Password Managers

3-Hat Information Security > Authentication  > Password Managers

Password Managers or better yet, PassPhrase Managers

    Password management has nearly become a requirement for the effective use of online services. With almost all online services requiring a distinct username and password for registration, there is often the temptation to reuse usernames and passwords. Luckily there are tools which can help you remember or even generate unique passwords to help you manage your online credentials without resorting to bad internet security practices. These tools are called Password Managers. However, it is worth mentioning that not all password managers are created equal, and choosing the right one will almost entirely depend on way you intend to use it. In this article we will be covering the different types of password managers, their differing approaches to security, and their practical applications.

	There are four primary types, or categories, of password managers. There are password storage vaults, application assisted password managers, keyboard/macro systems, and cloud-service password managers. This is not a definitive list of every type of password manager, these are just some of the most common types you can expect to use or see on a regular basis.

Password Storage Vaults
	Password storage vaults are one of the more secure options for password management. These password managers typically contain in-application encryption to ensure that passwords remain secure when not being actively views or entered. Typically, when you open a password storage vault you will be prompted to enter a master password in order to decrypt a section of your stored passwords so that you may copy them, or so that you can have the password manager automatically enter them into another compatible program. The main downside of this form of password manager is the lack of redundancy in the event of data corruption. Luckily these risks can be mitigated by following proper backup procedures on regular intervals to ensure that you always have at least two valid copies of your password database stored in different locations.

Application Assisted Password Managers
	Many applications, but typically web browsers, will have some form of rudimentary password management system. These can vary wildly by application but the base features you can expect are: Plain text password storage, encoded password storage, unique password generation, cloud backup, and automatic form entry. The main concern with almost all of the password managers in this category is the lack of encrypted password storage. If you were to be the victim of a successful cyber-attack, storing all of your passwords in an unencrypted database will almost certainly lead to them being stolen and used by the attacker. As the quality of this type of password manager can vary significantly, we recommend further research into the methods and security of the specific password manager you intend to use.

Keyboard/Macro Systems
	Some of the most basic, and by far the least secure methods of password management, are the ones implemented on mobile device virtual keyboards. These typically store the passwords in plain text and openly display them to anyone using the virtual keyboard. Although these password managers offer a very high level of convenience, we recommend disabling this functionality for the sake of your password’s security.
Cloud Service Password Managers

	With great convenience, comes great risk. Cloud password managers typically provide an excellent user experience and truly deliver on their promises of convenience, but there are some downsides that we need to consider. The first downside is the requirement for an internet connection in order to access your stored passwords. This isn’t normally a concern due to the nature of how most people use password managers, but it can lead to unforeseen situations where you need a password and can’t get it. The second downside is the risk of mass password leaks caused by cyber-attacks on the cloud service provider. These are rare, but they do happen, and the fallout can be intense. In the event that a cloud service you use experiences a mass password leak, we recommend that you change each of the passwords that were stored in their database as soon as possible.

	It is worth mentioning that some password management systems will use one or more of the above methods in combination to aid with user experience and reliability. As always, we recommend further research of the password management system you plan to use prior to adoption.

	In summary, password managers are able to provide amazing levels of convenience and security when used correctly. But the onus is upon the users to do the research to ensure that a specific password manager is the right choice for them.
No Comments

Sorry, the comment form is closed at this time.