Passwords Again

In the wake of this week's issues with LastPass, I see today's brilliant Saturday Morning Breakfast Cereal takes up the topic.

The hovertext for this cartoon is, "The trick to passwords is to just reset them every time you need to log in".  Which is kind of an interesting idea, and one that I would like to consider from a security point of view, because I hear it proposed in less jocular contexts than this one.

The standard model of a password is that it's the "something you know" among the three factors considered for authentication: something you know, something you have and something you are (i.e., biometrics).  Using a second factor greatly improves the overall security, and I recommend it regardless of what else you decide about this.

If instead of recording or remembering your password to every site, you simply use the password reset function, have you improved the safety of your authentication to that site?  Before you adopted this strategy, your main points of weakness were the manager providing storage of your very-complex password, or the too-simple password  you chose so your would not need a manager.  Now, at least, you have a really complex password (right?  RIGHT?), and you're not storing it anywhere.

But now your main point of weakness is your email account.  Which is probably also vulnerable to the manager providing storage of your very-complex password, or the too-simple password  you chose so your would not need a manager.  Not only have you simply shifted the same exact issue, you have concentrated it into the single resource that affords access to all your other resources.  It takes an already vulnerable situation and makes it a single point of failure for your entire online life.

Until we can get rid of passwords completely, somehow, I'm afraid there are not many shortcuts available.  So: make a strong password you can remember.  Use it to secure your password manager.  And, enable a second factor for every site that offers the option.