Password Managers Address the Cybersecurity Problem
10 June, 2015
category: Corporate, Digital ID
Individuals and companies rely on a virtual alphabet soup of usernames and passwords to protect their assets and personal information online. But it can be difficult to keep track of login information for a multitude of sites and networks, especially when security standards dictate that users maintain a different complex password for every site and reset passwords regularly.
Enter the password management system – a software application or service that helps users keep track of all of their logins, usually by securing them under a single master password. Some password managers can generate unique, strong passwords for the user, and others even log into websites automatically, eliminating the need to remember or enter the passwords in the future.
“There’s always a tradeoff between security and convenience, but password managers are one of those rare tools that makes you more secure and makes life easier,” says password security expert Jeremi Gosney, CEO of Sagitta HPC, a firm offering password-cracking services. Gosney is also a co-founder of the hacker conference PasswordsCon.
Though there’s been talk about the death of passwords, password management companies maintain that the age-old method continues to be the principal form of authentication for both individuals and enterprises, even as multi-factor authentication gains acceptance.
“The reality is that it will take decades to see the end of passwords. Companies need to be proactive now,” says Joe Siegrist, CEO and co-founder of LastPass, a password management tool.
Despite their drawbacks, passwords remain because they are simple for an enterprise to set up as an authenticator, and they’re easy to maintain as well. Not every institution has the resources to incorporate biometric authentication or a two-factor system. “Passwords are still the most cost-effective security solution on the market,” says Amber Gott, marketing manager for LastPass.
Data storage methods vary
There are a number of companies offering password management systems, and for the most part there’s very little to separate them. Typically these companies employ one of three different approaches to how they store data.
Security expert: Complexity negates password strength
Anyone who’s ever had to create or change a password probably learned at some point that a strong password includes a hard-to-remember combination of numbers, symbols and letters of different cases.
But according to password expert Jeremi Gosney, it doesn’t have to be that way. In fact, it probably shouldn’t be that way. “The more complex a password is, the weaker it is,” says Gosney, CEO of Sagitta HPC, a firm offering password-cracking services, and co-founder of the hacker conference PasswordsCon.
Hackers can apply algorithms to figure out pretty much any short password made of numbers and symbols. If that is the case, he asks, why choose one that could never be remembered? A much better idea, he says, is to come up with a long password that combines three or four unrelated words. Such a passphrase can be as strong as a truly random series of characters, yet still possible to recall.
He suggests that the best way to choose this passphrase is a method known as Diceware, which uses dice rolls (real or virtual) to pick the words at random from a word list for you.
“If you go try to generate your own complex password, you’re going to come up with a password that’s hard to remember, but still really easy for us to crack,” Gosney says.
The key is randomness. As long as those three or four words are chosen completely at random, the password is more difficult for a hacker to crack, Gosney says.
And beyond that, it’s a lot easier to remember four words than 15 numbers and symbols.
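To make the sidebar’s argument concrete, here is an added example (not code from the article, Gosney, or the Diceware project) that picks words the way Diceware does and compares the resulting entropy with that of a random character password. The word list below is a constructed stand-in for the real 7,776-word Diceware list; the entropy figures assume every word (or character) is chosen uniformly at random, which is exactly the property Gosney says matters.

```python
"""Diceware-style passphrase generation with an entropy comparison.

Added example; not code from the original article. The word list is a
small constructed stand-in for the real Diceware list.
"""
import math
import secrets

# Constructed stand-in for a Diceware word list. The real list has
# 7776 = 6**5 entries, one per five-dice roll; any list works as long
# as words are selected uniformly at random.
SAMPLE_WORD_LIST = [
    "anvil", "bishop", "cactus", "dinghy", "ember", "falcon", "gravel", "hollow",
    "ignite", "jersey", "kettle", "lumber", "marble", "nectar", "oyster", "pillar",
    "quartz", "ripple", "saddle", "timber", "umpire", "velvet", "walnut", "yonder",
]

DICEWARE_LIST_SIZE = 6 ** 5   # 7776 words in the real list
PRINTABLE_ASCII = 95          # symbols available to a random character password


def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols, each drawn uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def roll_dice(n=5):
    """Simulate n six-sided dice with a CSPRNG; returns a string such as '31562'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def diceware_index(roll):
    """Map a five-dice roll (digits 1-6) to a 0-based index into a 7776-word list."""
    index = 0
    for digit in roll:
        index = index * 6 + (int(digit) - 1)
    return index


def generate_passphrase(words, count=4):
    """Pick `count` words uniformly at random from `words`.

    secrets.choice is the important part: hand-picking words you like, or
    using the non-cryptographic random module, undermines the entropy estimate.
    """
    return " ".join(secrets.choice(words) for _ in range(count))


def compare(words_in_list=DICEWARE_LIST_SIZE, word_count=4, char_length=8):
    """Entropy of a Diceware passphrase next to a random printable-ASCII password."""
    return {
        "passphrase_bits": round(entropy_bits(words_in_list, word_count), 1),
        "random_chars_bits": round(entropy_bits(PRINTABLE_ASCII, char_length), 1),
    }


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORD_LIST))
    print(compare())
```

With the full Diceware list, four words give about 51.7 bits of entropy, roughly the same as eight truly random printable characters (about 52.6 bits), which is the sense in which the passphrase is “as strong” while remaining memorable. Note that the small sample list above yields far less entropy per word (about 4.6 bits), so a real passphrase should come from the full list.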
The systems can be cloud-based, PC-based, or built into a Web browser that keeps an encrypted database on the PC. Most password management systems offer a free version and a paid version, as well as a distinct system for consumers and another for enterprises.
Cloud-based password managers have become more prevalent in recent years, with the notable advantage being the added convenience that the cloud offers. “You don’t have to do anything to sync devices,” Gosney says. A user could log in to a cloud-based system from any location using the device of choice, and all of the password information would be right there.
“Say your computer crashes. You don’t have to worry about it because everything is stored in the cloud, so it’s automatically backed up for you,” Gosney says.
The advantage of local, or PC-based, password managers is that the security of the database is completely in the user’s control. Some are hesitant to allow this treasure trove of login data to leave their possession. That control, however, could be a disadvantage for someone who isn’t very security conscious, says Gosney.
Local solutions tend to be less feature-rich than cloud alternatives. “It’s the bare-bones functionality that you would expect from password management. And some people like that,” Gosney says.
Another drawback of PC-based systems is that they don’t readily sync with other devices. Although some platforms offer a plugin that enables syncing, modern users who access services from multiple devices and locations are likely to find this added step burdensome.
The advantage of a browser-based password manager is that there is no software to install: a pop-up appears asking whether the user wants to save the password. The downside, Gosney says, is that while the operating system is running, the password database is open for anyone at that computer to see. “It’s very convenient, but it’s not secure,” he says.
Many password managers come equipped with a number of features such as two-factor authentication, the ability to fill out online ordering forms with personal data, and a security checkup option that can see if any accounts have been compromised or if duplicate or weak passwords are being used.
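The “security checkup” described above is simple enough to sketch. The following is an added example, not code from the article or from any password manager vendor: it runs over a constructed sample vault and flags passwords reused across sites, passwords below a length threshold, and passwords found in a small constructed list standing in for a breached-password list (a real checkup would consult a much larger one).

```python
"""Vault 'security checkup': flag reused, short and known-bad passwords.

Added example, not from the article or any password-manager vendor.
All data below is constructed for illustration.
"""
from collections import defaultdict

# Constructed sample vault: (site, username, password). A real manager
# keeps these encrypted under the master password; the audit runs on the
# decrypted entries inside the manager.
SAMPLE_VAULT = [
    ("mail.example.com", "alice", "Summer2015!"),
    ("bank.example.com", "alice", "Summer2015!"),
    ("forum.example.net", "alice_f", "password"),
    ("shop.example.org", "alice", "umpire velvet walnut ember"),
    ("work.example.com", "a.smith", "x9#Qb2!Lm7&Vz"),
]

MIN_LENGTH = 12

# Constructed stand-in for a list of passwords known from public breaches.
KNOWN_BAD = {"password", "123456", "qwerty", "letmein"}


def reused_passwords(vault):
    """Return {password: [sites]} for every password used on more than one site."""
    by_password = defaultdict(list)
    for site, _user, password in vault:
        by_password[password].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def is_weak(password):
    """Weak if it is too short or appears in the known-bad list.

    Length rather than character-class mix is the criterion, in line with the
    sidebar's point that a long random passphrase beats a short complex one.
    """
    return len(password) < MIN_LENGTH or password.lower() in KNOWN_BAD


def audit(vault):
    """Produce a report of reused passwords and weak entries, in vault order."""
    return {
        "reused": reused_passwords(vault),
        "weak": [site for site, _user, password in vault if is_weak(password)],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    for password, sites in report["reused"].items():
        print("reused on", ", ".join(sites))
    for site in report["weak"]:
        print("weak password at", site)
```

The report never needs to leave the device: both checks run on the local entries, and the known-bad comparison can be done against a downloaded list, so a checkup feature does not by itself require sending passwords to a third party.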