Password Managers Address the Cybersecurity Problem
10 June, 2015
category: Corporate, Digital ID
Cloud versus PC
LastPass helped pioneer cloud-based password management, says Gott. It helps users remember any information they want to store digitally, back up or encrypt – everything from passwords to credit card numbers to membership information for airline mile cards. It facilitates automatic form filling while securing notes and other digital information. “It really helps you manage your online life,” she says.
LastPass syncs through the cloud, but the master password never leaves the user’s device.
A recent feature automatically changes passwords on behalf of the user at the more than 70 supported websites.
For instance, if a user wanted to change their online login information for Home Depot’s website following a data breach, LastPass would go to homedepot.com, go to the account settings page, create a new password and save all the changes. “We want to make the chore of changing passwords as easy as possible,” Gott says.
Whereas many of the newer password managers default to the cloud for storage, password manager RoboForm stores information on a user’s PC with the option of storing it in the cloud. RoboForm has been around since 1999, making it one of the older password management systems.
“There was no cloud when we first started,” says Bill Carey, vice president of marketing for Siber Systems Inc., the software company that offers the RoboForm platform.
A user can run RoboForm in “desktop mode” just on a computer, or in “everywhere mode,” which puts a copy of the information in the cloud so that you can sync with other devices. “We like giving people the option of where to put their data. We think that’s important,” Carey says.
RoboForm creates a browser file that’s similar to a bookmark that keeps track of all of the websites you log into regularly. If you were to click on “Facebook” in that list of logins, RoboForm would take you to the Facebook website, enter your username and password and then click the submit button for you. “It’s kind of like having bookmarks on steroids,” Carey says.
Many password managers offer both free and premium versions for personal and commercial use, with paid versions typically running from $20 to $30 per year, per user.
“I think it’s very important for password managers to have a free option so users can touch and feel and see how they work. Because once you have a password manager, you won’t go back to the old way of doing things,” Carey says.
While newer password managers are taking passwords to the cloud and securing a host of other personal information, one of the innovators in the space prefers to maintain a minimalist approach.
Technologist Bruce Schneier created PasswordSafe more than a decade ago as a simple and free way for users to store and track their passwords. Since then, he intentionally hasn’t added any features to the solution, even as other systems are doing just the opposite. “The more complicated ones have security issues,” says Schneier, who is now chief technology officer of Co3 Systems, which makes incident response coordination software.
The concept of PasswordSafe is simple: A user puts all of the passwords in a database and encrypts it with a single, master password. There is only one version of PasswordSafe for both consumers and companies, and it is free. “It stores passwords. It creates passwords. That’s it,” he says.
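The model described above, and the earlier point that the master password never leaves the user’s device, can be shown in a few dozen lines. The following is an added illustration, not code from PasswordSafe, LastPass or any product named here: it stretches a master password into keys with PBKDF2 (the iteration count is an assumed work factor), encrypts the serialized vault, authenticates it with an HMAC tag so a wrong master password or a tampered file is rejected rather than silently yielding garbage, and shows that the blob a sync server would receive contains neither the master password nor any stored password. Because it uses only the Python standard library, the cipher is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC; a production vault should use a vetted AEAD (AES-GCM or ChaCha20-Poly1305) from a maintained library instead.

```python
import hashlib
import hmac
import json
import secrets

# Assumed PBKDF2-HMAC-SHA256 work factor for this illustration; tune for your hardware.
KDF_ITERATIONS = 600_000


def derive_keys(master_password, salt):
    """Stretch the master password into independent encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key, nonce, length):
    # HMAC-SHA256 used as a PRF in counter mode: block i = HMAC(key, nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(master_password, entries):
    """Encrypt a dict of site -> credentials. The result is what gets synced."""
    salt = secrets.token_bytes(16)   # per-vault KDF salt
    nonce = secrets.token_bytes(16)  # per-encryption nonce; never reuse with the same key
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    # Encrypt-then-MAC over everything the receiver will trust.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {
        "salt": salt.hex(),
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": tag.hex(),
    }


def open_vault(master_password, blob):
    """Verify the tag, then decrypt. Raises ValueError on wrong password or tampering."""
    salt, nonce, ciphertext, tag = (
        bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ciphertext", "tag")
    )
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return json.loads(plaintext.decode("utf-8"))


def sync_payload_contains(blob, secret):
    """What a sync server could see: does the serialized blob contain this string?"""
    return secret in json.dumps(blob)


if __name__ == "__main__":
    # Constructed sample vault; credentials are placeholders.
    vault = {"homedepot.com": {"user": "alice", "password": "Tq7!x-RemainSilent"}}
    master = "correct horse battery staple"
    blob = seal_vault(master, vault)
    print("synced blob leaks master password:", sync_payload_contains(blob, master))
    print("round trip ok:", open_vault(master, blob) == vault)
    try:
        open_vault("not the master password", blob)
    except ValueError as exc:
        print("wrong password rejected:", exc)
```

Everything the server stores is in the blob returned by `seal_vault`; the master password is used only locally to derive keys, which is the property the article attributes to cloud-synced managers. The tag check runs before any decryption, so a wrong password fails closed instead of producing a corrupted vault.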
Schneier says adding more features such as auto fill of address pages or the ability to move passwords between devices, could introduce a host of security risks. “There are lots of options I could have added and decided not to, very deliberately,” he says.
Is password management enough?
When it comes to choosing a password management system, some enterprises might be willing to trade convenience for better security, or vice versa.
Gosney recommends taking a risk-based approach, cautioning that adding more steps to the user’s normal workflow means they likely won’t use it. “You don’t want a password manager to be an extra step or a burden. One or two extra steps tends to be one or two too many,” Gosney says.
Carey believes a password management system can solve the same problems for enterprises that large, integrated single sign-on solutions can, but for a fraction of the cost. That’s because password management systems are designed to sit on top of a company’s existing software, he says.
In addition, a company would have to tweak its entire infrastructure in order to work with a complex single sign-on engine, whereas a password management system can be installed and be fully functioning the same day.
“You can be up and running with a password management system in days, as opposed to months with a single sign-on solution,” Carey says.
Gott adds that organizations using a single sign-on system can still benefit by pairing it with password management. The secondary system can help to fill in any gaps – sites or services – not covered via single sign-on.
And while two-factor authentication might be ideal, Gott contends that changing the way people authenticate on a massive scale will take a long time. The password, she stresses, isn’t going anywhere anytime soon.
“If companies want to protect their assets and profits, they need to invest in a password manager because the reality is that passwords are still the primary form of authentication,” she says.