Why Password Managers Are Not Secure

Trust Your Friends and Not Tech

·

12 min read

It is the early 90s and I am sitting at my terminal dialer Telix. My dad and I used it to dial over a modem into BBS systems such as Canada Remote Systems which ran PC Board BBS software. A BBS was a public computer with lots of phone lines running into it, and once connected, a user could exchange messages as well as download legal files and read and write on public message boards. As well there were some online text-only games, some of which feature blocky ANSI colour graphics. This was the precursor to the Internet. And security, back then, meant having a username and a password nobody else could guess. As once you dialed the phone number of a BBS you had to input both to gain access.

For about a year I didn’t think much about security and used the same password on all BBS systems. I didn’t even write it down, it was a word and a number, both of which I got from a product on my desk in my bedroom. I could not forget it for whenever I did homework I looked at this object, it was useful and not something I would throw away. I suppose this is sort of like writing down a password. But I knew nothing about how BBS systems were run, nor about hackers.

Not all BBS systems were official, public, and legal. CRS was one on which we used our family name to log in. But many BBSes in Toronto required an alias or a fake name. Many people associated strongly with their aliases. I suppose the closest thing to this system is a Twitter handle. Some used their real name, but back then everyone used a fake pseudonym. I was known as Death Stalker. I don’t recall where I got the inspiration for such a cool monicker, but it felt like I belonged with everyone else in the scene at the time, though I never thought my name was the coolest.

Some BBSes had warez, or illegal downloads, containing full copies of video games from stores, whose copyrights were cracked by cracker groups. Some downloads were demos and intros, or mathematically efficient code presenting cool graphics routines set to sound, a sort of music video but all calculated in real-time. Nothing was pre-rendered like a movie, it was all done in real-time and usually coded using C and assembler for efficiency. Each cycle of the CPU mattered. There were obviously sections for all kinds of porn, too. But what caught my interest the most was a section labeled “BBS Software”. It turned out anyone could run their own BBS, as long as they had a modem, and a phone line! Kinda how today anyone can register a domain name and get a Linux server together and so we all think we can be huge dot-com CEOs. It’s a dream thing. Naturally, I downloaded several BBS packages to try.

The one I stuck with was WWIV or also known as World War IV. It had a cool name, and I really liked the colour theme, green and yellow. The more elite boards used Telegard, which was all blue, and Renegade, which was all red. I always wanted to run a cool warez board but I knew these were not my thing - I was never the cool kid in school anyway, why would I be cool online? And the more professional places ran WildCat and PCBoard. I wasn’t a professional, so I download the shareware version of WWIV. Shareware means you get to try most of the features for free but if you want the full product you have to register. So I set up my own board on our three thousand dollar 386sx-16mhz machine, and it asked me for a SysOp password. A SysOp is a System Operator, or he who is God among ants, the one responsible for setting everything up. This is like the root password on Linux systems. This was the first time I realized I had to have a weird password. Today’s terminology is a strong passphrase. This was also the first time I wrote down a password on a piece of paper which I kept in a secret location in my bedroom. It was the first time I considered security seriously.

For a month I played with the shareware version of WWIV and then asked mom for money to register it. I mailed a cheque, and in a month came a floppy mailer containing several floppy disks. One of the perks of getting registered meant gaining the full source code to WWIV. There was a modem-to-modem networking system called WWIVnet. It allowed for the exchange of messages across area codes, thus a sort of Internet existed between countries even, allowing for email type of mail service. Any message could be exchanged, just not files. There were public message forums on many topics and as a SysOp you simply subscribed to them. This meant more hard drive space was required. To get a peer to exchange messages with you some required money, while others did not. Around this time I changed my name to King Hippo and began my own messaging network called HippoNet.

Everyone required a different unique password as you didn’t want one BBS, or board, to call and pick up messages for another board, thus stealing private conversations. This is the first time I needed a password manager, but none existed. So I kept a text file on a floppy disk into which I dumped all the passwords I needed to maintain my BBS. We had a second phone line in our townhouse and it was used exclusively for the modem. About this time I also switched from the terminal software Telix to Telemate which had, what I think, was the first password management program built-in. Along with modem init strings and phone numbers and name and description for each BBS in the BBS listings you could also specify username and password. And I began using it, filling it up. When I realized how easy it is for a SysOp to read the user’s password, I then realized an enterprising SysOp who was mischievous could read my password on their BBS and login as me on any other BBSes where I had accounts. This terrified me, and soon I had a unique strong password unique to each BBS. Just the way we have a different password today for each website and we store those passwords in a password manager, I was doing this back in the mid-'90s. So were all others who understood how BBSes worked.

However, Telemate itself wasn’t a protected program. Anyone with access to DOS could run Telemate and would be able to log in. This included my sisters and my dad. I trusted that they wouldn’t, and there was another problem as well. Telemate didn’t have a multi-user system. It envisioned that only one user would ever use it at a time. But my dad and I both dialed into BBSes, so where was my dad to store his passwords and usernames in case he dialed into the same BBSes as me? My dad kept a paper log of his credentials and logged in manually by looking them up on a piece of paper.

Back then I believed and trusted the people around me. I felt secure in my bedroom and trusted authorities like the Toronto Police not to invade our house looking for password notes. As well nobody encrypted their DOS hard drives. My password floppy also wasn’t encrypted. The only encryption alternative at the time to my knowledge was a password-protected Word Perfect document. But this was a password that could be cracked, as there were tools to do just that on many hackers' BBSes. So that wasn’t very secure either, for the techies anyway. Common folks like my dad or mom or sisters could rely on this security because they didn’t know any better. But there wasn’t SSL, SSH or PGP even back then. And if it did exist, it was on university UNIX machines which I didn’t have access to.

Then one day I woke up and it was the third decade of the 21st century. We all were using secure websites, and password managers, and many people, even old parents who are not into tech, had encrypted hard drives with one-button solutions like Apple’s FileVault built into the OS. It seems like we finally have freedom and can trust that our identities online are safe. But for all this glorious magic, a master password is still required. If we encrypt our hard drives using FileVault we must write down somewhere a long secret passphrase. If we use a password manager as a browser plug-in we must write down somewhere the master password. We also have to make sure it’s easy enough to remember so we can recall it when we are not in our bedrooms as many people these days use laptops on various WIFI networks spread all over cities and different nations. We have to know off-by-heart passwords to our bank sites, government logins, and even healthcare sites. Should we lose the master password or the FileVault passphrase, we lose access to everything. It all hangs on a single password, which we still have to manually keep in a safe space.

This problem has not yet been solved. As a teenager, I wondered often when I was at school if my dad was searching for my password in my bedroom. I knew I could trust my dad, and there was nothing to hide, but the possibility remained. If I invited a friend over, would he search for my password while I went to the bathroom? Paranoid much? No, these are real scenarios that could happen and until the password-on-paper problem is solved we wouldn’t be truly safe from evil hackers. As humanity has evolved through countless generations we’ve always wanted to be safe, at least the normal ones who aren’t looking for danger. Some pursue a dangerous life and even in this modern age do not use password managers relying instead on some system of single or multiple remembered passwords for all sites. This is a much riskier strategy but people are stubborn.

The trouble with password managers is they all keep passwords somewhere where it is accessible by others. If it’s kept in the cloud then governments have access to them potentially. A simple court order and all your sites are theirs. Even without a court order, as many are waking up to this reality, access can still be had with the right bribe, the right threat, or the right wink. If I write down my password and keep the paper reminder in my desk at home anyone with access to my apartment can find it and thus gain access to everything. This includes repair contractors, my landlord who has keys, family members who have backup keys to my apartment, or the local and often crooked police services. I was once in the bathroom past midnight, when my front door unlocked and in poured three armed police officers. They locked me up at that time even though I was innocent and did absolutely nothing wrong or threatening. To this day nobody from the police service has explained why they felt the need to unlock my door instead of knocking. But if they wanted access, also, to my digital life, they could unlock the door while I’m away at an appointment and they could get my GMail password and have access to everything including my password manager. The local police where I live are crooked, and I imagine this authority-trust problem exists in many places around our sad Earth.

So password managers are not the final solution. They are a convenience mostly and do not provide real security. If you think not writing down your password is safe, as nobody can read your mind, this is true as it is safer not to write it down. But it’s also riskier. There are countless examples in our world where complex passwords are forgotten. What happens if you experience head trauma like in a car accident or an accident? What happens if you have a breakdown or some other event triggers you to forget which character is where in the passphrase? This is why it must be written down. Some resort to using phrases from well-known books writing down only the pager number and line number and similar gimmicks. Regardless of how you hide it, currently, there is no safety because physical access to our places of residence is not secure.

Now Apple is trying to solve the problem by adding another complicated layer of security to this mess by using biometrics such as fingerprints. You simply push your thumb to an Apple device and all your passwords are available. No need to remember a master password. This works flawlessly in their lab environments where coders sit in a safe space that is pure and lacks any natural elements. But add in the reality of woodworking, constructions, home repair, martial arts training, sports, and daily paper cuts, and whenever the thumb isn’t kept in pristine order, whenever there are nicks, scratches or injuries, the entire fingerprint model fails and all of these devices failback on PINs or worse, passwords. And these we all have to write down. So biometrics isn’t a solution. As well they endanger the lives and limbs of those who use them. For if I need your thumb to gain access to your data I don’t necessarily need you if you catch my drift. This is even worse for eye biometrics.

We currently do not have freedom and security on any digital layer. We have convenience. We have the illusion of security. And that may seem sufficient to most but it isn’t sufficient for me. I was wronged by authorities, whom I trusted, whom I obeyed, and I was wronged by hackers, whom I didn’t trust, and I was wronged by friends, who should have known better, I was even wronged by lovers, but that’s not what this article is about. Maybe one day I’ll write a romantic novel, but not quite yet. What I’m getting at is, if you thought using SSH, GPG, and passphrases was the future, we had all of that in the ‘90s and access was still abused by the people whom we trusted the most. For all it’s worth though and for all my worries, my dad trusted me ultimately more than anyone else and respected me more than anyone else even now that he is deceased. He never once snooped on my files or my online activity. I was always free as a kid to explore any BBS system, even when I dialed long distance to Finland causing the family a massive phone bill. Glad I lived to tell the tale on that one.

To make this a better world, until real security is available, please be kind to each other. Help your neighbours, help each other and work cooperatively rather than competitively. Any village, no matter how big, is built by all the people who live in it and even by some who are strangers. A village is rarely built by one man alone no matter how skilled.

(editing note Feb 18th 2023: initial published title was "Why Password Managers Are Insecure")