Using a Password Manager or Any Stored Passwords on a Portable Device is a Terrible Idea?
I never have and never will store passwords for anything on my phone, not in any form, not with a password manager, etc. Nor do I have financial apps on my phone except for my bank (so I can remote deposit checks), and for that app I always manually enter a strong passphrase.
If my phone is stolen, I have no sensitive information on it that thieves could use.
Inconvenient? Yep. And it’s why I rarely sign up for services that require passwords—such a hassle to remember a different password for each of them*.
That’s going too far for many people. But for financial apps it’s risky to automate anything. And what if someone 'only' destroys your reputation via damaging comments or videos?
What would you risk if someone stole your phone and knew its passcode?
See also: Apple iOS: Major Security Hazard if Passcode Compromised?
* If you avoid password hassles by using the same password everywhere, or by using short/easy passwords, you’re going to be hurt by that; it’s only a matter of when.
Password manager: the “Master Ring” for digital life
A password manager has its risks, but it is almost certainly better than the built-in features that remember passwords for you, because such features generally require no security step at all to unlock and will auto-fill without any user action.
A password manager is touted as a good way to secure all your logins. Is it?
One master key that unlocks everything?
Classic conflict between security and convenience. Risk your life savings for convenience?
What good does it do to have your passwords locked in a password manager when a phone/device thief need only force your thumb and/or face onto the sensor, and/or threaten you with violence unless you provide an unlock code? Some good, for sure, most of the time and for most uses. But not when violence is involved.
At the least, use a 2-factor authentication device with a password manager; see the discussion in the reader comments below.
Rudimentary security check for password manager
If someone knows your phone passcode, is the password manager accessible? If so, game over; every account you have is now wide open. Of course the password manager had better use a different passphrase than the device itself. Try this:
1. Lock your device.
2. Immediately unlock your device.
3. RISK TEST: can you use your password manager or other apps without now having to re-enter the password/passphrase for each of them? (which should be different for every one of them)
If the answer to #3 is “yes”, you are at extreme risk of major financial or other damage. Change your settings to require re-entering the password manager passphrase after unlock. And then reconsider what’s being stored and how risky it is.
And then consider all of the apps involved: do they just work without login after unlocking the device? That’s extremely risky.
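To make the lock/unlock check above concrete, here is an added toy model (not code from the post or from any real password manager) of a vault's auto-lock policy: it shows that an idle timeout alone leaves the vault open after a lock and immediate unlock, and only a policy that re-locks when the device locks passes the test. Policy names, timings and passphrases are all constructed for the example.

```python
"""Added example (not from the post): a toy model of a phone password
manager's auto-lock policy, used to run the post's lock / unlock check.
Policy names, timings and passphrases are all constructed for this demo."""
import hmac
from dataclasses import dataclass


@dataclass
class VaultPolicy:
    idle_timeout_s: int          # re-lock after this much inactivity
    relock_on_device_lock: bool  # re-lock the moment the phone itself locks


class Vault:
    """Password-manager vault whose lock state follows a VaultPolicy."""

    def __init__(self, policy: VaultPolicy, passphrase: str) -> None:
        self.policy = policy
        self._passphrase = passphrase.encode()
        self.locked = True
        self.last_activity = 0.0

    def uses_passphrase(self, candidate: str) -> bool:
        # Constant-time comparison; used both to unlock and for the
        # "same passphrase as the device?" check.
        return hmac.compare_digest(self._passphrase, candidate.encode())

    def unlock(self, passphrase: str, now: float) -> bool:
        if self.uses_passphrase(passphrase):
            self.locked = False
            self.last_activity = now
        return not self.locked

    def accessible(self, now: float) -> bool:
        """True if secrets can be read without re-entering the passphrase."""
        if not self.locked and now - self.last_activity > self.policy.idle_timeout_s:
            self.locked = True  # idle timeout elapsed
        return not self.locked

    def on_device_lock(self) -> None:
        if self.policy.relock_on_device_lock:
            self.locked = True


def risk_test(vault: Vault, device_passcode: str, now: float) -> dict:
    """The post's check: lock the phone, unlock it one second later,
    and see whether the vault opens without its own passphrase."""
    vault.on_device_lock()
    return {
        "vault_open_after_relock": vault.accessible(now + 1.0),
        "shares_device_passcode": vault.uses_passphrase(device_passcode),
    }
```

A "vault_open_after_relock" of True, or a "shares_device_passcode" of True, is the failing outcome the post warns about.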
Threats of violence
A form of cyber social engineering, violence beats cryptographic security like the game of rock-paper-scissors with scissors removed. And all you get is 'paper'.
Consider the threat of grave, immediate bodily harm unless you provide a passphrase for the phone and/or password manager. Whether it’s a gun, a knife, or just getting beaten senseless, the possible permanent physical and/or psychological harm is huge. Compound that with massive financial and digital harm and it ain’t pretty.
Do not use a password manager for financial/sensitive accounts
The higher the value to you, the more you should favor security over convenience. Memorize the login and always enter it manually.
Use 2-Factor authentication
Use a 2-factor device that goes onto your keyring for every account you can. Then if the thieves do not notice that device, you are in decent shape. If they do... that’s why you want to not have key logins in your password manager! See previous point.
Consider a dummy password manager so that the thieves can be satisfied seeing it unlocked, while you walk away. This is a sort of “honey pot” to buy you time.
Reader Don H writes:
Just curious - do you have a recommendation for a 2-factor device?
MPG: see 2-Factor Authentication (2FA) Devices.