What you should consider when choosing a password manager

Password managers offer many convenient options, but some come at the expense of security

Many security experts feel that passwords are no longer sufficient to keep online accounts safe from hackers, but we're still a long way from widespread adoption of biometrics and alternative methods of authentication.

Most of us are stuck with using passwords as the primary keys to our online lives, so we should at least strive to follow best security practices when it comes to managing them. This includes using long and complex passwords or phrases that can withstand brute-force attacks, using separate passwords for every online account and changing those passwords periodically.

The thought of doing all that can be intimidating, but fortunately there's an entire class of programs called password managers that can automate most of the process. Password management implementations vary, from the rudimentary password-storing features in most browsers to specialized products that synchronize the saved passwords across different devices and automatically fill log-in forms as needed.

Many password management services provide add-ons for different browsers, stand-alone applications for desktop and mobile platforms and even give users the ability to access their password vaults online. They're highly convenient, but if used incorrectly they can lead to a single point of failure, since almost all of them rely on one master password to unlock all other saved passwords.

What you need to know

Users should carefully consider the security models of the password management applications they intend to use. For cloud-based implementations that provide online access and synchronization, it is important to understand how the service provider stores users' data on its servers and whether it ever has access to the user's master password.

Some providers use a zero-knowledge model, where they only store an encrypted copy of the password vault on their servers. Then, contents of the vault get synchronized with the client applications or are sent in encrypted form to the user's browser during online access. The decryption process is always done locally, based on the user's master password, which is never shared with the service provider or sent over the Internet.

In this case, the company's servers are only used for storing encrypted copies of the password vaults and in the case of a server compromise attackers would not get keys to access the passwords stored inside. LastPass, Dashlane, 1Password and Mitro, the last of which recently went open-source after being acquired by Twitter, are some of the providers that claim to use such implementations.

Double down

However, this model does not protect against client-side attacks. For example, attackers could still obtain users' master passwords if they infect their computers with keylogging malware. That's why it is also important to choose a password manager application that offers two-factor authentication.

This form of authentication combines something you know -- the master password -- with something you have, like a mobile phone or a hardware token. The most common implementation of second authentication factors are one-time-use codes that are received via text messages or generated using special mobile applications like Google Authenticator. Fortunately, most of the popular cloud-based password management services currently offer some form of multi-factor authentication, but it's best to double-check before choosing one.

Two-factor authentication prevents attackers from accessing a user's password vault from a different computer or device by using a stolen master password. However, they could still use an existing malware infection to piggyback on a user's active password manager session and access their online accounts via the local browser, especially if the auto-login option is turned on. Auto-login features may be convenient, but can also be fraught with peril. Users should think carefully about whether they want to activate them.

It's also best to use password management applications that can automatically log off the user after some time of inactivity, especially if the browser is kept open for long periods of time or if someone else might have access to the computer while the user is away. This might not always protect against active malware on the computer, but it does add another layer of security.

Users may also be tempted to flag a device as trusted. Many password management applications offer an option of skipping the second authentication step in the future on a given device once they've completed a two-factor authentication with it. While convenient, this method assumes an attacker will never gain control over that device, which is not always the case, so users should carefully consider whether they can live with inputting the second factor every time.

Don't rely just on a password manager

One of the primary benefits of using a password management application is that it allows the use of different complex passwords for every account without having to remember them all. However, it's equally important for the user's master password to be strong so that it can resist brute-force attacks.

Users who find it hard to remember complex passwords that include digits, lower-case and upper-case letters and even special characters, should try using long pass phrases as their master passwords instead. These are sequences of random real words that make up hard-to-guess phrases and provide the same or even better level of protection against brute-force attacks as a strong password, but are easier to remember. Pass phrases can also be used for critical accounts that need to be accessible even if when the password management application or server is unavailable for some reason.

Finally, many of the largest online services, such as Facebook and Gmail, are now offering two-factor authentication themselves, so even if you're using a password manager and follow best security practices in general, turn on two-factor authentication whenever it's available. It can make a really big difference, especially if your password manager does get compromised.

Join the CSO newsletter!

Error: Please check your email address.

Tags MitroLastPassonline safetysecurityAccess control and authenticationdata protectionDashlaneFacebook

More about FacebookGoogle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts