Gone are the days when we needed to store our most valuable things in a locker (a physical safe). Now most of the valuable assets we own are protected digitally by a password string, not by a physical safe, so anyone located anywhere in the world can access them, provided the password is known or can be inferred.
Passwords have become so crucial that handing one over to a malicious person may affect you gravely, so password security should be kept in mind.
It is much more than just choosing a password according to the policy set by the service (Facebook, Google, etc.), such as requiring capital letters, digits and so on. The policy only saves you from a brute-force attack or a dictionary attack; the rest is in your hands. One of the common mistakes people make is using the same password across websites. It may seem that this is not an issue, but once one website's data is leaked, every other account you had with the same password is exposed, without you knowing.
A relatively recent example of this type of hack was the one on Zomato. Their data was stolen just because one of their developers had an account on 000webhost whose data got leaked, which exposed his password, and those were the same credentials he was using for development work at Zomato, as detailed on their official blog.
How would a password manager help?
The reason we generally use the same password is to avoid remembering a different password for each service we use, and that's logical. A password manager solves exactly this problem: you can store a separate password for each service, and it's safe (why? described below). It can also generate passwords that are strong enough to resist brute-force and dictionary attacks.
Passwords in a password manager are safe.
Why is a password manager safe?
To understand why it is safe, let's dive into how they generally work.
Password managers work by asking the user to choose a strong master password. This password is the key to a single locker: the security of your other passwords is equivalent to the security of this one password.
Let's divide the flow into three phases: signing up, adding the password of a service/website, and logging in.
Signing up
The following things happen when you sign up:
- You choose a master password.
- The master password is hashed (hashing is a one-way function) in the app.
- The hash of the password is sent to servers.
Adding Password of a service/website
Whenever you add the password of some service, say Facebook, the following things happen:
- You enter the password of the service.
- It is encrypted using the master password, not its hash.
- The encrypted password is sent to the server.
Logging in
Whenever you log in to the app, you provide the master password and the following things happen:
- The master password is hashed on the device itself and then sent to the servers for authentication.
- The server matches it against the stored hash and, if it matches, sends the encrypted passwords back to the device.
- The encrypted passwords sent back to the device are then decrypted using the master password (not the hash) you provided.
Notice that the other passwords are never stored in plain text on the password manager's servers. They are encrypted using the master password and then sent to the servers, so the server never has your plain-text passwords.
The server only has your hashed master password and the encrypted passwords (encrypted using the master password). Even if their server gets hacked some day, the hacker would never learn the passwords of your other services: the master password is stored on the server only as a hash, not directly, so the passwords encrypted under the master password are of practically no use to the hacker.
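The three phases above as an added toy implementation (example code written for this post, not the code of any real password manager). It assumes PBKDF2 to stretch the master password, HMAC-SHA256 in counter mode as a standard-library stand-in for AES, and a `Server` class standing in for the provider's database; all names (`derive_keys`, `encrypt`, `decrypt`, `Server`, `client_*`) are made up here, and, as one refinement on the text, the auth hash and the vault key are derived separately from the same master password so that the hash the server stores is useless for decrypting the vault.

```python
import hashlib, hmac, os

def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """One stretch, two unrelated keys: auth_key goes to the server, vault_key stays on the device."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000)
    return (hmac.new(stretched, b"auth", "sha256").digest(),
            hmac.new(stretched, b"vault", "sha256").digest())

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES-CTR.
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(length // 32 + 1))[:length]

def encrypt(vault_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # encrypt-then-MAC on the device: nonce || ct || tag
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(vault_key, b"mac" + nonce + ct, "sha256").digest()

def decrypt(vault_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(vault_key, b"mac" + nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(vault_key, nonce, len(ct))))

class Server:
    """All the provider holds per user: a salt, the auth hash and encrypted blobs."""
    def __init__(self):
        self.users = {}
    def signup(self, user, salt, auth_key):
        self.users[user] = {"salt": salt, "auth": auth_key, "vault": {}}
    def salt(self, user):
        return self.users[user]["salt"]
    def vault(self, user, auth_key):
        """The encrypted blobs, released only if the presented auth hash matches."""
        rec = self.users.get(user)
        return rec["vault"] if rec and hmac.compare_digest(rec["auth"], auth_key) else None

def client_signup(server, user, master):
    salt = os.urandom(16)
    server.signup(user, salt, derive_keys(master, salt)[0])  # only the auth hash goes up

def client_add(server, user, master, site, password):
    auth_key, vault_key = derive_keys(master, server.salt(user))
    server.vault(user, auth_key)[site] = encrypt(vault_key, password.encode())  # blob, never plaintext

def client_login(server, user, master):
    auth_key, vault_key = derive_keys(master, server.salt(user))
    blobs = server.vault(user, auth_key)  # None if the hash did not match
    return None if blobs is None else {s: decrypt(vault_key, b).decode() for s, b in blobs.items()}
```

Decrypting a stored blob with the server's stored auth hash raises ValueError, which is the property the post relies on; as the post says, the master password's strength remains the limit, since a stolen hash or blob can still be attacked offline.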
Tip: You can use a service that tells you whether your account was part of a breach, so that you know the passwords of those accounts have been leaked and can change the passwords of any other accounts that share the same password. One I know of is Have I Been Pwned.
Authored By - Akashdeep Saluja
LinkedIn URL - https://www.linkedin.com/in/akashdeep-saluja-79700628/