Password managers: should you use them?
What’s the point of password managers anyway? Let’s take a look at a scenario that we’re all familiar with…
We all have this dilemma: you create an account using your email address and a password. The password has to meet specific requirements. Sometimes those requirements are different depending on the site. Sometimes, you can make the password something easy to remember and add some letters and special characters as needed.
First problem: best practice says there’s no way that’s safe. If a hacker gets hold of one password, they can apply the same pattern to the other accounts belonging to that user.
Second problem: human memory is a tricky thing. There’s no way the average person will remember every single password to every single account they’ve ever made, especially since, for safety’s sake, those passwords all have to be different and meet different requirements depending on the site the account is for.
Enter: password managers
A password manager is a website or application that stores and manages your passwords for you. Since using a password manager is literally putting all of your eggs in one basket, you have to choose the basket carefully.
There are two kinds of password managers: offline and online.
In an offline password manager, the passwords are encrypted by the password manager and stored locally on your machine. They are unlocked with a single master password for the password manager. Thus, if you remember that one master password, you can literally stop worrying about remembering all your other passwords.
Online password managers follow a similar concept, but your passwords are stored remotely on third-party servers instead of locally on your machine.
Let’s talk about both of these options in a bit more detail.
Online password managers
Online password managers encrypt your passwords locally first and then transmit them to their remote servers where the encrypted passwords are again encrypted and stored.
This means that even if the servers get hacked, no one will be able to use your encrypted passwords: they would first have to break that encryption, and as long as the password manager stores the passwords properly, that should be infeasible.
The only way that someone should be able to access your passwords (regardless of whether they are malicious actors or representatives of the password manager) would be to have access to your master password. Thus, your password manager’s master password must be extremely strong, properly stored, and properly processed.
To achieve that, most reputable password managers store your master password by hashing it and salting it. That way, any time you log in to your password manager in order to access your other passwords, you are only sending a hashed version of your master password over the network. Even if a malicious actor were to intercept this communication, they wouldn’t be able to do anything with the hashed value.
Salting helps protect against various types of brute force attacks, so that even if someone were able to access the servers where your (hashed) master password is stored, it would take far too long to crack it, even with the most powerful supercomputers in the world.
All that to say: if implemented properly, password managers provide high levels of security that protect your collection of passwords from anyone trying to steal them.
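The split described above, between the encryption key that never leaves your device (the offline vault) and the salted hash that an online service stores and checks at login, is easier to see in code. The following Python is an added example, not code from the article or from any product it names; it uses only the standard library, substitutes HMAC-SHA256 in counter mode for the AES a real product would use, and its account, master password, vault contents and KDF cost are all constructed.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # constructed KDF cost for this example; real products pick their own

def derive_keys(master_password, email):
    """Client side: one slow KDF over the master password, split into an encryption key
    and MAC key (never leave the device) and an auth hash (the only value sent to the server)."""
    master_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                     email.lower().encode(), ITERATIONS)
    return tuple(hmac.new(master_key, label, "sha256").digest()
                 for label in (b"vault-enc", b"vault-mac", b"server-auth"))

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode stands in for AES-CTR (the stdlib has no AES).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_vault(enc_key, mac_key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()   # integrity check
    return nonce + ct + tag                                   # stored locally or uploaded

def decrypt_vault(enc_key, mac_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        return None                                           # wrong master password or tampered blob
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def server_enroll(auth_hash):
    """Server side: salt and hash the received auth hash again before storing it."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", auth_hash, salt, ITERATIONS)

def server_verify(record, auth_hash):
    salt, stored = record
    return hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", auth_hash, salt, ITERATIONS))

def demo():
    email, password = "alice@example.com", "correct horse battery staple"   # constructed sample
    enc_key, mac_key, auth_hash = derive_keys(password, email)
    record = server_enroll(auth_hash)          # the server never sees password or enc_key
    blob = encrypt_vault(enc_key, mac_key, b'{"site": "bank", "password": "s3cr3t"}')
    wrong_auth = derive_keys("wrong master password", email)[2]
    return {"login_ok": server_verify(record, auth_hash),
            "login_wrong": server_verify(record, wrong_auth),
            "decrypt_ok": decrypt_vault(enc_key, mac_key, blob)}
```

A leaked server record contains only the salt and the re-hashed auth value, neither of which can decrypt the vault blob; a wrong master password fails both the server check and the vault's integrity tag.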
Offline password managers
Offline password managers are strictly local. Passwords stored this way can only be accessed on the device (phone, tablet, laptop, etc.) they were originally made on. If the passwords are exported, that’s a different matter altogether.
An example of do-it-yourself offline password management would be using an Excel spreadsheet to store all of your passwords and protecting it with a password of its own. This method is ill-advised because the average writing and editing application does not have the full means to protect a document that a password manager does. Some do have encryption capabilities, and sensitive documents often require a password to open them. However, if that document password is compromised or used against you, there is no backup plan. A password manager made by a company has several redundancies in place, while editing software has other things to focus on. Without the cloud, which Microsoft didn’t have until recently, there would be no way to access the spreadsheet or its storage space unless you had access to the device and the password you used to protect the spreadsheet.
Encrypted flash drives could also be used for this purpose.
As another important issue to consider, if your device or its storage were to fail, you would lose access to all of your passwords, and there may be no way to recover them. If, on the other hand, you store those passwords remotely and in a way that ensures data redundancy, you can make sure that you never lose them.
Password managers vs. DIY
A lot of us in IT and in information security specifically are reluctant to trust third-party providers with any of our data, let alone with our actual passwords. With that said, using third-party password managers is almost always the way to go as opposed to creating your own solution.
Why? Well, let’s take a look at a few reasons…
The alternatives aren’t great…
A password manager is certainly better than writing your passwords down in your diary or saving them in an unprotected file on your computer.
For one, a journal poses the risk of loss or theft. If you’re in an office environment, anyone could walk by and steal the journal or look over your shoulder. If you travel with it, someone could come by and snatch your backpack or you could set it down and forget it somewhere.
Second, strong passwords should be longer than just a few characters… good luck writing them down by hand, finding them when you need them, and then typing them out every single time.
It’s just not convenient, and it’s prone to issues.
Manually storing passwords in an unprotected file is also prone to issues. If someone else gains access to your computer and the file is not password-protected, the passwords to every account you keep are out in the open for them to use. There is also the risk of data loss if the computer fails, for whatever reason. Offline password managers run this risk as well, but those are usually services created by companies that have several redundancies in place to prevent or mitigate it. Storing your own passwords is not the most ideal solution.
Even if you did encrypt and password-protect the file(s), you may make a mistake and leave it vulnerable unless you really know what you’re doing. Reputable password management companies hire dedicated experts who live and breathe encryption.
Reputable password managers make passwords much easier to work with. They’ll typically have a web portal that you can access from anywhere that you have Internet access, and they’ll also usually offer a mobile app and browser extensions.
Those apps/extensions do a pretty good job of recognizing whenever there’s a login form or registration form on a page or app that you’re using, and they will either suggest a saved password for it or give you an interface to automatically generate a password using options like length, complexity, etc. You click a few buttons and you have a super-strong password that automatically gets stored in your password vault so that you never have to worry about it again.
Then, when you need to log in, it will auto-suggest that stored password and let you automatically fill in the username/password fields.
Another great feature that can be useful in personal and work environments is the ability to share passwords. Whether you need to share with a parent or sibling, or a co-worker needs access to a shared work account, there aren’t many great solutions for sharing passwords. You definitely don’t want to email it in plaintext (despite many people still doing this…), write it down on a sticky note, or have to worry about typing it in every time they need access. Most password managers let you share passwords in a form that either shows the recipient what the password is, or doesn’t! So they can get access to the credentials without actually being able to see the password. Super helpful.
Even if you developed a rock-solid password storage solution of your own, you’d still have to develop that additional functionality. That would require a lot of time that most people don’t have…
You should be using MFA anyway
The last reason we’ll mention as to why you should use a password manager over creating your own is that you should be using MFA for your accounts anyway.
Passwords by themselves are just not good security. If you have an important account, such as a bank account, you should not be relying on passwords alone to authenticate. You should also be using at least one additional factor.
There are three factors: something you know, something you have, and something you are. Something you know would be a password or PIN. Something you have would be a token or card, for example. Something you are would be a fingerprint or other biometric identification.
That way, even if someone were able to access all of your passwords by breaching the password management company, they still wouldn’t be able to access your accounts without also having access to that second or third factor.
We’re not advocating that you should make your passwords super easy to access or share them freely; the point is that you should aim to make password leaks have less impact.
So what should you use?
When it comes to picking a password manager, there are a number of options.
Online managers, like LastPass, KeePass, Dashlane, or BitWarden, allow for constant access as long as you remember your master password and have access to the Internet (although some services offer access even if you lose Internet connectivity).
They also streamline the process of adding a password to the manager. For example, online managers typically include things like a password generator, browser extensions, mobile apps, etc. This makes generating strong and unique passwords much easier, all without ever having to remember them the next time you have to log into your social media or email account.
Offline managers, like Passwork, are confined to one device or account that can be accessed without the Internet. This usually comes in the form of devices like USB sticks, chips, or cards that are inserted into a computer.
Some online managers have an offline option. Bitwarden and KeePass, for example, allow for self-hosting options that do not require an Internet connection but instead allow for on-premises storage. This means that a user would be confined to their network and use a token (USB stick, chip, etc.) or an IP address that leads to the password vault; this may be the preferred option for some specific use cases.
In the end, your choice of password manager depends on a few factors:
- Convenience (How convenient do you want the method to be?)
- Security and safety (How much trust are you willing to put in the service?)
- Ease of use (Would it be more beneficial to carry a password device, or log into a locked vault online?)
- Payment options (What, if anything, are you willing to pay?)
- Information capacity (The amount of information you need to store)
While there is no silver bullet in cybersecurity (unfortunately), as of right now, the pros of password managers outweigh the cons. If you’re still re-using passwords, memorizing a bunch of them, or creating weak variations for different platforms, then it’s time for you to evaluate a password management solution to not only make your life easier but also increase security.
What are your thoughts on password managers? Share below!
This article was originally published on TheCyberCops.com by Agnidhra, and re-published on Cybr with permission. Edited by Sorrel and Christophe.
What is the community’s consensus on using MFA inside of BitWarden Premium? I kind of use it because it’s super helpful, but I also realize it’s kind of a single point of security failure… I would appreciate others’ thoughts.
As in using BitWarden’s MFA auth app? If you’re worried about having all of your eggs in one basket, you could use Google Authenticator or something like Authy. They’re all free, so it’s not like it would cost you anything extra.