Password Managers: The Good and the Bad

January 7, 2019 / GuidesFor Team

Techopedia defines a password manager as a software application used to store and manage passwords, so that users with many online accounts will not have to remember or forget their login information. Typically, these tools store the passwords in an encrypted format and provide access to all of them through a single master password. Passwords are very sensitive information, since they open up a whole world of other information that third parties could use to their advantage, according to Techspective. It is important to create strong and unique passwords for different websites to keep online security and privacy at a maximum. Through password managers, users can create strong passwords every time they create new online accounts, all secured by one master password. In recent years, with the increase in work-from-home and other set-ups that require sensitive information to be communicated through online accounts, the popularity of password managers has also increased. They have good and bad aspects, but they have become undeniably necessary in today’s office ‘without walls’ setting. –Crischellyn Abayon


Many cybersecurity experts agree that the use of reputable password managers can help prevent some of the issues associated with identity and access management.

With insider threat incidents on the rise, password managers can help teams reduce the risk of credential theft as a result of weak or reused passwords. However, password managers are not flawless, and have their own drawbacks.

Here are some of the top benefits and risks of password managers, so your team can make the right choices when evaluating and implementing these solutions.


Risk: Autofilling Passwords

If your employees are choosing to use browser-based password generators (found in most browsers, including Safari and Chrome), or dedicated password managers with an autofill option, they may be opening themselves up to unnecessary risk.

According to a recent study from Princeton’s Center for Information Technology Policy, third-party scripts used by online advertising and web tracking firms can create invisible forms that capture autofilled passwords, exploiting these solutions. These scripts were found on more than 1,000 of Alexa’s top million websites.

For these reasons, some top password management solutions have refused to add autofilled passwords as a feature, despite frequent requests from users. Look for a solution that allows you to turn autofilling off, or doesn’t leverage this feature at all.
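
As an added example (not code from the article or the Princeton study), here is a defensive check a web team can run against its own pages to find credential fields that a user could never see but an autofill feature would still populate. The heuristic is DOM-free so it can be tested offline; `describeField` is a hypothetical browser adapter and the thresholds are my own assumptions.

```javascript
// Reduce a DOM <input> to the properties the heuristic needs. Only runs in a
// browser; the heuristic below takes these plain objects so it can be tested.
function describeField(el) {
  const style = getComputedStyle(el);
  const rect = el.getBoundingClientRect();
  return {
    type: (el.type || 'text').toLowerCase(),
    autocomplete: el.getAttribute('autocomplete') || '',
    display: style.display, visibility: style.visibility,
    opacity: parseFloat(style.opacity),
    width: rect.width, height: rect.height, left: rect.left, top: rect.top,
    origin: el.ownerDocument.location.origin,   // differs inside a third-party iframe
  };
}

// Return the reasons a field is invisible to the user; empty means visible.
function hiddenReasons(f) {
  const reasons = [];
  if (f.display === 'none' || f.visibility === 'hidden') reasons.push('css-hidden');
  if (f.opacity === 0) reasons.push('transparent');
  if (f.width === 0 || f.height === 0) reasons.push('zero-size');
  if (f.left + f.width < 0 || f.top + f.height < 0) reasons.push('off-screen');
  return reasons;
}

// Flag inputs that a password manager would treat as credentials (password
// fields, or username/email fields by type or autocomplete hint) but that the
// user cannot see. pageOrigin is the origin of the page being audited; a
// field whose document origin differs lives in a third-party frame.
function findHiddenCredentialFields(fields, pageOrigin) {
  const findings = [];
  fields.forEach((f, i) => {
    const isCredential = f.type === 'password' || f.type === 'email' ||
      /^(username|email|current-password|new-password)$/.test(f.autocomplete);
    if (!isCredential) return;
    const reasons = hiddenReasons(f);
    if (f.origin && pageOrigin && f.origin !== pageOrigin) reasons.push('third-party-frame');
    if (reasons.length) findings.push({ index: i, type: f.type, reasons });
  });
  return findings;
}

// In a browser: findHiddenCredentialFields(
//   Array.from(document.querySelectorAll('input')).map(describeField), location.origin);
```

Run in the page's devtools console; any finding is worth explaining, since a legitimately hidden credential field is rare and a hidden one inside a third-party frame is exactly the pattern the Princeton researchers described.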


Risk: Bugs in Password Management Software

Like any third-party software (no matter how trusted), password management solutions have their bugs. PC World recently reported that Google’s security team had outed several of the top password managers by finding bugs and exploits in their software. While these software providers quickly resolved these issues, cybersecurity professionals should still be wary of recent incidents involving password managers.

The same PC World article advises conducting a web or Twitter search of the password management vendor’s name plus the word “hacked” to uncover whether the solution has been recently exploited, as well as what measures their team has taken to resolve the incident.

In addition, checking sites such as “Have I Been Pwned” can help determine whether users’ accounts have been breached. Paying attention to what trusted researchers and news outlets have to say about these solutions could save a lot of agony in the evaluation process.


Benefit: A Rotating Vault of Unique Passwords

Some password managers (such as 1Password, and local storage vault alternatives such as KeePass, EnPass, and LastPass) require the user to fill in a unique, “unhackable” master password that unlocks a password vault. The vault generates a unique password every time the user logs into a service (rather than autofilling the same password each time). These tools also use strong cryptographic standards such as AES-256 and SHA-256 to protect their password databases.

The practice of rotating credentials has long been used in the cybersecurity community for privileged access management. A password manager is a more user-friendly approach to ensuring that every employee adheres to a similar best practice across the organization.

Some employees may attempt to circumvent a password vault because it adds an extra step to their workflows, or they prefer the ease of a browser’s autofill solution. For these users, it’s important to educate them about the risks (see the Princeton study above) and help them understand that these measures are intended to protect them from credential theft—not just introduce unnecessary inconvenience.


Benefit: Reduced Margin for User Error

One of the biggest benefits of using a password management solution is reducing the margin for user error.

Password-related errors can take many forms, including weak (“passw0rd1234” folks, we’re looking at you!) and reused credentials. According to a recent Virginia Tech study, 52% of people reuse their passwords across multiple services. What’s more alarming, 16 million passwords can be cracked within just 10 guesses (including all of the reused passwords analyzed by the study!).

Reducing this type of behavior is one of the primary reasons to use a password manager. Insider threat statistics from the Ponemon Institute show that two out of three insider threat incidents happen because of employee mistakes. If these password management solutions cut down on the number of user errors, the cost of insider threats could potentially be significantly reduced. This is particularly useful if your organization can standardize the password manager used by all parties in the organization.


Conclusion: Enforce the Use of a Quality Password Manager

The benefits of using a password manager far outweigh the risks. However, password vaulting solutions can be significantly more difficult for users than the browser-based autofill password managers that many may be used to. It’s critical to not only adopt the use of a password manager, but also ensure that users understand how to use the solution properly every time they log into a service.

If employees are aware of some of the staggering research behind password compromises, they’ll be far more likely to adhere to the use of a password management solution.

Read the source article at ObserveIT
