
At the scale of present-day secured-systems use, this becomes fairly cumbersome quickly.

The typical person, as long ago as 2015, had around (and possibly over) 100 accounts. I'm seeing people referring to many hundreds managed by LastPass or other password-management systems.

Using, say, a paper-based system whether in a bound journal or a set of index or Rolodex cards, a 500-account archive would take up most of a journal, or a pretty hefty chunk of cards, and that archive itself would require physical security (though at least data exfiltration would be slower than from a digital archive). It's not the sort of thing you could easily carry around with you, or access from multiple locations, should you need to do so.

In corporate use, the problem is compounded by:

- Multiple people requiring access to systems.

- Both shared-account and multi-account systems (e.g., a shared root to servers, master DBA account, or embedded / appliance devices with a single account).

- Multi-office (or remote / home office) access.

- Multi-device access (as in people are accessing systems from multiple devices).

This doesn't necessarily mean that a third-party service is your best or only option, but it strongly tends toward a managed third-party system being convenient where "convenient" means "our business which lacks a true CISO role would be dead in the water without it".

Mind: I'm not defending LastPass here, and I don't use it. The solutions I've seen in the past which have impressed me most were based on managed SSH keys with SSH access to critical systems, and the bare minimum of shared accounts.

I'd also like to see:

1) Far fewer authenticated services where that authentication is not necessary. For the most part, if I can avoid creating a new account, I do. (My circumstances leave me considerable latitude that many people wouldn't have, in this regard.) Systems based on asserted identity through PGP seem to me one option (e.g., rather than logging in and posting content, you'd post PGP-signed content, which the remote system would vet. Similarly, reading private content would be encrypted against your keys). This doesn't address all account-based interactions, but it does cover a large bit of landscape.

2) Physical-token-based security, particularly based on NFC or Yubikey-type devices. Keep in mind that an earlier widely-used technology, RSA keyfobs which would generate one-time PINs as a 2FA, turned out to have a nasty vuln some years back.

But fewer accounts, PKI-based auth, and physical 2FA ... seem increasingly necessary changes.

As numerous others apparently do: I use a local, encrypted, password keystore that is not managed by a third-party service.

(And don't even get me started on third-party data privacy doctrines.)
