You can’t do without passwords! A login screen on the PC, the account for online banking, the web order page, the login for the social media network, everywhere you are asked for a password. This password should be as complicated as possible, contain special characters, and not already be used elsewhere.
A requirement that is more like a challenge and poses problems for quite a few users. But the solution is close at hand. There are password managers that present themselves as universal utilities and solve all problems.
Password Manager – No Thanks?
There are several points that speak strongly for the use of password management tools. We can remember three or perhaps ten passwords, but the more complex they become, and the more often they must be changed, the higher the error rate. So we use a tool that stores all the passwords for us. Whether ten or fifty, the tool remembers everything and often offers useful features that simplify everyday IT use.
Features such as the generation of long and complex passwords are offered, as is the automatic entry of data into the relevant form fields when logging in via the browser. The tools also offer service functions such as a thematic grouping or a reminder every n days that it is advisable to change the password.
If the password base is also hosted in the cloud or at another online resource, it can even be accessed across the board. So passwords can be used elegantly even on a tablet or smartphone. And instead of having to remember a multitude of passwords, one master password is all that is needed to access these convenience features.
It’s a great thing, and a variety of experts also advise password managers, as they greatly improve the use and handling of passwords, contributing to improved IT security!
What’s wrong with password managers?
But where there is light, there is also shadow and there are voices that are skeptical about the use of a password manager. The concerns that other experts have against password managers are not without merit and are worthy of detailed consideration.
Forgetfulness: What happens if you forget a password? In the worst case, you can no longer use a service. But if you forget the master password of your password manager, access to all of your services is in question. In the end, you usually have no choice but to reset and re-enter your data!
It is good if you still have the data stored in an alternative location, because otherwise you are in an even worse position. You may also be able to avoid the worst case if the tool supports other authentication methods (for example Touch ID). The product 1Password deserves mention here as an example that deals with this problem in great detail.
Jackpot for hackers
The password is the key to your own online identity. Anyone who acquires it can easily commit identity theft and take over the victim’s online identity, with all of its authorizations. One may assume that the manufacturers of password managers have thought about secure storage and that something like a one-way hash function (OWHF) is a basic standard. But in these days of rentable computing power, a brute-force attack may well be feasible in a manageable amount of time.
This consideration is not new, but once the master password is cracked, the way is open for the hacker: not just to one password, but to all passwords, access codes, ID numbers, and other data stored in the password manager.
The proof-of-concept attack on KeePass by Hazzy (The Grumpy System Administrator) from January 2017 shows how this can be done even with PowerShell. The average user is unlikely to be confronted with this problem as a rule, but company boards of directors, senior state officials, and other people whose data is of interest to third parties increasingly are.
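As an added illustration that is not part of the original article, the following Python snippet stretches a master password with PBKDF2-HMAC-SHA256 (an assumed KDF; each product chooses its own) and estimates how a work factor of 600,000 iterations changes the expected brute-force time for an 8-character master password. The guess rate of 10^10 plain hashes per second on rented hardware is an assumption chosen for the example, not a figure from the article.

```python
import hashlib
import math
import time

# Constructed parameters for this example; real products choose their own.
ITERATIONS = 600_000       # assumed PBKDF2 work factor
FAST_HASH_RATE = 1e10      # assumed plain-hash guesses/s on rented GPU hardware


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def kdf_guess_rate(fast_hash_rate: float, iterations: int) -> float:
    """Each PBKDF2 guess costs roughly `iterations` HMAC-SHA256 evaluations."""
    return fast_hash_rate / iterations


def measure_local_rate(iterations: int, samples: int = 5) -> float:
    """Measure how many derivations per second this machine manages (illustration only)."""
    salt = b"constructed-salt"
    start = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"guess{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    bits = keyspace_bits(94, 8)  # 8 characters drawn from printable ASCII
    plain = expected_crack_seconds(bits, FAST_HASH_RATE)
    stretched = expected_crack_seconds(bits, kdf_guess_rate(FAST_HASH_RATE, ITERATIONS))
    print(f"8-char master password : {bits:.1f} bits")
    print(f"plain SHA-256 storage  : {plain / 3600:.1f} hours")
    print(f"PBKDF2 x{ITERATIONS}    : {stretched / 86400 / 365:.0f} years")
    print(f"this machine derives ~{measure_local_rate(ITERATIONS):.1f} keys/s")
```

The iteration count multiplies the cost of every guess, which is why a slow, salted key derivation rather than a bare hash is what makes the master password resistant to rented computing power.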
Stored in the cloud
There is no doubt that central storage of a password database in the cloud has some advantages. Global access, from any location with any authorized device, is foremost among them. But how do you access the data if the hosting provider is currently unavailable? How do you find out the PIN for your business credit card if you can’t connect to the WWW? How secure is the data connection? Is a VPN established, and can one be sure that the local access point for Internet access is secure?
In times when digital warfare is constantly being developed and hacking systems has almost become a kind of national sport, these are questions that need to be asked! Because without an available and secure infrastructure, a central password base can quickly become an own goal.
Due to a suspicion of espionage, the U.S. government wants to ban the products of the Russian manufacturer Kaspersky Lab from the offices of federal agencies. Kaspersky rejected the accusations as unfounded and countered with a rebuttal.
The most important criterion for manufacturers of security software is the trust of the customer. Customers trust that everything is secure, works as well as possible and that no backdoors have been implemented. As a rule, verification is out of the question because the source code is not published; open source is the notable exception here.
So you use the software and trust that no cheeky programmer has built in a backdoor and that no one but you can access the data stored in the password base. You also trust that the company producing the password manager will not be asked by a third party to “support” you. But in IT, too, the presumption of innocence applies: as long as nothing happens, one will trust the manufacturer.
At the beginning of last year, the Fraunhofer Institute reported on the results of a working group that analyzed the security of password managers under Android. The result was surprising because everything from implementation errors to the storage of passwords in plain text was represented.
In the meantime, these errors have been fixed by the manufacturers, but Android users are not the only ones wondering how something like this could happen!
But what about the applications for PCs running Linux, OS X, and Windows – was more care taken with the programming there and was the Android effect an unfortunate circumstance?
Usually, a password manager comes bundled with an anti-malware suite for good measure, or you download it from the WWW. Unfortunately, it is not yet the norm for companies to provide verified tools for their employees. The integrity of the password manager also depends on the integrity of the system it runs on!
Using a password manager while a keylogger is running undetected in the background makes little sense unless the password manager uses techniques to circumvent keyloggers. But who checks the integrity of the systems with additional tools, and who checks that no dongle has been placed between the keyboard and the system unit before the password manager is installed?
Who makes sure that everything is working properly? If the password base is stored locally, who checks the health indicator of the hard disk or SSD? A destroyed or corrupted password base has the same consequences as a forgotten master password: all entered data is lost.
Conclusion: Not only advantages!
As you can see, on closer inspection a password manager not only has advantages to offer but can also become a problem itself. In general, however, the use of a password manager is absolutely to be advocated, and the security functions it provides outweigh the negative side effects! However, to ensure that passwords are stored securely in the long term and remain accessible only to authorized persons, the following ten basic rules should be followed! Ideally, the guidelines should be set and monitored by the CISO.
- Do not use just any password manager, but a tool that is supplied by a company that also offers further development, troubleshooting and support.
- When using the tool in the company, make sure that it is used consistently and that internal quality guidelines are applied. Check whether the tool has certifications or whether you can get access to the source code, e.g. in the case of open-source software. Ensure a periodic backup of your password database and timely synchronization to other devices.
- Print out your current data once every quarter and keep the printout in a place where it is protected from access (destroy old printouts).
- Before using a password manager, ensure a solid security check of the device on which the tool is installed.
- Follow the trade press to see if there are any security incidents reported for the tool and how the manufacturer reacts to them.
- Check if there are user groups (board of directors) in the company for which a password manager is not suitable and provide alternatives.
- Provide basic training for the tool and, depending on the tool, advanced training to reduce the risk of user misuse. Ideally, the tool should also be available in the respective country-specific native language.
- If the password base is stored in the cloud, test and document alternatives for how you can still obtain your credentials if access is not available (if necessary, via a temporarily stored local copy).
- Define a process for what to do if the user loses their master password.