Password Manager Risks
It would be hard to argue against the case for password managers. Instead of needing to remember numerous passwords, or even worse using the same password for multiple services, you move to a single securely stored password for everything. An added incentive is that a password manager allows account passwords to be safely shared within a family or business team.
Unfortunately the world of digital security is often secure in name alone. If the password manager engine itself is compromised, so too is all the data within it. In August 2022 the password manager LastPass announced a data breach. The passwords within the LastPass system were encrypted, but many personal details of the account holders were not. These clear-text details included names, emails and billing addresses, all of which could be used as part of a phishing attack to reveal the linked passwords. It has been estimated that the encrypted details themselves could be cracked by a dedicated server network within 71 days. Other recent password manager account breaches include Norton LifeLock (December 2022) and Passwordstate (April 2021).
None of this means that password managers should be ignored; only that care should be taken when choosing one and in the way that it is used.
Probably the most accessible systems are browser based, such as the one built into Firefox. Firefox will save passwords and generate new ‘hard to guess’ passwords. The related vault is accessible on any machine where the browser is logged in. If that login is set as automatic, then all passwords and account names in the browser vault are visible to anyone using that computer account. The fix would be not to log in automatically to a browser, or indeed any account, on a shared machine. Unfortunately this defeats almost all the benefits of saving details in a browser.
Dedicated cloud-based password manager systems should encrypt password data as it leaves the host and before it is stored. Access to the vault can be further restricted by two-factor authentication and biometric data such as fingerprints, together with other account credentials. This restricts where a user can access their passwords from. Access to the vault will be more secure but less convenient, even for the genuine owner; convenience being one of the key tenets of a good password manager (after security). Systems such as these are no guarantee of security: in the LastPass case the vault was compromised directly through an administrator account, not by breaking a user’s access credentials.
The most secure solution is to store passwords in a vault local to a single desktop. There is no threat from an outside source as long as the computer itself is suitably secured.
As with any secured computer system, lose the master password or the account reset details (perhaps through an email account that is also lost) and access to the entire vault is lost. At least with passwords there is some hope of getting all or most back by resetting or recreating each stored account individually.
To wrap up: do not leave with the impression that Kindus says do not use password managers. They are a useful tool that you should be using, but with care:
- Balance ease of use against security: web < cloud < desktop, in increasing order of security.
- Keep up to date with password manager security bulletins.
- Avoid storing home and work passwords on the same system.