This is a cautionary tale about using password managers. My brother is in a Russian prison and cannot manage his own electronic accounts. He uses a password manager but it has taken us 5 months to communicate and receive the master password. It’s risky, in his situation, since the Russian police have control of some of his devices. For reasons unknown, the password he passed through his lawyers to us didn’t work. Here’s how I bypassed his password manager and some of the poor security I ran into as I went about resetting his passwords to block police access.

Write Down Your Master Password(s)

This is exactly the issue we caution lawyers about, although the fact pattern is slightly different. If you use technology, you have at least one password (operating system). You probably have many more. If you die, if you are ill and indisposed, what will happen to your law practice? Is there a way for someone to access your passwords and manage your practice for you?

Before you go any further, do what I do. Write down your most important passwords (mine: Windows operating system PIN, KeePass password manager master password, lock screen PIN for my tablet) and store that piece of paper somewhere secure. Tell someone where it is. In a worst case, my wife can now at least log in to my devices and access my accounts.

If we had had this password from the start, we could have immediately taken control of his accounts. Fortunately, early attempts by other parties to access his accounts were blocked.

We were hopeful, then, when we finally received a password that looked like it might be for his password manager. We cannot communicate with Paul directly, so it can take weeks or months between when we ask him a question and when we get a response. In light of all of his communication being reviewed by the Russian police, we’re reluctant to ask him to share something that could put him at a disadvantage.

Use Just a Password Manager

You can imagine my deflation when, upon trying the password we’d received, it was incorrect. He had transmitted one other password, for a Google Mail account, and a PIN. We reset the Gmail account and the PIN was for something else.

I nearly missed this opportunity because I wasn’t thinking creatively. Here are my views about passwords:

  • use a password manager
  • don’t save or share passwords outside a password manager except for the 3 you write down and store securely

It’s pretty simple. So I missed a crucial piece of information because it didn’t align with my own password approach. My brother is one of the 12% of Americans who use a password manager, but also part of the group that saves passwords in a web browser.

First rule: use a password manager. Second rule: don’t store your passwords in your web browser if you’re using a password manager.

It’s all about balancing security and convenience. Do you:

  1. want to keep passwords out of your browser and have to type or cut/paste them in every time?
  2. want to keep passwords out of your browser but use a password plugin to auto-fill them in your browser?
  3. want to manage your passwords outside of your browser but enable the browser to auto-fill them for you?

It seems to me that relying on the browser is the worst of the three options if your goal is to keep your passwords private and secure.

Once I’d figured this out, it was a snap. I no longer needed to access his password manager. All I needed to do was log into Google Chrome as him and synchronize passwords (to download his passwords from Google’s servers). This populated the saved passwords screen in Google Chrome. It also turned on the export passwords function, which allows you to save the passwords in plaintext.

If you save your passwords in your browser, anyone who can control your browser has access to your passwords. From what I can tell, you can export passwords from Chrome, Firefox, Microsoft Edge (through Windows Credential Manager), Internet Explorer, and Safari (exporting the Keychain).

I now had an Excel spreadsheet with all of his password data (sites, usernames, passwords). I did a bit of de-duping, and then imported it into KeePass and created a new password manager file.

Now to change the passwords. This was extremely easy, even when two-factor authentication had been activated. It was a bit scary, in fact, how easy it was to get around the second factor.

All You Need is a Password

As I reset the account passwords of a couple of dozen accounts, I was surprised by some really bad security. If you lose control of your password, there’s not always a lot to stop someone from accessing your site.

Security Questions

Let’s look at your Apple ID as an example. The Apple ID login screen is pretty straightforward – username and password. I had that, so I entered it. Don’t ever click Remember Me or you’re enabling your browser to skip asking you for a password.

The login screen to manage your Apple ID

Then I get the security questions prompt. If you have shared any of this information with someone you know, they can probably get through this layer. In my case, I only knew one of the two answers. No matter. Apple allows you to reset the questions!

You can reset your security questions – or someone else’s – so long as you have a username, a password, and any one correct security question answer.

All you need to know or be able to guess is ONE security question. Then you can reset them all.

A security question window on the Apple ID login.

No, my first dog wasn’t sir furry nuggums. But if it had been, I could have gotten to the next screen.

Upon successfully resetting the questions to new answers, I would be sent back to start the process again. This time, however, I knew all of the answers because I’d just created them myself.

This is one reason that I think security questions are a terrible way to secure accounts. I’ve written about it more thoroughly here and it’s why I use passwords as security answers. This is similar to what I would have entered, had I been answering for my own account:

Text as a Second Factor

Another site prompted me to receive a text to confirm my identity once I’d answered the username and password prompt. Unfortunately, the phone listed is in the FSB’s custody and so not a good one to get a text on. Helpfully, though, the site allowed me to change the phone number right there!

I changed the phone number, texted myself the second factor code, typed it into the site, and I had taken control of the account. It only confirmed in my mind that any two-factor authentication process should be offline. I use Duo Mobile now and have used Google Authenticator in the past. It resides on your device and the only person who can get those codes is the person with the device.

Increasingly, any site that relies on security questions or text (SMS) based two-factor authentication is a site that I would prefer to avoid. Even Google’s support for app-based authentication has become more complicated to use (you have to text yourself a code THEN set up the authentication, if you can find it).
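The security-question reset and the phone-number swap described above share one design gap: the site lets a factor be replaced without proof of the factor being replaced. The added example below (not from the original post or from any site mentioned in it) sets that flow beside a hardened one; every name, the 5-minute freshness limit and the 72-hour cool-off are assumptions for illustration.

```python
from dataclasses import dataclass, field

STEP_UP_MAX_AGE = 300     # seconds a factor proof stays fresh (assumed value)
COOL_OFF = 72 * 3600      # delay before an unproven change applies (assumed)


@dataclass
class Account:
    factors: dict                                # e.g. {"sms": "+15550100"}
    pending: list = field(default_factory=list)  # (kind, value, effective_at)
    alerts: list = field(default_factory=list)   # notices to existing contacts


@dataclass
class Session:
    proofs: dict = field(default_factory=dict)   # factor kind -> time proven

    def fresh(self, kind, now):
        return now - self.proofs.get(kind, float("-inf")) <= STEP_UP_MAX_AGE


def change_factor_weak(acct, sess, kind, value, now):
    """The flow described in the post: the password alone replaces a factor."""
    if not sess.fresh("password", now):
        return "denied"
    acct.factors[kind] = value
    return "changed"


def change_factor_hardened(acct, sess, kind, value, now):
    """Replacing a factor requires a fresh proof of that same factor.

    Without it the old value stays in force, the owner is alerted on the
    existing channels, and the change is queued behind a cool-off period.
    """
    if not sess.fresh("password", now):
        return "denied"
    if sess.fresh(kind, now):
        acct.factors[kind] = value
        acct.alerts.append(f"{kind} changed")
        return "changed"
    acct.pending.append((kind, value, now + COOL_OFF))
    acct.alerts.append(f"{kind} change requested; applies after cool-off")
    return "pending"
```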

Lots of lessons learned or reinforced, though:

  • use a password manager
  • don’t synchronize any passwords using a web browser
  • when analyzing a problem, look at it with all the information you have, not just the information you want to use and your own world view

It will be good to be able to confirm to my brother that, though the FSB had the same ability to get his passwords that I did, and may have tried to access his accounts, we’ve been able to reset and secure all of the passwords until he gets home.