What you should consider when choosing a password manager

Lucian Constantin | Oct. 14, 2014
Many security experts feel that passwords are no longer sufficient to keep online accounts safe from hackers, but we're still a long way from widespread adoption of biometrics and alternative methods of authentication.

Most of us are stuck with using passwords as the primary keys to our online lives, so we should at least strive to follow best security practices when it comes to managing them. This includes using long and complex passwords or phrases that can withstand brute-force attacks, using separate passwords for every online account and changing those passwords periodically.

The thought of doing all that can be intimidating, but fortunately there's an entire class of programs called password managers that can automate most of the process. Password management implementations vary, from the rudimentary password-storing features in most browsers to specialized products that synchronize the saved passwords across different devices and automatically fill log-in forms as needed.

Many password management services provide add-ons for different browsers and stand-alone applications for desktop and mobile platforms, and even give users the ability to access their password vaults online. They're highly convenient, but if used incorrectly they can become a single point of failure, since almost all of them rely on one master password to unlock all other saved passwords.

What you need to know

Users should carefully consider the security models of the password management applications they intend to use. For cloud-based implementations that provide online access and synchronization, it is important to understand how the service provider stores users' data on its servers and whether it ever has access to the user's master password.

Some providers use a zero-knowledge model, in which they store only an encrypted copy of the password vault on their servers. The encrypted vault is then synchronized to the client applications, or sent in encrypted form to the user's browser during online access. Decryption is always done locally, based on the user's master password, which is never shared with the service provider or sent over the Internet.

In this case, the company's servers are used only to store encrypted copies of the password vaults, and in the event of a server compromise attackers would not obtain the keys needed to access the passwords stored inside. LastPass, Dashlane, 1Password and Mitro, the last of which recently went open-source after being acquired by Twitter, are some of the providers that claim to use such implementations.
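To make the zero-knowledge model concrete, here is an added Go example written for this page (not code from LastPass, Dashlane, 1Password, Mitro or any other product): the client derives an AES-256 key from the master password with PBKDF2 and encrypts the vault locally, so the server only ever receives a salt, a nonce and authenticated ciphertext. The hand-written PBKDF2 helper, the 100,000-iteration work factor and the sample vault contents are assumptions of the example, not parameters of any named service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// pbkdf2 is a minimal RFC 8018 PBKDF2-HMAC-SHA256 yielding one 32-byte block (an AES-256 key).
func pbkdf2(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	u := append(append([]byte{}, salt...), 0, 0, 0, 1) // U_1 input: salt || big-endian block index 1
	t := make([]byte, sha256.Size)
	for i := 0; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)         // U_{i+1} = HMAC(password, U_i)
		subtle.XORBytes(t, t, u) // T = U_1 ^ U_2 ^ ... ^ U_iter
	}
	return t
}
type StoredVault struct{ Salt, Nonce, Ciphertext []byte } // all the server ever holds: public salt and nonce plus AES-GCM ciphertext
// deriveAEAD is the only place the master password is used, and it runs on the client, never the server.
func deriveAEAD(master string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2([]byte(master), salt, 100000)) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)                                   // standard nonce size: cannot fail
	return aead
}
// SealVault encrypts the vault client-side before upload, under a fresh random salt and nonce.
func SealVault(master string, vault []byte) (StoredVault, error) {
	rnd := make([]byte, 28) // 16-byte salt followed by 12-byte GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return StoredVault{}, err
	}
	ct := deriveAEAD(master, rnd[:16]).Seal(nil, rnd[16:], vault, nil)
	return StoredVault{Salt: rnd[:16], Nonce: rnd[16:], Ciphertext: ct}, nil
}
// OpenVault decrypts client-side; a wrong master password or a tampered blob fails GCM authentication.
func OpenVault(master string, sv StoredVault) ([]byte, error) {
	return deriveAEAD(master, sv.Salt).Open(nil, sv.Nonce, sv.Ciphertext, nil)
}
func main() {
	sv, _ := SealVault("correct horse battery staple", []byte(`{"example.com":"hunter2"}`)) // constructed sample
	_, err := OpenVault("wrong master password", sv)
	fmt.Println(len(sv.Ciphertext), "ciphertext bytes on the server; wrong password ->", err)
}
```

A StoredVault copied from a compromised server cannot be opened without the master password, and a wrong password fails authentication rather than yielding garbage; nothing here helps if the master password itself is captured on the client.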

Double down

However, this model does not protect against client-side attacks. For example, attackers could still obtain users' master passwords by infecting their computers with keylogging malware. That's why it is also important to choose a password manager application that offers two-factor authentication.
