Content

DeMISTIfying Infosec: Password Manager

By Katherine Teitler

Password Manager

Passwords are a major component of and the primary method by which most users authenticate to websites, networks, and other closed systems. Despite security teams' best efforts, many users' passwords remain unchanged from default settings and, even when they are changed, the new password is weak, used across multiple sites, or even shared with other users. Even with their downfalls, today it's impossible to not use passwords to access online resources.

Passwords managers can help users generate stronger, unique passwords for each login and eliminate some of the flaws associated with current password practices. Password managers are software or browser plugins that download to a user's machine or are cloud-based services to which a user logs or is logged in every time he or she boots up. The password manager stores passwords for all sites used, and many will also save accompanying user IDs, track multiple account login options, or detect password changes.

Upon first use of a password manager, the user must first create the master password. The master password is the key to a good password manager; a weak master password could compromised the user's account. Therefore, the longer and more complex the master password, the stronger the entire system will be. Once created, the master password is the only password the user needs to remember. One downside is that if the user loses his/her master password, some password managers become inaccessible.

After the master password is chosen, the user generates individual passwords for each site. Many current tools will flag weak or duplicate passwords and some will automate password changes for sites used or even automatically assign a new, strong password. The new passwords are encrypted before being stored in a database, which helps guard against a breach of individual passwords even if the technology provider itself is breached or the master password is compromised.
In addition to site logins, some password managers will handle application logins, flag transactions on insecure browsers, sync passwords across a user's devices, or supply automated login scripts that compare URLs – current to stored – to guard against spoofing or malicious re-directs. Most vendors offer free and paid versions of their tool; the paid version typically includes these enhanced features and options.

Web browsers offer to store passwords but the functionality is very different than a dedicated password manager. On most browsers, the passwords are stored unencrypted (Chrome, Firefox, IE). Firefox has a master password feature, but it doesn't help with password generation or cross-platform sync.
Most security professionals agree that password managers are great tools for managing multiple, unique, and strong passwords, although some argue that a password manager creates one single point of failure rather than many different points of failure.

 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.