Password Manager Risks

It would be hard to argue against the case for password managers.  Instead of needing to remember numerous passwords, or even worse using the same password for multiple services, a user moves to a single securely stored master password that unlocks everything.  An added incentive is that a password manager allows account passwords to be safely shared within a family or business team.

Unfortunately the world of digital security is often secure in name alone.  If the password manager engine itself is compromised, so too is all the data within it.  In August 2022 the password manager LastPass announced a data breach.  The passwords within the LastPass system were encrypted, but many personal details of the account holders were not.  These clear text details included names, emails and billing addresses, all of which could be used as part of a phishing attack to reveal the linked passwords.  It has been estimated that the encrypted details themselves could be cracked by a dedicated server network within 71 days.  Other recent password manager account breaches include Norton LifeLock (December 2022) and Passwordstate (April 2021).

None of this means that password managers should be ignored; only that care should be taken when choosing one and in the way that it is used.

Probably the most accessible systems are browser-based, such as the one built into Firefox.  Firefox will save passwords and generate new ‘hard to guess’ passwords.  The related vault is accessible on any machine that the browser is logged into.  If that login is set as automatic, then all passwords and account names in the browser vault are visible to anyone using that computer account.  The fix would be not to log in automatically to a browser, or indeed any account, on a shared machine.  Unfortunately this defeats almost all the benefits of saving details in a browser.

Dedicated cloud-based password manager systems should be encrypting password data as it leaves the host and before it is stored.  Access to the vault can be further restricted by two-factor authentication, by biometric data such as fingerprints and by other account credentials.  This will restrict where a user can access their passwords from.  Access to the vault will be more secure but less convenient even for the genuine owner, and convenience is one of the key tenets of a good password manager (after security).  Systems such as these are no guarantee of security.  In the LastPass case the vault was directly compromised through an administrator account, not through breaking a user’s access credentials.

The most secure solution is to store passwords in a vault local to a single desktop.  There will be no threat from an outside source as long as the computer itself is suitably secured.

As with any secured computer system, lose the password or the account reset details (perhaps through an email account that is also lost) and access to the entire vault is lost with them.  At least with passwords there is some hope of getting all or most back by resetting or recreating each of the stored accounts individually.

To wrap up: do not leave with the impression that Kindus says do not use password managers.  They are a useful tool that you should be using, but with care:

  • Balance ease of use against security – web < cloud < desktop, from least to most secure.
  • Keep up to date with password manager security bulletins.
  • Avoid storing home and work passwords on the same system.
