Using a Password Manager
I’ve had several conversations recently where I’ve mentioned responsible password management and people make it clear they have no clue what I’m talking about. With the number of sites with which we interact, and with the increasing probability that one or more of those sites are or will become compromised, using a password manager is more important than ever!
What is a Password Manager?
More often than not, when I have these conversations with people, I learn they don’t even know what a password manager is. I can’t rightly blame someone for what they don’t know, but as much as we depend on accessing information on the internet, I feel compelled to do what I can to spread the word and raise awareness.
So what exactly is a password manager? A password manager, or password vault, is software that stores your passwords (crazy, eh?). Most modern password managers have password generator functions which allow unique, strong passwords to be created for each site, and they provide mechanisms for copying passwords from your database and pasting them into the application. This is nice because it circumvents the need to manually type long, complex passwords. Stored locally or online, these databases collect all the credentials for sensitive services, and they’re all protected by one “master password”.
Picking a Password Manager
As with most things these days, there are several solid choices in password manager software. I highly recommend putting several through their paces and determining which is right for you. As with any other software solution, there is no right answer, no “silver bullet”. Each solution has its own positive and negative points, and it’s up to you, the user, to decide which one works best for your needs.
Each year, several reliable sources publish their “best of” lists for pretty much everything, and password managers are no exception. While there are many lists published, a few of the sources I tend to follow closely are PC Magazine, Tom’s Guide, and PC World. I recommend taking the time to read these articles and do your research as you pick two or three options to test. Then, when you have a couple of contenders, put them to use.
As you start choosing a password manager, there are several things to consider. Planning ahead allows a more realistic test and will also ensure you’re evaluating candidates based on the features you want.
One feature to take into consideration is the user interface (UI). Once you start using your password manager regularly, you will find that you spend a lot of time interacting with it. Having a decent UI is important because the interface is the front line of the user experience. If you don’t like the interface, you won’t like the software.
How is the data stored? How is it protected? What controls are in place to keep your passwords safe from prying eyes? If you interact with sensitive services, like insurance or banking for example, you want a certain level of certainty that these passwords won’t be available to the world.
On top of keeping out those who don’t belong, what does your password manager do to ensure your data can’t be manipulated by anyone other than the authorized parties? This becomes a concern when you have multiple people accessing the data. Make sure the password manager you pick gives good control over users and the level of access to the data.
One of the biggest struggles I’ve had personally has been the availability of my data. I’ll explain in a future post the methods I use to manage my credentials, and you’ll find that even as someone who has spent years improving my credential management, my system has faults and isn’t perfect. As you evaluate password managers, make sure you are able to access your data reliably. This may mean access across multiple devices or operating systems, may require an offline solution in the event of no internet access, or may even depend on multiple users or collaboration features.
I’ve outlined a few of the key features that have proven important to me as someone who manages hundreds of passwords. While these certainly aren’t all of the important features, they are certainly good food for thought. As you test potential candidates, take time to note things you like, things you don’t like, and things you can’t live without.
Types of Password Managers
Another consideration as you evaluate potential password manager solutions is the type of software. As of the time of this writing, there are two basic types of password managers.
Locally Installed Software
Password managers are commonly found on the user’s personal computer or mobile device in the form of a locally installed software application. These applications can function offline, the password database being stored independently and locally on the same device as the password manager software. Alternatively, password managers may offer or require a cloud-based approach, the password database depending on an online file hosting service and stored remotely, but handled by password management software installed on the user’s device.
One good example of a locally stored password manager is KeePass. I’ve used KeePass personally, a topic I’ll expand on in later posts, but it seems that locally installed solutions are falling out of favor compared with their web-based counterparts.
Web Based Services
Online password managers are web applications which securely store credentials. They are a web-based version of what used to be the more common locally installed software. In recent years we’ve seen the popularity shift from the locally installed applications to these hosted solutions.
There are several advantages to online password managers over desktop-based versions, such as portability (they can generally be used on any computer with a web browser and a network connection, without having to install software) and a reduced risk of losing passwords through theft of or damage to a single PC. The same risk does apply to the server used to store the users’ passwords, but this is nothing new, as we should all be in the habit of backing up our data by now!
The biggest disadvantage of online password managers lies in the requirement that the user trusts the hosting site and that the computer used to access the site isn’t compromised. All too often our compensating controls are circumvented due to poor security practices. All too often users forfeit security for convenience.
With the increased security of these applications, their popularity has skyrocketed to surpass that of the locally installed counterpart. These hosted solutions resolve many of the concerns that users have to address on their own, or just go without. I have begun to explore web-based password managers, choosing LastPass as my first test subject. In future posts, I’ll aim to share my experiences and then compare the two.
Why Use a Password Manager
It is important to use a password manager because responsible password management without help is difficult. People are certainly capable of creating complex passwords, but the way passwords are managed often introduces vulnerability:
Using the same password for multiple sites and/or never changing passwords is called password reuse. This practice is often the downfall of organizations during a compromise. More often than not, when I’m performing penetration tests, a single compromised account leads to further access and additional stolen credentials.
Simple passwords are short in length, use words found in dictionaries, don’t mix in different character types (numbers, punctuation, upper/lower case), or are otherwise easily guessable. Unfortunately, password policies are often ineffective. According to NIST SP 800-63, updated password best practices include:
- Minimum of 8 characters
- Maximum of 64 characters
- Applications must allow all printable ASCII characters, including spaces
- Applications should accept all UNICODE characters including emoji
Note: This is just a few points and NOT a comprehensive list of password best practices. Please refer to NIST SP 800-63 for detailed information.
Using a password manager allows complex, unique passwords to be generated for each application.
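To make the NIST points above concrete, here is an added example (my own illustration, not code from any password manager) that checks a password against those four rules and generates one that satisfies them. It assumes a length limit counted in Unicode code points so that an emoji counts as one character, and that only control characters (category Cc) are rejected; both are my choices, not something the list above spells out.

```python
import secrets
import string
import unicodedata

MIN_LEN = 8    # NIST SP 800-63: minimum of 8 characters
MAX_LEN = 64   # NIST SP 800-63: maximum of 64 characters


def check_password(pw: str):
    """Return (ok, reason) for the NIST points listed above.

    Length is counted in Unicode code points (assumption), so an emoji
    or accented letter is one character rather than several bytes.
    """
    # NFKC normalization is my assumption: visually identical strings
    # then compare equal and are measured consistently.
    norm = unicodedata.normalize("NFKC", pw)
    if len(norm) < MIN_LEN:
        return False, "too short"
    if len(norm) > MAX_LEN:
        return False, "too long"
    # Allow every printable ASCII character (including space) and all
    # Unicode including emoji; reject only control codes (assumption).
    for ch in norm:
        if unicodedata.category(ch) == "Cc":
            return False, "control character not allowed"
    return True, "ok"


def generate_password(length: int = 20) -> str:
    """Generate a random password from the printable ASCII set.

    secrets.choice uses the OS CSPRNG, which is what a password manager's
    generator should use instead of the random module.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError("length must be within the NIST limits")
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample inputs for demonstration
    for sample in ["short", "correct horse battery staple", "🔒" * 8, "a" * 65]:
        print(repr(sample[:12]), check_password(sample))
    candidate = generate_password()
    print(candidate, check_password(candidate))
```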
Poorly Secured Passwords
Another big weakness is how users store and secure their passwords. In the field, I often find passwords on sticky notes on monitors, in a notepad by the computer, or in a document on the computer. There are many ridiculous places people think their passwords are secure but they are not. Using a password manager eliminates the need to worry about where or how this data is stored and allows responsible storage of credentials in an encrypted database file.
Users often tell each other passwords, send unencrypted emails containing passwords, or contractors use the same password for all their accounts. Using a password manager can provide a safe way to share credentials that can be tracked and audited.
In addition to all these points, using a password manager can also defend against phishing attacks by recognizing malicious login portals and preventing credentials from being submitted to an illegitimate source. Password managers also combat keyloggers by eliminating the keystrokes during authentication.
The Dark Side of the Moon
If the passwords are stored in an unencrypted fashion, it is still generally possible to obtain the passwords given local access to the machine. As a general rule, if a password manager doesn’t use encryption, it should be avoided.
Some password managers use a user-selected “master password” to generate the key used to encrypt the protected passwords. The downside to this method lies in the complexity of the master password: if the master password can be easily guessed, or if the master password itself is stored locally where a malicious program or individual could read it, a compromised master password renders all of the protected passwords vulnerable.
As with any system involving a user entering a password, the master password may also be compromised using key logging or other nefarious means. Some password managers offer virtual keyboards as a compensating control but these are still vulnerable to key loggers which take screenshots as data is entered. Because of the many ways passwords can be captured, it is always wise to implement multi-factor authentication wherever possible.
Web-based password managers, which run inside the user’s browser, are particularly worrisome. Here are a few of the security concerns associated with web-based password managers:
- Authorization flaws – One possible problem is mistaking authentication for authorization. Several web-based password managers had, at one point in time, such flaws, and several were found to insecurely allow users to share credentials with other users. For the most part, these issues have been resolved.
- User Interface flaws – Some password managers will ask the user to log in through an iframe, which is known to be insecure. This method trains users to fill in their password while the URL displayed by the browser is not that of the password manager. This could be exploited in a phishing attack by creating a fake iframe and capturing the user’s credentials. A more secure way to do this would be to open a new tab where users can log in to the password manager.
- Web flaws – General web vulnerabilities can also be present in web-based password managers. Issues such as XSS and CSRF vulnerabilities may be exploited by attackers to steal a user’s password.
As a final consideration, password managers have the disadvantage that any attacker just needs to know one password to gain access to all of a targeted user’s credentials and that such managers have standardized locations and ways of storing passwords which can be exploited by malware and unauthorized users alike.
To sum it all up, the password manager is just one layer of the onion that is a personal password management policy. Getting away from bad password generation and management habits is extremely important! If you’ve read any of this post and thought “hey, I do that”, please change how you do passwords! Even if you think you have a pretty strong password management process, implementing a password manager can only make a good thing better. I also plan to explore password aging, multi-factor authentication, and other layers of this onion that will help make password management make better sense while keeping you more secure. Until then, be aware, stay alert, and protect yourself!