How many passwords do you currently use, and how do you remember all of them? We all know that, as a best practice, using the same password on multiple websites is not recommended at all. As a normal user, most people don't think too much when they create an account on a website, whether encryption is in place or not. I have read about a senior management person who has 650 accounts on different websites. Keeping an Excel sheet and updating it is also risky; even if it is password protected, there is a chance it will get compromised one day.
Using a password manager is one way to manage this. Different vendors provide password manager solutions and guarantee that they will encrypt and store login details efficiently; they also help us create strong passwords, automate the login process, auto-fill forms, etc. These password managers work with almost all web browsers. We always read or hear about creating strong passwords that would be effective against brute-force attacks, and these password managers generate passwords that no one would be able to guess. There is also no headache of remembering those passwords, as this is handled by the tool itself.
Normally the browser will ask permission to save your login info, and it stores your passwords in encrypted databases or registry entries kept locally on your computer. If the browser has a feature to sync your data between your computer and other devices, the information is saved in encrypted form to an online account, for example your Google account if you use Chrome, or your Firefox Sync account on Mozilla. Some browsers use your computer login password as the key for the encrypted data. Because of this, your passwords can easily be revealed with some hacking tools. If these tools can recover the data, think about malware running under your user account: it might also be able to access the data.
A password manager, on the other hand, automatically encrypts your password database and gives you the only key, in the form of a master password that only you know. All encryption and decryption happens locally on your computer. Because these companies don't have the encryption key, even if their servers get hacked, the attackers wouldn't be able to decrypt your data.
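To make the "only you hold the key" model concrete, here is an added example (not code from the post or from any vendor's product) of a minimal local vault: the key is derived from the master password with PBKDF2 and used for AES-256-GCM, so the vendor's sync server only ever sees salt, nonce and ciphertext; the master password, iteration count and vault layout are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// deriveKey is PBKDF2-HMAC-SHA256 (RFC 8018), one 32-byte block; the key is never stored.
func deriveKey(master string, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, []byte(master))
	u := append(append([]byte{}, salt...), 0, 0, 0, 1) // S || INT(1)
	key := make([]byte, 32)
	for i := 0; i < iters; i++ {
		mac.Reset()
		mac.Write(u) // U1 = PRF(P, S||INT(1)); Ui = PRF(P, Ui-1)
		u = mac.Sum(nil)
		for j := range key { // key = U1 xor U2 xor ... xor Uc
			key[j] ^= u[j]
		}
	}
	return key
}

type Vault struct{ Salt, Nonce, Ciphertext []byte } // all a sync server holds: no key

// gcmFor builds AES-256-GCM; with a fixed 32-byte key neither constructor can fail.
func gcmFor(master string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(deriveKey(master, salt, 100000))
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Seal encrypts the entries locally; only the resulting Vault leaves the machine.
func Seal(master string, entries []byte) (Vault, error) {
	raw := make([]byte, 28) // 16-byte salt + 12-byte GCM nonce, both may be public
	if _, err := rand.Read(raw); err != nil {
		return Vault{}, err
	}
	v := Vault{Salt: raw[:16], Nonce: raw[16:]}
	v.Ciphertext = gcmFor(master, v.Salt).Seal(nil, v.Nonce, entries, nil)
	return v, nil
}

// Open fails closed: a wrong master password or any tampering fails GCM's tag check.
func Open(master string, v Vault) ([]byte, error) {
	return gcmFor(master, v.Salt).Open(nil, v.Nonce, v.Ciphertext, nil)
}
```

A real product would add a memory-hard KDF and a per-entry structure, but the property the post relies on is already visible here: whoever holds only the Vault cannot decrypt it without the master password.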
These password managers can also use the identities that are created and stored for auto form-filling, which saves a lot of time when you fill in an online application. We also don't have to worry about keyloggers, since our passwords are inserted into login fields by the software itself.
Yes, the above-mentioned features are good and help us manage our account details efficiently, but it is more important to understand the risks introduced by these tools.
We need to do research and confirm that encryption/decryption happens locally and that the password database or file is never sent to any vendor database. Most importantly, we need to do a vendor risk assessment to evaluate the vendor's reputation and their controls. We also need to verify how the data is stored. There also has to be a mechanism that enforces the use of a good master password that is not used for any other account.
A single vulnerability and everything is gone: in case of a vulnerability in the tool, the attacker would be able to steal all of a user's passwords in a single swoop.
Authored by Aju Nair