There has been a prevalent misconception that password managers aren't secure, leading many organizations to hesitate to adopt such systems. Historically, password managers were primarily designed for efficient management without an extensive security focus. However, the landscape has evolved with the growing prevalence of malware and other cyber threats. Many password managers have responded to the demand for more robust and resilient systems by incorporating enhanced security measures. Consequently, it is crucial to recognize that numerous password managers are indeed safe.
In this blog post, we aim to delve into the complexities surrounding different types of password managers. We will thoroughly explore the essential security features that your password manager should possess, examine the vulnerabilities they may face, and ultimately establish the overall safety of password managers. We will finish by discussing how the level of security provided depends on the specific password manager you choose and the implementation of layered security measures.
Early Password Management:
In the early days of computing, password management primarily relied on manual methods, such as writing down passwords on paper or using basic memory techniques. However, these practices became inadequate and insecure as the number of accounts and passwords increased, along with more cyber threats. [Source: CNET] Many of us still have sticky notes on our desktops with our passwords.
Then, in the 1990s, Single Sign-On (SSO) systems emerged as a solution to simplify authentication across multiple platforms. These systems allowed users to log in once and access various services without repeatedly entering their credentials. SSO systems primarily targeted enterprise environments and relied on protocols like Kerberos and Security Assertion Markup Language (SAML) [Source: TechTarget]. Then, in the late 1990s and early 2000s, standalone password manager software gained popularity. Applications like Password Safe, developed by Bruce Schneier, and KeePass were installed on users' computers. They stored passwords in encrypted databases, requiring users to remember only a single master password to access their stored credentials [Source: Schneier on Security].
With the rise of cloud computing and the need for password management across multiple devices, cloud-based password managers emerged. These password managers store encrypted password databases in the cloud, enabling users to synchronize their passwords across various devices. Then, as smartphones gained popularity, password managers expanded their support to mobile platforms. This allowed users to access their passwords on the go and autofill login credentials in mobile apps. Password managers like 1Password and Dashlane gained prominence in the mobile space [Source: 1Password, Dashlane]. We then saw modern web browsers integrate more robust password management features, providing the ability to remember and autofill website passwords. While convenient, built-in browser-based password managers often have limitations compared to dedicated password manager applications [Source: Wired].
In addition to consumer-focused password managers, specialized solutions for businesses and enterprises emerged. Enterprise password managers offer features like centralized management, role-based access control, and integration with other security systems, addressing the unique requirements of organizations [Source: Keeper Security].
Security Features Your Password Manager Should Have:
As password managers evolved, hundreds of options appeared, ranging from browser extensions to free and paid managers and everything in between, each with different settings. Password managers can be safe and secure, but you must do your due diligence and ensure your management system has the following.
Strong passwords
A crucial aspect of an effective management system is its ability to guide users in creating strong passwords. Typically, these systems offer the convenience of automatically generating passwords for users. These generated passwords should incorporate a combination of upper and lower-case letters, numbers, and symbols, arranged in a randomized order.
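The generator described above, written out as an added example (this is not code from the post or from any particular password manager). It draws every character from the operating system's CSPRNG through Python's secrets module, guarantees that each character class is present, shuffles the result so the classes are in randomized order, and reports how large the search space is for a password that uses a given set of classes. The symbol set is an assumption; products differ in which symbols they allow.

```python
import math
import secrets
import string

# Character classes a generated password should draw from. The symbol set
# is an assumption chosen for this example; real managers let you tune it.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.<>?",
}


def generate_password(length: int = 20) -> str:
    """Random password containing at least one character from every class,
    in randomized order, sourced from the OS CSPRNG via `secrets`."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    # First guarantee every class is represented ...
    chars = [secrets.choice(cls) for cls in CLASSES.values()]
    # ... then fill the remaining positions from the union of all classes.
    alphabet = "".join(CLASSES.values())
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # SystemRandom is CSPRNG-backed, so the shuffle does not leak structure
    # (e.g. "the first four characters are always one of each class").
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def missing_classes(password: str) -> list:
    """Names of the classes a candidate password does not use at all."""
    return [name for name, cls in CLASSES.items()
            if not any(c in cls for c in password)]


def search_space_bits(password: str) -> float:
    """log2 of the number of candidates an attacker must try when they know
    the length and which classes were used (the generator's worst case)."""
    used = [cls for name, cls in CLASSES.items()
            if name not in missing_classes(password)]
    alphabet_size = sum(len(cls) for cls in used)
    if alphabet_size == 0:
        return 0.0
    return len(password) * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, "missing:", missing_classes(pw), "bits:", round(search_space_bits(pw), 1))
```

With all four classes the alphabet has 87 characters, so a 20-character password gives roughly 20 x log2(87), about 129 bits of search space; an 8-letter lowercase word gives about 38 bits, which is the difference the later "time to hack a password" section is about.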
Strong Master Password
One massive security plus is if the password manager requires a master key/password to access the manager. This is huge because if your computer or browser gets compromised, it adds another layer of protection. In addition, if the password manager requires the key/password to consist of upper and lower-case letters, numbers, and symbols in a randomized order, that is another security bonus.
Zero-knowledge architecture
After you register with a secure password manager, it sends you an encrypted key that only you can access; the provider has literally no way of knowing or accessing the key. If you're part of an enterprise account, extra security measures are implemented to help you regain access to a locked-out account. However, on an individual account, it requires contacting them for support. Another crucial part of zero-knowledge is that the password manager company neither knows nor can access any of your passwords. This ensures
MFA/2FA
A strong password manager will allow for multi-factor authentication (MFA). MFA is important for adding another layer of security to your accounts, but more about that later.
Patches/Updates
Another paramount part of a password manager is if they continually update and patch their system; if they do, it's equally important that you apply those updates. Keeping your system up-to-date allows code to be tweaked to stay one step ahead of cyber threats.
Encryption
A critical aspect of password managers is their encryption process. Here are a few main ways password managers should encrypt your passwords.
AES-GCM-256 Authenticated Encryption:
AES-GCM (Advanced Encryption Standard - Galois/Counter Mode) is a widely adopted encryption algorithm that provides both confidentiality and integrity of data. It uses a 256-bit key, which means there are 2^256 possible combinations, making it extremely difficult to break through with brute-force attacks. GCM mode also provides authentication, ensuring the encrypted data remains unchanged and uncorrupted during transmission or storage.
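An added example of the two properties the paragraph names, confidentiality and integrity, using AES-GCM-256 from the Python cryptography package (this is illustration code written for this post, not the implementation of any product). The record layout (a fresh 12-byte nonce followed by ciphertext and tag) and the use of an entry id as associated data are assumptions; the key here is simply random, where a real manager derives it from the master password.

```python
import secrets
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed on-disk layout for one vault record: nonce || ciphertext+tag.
NONCE_LEN = 12  # 96-bit nonces are the recommended size for GCM


def new_vault_key() -> bytes:
    """256-bit key from the OS CSPRNG (a real manager derives it from the
    master password instead; this example keeps the two concerns separate)."""
    return secrets.token_bytes(32)


def seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Encrypt and authenticate one entry. A fresh nonce is drawn per call:
    reusing a nonce under the same key destroys GCM's guarantees."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, aad)


def open_entry(key: bytes, record: bytes, aad: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the record, nonce, aad or key differ
    from what was used to seal it (the GCM tag check fails)."""
    nonce, body = record[:NONCE_LEN], record[NONCE_LEN:]
    try:
        return AESGCM(key).decrypt(nonce, body, aad)
    except InvalidTag:
        return None


def tampered_copy(record: bytes, index: int) -> bytes:
    """Flip one bit of a stored record, as a corrupted or edited vault file would."""
    b = bytearray(record)
    b[index] ^= 0x01
    return bytes(b)


def demo() -> dict:
    key = new_vault_key()
    aad = b"entry-id:42;site:example.com"   # constructed metadata bound to the ciphertext
    record = seal(key, b"correct horse battery staple", aad)
    return {
        "roundtrip": open_entry(key, record, aad),
        "flipped_ciphertext": open_entry(key, tampered_copy(record, NONCE_LEN), aad),
        "flipped_nonce": open_entry(key, tampered_copy(record, 0), aad),
        "wrong_aad": open_entry(key, record, b"entry-id:43;site:example.com"),
        "wrong_key": open_entry(new_vault_key(), record, aad),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Only the untouched record with the right key and associated data decrypts; every other case returns None rather than silently producing garbage, which is the integrity half of "authenticated encryption" and is why a modified vault file cannot be passed off as genuine.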
Cryptographically Secure Pseudorandom Number Generators (CSPRNGs):
Encryption systems require random values for keys, initialization vectors (IVs), and nonces. Cryptographically secure pseudorandom number generators generate these random values to ensure they are unpredictable and resistant to cryptographic attacks. CSPRNGs are designed to produce high-quality random numbers suitable for cryptographic operations.
PBKDF2-HMAC-SHA256:
PBKDF2 (Password-Based Key Derivation Function 2) is a key-strengthening algorithm used to derive encryption keys from passwords. It applies a cryptographic hash function, in this case, HMAC-SHA256 (Hash-based Message Authentication Code with the SHA-256 hash algorithm), to iteratively hash the password along with a salt. This process increases the computational effort required to guess or crack the password, making it significantly harder for attackers to perform brute-force or dictionary attacks.
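The key-strengthening step described above, as an added example using only the Python standard library (hashlib and secrets); it is not the code of any password manager. The salt length and the iteration count are assumptions; the 32-byte output length is chosen because it is exactly the key size AES-256 expects. The timing helper makes the cost argument concrete: every extra iteration the defender pays once per unlock is paid by an attacker once per guess.

```python
import hashlib
import hmac
import secrets
import time

SALT_LEN = 16          # assumption: 128-bit random salt per vault
KEY_LEN = 32           # 32 bytes = 256-bit key, what AES-256 expects
ITERATIONS = 600_000   # assumption: an illustrative modern work factor


def new_salt() -> bytes:
    """Per-vault salt from the OS CSPRNG, so equal master passwords on two
    vaults still yield different keys and precomputed tables are useless."""
    return secrets.token_bytes(SALT_LEN)


def derive_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 as shipped in the standard library."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def keys_match(a: bytes, b: bytes) -> bool:
    """Constant-time comparison, so a check never leaks a partial match."""
    return hmac.compare_digest(a, b)


def seconds_per_guess(iterations: int, samples: int = 2) -> float:
    """How long one derivation takes on this machine at a given work factor;
    an attacker's guess rate is bounded by the same cost per candidate."""
    salt = new_salt()
    start = time.perf_counter()
    for _ in range(samples):
        derive_key("timing-probe", salt, iterations)
    return (time.perf_counter() - start) / samples


def demo() -> dict:
    salt = new_salt()
    key = derive_key("correct horse battery staple", salt)
    return {
        "same_input_same_key": keys_match(key, derive_key("correct horse battery staple", salt)),
        "wrong_password": keys_match(key, derive_key("correct horse battery stapel", salt)),
        "different_salt": keys_match(key, derive_key("correct horse battery staple", new_salt())),
        "key_bits": len(key) * 8,
    }


if __name__ == "__main__":
    print(demo())
    for n in (1_000, 100_000, ITERATIONS):
        print(f"{n:>8} iterations: {seconds_per_guess(n) * 1000:.1f} ms per derivation")
```

The derivation is deterministic for a given password and salt (that is what lets the vault be unlocked again), while a one-character typo or a different salt produces an unrelated key. Raising the iteration count multiplies the time per derivation roughly linearly, which is the knob that turns "a few hours" of guessing into years.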
By utilizing AES-GCM-256 authenticated encryption, cryptographically secure pseudorandom number generators, and PBKDF2-HMAC-SHA256 for key strengthening, password managers ensure robust data security. Combining these encryption methods makes it highly unlikely that an attacker could decrypt your data without knowing your master password, providing you with high protection for your sensitive information.
Threats to Password Managers
Let's say your password manager is 1Password and meets all those requirements. Then, why do you still read articles about the vulnerabilities of password managers? Cyber hackers are constantly evolving their techniques to obtain private information. We will dive into the main vulnerabilities password managers face and finish with what you can do to prevent threats.
The first threat arises when you're researching a new password manager, or even your current one: you might see a Google ad or a link on a search engine, or receive an email about the company. The threat is that hackers create Google ads, links, and emails that look like the legitimate company. Back in January, there were phishy Google ads mimicking Bitwarden and 1Password, but if you looked closely at the ad, you could see the URL was different from their real domain. Since then, Google Ads has implemented additional features to authenticate an ad before it's shown to the public.
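An added example of the "look closely at the URL" check above, written for this post rather than taken from any vendor or ad platform. It parses the hostname the browser would actually connect to and accepts a link only if it is HTTPS and the host is one of a known-good set of domains or a subdomain of one; anything that merely contains a brand name is flagged. The known-good set and the sample links are constructed for the example (the lookalikes use the reserved .example domain).

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example; a real one would be maintained from
# the vendors' published domains.
KNOWN_GOOD = {"1password.com", "bitwarden.com"}


def hostname_of(url: str):
    """Lowercase hostname the browser would connect to. urlsplit().hostname
    discards any `user@` prefix, so https://1password.com@evil.example
    correctly comes back as evil.example."""
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else None


def is_official_link(url: str, known_good=KNOWN_GOOD) -> bool:
    """True only for HTTPS links whose host is a known domain or a subdomain
    of one. Substring lookalikes such as 1password.com.evil.example or
    my-1password.com do not end with '.1password.com' and are rejected."""
    if urlsplit(url).scheme.lower() != "https":
        return False
    host = hostname_of(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in known_good)


def triage(urls):
    """Split a batch of links (from ads, search results or an email) into
    the ones that resolve to known domains and the ones to treat as suspect."""
    trusted, suspicious = [], []
    for u in urls:
        (trusted if is_official_link(u) else suspicious).append(u)
    return trusted, suspicious


# Constructed sample links for the demonstration.
SAMPLE_LINKS = [
    "https://1password.com/signin",
    "https://my.1password.com/",
    "http://bitwarden.com/",                  # right host, but not HTTPS
    "https://1password.com.evil.example/",    # brand used as a subdomain of a stranger
    "https://1password.com@evil.example/",    # brand hidden in the userinfo part
    "https://my-1password.com/",              # brand embedded in a different domain
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_LINKS)
    print("trusted:", ok)
    print("suspicious:", bad)
```

The same rule is what you apply by eye: read the hostname right to left from the registrable domain, and ignore everything to its left and everything after the first slash.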
Another significant threat arises when installing browser extensions, particularly in cases where the password manager solely exists as a browser extension. This scenario introduces the risk of inadvertently downloading a fraudulent or malicious extension. Attackers may create deceptive extensions that masquerade as legitimate password managers but, in reality, are designed to compromise user security. Users who unknowingly install such fake extensions may unwittingly expose their sensitive information and passwords to malicious actors. Therefore, it is crucial to exercise caution and verify the authenticity of any browser extension before installation to mitigate this potential threat.
There are a few known viruses that target password managers. The biggest one is ViperSoftX. ViperSoftX is a JavaScript-based RAT (remote access trojan) initially designed to steal cryptocurrency that has evolved to target password managers. Below we detail how the virus attacks.
Arrival Routine: ViperSoftX commonly enters systems disguised as a software crack, activator, patcher, or key generator. To conceal the main malware, the attackers encrypt it within the overlay of genuine non-malicious software files.
Infection Routine: Upon infiltration, ViperSoftX performs checks to identify virtualization strings, monitoring tools, and antivirus products, aiming to determine if the system operates in a virtual machine or is being monitored. If these checks pass, the malware proceeds to decrypt the embedded PowerShell code and initiate the download of the primary ViperSoftX routine.
Unique Encryption: ViperSoftX employs byte remapping as an encryption technique. This makes decryption without the correct byte map a time-consuming and challenging task; the encrypted shellcode and its components remain inaccessible without the accurate byte map.
Password Theft: While renowned as a cryptocurrency stealer, ViperSoftX can also target password managers. It scours local directories and browser extensions in search of cryptocurrency wallets and password managers, attempting to pilfer relevant information.
However, many other viruses, malware, and other cyber attacks can have a ripple effect on your password manager if your device is compromised. The most significant way to stay protected is to implement a layered security solution on your personal devices and within your organization.
Layered Security is a Must For Any Organization
Implementing a layered security approach is crucial to effectively protect your organization's sensitive information.
One essential component of this approach is antivirus software and hardware, which helps detect and eliminate various types of malware, including viruses, worms, and trojans. The hardware/software will automatically scan and block suspicious files, traffic, and links across your network, minimizing the risk of infection and unauthorized access to your systems before you even have time to click "Yes, I want to win $500!"
Another important element is a virtual private network (VPN). A VPN creates a secure, encrypted connection between your endpoint device and the web, ensuring that data transmitted over public networks remains confidential. Using a VPN, you can safeguard sensitive information and protect against eavesdropping or unauthorized interception of data.
Web and email filtering/scanning is another significant component of a layered security approach. By implementing these measures, you can identify and block malicious content, such as phishing emails or websites, reducing the risk of malware infections and data breaches. Web filtering can restrict access to potentially harmful websites, while email scanning filters out suspicious attachments and links.
Addressing the security of the clipboard is also crucial. Sensitive information, including passwords and confidential data, often gets copied to the browser clipboard. Implementing policies to encrypt clipboard contents or clear them after a certain period or when switching between applications can minimize the risk of unauthorized access to this information. In addition, enabling Multi-Factor Authentication (MFA) for your accounts adds an extra layer of security. MFA requires users to provide multiple forms of identification, such as a password and a unique verification code sent to their mobile device, further reducing the risk of unauthorized access to sensitive information.
However, one of the most important things you can do is invest in regular phishing and security training awareness programs. Educating employees about potential threats, such as phishing attacks and social engineering techniques, empowers them to recognize and respond appropriately to suspicious activities. Fostering a security-conscious culture can significantly enhance your organization's defense against evolving cyber threats.
And finally, strong passwords!
The time it takes to hack a password dramatically varies depending on its strength and security measures. Secure passwords are significantly more challenging to crack compared to non-secure ones. The duration of a successful hacking attempt is influenced by factors such as the complexity and length of the password, the strength of encryption algorithms employed, and the computational resources available to the attacker.
Non-secure passwords, which include simple dictionary words, commonly used phrases, or easily guessable combinations, are vulnerable to swift attacks. Techniques like brute-force attacks or dictionary attacks, which systematically try all possible combinations or known words, can quickly crack these passwords. In such cases, an attacker may take anywhere from a few seconds to a few hours to successfully compromise the account. These attacks exploit the lack of complexity and predictability in non-secure passwords.
In contrast, secure passwords that are long, complex, and combine uppercase and lower-case letters, numbers, and special characters pose a significant challenge for hackers [ConnectedGeek]. Including such elements exponentially increases the number of possible combinations, making it impractical to crack the password within a reasonable timeframe. With secure passwords, it can take years or even centuries for an attacker to successfully break through the encryption, depending on the computational resources at their disposal. Check out this fun password strength meter to see for yourself: Password Strength Meter.
However, memorizing 100, 10, or even 3 secure passwords is not feasible. That's why using a secure password manager is beneficial. In conclusion, password managers are a much safer alternative to memorizing passwords; if you do your due diligence, your password manager could have additional security features to help protect your organization's data to a greater extent. But like anything, with cybersecurity, a layered security approach is the only way to stay safe from cyber threats.
- CNET: https://www.cnet.com/news/password-killers-scrambling-for-answers/
- TechTarget: https://searchsecurity.techtarget.com/definition/single-sign-on
- Schneier on Security: https://www.schneier.com/cryptography/passwords/archives/1999/11/password-manager-recommendations/
- LastPass: https://lastpass.com/
- 1Password: https://1password.com/
- Dashlane: https://www.dashlane.com/
- Wired: https://www.wired.com/story/browser-password-manager-security/
- PCMag: https://www.pcmag.com/how-to/how-to-secure-your-online-accounts-with-a-password-manager
- Keeper Security: https://www.keepersecurity.com
- Tech Co: https://tech.co/password-managers/how-many-passwords-average-person
- Connected Geek: https://connectedgeek.net/password-security/