Password managers – a problem or panacea for password security?
One New Year’s resolution that many of us should keep for 2019 is to have better passwords for our online activity. The evidence is, though, that we probably won’t. A recent list of the “100 worst passwords” of 2018 is most striking for its similarities to 2017 – and every other year.
Based on the most common passwords found in leaked datasets, “123456” was again the most popular, as it has been for the last five years. In second place was “password”. Variations such as “passw0rd” and different number sequences make up much of the rest.
These may take the form of passwords, but they don’t serve the function. If anyone is going to go to the trouble of trying to access your computers or accounts without authorization, they’re likely to at least have a go at guessing the password, and the most commonly used are well known. Moreover, most people use the same password across multiple accounts. That means they’re wide open to attack. So why do people use these options when they provide so little real security?
The answer, of course, is that as well as being easy to guess, they’re also easy to remember. The lack of security is a trade-off for the convenience of never forgetting a password and having to reset it – and the same goes for using one password for everything.
Password managers – all your eggs in one basket?
To fight against this, many companies have policies that ban workers from using obvious passwords, along with other measures such as requirements to change passwords periodically. That’s certainly better than doing nothing about it, but it’s far from foolproof.
For a start, if such policies are not rigorously enforced, some employees will simply ignore them. On the other hand, if they are enforced, employees often find workarounds to avoid forgetting their password, such as writing it on a Post-it note at their terminal. Needless to say, that’s not without security issues, either.
All of which explains the popularity of password managers. These tools, often run as a cloud-based service nowadays, not only do the job of remembering your passwords across different services and accounts, but also generate them (randomly and securely) and fill them in on the sites where they’re used when required. They can even work across platforms, handling passwords for mobiles and tablets as well as PCs and laptops. There is a wide variety of options available, both free and commercial offerings, and they’re seeing increasing uptake. It’s a market that’s expected to be worth $2.05 billion by 2025.
There is, though, an obvious concern: What happens if your password manager gets hacked? Instead of having to tackle half a dozen or more passwords to get to your key accounts, hackers only have to crack one. Password managers certainly make things more convenient, but potentially not just for those using them.
As one writer puts it, “The most convenient feature of a password manager is also one of the weakest links in its security.”
Do password managers get hacked?
This is not a foolish concern. In the past, hackers have gained access to the databases of the password managers themselves, giving them access to, for example, email addresses and password reminders.
Most reputable companies providing password management software or services will use “zero-knowledge” security that encrypts users’ master passwords with a key stored only on users’ devices. In this way the service provider itself won’t even know what the password is. That limits the risk, but it still leaves you open to someone infiltrating your network to discover the master password, for instance by using a keystroke logger.
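The zero-knowledge split described above, as an added illustration that is not code from any particular password manager: the key that protects the vault is derived on the device from the master password, and the server only ever receives a separate login hash that cannot be turned back into that key. The e-mail address, password and iteration counts below are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Work factor for PBKDF2-HMAC-SHA256 on the client. Real services use values in
# this range or a memory-hard KDF such as Argon2 (assumption for this example).
KDF_ITERATIONS = 600_000
SERVER_ITERATIONS = 100_000


def client_derive(email: str, master_password: str) -> Tuple[bytes, bytes]:
    """Runs entirely on the user's device.

    Returns (vault_key, login_hash). The vault key never leaves the device;
    only login_hash is sent to the server to prove knowledge of the password.
    """
    master_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                     email.lower().encode(), KDF_ITERATIONS)
    # Domain-separate the two uses of the master key with HMAC, so the value
    # the server sees is independent of the key that encrypts the vault.
    vault_key = hmac.new(master_key, b"vault-encryption", "sha256").digest()
    login_hash = hmac.new(master_key, b"login-authentication", "sha256").digest()
    return vault_key, login_hash


def server_register(login_hash: bytes) -> dict:
    """The server stores only a salted, stretched hash of the login hash."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ITERATIONS)
    return {"salt": salt, "hash": stored}


def server_verify(record: dict, login_hash: bytes) -> bool:
    """Constant-time comparison against the stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash, record["salt"],
                                    SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def demo() -> bool:
    """Constructed credentials: the right password verifies, a wrong one does not."""
    vault_key, login_hash = client_derive("alice@example.com", "correct horse battery staple")
    record = server_register(login_hash)
    _, wrong_hash = client_derive("alice@example.com", "123456")
    # A breach of `record` yields neither the master password nor vault_key.
    return server_verify(record, login_hash) and not server_verify(record, wrong_hash)
```

The vault itself would then be encrypted on the device with `vault_key` using an authenticated cipher such as AES-GCM (not shown here), which is why a keystroke logger capturing the master password remains the residual risk.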
Moreover, despite their growth, password managers are still not used by the majority of people. Just one in ten American Internet users rely on one, according to Pew research. (By contrast, almost half write theirs on a piece of paper.) As use of them grows, they’ll increasingly be targets for hackers and malware developers – as security experts have long been warning.
The threats to password managers are only likely to grow, therefore.
More security with two-factor authentication
That’s no reason to dismiss them, however, and, in fact, there are a number of good reasons to still consider investing in password management.
First, while in theory a password manager leaves hackers with far fewer passwords to crack, in practice, as we’ve seen, the reality is that many users have a single password, or perhaps a couple, that they use across their accounts.
Second, the risks that remain to security with a password manager are no worse than those facing traditional methods. A keystroke logger could record the master password for the password manager, true; but if a logger is installed, it can also record passwords for all the user’s accounts anyway. Meanwhile, many other risks – such as insecure passwords, passwords used across accounts or passwords jotted down on Post-its – are eliminated.
Finally, by simplifying to a single password, users can also increase security more easily: First, by ensuring that the master password is more robust and complex (since they only have to remember one); and, second, by employing two-step (or “multi-factor”) authentication, requiring, for example, both the password plus a six-digit code sent to your mobile each time you log in. That means even if a hacker gets hold of your password, they can’t get access if they don’t have your phone.
In theory, of course, multi-factor authentication could be used for all accounts. In practice, users would still then have to remember a whole range of passwords, and some sites don’t offer this function anyway. A password manager therefore provides a convenient way to strengthen security across your accounts.
A good organisational tool – if used correctly
For personal use, password managers are a convenient and useful tool. In an organisational setting, the benefits are magnified, however.
If you have an enterprise password manager, the organisation can centrally administer it, enforcing standards (such as password creation rules) across the business. Groups within the organisation, meanwhile, such as the finance or marketing departments, can share passwords. No one needs to know any passwords (apart from the master password, administered centrally), or worry that one of their colleagues has changed a password. They’re all filled in automatically. If you forget the master password, meanwhile, the company administrator can contact the software or service provider to reset it.
Yes, all your eggs are, to an extent, in one basket. But just as you keep your money together in a bank, because that’s where it’s safest, a password manager should give you better control and security for all your passwords.
Nevertheless, because everything else depends on its security, it is important that you get it right when choosing and setting up a password manager:
- First, make sure the software or service does have two-factor authentication, and look for other security features that will help you keep the master password safe. Also, make sure your master password is a good one, fulfilling the requirements of a strong password. That means a mix of uppercase and lowercase letters, numbers and symbols, and at least eight characters long. Don’t use sequential numbers or anything else in the top-100 list mentioned above. Don’t use personal details either, which will make you susceptible to phishing.
- Second, make sure the password manager service or software provider is reputable. There are plenty of free options, but for an enterprise solution, it is worth investing some money to ensure not just the features that will make it easy to administer across the organisation, but the resources within the provider for it to invest in its own security.
- Finally, make sure you still stick to robust security practices, such as periodically changing the master password and making sure only those who need it have it. And remember to pay attention to your other security issues, such as antivirus updates and firewalls, because you’ll still be vulnerable if hackers can get onto the network.
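The master-password rules in the first point above, written out as a checker an administrator could run when a master password is set. This is an added example, not code from the article or any password manager; the blocklist is a constructed excerpt standing in for the full “100 worst passwords” list.

```python
import re
from typing import List, Sequence

# Constructed excerpt; a real deployment would load the complete published list.
WORST_PASSWORDS = {"123456", "password", "passw0rd", "qwerty", "111111", "123456789"}


def has_sequential_digits(pw: str, run: int = 3) -> bool:
    """True if pw contains `run` consecutive ascending or descending digits (123, 987)."""
    for i in range(len(pw) - run + 1):
        window = pw[i:i + run]
        if not window.isdigit():
            continue
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def master_password_problems(pw: str, personal_details: Sequence[str] = ()) -> List[str]:
    """Return every rule from the checklist that the candidate password breaks.

    An empty list means the password passes. `personal_details` holds strings
    such as names or birth years that must not appear in the password.
    """
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    if has_sequential_digits(pw):
        problems.append("contains sequential numbers")
    if pw.lower() in WORST_PASSWORDS:
        problems.append("appears in the worst-passwords list")
    for detail in personal_details:
        if detail and detail.lower() in pw.lower():
            problems.append(f"contains personal detail '{detail}'")
    return problems
```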
Provided these rules are kept to, though, organisations can benefit significantly from the convenience a password manager can bring. And while convenience and security aren’t always the same thing, if you do it correctly, they don’t have to be mutually exclusive.