Technology users are increasingly employing password managers to increase security and efficiency. Password managers provide a number of benefits but are not without risks. I’d like to touch on some of these benefits and potential pitfalls, but first, let’s provide a little background on why password managers are needed in the first place.

Passwords are a means of authentication that rely on some secret word, phrase, or string to gain access to a system or application. Despite the increased adoption of multi-factor authentication methods, passwords are still the most common method of authentication in use. This is not likely to change soon, since password authentication is relatively easy and economical to implement. Most users today have dozens of online accounts. Unfortunately, since we typically must remember our passwords, they are often weak, rarely random, and usually consist of a short combination of letters and numbers, including common words. For this same reason, we are often tempted to just reuse a memorized password for multiple sites or applications. In this case, if one password is stolen, guessed, or cracked, it gives access to multiple applications. Hence, we see the genesis of password management solutions.

Password managers attempt to address these issues by securely storing multiple strong passwords that can then be accessed when needed with a single set of credentials. This eliminates the necessity to memorize numerous passwords, and consequently, the passwords can be made much more complex and difficult to guess or crack. At its simplest implementation, passwords are stored in an encrypted file (sometimes called a vault) that is accessible when supplying credentials only known to the user. Credentials can themselves consist of a user identifier and password, or can be some combination of identifiers, passwords, and other factors such as hardware tokens or one-time passcodes. For ease of use, most password managers go the extra step of automatically inserting credentials into the login fields of your applications. If the password manager's encrypted storage is cloud-based, your passwords may be accessed from multiple devices.

As we can see, password managers can be implemented in numerous ways. Simple password managers operate either on a single device, or employ a single password store. There are numerous free and open source password managers that use this approach, and if your computer usage is limited to a single device, this may meet your needs. Cloud-based password managers are typically subscription solutions, as the password storage and management are hosted on internet servers. This enables the use of the manager on any of your devices with internet access and can automatically synchronize the password vault across those devices. That dependence on the server could become a problem if you lose access to the internet. Fortunately, some solutions create a local copy of the password vault, and only use the cloud server to synchronize the vault between your devices.

There are many benefits of password managers, including some we’ve addressed above. They can facilitate the use of stronger passwords and avoid re-using passwords across applications. They can eliminate the need to memorize many long or complex passwords or phrases. Indeed, many solutions will generate very strong random passwords for you. They can increase efficiency by auto-filling your credentials into web and local applications, and in some cases can fill other sensitive information such as account or payment data. Additionally, they can provide a more secure storage solution than using a browser's built-in feature to save passwords. Nonetheless, like any tool, there are some potential pitfalls.

The most obvious weakness is the potential for a single point of failure. A password manager may rely on a single master password, which, if compromised, gives access to all your passwords. While the master password is typically not stored, it could be intercepted via a key-logger attack or a man-in-the-browser attack. Likewise, the password store or vault becomes an enticing target for hackers since it essentially holds all your “eggs in one basket”. Both could represent a single point of failure, since loss of either could essentially lock you out of all your accounts. Fortunately, there are practices and options that can help counter this risk. Below is a list of common recommendations to minimize the risk of using a password management solution.

Use a strong master password/passphrase. You wouldn’t want to use a physical key box that is unlocked or easily pried open. Likewise, your master password should be strong enough to provide the same level of protection that your individual passwords do for your sensitive applications. However, since you don’t want to store the master password, you must create something that you can remember. The simplest way to do so is to use a long passphrase. A passphrase can be a sequence of words, or a sentence that you can remember and type, but long enough that it is extremely difficult to guess or “brute force” by trying every combination of characters. It doesn’t have to make sense, just be memorable. If you use this approach, I’d recommend a phrase of 24 characters or more; if you must use fewer, I’d recommend incorporating a mix of upper case, lower case, numerals and symbols.

Don't rely on a master password alone. One problem with using only a master password is that it is possible that an attacker could use malware like a keylogger, or a browser exploit, to intercept the password. While anti-malware solutions might catch these, you don’t want to rely on that alone. The best way to avoid this single point of failure is to employ multi-factor authentication. Multi-factor authentication is the method of using not only things you know, like a password and user ID, but also something in your possession (something you have), or biometrics (something you are). Hardware tokens are one option, commonly consisting of a USB “key” that contains an encrypted digital certificate or other cryptographic function. If your device doesn’t support hardware tokens, then you might use an out-of-band authentication method, such as a one-time passcode sent to a registered phone or device. Employing multi-factor authentication helps ensure that an attacker cannot easily access your password store, even if they somehow get your password.

Ensure that your password manager is disabled when not in use. If you remain logged into your password manager, and another user gets access to your device, they essentially have access to all your applications and private information. If your solution has an automatic log off feature, you should enable it, or failing that, adopt the practice of manually logging off each time you are not using the device or system.

Ensure a zero-knowledge implementation. Any good password manager should employ a “zero-knowledge” implementation. You should confirm that your candidate solution never stores the master password in the cloud and that encryption keys used to protect the password vault are only stored on your device. This way, the service provider has zero knowledge of your passwords.

Disable your browser's auto-fill and remember password functions. If you leave your browser’s auto-fill function enabled, it will essentially circumvent your password manager by storing another, potentially less secure, copy of your passwords. Disabling the built-in auto-fill functions in your browser will ensure that your passwords are only stored using your password manager.

Ensure that your solution keeps a local copy of your encrypted store. If your password manager keeps a local copy of the password store, then you can continue to use the password manager to access local or intranet applications even if internet access is lost.

Ensure that your solution uses strong standards-based encryption. While most password managers use a “reasonably” strong encryption algorithm, you don’t want to leave this protection to chance. Since the encryption is what will keep attackers from getting into your “basket of eggs”, I recommend that it employ a minimum of AES-256 encryption.

While there are better alternatives to password authentication, passwords are likely to remain in use for a long time. Password managers have the potential to improve the security and efficiency of password authentication if used properly. Understanding their potential weaknesses and countering them with these best practices and proper tools can help significantly improve the security of your online data and applications.