This article provides an overview of how password managers work, how they protect me, and what types are available.
I currently have 182 user credentials that I use for work purposes, but I only know one password.
Well actually, that is a fib. I also need to remember my BitLocker PIN and my laptop login password, but you get the point. I only have to remember one password, not because I reuse the same password everywhere (see my previous cartoon), but because I follow National Cyber Security Centre (NCSC) advice and use a password manager to keep my passwords safe.
The user credentials I have are for a mix of internal systems, applications and cloud-based systems. As a large number of these passwords are used on third-party services such as cloud applications and forums, I have very little control over how these passwords are stored or protected. At some point in 2019 I fully expect one or more of these services to be compromised in some way and at least one of my credentials to be lost.
What is a password manager?
In its simplest form, a password manager is a piece of software that allows you to generate and securely store a unique password for every account that you set up. This can be for internal systems, servers, applications and cloud services; in fact it can be for any type of credential you need to set up. Each password generated by the password manager is long, random and unique.
They are so long and random that a human could not possibly remember them, and they are very difficult for criminals or miscreants to guess or crack. The password manager itself is protected by a single strong master password that I do have to remember (I also recommend using two-factor authentication to protect the password manager if possible), and the stored passwords are encrypted to prevent unauthorised access.
I think it is important at this stage to differentiate between a password manager (that might use a browser plug-in to make your life easy) and using your favourite browser to store passwords that you manually set when you sign up for a new online account. I do not recommend using your browser to save passwords, and it is definitely not the same as using a password manager.
Why does a password manager help?
I think there are three key security enhancements from using a password manager:
- If one of the cloud services that I use is compromised and my password is stolen, I know with total confidence that the password cannot be used to access any of my other accounts on other systems, as each password is definitely unique and not reused. To protect myself following a breach of a third-party service, all I need to do is change one password, or delete my account.
- I don’t have to give genuine answers to password reset security questions; I can make up random answers and store them alongside the password in my password manager in case I ever need them. Why should my accounting software provider know the name of my first pet, or even my date of birth? The real answer could be guessed or found out by a persistent criminal and used to compromise my account anyway, so it is much better to provide a false random answer.
- Criminals are not going to be able to guess the random password generated by the password manager for a given online service by using:
- social engineering – using things they know or can find out about me
- brute force – trying lots of different common passwords until they get in.
- credential stuffing – trying a compromised password from another online service against lots of other systems, looking for password reuse.
Types of password manager
Let me start with the conclusion:
any password manager is better than no password manager.
Offline password manager – A piece of software that you install on your work or home system to generate and store random passwords in an encrypted file on your local hard disk. With this type of system you often have to cut and paste usernames and passwords from the password manager into logon windows; it can take some getting used to but is fine once you get into the swing of it. In my view this is the most secure solution, as a criminal would need access to your system in order to steal the encrypted password file and would also need to know your master password to access the contents. On the negative side, the encrypted password file needs to be regularly backed up, because if you lose the password file (corruption, lost laptop etc.) you lose your passwords. In addition, this solution doesn’t easily allow you to access your passwords from another system (for example a mobile device when travelling). I use the open source KeePass tool as an offline password manager (without any of the plugins), but there are lots of other alternatives available with different features.
Cloud-based password manager – There are lots of cloud-based password managers, most of which have browser plugins to autofill passwords when you try to sign up or log in to a site. With a cloud-based solution the encrypted passwords are stored in the cloud by the vendor, and are therefore available to any of the devices that you use, which is super useful. In one of my previous roles the company I was working with asked staff to use LastPass to store passwords, and I was impressed with how easy it was to use. However, there are potential drawbacks with cloud-based systems: if they get hacked then potentially all of your passwords are compromised. There are several examples of cloud password managers being compromised and hashed versions of master passwords being accessed by criminals (I won’t name them here, it would not be fair). A cloud-based password manager is better than no password manager, but my preference would be for an offline version, although I acknowledge this isn’t an option for everyone as there are significant limitations when compared to a cloud or corporate system.
Corporate password manager – A corporate password manager is software installed on a central server that internal users can access to generate, store and retrieve strong passwords. These are very similar to the cloud-based systems, but are hosted and managed by a company’s internal IT department rather than being in the cloud. They have the benefit of allowing access from multiple devices, and even allow sharing of passwords between teams, for example a break-glass administrator account or a company social media password that needs to be accessed by multiple people. Corporate password managers sometimes have add-on modules that will automatically change a password after it has been used, will audit and record when passwords are used, or will even implement an approval workflow (to support a change process) before a password is released. I have used several of these types of system over the years, including the open source Passbolt, Thycotic Secret Server and CyberArk, which have ranged in price and functionality, but all have done a solid job.
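As an added illustration (not code from this article, nor from KeePass or any other product named here), the Python model below shows the two mechanisms the offline password manager relies on: a CSPRNG generates a long, unique password for each service, and a slow key derivation turns the single master password into the key that would protect the encrypted vault file. The actual vault encryption step is left out; the verifier check stands in for it, and the function names and the PBKDF2 iteration count are my assumptions.

```python
import hashlib
import hmac
import math
import secrets
import string

# Alphabet for generated passwords (letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
# Iteration count for deriving the vault key from the master password
# (an assumed value; real managers tune this to the hardware).
KDF_ITERATIONS = 200_000

def generate_password(length: int = 24) -> str:
    """Return a long random password drawn from ALPHABET using a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random password of this length."""
    return length * math.log2(alphabet_size)

def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Slowly derive the 32-byte key that would encrypt the vault file."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS)

def create_vault(master_password: str) -> dict:
    """New vault: random salt plus a verifier for the master password."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, salt)
    # The verifier lets unlock() check the master password without storing the key.
    verifier = hmac.new(key, b"vault-verifier", "sha256").digest()
    return {"salt": salt, "verifier": verifier, "entries": {}}

def unlock(vault: dict, master_password: str) -> bool:
    """True only if the master password reproduces the stored verifier."""
    key = derive_vault_key(master_password, vault["salt"])
    candidate = hmac.new(key, b"vault-verifier", "sha256").digest()
    return hmac.compare_digest(candidate, vault["verifier"])

def add_entry(vault: dict, service: str, username: str) -> str:
    """Generate a unique password for one service and record it in the vault."""
    password = generate_password()
    vault["entries"][service] = {"username": username, "password": password}
    return password

def all_unique(vault: dict) -> bool:
    """The key property from the article: no password is reused across services."""
    passwords = [e["password"] for e in vault["entries"].values()]
    return len(passwords) == len(set(passwords))
```

A 24-character password from this 94-symbol alphabet carries roughly 157 bits of entropy, which is why brute force and credential stuffing get no purchase on it; the slow derivation is what makes guessing the master password expensive if the vault file is stolen.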
How much do password managers cost?
So the great news is that you can choose how much you want to pay for a password manager. Some are open source and therefore free to use (but you have to rely on community support). Some are a monthly subscription based on the number of users, and some are capex-based enterprise software that helps solve a whole gamut of compliance problems. I guess the key takeaway here is that there is no reason not to use a password manager, as cost should not be an issue. There are solutions available for all budgets and use cases, and while Threat Status do not currently resell password managers, our partners do.