Is it time to use Password Managers?
The endless list of usernames and passwords we have to remember certainly isn’t getting any smaller, and I often impress myself with the number of random usernames and passwords I can remember. However, there’s always that ‘what if’: what if I forget them? Granted, most products and services which require secure credentials offer a password recovery service, but there is still the inconvenience of then having to remember the answer to that secret question, an answer you deliberately made something other than the correct/obvious one in order to avoid social engineering tactics.
Given the number of usernames and passwords we need to remember, ranging from personal and internet banking credentials to various work usernames, passwords and access codes (for organisations which don’t use single sign-on!) and all of the social networking, shopping, media and entertainment sites we use in our own personal day-to-day lives, are password managers the answer?
Instead of having to remember those usernames and passwords, many people use the same ones across multiple sites. If not the same, they use very similar passwords or closely associated items such as family and pet names, dates of birth, vehicle registration numbers and telephone numbers, for example. All of these can be quite easily discovered through social engineering.
There are two sides to the coin when it comes to password managers as far as I can see. On the up side, they offer a single place to store all of your credentials, securely encrypted, usually to the AES-256 standard. In addition, many password managers offer a random password generator. All of this enables the user to have a completely unique password for each and every account, with the added ability to copy and paste the username and password from within the application into the input box to save typing in the credentials.
Many password managers also offer mobile apps for the various mobile platforms such as Android, iPhone and Windows Mobile, as well as the original desktop applications for the likes of Windows XP/7, Mac OS X and Linux, allowing import/export to and from desktop and mobile devices as well as database synchronisation.
In addition, password managers worth their salt often offer two-factor authentication. In addition to the MASTER password that unlocks the password list, a key file can be used as the second factor (similar to a smart card plus password in an enterprise environment). This can be any file, document, image etc. created by the user, or a key file specifically generated by the user with the password manager application. Unlocking the database then requires not only the master password but also the exact key file used to secure it, as its checksum and value must match.
On the down side, a password manager enables access to all of your passwords via one single ‘Master’ password (if a key file is not used…). Provided that this password is secure enough, i.e. complicated and long enough, including alphanumeric characters and punctuation etc., it shouldn’t be vulnerable. But there is still that thought of one password allowing access to ALL of your passwords, or at least the credentials protected by that one MASTER password.
You could always treat your password like your toothbrush and change it regularly for your own peace of mind, keeping it just as complicated. But given that many password managers store everything in a database file, if a copy of that file is obtained and the original left intact, the owner may not even know a copy has been taken, and the file and the ‘target’ (victim) could be left open to a brute force attack in the attacker’s own time, provided the attacker knows which application created the database file.
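As an added illustration of the two points above (example code written for this post, not taken from it or from any particular password manager), the snippet below models a generic composite key: the database key is derived from the master password, optionally combined with a hash of the key file, and stretched with PBKDF2 so that each guess against a copied database file costs a fixed amount of CPU work. The `password_keyspace` and `expected_offline_seconds` helpers are my own assumptions for reasoning about how long an attacker holding a copied database would need at a given per-guess cost.

```python
import hashlib
import os
from typing import Optional

# Generic model of a password manager's "composite key" (an assumption for this
# example, not any specific product's file format): the database key is derived
# from the master password, optionally combined with the key file's hash, and
# stretched with PBKDF2 so every guess against a copied database costs real CPU time.
DEFAULT_ITERATIONS = 600_000


def keyfile_digest(keyfile_bytes: bytes) -> bytes:
    """Second factor: only the exact key file contents reproduce this digest."""
    return hashlib.sha256(keyfile_bytes).digest()


def derive_db_key(master_password: str, salt: bytes,
                  keyfile_bytes: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Return the 32-byte key that encrypts the database."""
    material = hashlib.sha256(master_password.encode("utf-8")).digest()
    if keyfile_bytes is not None:
        # Without the key file the key cannot be rebuilt even with the right password.
        material += keyfile_digest(keyfile_bytes)
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations, dklen=32)


def password_keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords implied by a given length and character set."""
    return charset_size ** length


def expected_offline_seconds(keyspace: int, seconds_per_guess: float) -> float:
    """Expected time for exhaustive offline guessing (half the keyspace on average)."""
    return keyspace * seconds_per_guess / 2


if __name__ == "__main__":
    salt = os.urandom(16)  # stored unencrypted in the database header
    keyfile = b"constructed key file contents"  # constructed sample; normally random bytes
    key = derive_db_key("correct horse battery staple", salt, keyfile)
    print("database key:", key.hex())
    # Raising the iteration count raises seconds_per_guess proportionally.
    days = expected_offline_seconds(password_keyspace(26, 8), 0.2) / 86400
    print("8 lowercase letters at 0.2 s/guess: about", round(days), "days")
```

The key file only helps if it is never stored alongside the database copy the attacker obtained, which is why it belongs on a separate device.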
Another option could be to have multiple password managers for different categories of account, such as Social, Personal, Business, Internet, Shopping, Finance and so on. But does that defeat the purpose of a password manager, having multiple password managers with multiple MASTER passwords to save having multiple passwords in the first place…?
Maybe I have answered my own question whilst writing this article. Two-factor authentication does make me feel more comfortable than just a MASTER password, and I do agree that unique individual passwords protected by one STRONG MASTER password combined with a key file, enabling two-factor authentication, is more secure than a bunch of the same, or similar, weak passwords.
Is it time to use password managers…? Let us know your thoughts.