All Posts by Date or last 15, 30, 90 or 180 days.
also by Lloyd: diglloyd.com photography and WindInMyFace.com

As an Amazon Associate I earn from qualifying purchases @AMAZON

Consult with Lloyd: cameras, computers, backup, etc...
Lloyd’s Patreon
Designed for the most demanding needs of photographers and videographers.
The fastest, toughest, and most compatible portable SSD ever with speeds up to 2800MB/s.
Highly Recommended!
External SSD wish listDeals on OWC
$220 SAVE $130 = 37.0% Western Digital 16.0TB Western Digital Ultrastar DC HC550 3.5-in… in Storage: Hard Drives
$680 OWC 2.0TB OWC Atlas Ultra CFexpress 4.0 Type B Memory Card in All Other Categories
$580 OWC 4.0TB OWC Envoy Pro Elektron USB-C Portable NVMe SSD in All Other Categories
$630 OWC 4.0TB OWC Express 1M2 USB4 (40Gb/s) Bus-Powered Portable NVM… in All Other Categories
$2380 OWC 72.0TB OWC ThunderBay 4 Four-Drive Thunderbolt External Stor… in All Other Categories
Newly In Stock: SEE ALL...
Sony Mirrorless wish listDeals on Sony
$2997 Nikon Z7 II Mirrorless Camera OUT OF STOCK in Cameras: Mirrorless
$2297 Nikon D780 DSLR OUT OF STOCK in Cameras: DSLR
$2997 Nikon D850 DSLR OUT OF STOCK in Cameras: DSLR
$720 ZEISS 32mm f/1.8 Touit Lens for FUJIFILM X OUT OF STOCK in Lenses: Mirrorless
$497 Pentax 70mm f/2.4 HD Pentax DA Limited IN STOCK in Lenses: DSLR

Using a Password Manager or Any Stored Passwords on a Portable Device is a Terrible Idea?

2023-02-25 • SEND FEEDBACK |
Related: Apple, Apple iOS, Apple iPhone and iPad, cyber social engineering, Don H, iOS, passphrase, password manager, security

re: cyber social engineering

I never have and never will store passwords for anything on my phone, not in any form, not with a password manager, etc. Nor do I have financial apps on my phone except for my bank (so I can remote deposit checks), and for that app I always manually enter a strong passphrase.

If my phone is stolen, I have no sensitive information on it that thieves could use.

Inconvenient? Yep. And it’s why I rarely sign up for services that require passwords—such a hassle to remember a different password for each of them*.

That’s going too far for many people. But for financial apps it’s risky to automate anything. And what if someone 'only' destroys your reputation via damaging comments or videos?

What would you risk if someone stole your phone and knew its passcode?

See also: Apple iOS: Major Security Hazard if Passcode Compromised?

* If you avoid password hassles by using the same password for all or short/easy passwords, you’re going to be hurt by that, it’s only a matter of when.

Password manager: the “Master Ring” for digital life

A password manager has its risks, but is almost certainly better than built-in features that remember passwords for you, because such features generally do not require any security measurees for unlocking, as well as doing auto-fill without user action.

A password manager is touted as a good way to secure all your logins. Is it?

One master key that unlocks everything?

Classic conflict between security and convenience. Risk your life savings for convenience?

What good does it do to have your passwords locked in a password manager when a phone/device thief need only force your thumb and/or face to do it, and/or threaten you with violence unless you provide an unlock code? Some good for sure and most of the time for most uses. But not when violence is involved.

At the least, use a 2Factor authentication device with a password manager, see discussion in reader comments below.

Rudimentary security check for password manager

If someone knows your phone passcode, is the password manager accessible? If so, game over; every account you have is now wide open. Of course the password manager had better use a different passphrase than the device itself. Try this:

  1. Lock your device.
  2. Immediately unlock your device.
  3. RISK TEST: can you use your password manager or other apps without now having to re-enter the password/passphrase for each of them? (which should be different for every one of them)

If the answer to #3 is “yes”, you are at extreme risk of major financial or other damage. Change your settings to require re-entering the password manager passphrase after unlock. And then reconsider what’s being stored and how risky it is.

And then consider all of the apps involved: do they just work without login after unlocking the device? That’s extremely risky.

Threats of violence

A form of cyber social engineering, violence beats cryptographic security like the game of rock-paper-scissors with scissors removed. And all you get is 'paper'.

Consider the threat of grave immediate bodily harm unless you provide a passphrase for the phone and/or password manager. Whether gun or knife or just getting beaten senseless your choices of permanent physical and/or pyschological harm are huge. Compound that with massive financial and digital harm and it ain’t pretty.

Recomendations

Do not use a password manager for financial/sensitive accounts

The higher the value to you, the more you should favor security over convenience. Memorize the login and always enter it manually.

Use 2-Factor authentication

Use a 2-factor device that goes onto your keyring for every account you can. Then if the thieves do not notice that device, you are in decent shape. If they do... that’s why you want to not have key logins in your password manager! See previous point.

Honey pot

Consider a dummy password manager so that the thieves can be satisfied seeing it unlocked, while you walk away. This is a sort of “honey pot” to buy you time.

Reader Comments

Reader Don H writes:

Just curious - do you have a recommendation for a 2-factor device?

MPG: see see 2-Factor Authentication (2FA) Ddevices.

View all handpicked deals...

Seagate 22TB IronWolf Pro 7200 rpm SATA III 3.5" Internal NAS HDD (CMR)
$500 $400
SAVE $100

diglloyd.com | Terms of Use | PRIVACY POLICY
Contact | About Lloyd Chambers | Consulting | Photo Tours
Mailing Lists | RSS Feeds | X.com/diglloyd
Copyright © 2020 diglloyd Inc, all rights reserved.
Display info: __RETINA_INFO_STATUS__