the ones you mentioned. I have an enormous, virtually endless to-do list, including many Mac/tech items that are more important to me than researching this topic, given that I’m opposed to any cloud storage of passwords in general. (For example, my attempted backups of an APFS boot volume to an HFS+ HD backup drive are all screwed up – remember when you used to help me decipher Retrospect backing up to a tape drive?) That’s a higher priority, frankly, than learning the variations on something I’m never going to use anyway.

A standard defense of password managers (any kind) is that most normies use the same password for all their accounts (a terrible idea) or use a password like “password” or “12345” or something moronic like that. Perhaps for them, a password manager is better than nothing… in the same sense that fast food (ugh!) is better than starving to death. But for anyone with a clue, setting up your own secure local system really isn’t that hard. Of course, since I’ve always had an unusually good memory, my attitude might be off-base for most people, even fellow geeks… I’ve actually memorized many of my most-used passphrases (and they’re not easily crackable). But I also have a local encrypted volume with hints on how to reconstruct my long passphrases, and even if UltimateHackerDude broke the encryption (unlikely), he still wouldn’t be able to reconstruct them.

The real security problem, however… which I’m struggling with right now… is impenetrable bureaucracies with unbelievable buggy web portals that screw up even if I do have all my ducks in a row. No password manager, or local system either, can fix that.

If you haven’t been following passkeys closely, why would we have any confidence in your opinion about “rolling your own” password infrastructure?
What is your experience with internet security?

My only experience with internet security is almost 38 years of not getting hacked or compromised (since I was online years before the web was invented, i.e. the old internet)… and also I’ve never heard from a client that any of the websites I’ve built have been hacked either. I don’t claim to be a security expert, never said I was. It’s just my opinion.

OK. Thanks.

I did say passwords, and they (and I believe user ids for stored passwords) remain encrypted. I believe info like the website address may be exposed; not sure. Credit card details are encrypted. Stored notes are encrypted. Software license info is encrypted.

I stopped using Lastpass when they sold to Logmein 5 or so years ago precisely because I worried that something like this might happen.

2 Likes

Well, not exactly. LastPass published the details of the August breach when that happened, updated that in September with more details, posted again when the November breach occurred, and just now posted with full details.

In each case, they acknowledge the incident quickly with what was known at the time and then followed up after forensic investigations revealed more details. There’s no indication that LastPass was concealing anything.

Let’s move discussion of the breaches over to the comments on the article I wrote about it, where there are actual details. This topic can continue with rolling your own password management solution, which might be fun for a techie, but certainly wouldn’t be safe for the vast majority of users.

3 Likes

How about a ROT13 BBedit file stored on Dropbox/iCloud/OneDrive? I’m only partially kidding.

Personally, I’ve used PasswordWallet since the Mac OS 9 days. It’s old school, but works and syncs just fine, without getting caught up in a big-target data breach.

My only experience with internet security is almost 38 years of not getting hacked or compromised (since I was online years before the web was invented, i.e. the old internet)… and also I’ve never heard from a client that any of the websites I’ve built have been hacked either. I don’t claim to be a security expert, never said I was. It’s just my opinion.

Been doing computer and internet security that long myself…and rolling your own solution that is just a file on your computer encrypted somehow that has clues that only you understand the meaning of works just fine if you want a very basic solution.

As I noted before…length is just about the only password security step that’s really necessary these days…in the days of rainbow tables and dictionaries and such the only viable secure solution is to force the bad guys to use brute force…and length is your friend in that case. Upper case and a couple numbers and symbols are also good since they make the alphabet set larger and provide more entropy for a given length…but taking a look at Steve Gibson’s haystack page over at grc.com shows that easily. 3 or 4 or 5 random words with an upper case letter in each based on your personal system interspersed with a couple of digits and symbols…and that’s a great password…although in my case I try to make them easy to type on iPhone and iPad without too many keyboard swaps…but mostly that’s a matter of choosing from the correct subset of available symbols. But if you want the rest of the features…sync, cloud storage, multiple devices, auto backup, attachments, web browser auto fill based on the SSL cert, etc…that’s beyond the ability of the vast majority of Tidbits or even a programmer mailing list to roll your own. Hence…my suggestion in another reply to determine what combination of features you need and the various options mostly self select.

2 Likes

This is the key. Storing and tracking sites, usernames and passwords could be reasonably done by anyone with the necessary caution to make it secure. Getting the add ons is why I still use 1Password. I like being able to autofill sites and autogenerate passwords etc. I’m hoping Apple keeps working on Keychain Manager to the extent I can dump 1Password but it’s not there yet. Maybe once Passkeys become more common it will be less necessary.

It’s actually quite frustrating how many passwords are needed these days (I have over 360 in 1PW and I’m certain that’s not all of them). You can’t use many sites or apps without signing up for an account of some sort. It’s no wonder people use duplicate passwords.

2 Likes

Yes. I had a horror show with Keychain in the old days with it losing all my careful entries… or, another time, just losing all my encrypted notes… and I finally gave up on it. Has it become more reliable in recent years, does anybody know?

1 Like

Step-by-Step method for managing your own passwords (simple, no fancy features):

  1. Create an encrypted disk image file. (There are a few possible formats; a .sparseimage or .sparsebundle will save space on your drive.) If you’re not familiar with disk images, they’re files that can be double-clicked to expand into a volume on your Mac (behaves more-or-less like a real drive). Very useful for other things too; you can store all kinds of confidential files, like financial & medical stuff, in the same disk image. If your entire drive is encrypted, then encrypting the disk image (which you do when you first create it in Disk Utility) may be superfluous.

  2. You’d normally keep the disk image “volume” mounted on your Mac, just like your “real” drives. The passwords are stored in the “volume” in any kind of file that can hold text – plain text document, word processing document, snippet keeper, or serious database – anything that you can search within. If you’re comfortable enough with the search function, the login info for all your accounts doesn’t even need to be alphabetical. Or you can keep it sorted by category, like “Financial sites”, “Online shopping”, etc. Whatever seems logical to you.

  3. Store the individual login entries for each of your accounts something like the following. Note that the website name/URL and your username are stored literally, but your password isn’t:

Account: Nosuchbank.com/login/
Username: JoeyShmoey@whatevermailprovider.com
Password: Cccccc_nnnn_Yyyyyy;
…U&lc, where:
C = cat who lived next door but would never let me pet it
n = numerals from my childhood street address
Y = girl I fell in love with in the sixth grade
;

That’s it, you don’t actually record the password, just your hints. The above would be reconstructed, for example, as:
Floopy_4381_Mariah;

It contains upper & lowercase letters, numbers, and special characters to make it harder to crack. You could make it longer to be safer. The key point is that your hints are about things that you won’t forget, but are very unlikely to ever appear in one of the databases of those companies that are always scarfing up data about us and renting it to others online. So you wouldn’t use hints based on former employers, or your current or recent address or town, or the make of your car… those might be in a database somewhere. You also wouldn’t use anything that might be used as a security “secret question” like the name of your first pet or favorite movie. Just use things that you’ll never forget but others wouldn’t think to ask or record anywhere.

Even if your encrypted disk image (or entire drive) were hacked, which is very unlikely, they still wouldn’t be able to reconstruct the passwords from this.

Admittedly this is less convenient than a commercial password manager, or than Mac Keychain, but it’s also (IMHO) more secure – it’s so idiosyncratic that an evilHackerDude or criminal organization is unlikely to bother trying to decipher it. (Of course a state spy agency might, if you’re an important secret agent :sunglasses: ) And the inconvenience has an upside: you might find that eventually you’ll start to recall the login info for your more frequent logins by heart, and sharpen your memory that way (at least, that’s what happened to me).

If anyone has ideas about how to make this general approach more efficient or convenient (e.g. multi-device), I’d love to hear it. Hope all this is helpful to somebody!

Admittedly this is less convenient than a commercial password manager, or than Mac Keychain, but it’s also (IMHO) more secure …

If anyone has ideas about how to make this general approach more efficient or convenient (e.g. multi-device), I’d love to hear it. Hope all this is helpful to somebody!

Well…there are some advantages to just storing hints instead of the actual passwords…but also some drawbacks in that you have to reconstruct the password in your head every time and can’t use auto fill. In addition…some of the info might be able to be gathered from the web or FB based on your hints…although that would be more trouble for the bad guy and thus they might skip it as too much work.

If you used one of the commercial sync capable apps instead of an encrypted disk image and put the hints in it instead of the actual passwords…you would gain multi device and sync while still keeping it arguably more secure due to using the hints…but again that might just be a security fig leaf instead of actually helping…depends on how important of a target an individual might be.

And…it would probably not be any use in any sort of post death situation…since your kids don’t know who you were in love with. Digital legacy is important so heirs can get to stuff…that’s why our executor has enough info to get access to our password vaults when they need to. Of course…there are some things that one may not want heirs to get at…where the ex wife is buried in the woods, old risqué images, or similar…so those one makes other arrangements so they aren’t accessible.

1 Like

Until you reach an age where forgetfulness occurs.

I acknowledge that this is an interesting approach but not one for me.

2 Likes

Until you reach an age where forgetfulness occurs.

Well, that’s a good point… but I’m already pretty far along and haven’t been forgetting simple things, even from my early childhood… like the names of personal friends, notable teachers, addresses… I even remember my childhood phone number. What I forget sometimes are much more complex things, even from just a couple of years ago, like aspects of programming languages that I haven’t coded in a while or long poems that I used to know by heart.

But you’re right (and Neil is right too) that there are drawbacks to this pure-memory thing. I neglected to mention a hard-copy “safety” printout of the actual logins (not just hints), stored in an offsite safe deposit box. It’s even reasonable to store another copy of it in a locked steel filing cabinet in your home. I imagine you could even store it in a plastic bag buried in the park, provided it didn’t have your name or other personal identifying information on it. You might have to “hint” the usernames, rather than the passwords, in that case. (If you don’t even remember who you are, then I think online logins would be irrelevant anyway.) The main downside of this is that it’s hard to keep an offsite hardcopy updated with new or changing logins as time goes by.

Another possibility, a sort of hybrid approach perhaps…
I searched online for “password managers with local storage”. I didn’t even know if there were such a thing, but I found two webpages that list/compare them:

… Password Managers With Local Storage of 2022

… 5 Best Password Manager That Stores Locally

They even mention ways to potentially achieve remote-syncing, although I guess that waters down the concept of “local storage”.

What do you think of that approach?

They even mention ways to potentially achieve remote-syncing, although I guess that waters down the concept of “local storage”. What do you think of that approach?

Personally…I think that for the vast majority of us we are not necessarily low value targets but we are low value compared to celebrities or billionaires…and there are so many people that are reasonably well off in this lower value category that an individual getting targeted is pretty remote…and for that group I think that the convenience, flexibility, and usability of a cloud based system is the way to go. LastPass apparently had website urls non encrypted…which is one of the reasons they were eliminated from the field for me many years back…you want an app that encrypts everything…and IMO using a cloud service like DropBox for the vault storage and sync operations provides somewhat redundant protection…they need to get your DropBox password first or somehow get ahold through compromise of DB your encrypted blob…then they need to crack that. As long as you have a sufficiently long master password using the 4 basic password food groups…upper, lower, digits, symbols…then brute force is the only way to crack it…and most of the major players have paid for security audits of their code to root out any back doors in the encryption algorithms…it’s just math after all. Don’t use something like the Gettysburg address of course…that will be in the dictionaries they try before the rainbow tables and end up with brute force attack…I’ve read that every book is already in those dictionaries but I think that’s an overly simplistic statement.
I recommend against random gibberish master passwords because they’re hard to type and aren’t any more secure than a same length one of 3, 4, or 5 words with some symbol in strategic places as well as digits that are memorable to you but not easily discoverable…say the score of the AL Penn State championship game from the 70s or your first girlfriend’s phone number or measurements or whatever…as I said memorable to you but not discoverable by rooting through your FB posts…although even if they figured out your digits were 4, 2, and 7 that doesn’t help because you’re the only person who knows where they go in the master password…and whether they’re at the end just like in all your other passwords or interspersed in the words or whatever is irrelevant since length is the criterion that matters. In late 2022…somewhere in the 22 to 27 characters long is plenty secure…and one just increases the number of words or whatever over time as cpus get faster. Taking a look at Steve Gibson’s haystack page…once the massive offline cracking scenario gets up to anything in the centuries…any longer time is just overkill and while technically it is better…in this case better is the enemy of good enough.
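As an added example (not code from any poster in this thread), the following haystack-style calculator puts numbers on two passages above: the hint-template scheme (`Cccccc_nnnn_Yyyyyy;` reconstructed as `Floopy_4381_Mariah;`), where it shows how much the search space shrinks once an attacker has read the hint file, and the word-based master-password advice in the last post. The guess rate, the word-list size and the common-name list size are constructed assumptions, not figures from the thread.

```python
import math
import string

# Constructed assumptions for illustration (not figures from the thread):
# an offline attacker's guess rate and the sizes of a word list / first-name list.
GUESSES_PER_SECOND = 1e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600
SYMBOLS = len(string.punctuation)  # 32 printable ASCII symbols, space excluded


def alphabet_size(pw: str) -> int:
    """Haystack-style alphabet: the sum of the character classes present in pw."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, SYMBOLS),
    ]
    return sum(n for chars, n in classes if any(c in chars for c in pw))


def haystack_bits(pw: str) -> float:
    """Search space (bits) if the attacker knows only length and character classes."""
    return len(pw) * math.log2(alphabet_size(pw))


def template_bits(template: str) -> float:
    """Search space if the attacker has read the hint file and knows the template.
    Thread convention: 'n' is one digit, any other letter is one letter of a name,
    and separators such as '_' and ';' are literal, so they add nothing."""
    bits = 0.0
    for ch in template:
        if ch == "n":
            bits += math.log2(10)
        elif ch.isalpha():
            bits += math.log2(26)
    return bits


def hint_dictionary_bits(template: str, name_list_size: int) -> float:
    """Worse case for the hint scheme: each name slot (one distinct hint letter, e.g.
    'C' and 'Y') is guessed from a list of common names of the assumed size."""
    name_slots = len({ch.lower() for ch in template if ch.isalpha() and ch != "n"})
    return name_slots * math.log2(name_list_size) + template.count("n") * math.log2(10)


def passphrase_bits(n_words: int, word_list_size: int, extra_bits: float = 0.0) -> float:
    """Word-based master password as recommended above: words drawn from a list,
    plus extra bits for digits and symbols placed where only the owner knows."""
    return n_words * math.log2(word_list_size) + extra_bits


def crack_years(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected years to hit the password after searching half the space."""
    return (2.0 ** bits / 2.0) / rate / SECONDS_PER_YEAR


def analyse(password: str, template: str, name_list_size: int = 10_000) -> dict:
    """The three attacker models, from weakest to strongest attacker knowledge."""
    return {
        "classes_only_bits": haystack_bits(password),
        "template_known_bits": template_bits(template),
        "template_and_name_list_bits": hint_dictionary_bits(template, name_list_size),
    }
```

Running `analyse("Floopy_4381_Mariah;", "Cccccc_nnnn_Yyyyyy;")` drops from roughly 125 bits (classes only) to about 70 bits once the template is known and under 40 bits if the names are guessable from a list, which is the concrete form of the "gathered from the web or FB" caveat raised above.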