1. 16
  1. 4

    The threat model of this approach is quite strange. The main problem is that the password manager would, for some reason, store the password locally to be used by anyone.

    If that is the case for you then you just set the password manager to never remember you, always ask for 2FA and you end up being so much more secure than having to remember a password in 2 parts now.

    1. 3

      your master password (the password to your password manager) is compromised due to a security breach or you left it in plaintext on a post-it/ email/ notes app

      I don’t know about Bitwarden, but 1pass won’t let you install your account on a new computer without access to the master password and the personal account key, which limits the damage someone with just the master password can do.

      1. 2

        Bitwarden supports 2-factor-authentication.

      2. 2

        To me this looks like an unencrypted equivalent of a master password: an extra password you need to remember and enter whenever you use your password manager. But unlike a proper master password that can be cryptographically protected, this one is sent in the clear.

        1. 1

          Not sure if this is comparable. You’re not writing that part down anywhere so it should be at least as save as any other password that is exclusively inside your head. But this is then multiplied with the security of an actually save password from a password manager. If their security is breached for whatever reason, the second factor aka Horcrux makes the breached data unusable.

          1. 2

            Master password isn’t supposed to be written anywhere either.

            A password manager can incorporate the master password in per-site passwords a cryptographically-secure non-reversible way. This is extra layer of security on top of the “Horcrux” method, because even sites that receive passwords in clear text (and then leak them and make them public to everyone) won’t leak the master password in clear text.

            1. 1

              A password manager can incorporate the master password in per-site passwords a cryptographically-secure non-reversible way.

              If you’re already using a password manager and are fine with passwords that you can’t remember, this seems fully inferior to just using CSRNG generated passwords.

              This is extra layer of security on top of the “Horcrux” method, because even sites that receive passwords in clear text (and then leak them and make them public to everyone) won’t leak the master password in clear text.

              But the horocrux isn’t a master password, it’s just one half of the password that isn’t stored in the password manager with the other half, and so them leaking that password would only impact the password for that one site, and you as a user can’t protect against that.

              1. 1

                CSRNG alone is vulnerable to loss of the master password. CSRNG + database of truly random per-site seeds gives you a second factor. To me this is analogous to horcrux + database of per-site passwords: two factors, one in your head (horcrux/master pw), another on your disk (pw manager), and you need both to get full per-site passwords.

                The horcrux method is:

                password = on_your_disk + in_your_head
                

                vs traditional encrypted password db:

                password = decrypt(on_your_disk, in_your_head)
                

                or even closer to a generator with per-site seeds:

                password = hash(on_your_disk + in_your_head)
                

                In all these cases you have two factors, each safe without the other part, and the only difference is that Horcrux method doesn’t hide the in-your-head part as well as other methods.

                This makes Horcrux less secure, because if you leak on_your_disk half and any one of the generated passwords, all the passwords will be compromised. Other methods can survive that case.

                1. 1

                  CSRNG alone is vulnerable to loss of the master password.

                  But so would the “A password manager can incorporate the master password in per-site passwords a cryptographically-secure non-reversible way” approach as well though.

                  CSRNG + database of truly random per-site seeds gives you a second factor.

                  I’m confused as to what you’re getting at here. The CSRNG would just be used to generate a password that’s then stored in your password manager, the same way that most people that use unique passwords and a password manager already does it? But most people don’t use local password managers, so for them it’d still just be one thing you know, the master password.

                  To me this is analogous to horcrux + database of per-site passwords: two factors, one in your head (horcrux/master pw), another on your disk (pw manager), and you need both to get full per-site passwords.

                  For hosted password manager services, this would be 1+(number of services) things you know, and nothing you have, unless the service has 2FA support.

                  For local password managers, it’d be 1+(number of services) things you know, but also at least one thing you have, the database. (Though with my PGP key on a YubiKey it would be 2 things I have, the database and my YubiKey.)

                  1. 1

                    I’m confused as to what you’re getting at here

                    Sorry, misunderstanding. By “CSRNG alone” I’ve meant solutions like https://lesspass.com that don’t have an on-disk part.

                    By master password I mean solutions like https://keepass.info that have on-disk database encrypted with a master password.

                    I don’t understand your distinction between hosted and local password managers. I assume any decent password manager that has online sync would never reveal passwords or your master password to the host, which makes security of hosted and local pw managers identical. If the host gets passwords in plaintext that’s fundamentally broken software, and I wouldn’t try to save it with any DIY method.

                    1. 1

                      Sorry, misunderstanding. By “CSRNG alone” I’ve meant solutions like https://lesspass.com that don’t have an on-disk part.

                      Ah, right.

                      I don’t understand your distinction between hosted and local password managers. I assume any decent password manager that has online sync would never reveal passwords or your master password to the host, which makes security of hosted and local pw managers identical. If the host gets passwords in plaintext that’s fundamentally broken software, and I wouldn’t try to save it with any DIY method.

                      While they definitely shouldn’t have the plaintext passwords, the fact that they’re available through an online service means that the password database itself isn’t another factor that you physically possess, it’s something anyone can theoretically query to try to bruteforce their way in.

                  2. 1

                    This makes Horcrux less secure, because if you leak on_your_disk half and any one of the generated passwords, all the passwords will be compromised. Other methods can survive that case.

                    I believe that you’ve misunderstood the article here. “You split your password into 2 parts” to me means that you have a unique horocrux per site, so it leaking won’t affect the passwords for any other service. And this would be why they suggest potentially only doing it for high-importance passwords if it seems like much effort. Otherwise it wouldn’t be any more effort for 10 sites than for 1.

              2. 2

                You’re not writing that part down anywhere so it should be at least as save as any other password that is exclusively inside your head.

                Except that you are giving it to every site where you have a password. In my experience, the likelihood that at least one site where you have an account is compromised at some point is high; at which point a motivated attacker with access to your password manager can figure out your horcrux very quickly.

                To me this seems like additional work (you can no longer use browser-based autofill for your password manager*) for not much security gain. Edited to add: that said, it does add some security, so if you’re comfortable with the tradeoff it’s not a bad thing to do!

                I’d also note that physical security keys that implement WebAuthn/FIDO2 are dramatically better than OTP apps in terms of phishing resistance and ease of use; I strongly encourage their use over OTP apps wherever possible.

                * I think there’s a fair argument that you shouldn’t use this at all, because it increases your risk surface dramatically; if one bad site can somehow convince your password manager is at a particular origin, zero-touch autofill could cause you to lose all your passwords at once.

                1. 1

                  Except that you are giving it to every site where you have a password.

                  Except that you’d give a different one to each site that you’re doing it with, which is why they suggest only doing it with important accounts if it seems like too much effort.

            2. 1

              This is an interesting approach but I think it might be too much effort for most. What do you think?

              I also think it should not only be one single word (as someone already mentioned in the comments). This might be a good candidate to pair with a passphrase system, that pairs openly available information like a website name with some secret.