
Cyber Security:

Password Managers

It is possible to create your own strong passwords, but it can sometimes be difficult to remember each one, especially if you use a number of online services. The Rolodex was the information system of the 80s. Nowadays filing sensitive information in a place that is portable, secure and easy and quick to access is done via a password manager. A password manager stores the password and the site it applies to.

A password manager is an application (program) that runs on your computer, phone or tablet - storing passwords for you in a virtual portable filing cabinet on your device. Using a password manager makes your life much simpler because, rather than having to remember a multitude of passwords, you only need to remember a single password and the computer does the rest.

Very simple password managers allow stored passwords to be copied and pasted into login boxes.

More sophisticated managers let users launch and log in to an application or website by clicking on their entry in the manager itself.

Some password managers include browser 'plug-ins' so that you can complete a login on a web page simply by pressing a button.

Password Generation Facilities

The majority of password managers also offer password generation facilities. They have no problems creating passwords that are highly resistant to both brute force and dictionary attacks.

Computers can generate and then file away arbitrarily long pieces of nonsense text, such as:

MHpKQCvpYoouTAaPiiWuFKjpNe7qnsbwkrvq3s3cX
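
One way such a generation facility can work, added here as an illustration and not taken from any of the products discussed on this page. The symbol set and the function names are assumptions.

```python
import math
import secrets
import string

LETTERS_DIGITS = string.ascii_letters + string.digits  # 62 characters
SYMBOLS = "!#$%&()*+-.:;<=>?@^_"  # constructed sample set; sites differ


def generate_password(length=24, symbols=SYMBOLS, require_classes=True):
    """Return a random password drawn from the operating system's CSPRNG.

    Candidates that miss a required character class are thrown away and
    redrawn (rejection sampling), so every accepted password is equally
    likely. Forcing a digit or symbol into a fixed position would not be.
    Pass symbols="" for sites that only accept letters and digits.
    """
    alphabet = LETTERS_DIGITS + symbols
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if symbols:
        classes.append(symbols)
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_classes or all(
            any(ch in cls for ch in candidate) for cls in classes
        ):
            return candidate


def entropy_bits(length, alphabet_size):
    """Upper bound, in bits, on the guessing work for a uniform random string."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    size = len(LETTERS_DIGITS + SYMBOLS)
    print(pw, f"(about {entropy_bits(len(pw), size):.0f} bits)")
    # A 41-character string of letters and digits, like the one shown above:
    print(f"{entropy_bits(41, 62):.0f} bits")
```
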

Safety when using a Password Manager

Since a password manager contains a great deal of extremely valuable information it represents an attractive target for an attacker.

Before choosing a manager you should check that:

The password manager itself requires a password to use it. This prevents an attacker simply starting the password manager and accessing your passwords.

The password manager should lock itself after a period of inactivity. This stops an attacker accessing the passwords if you have previously used the password manager and then left your machine unattended.

The passwords themselves should be encrypted on your computer. This prevents an attacker reading your passwords without needing to open the password manager.

Web-Browser storage of passwords

Most modern web browsers offer to remember passwords when you enter them into web forms, providing password management for websites you visit using the browser. This can be very convenient for frequently visited sites where you regularly have to enter details.

The security of this password storage is strong, and your data will not be visible to casual inspection, but you should be extremely careful using it on any computer that you do not own or have sole control of, since your data will be stored on the machine and could be misused by another user or an administrator.

You should only consider using a browser's password storage on a machine that you are the sole user of, or one where you entirely trust the other users.

Under no circumstances should you store passwords in the browsers of public machines in places such as cafes, libraries and workplaces.

Alternatives to a browser's password management are dedicated password management applications.

Additionally, make sure you select a very strong password for controlling access to the password store.

This will minimise the risk of attackers having access to your passwords, even if they do manage to steal the encrypted password store, either from your machine or from online storage provided by the password manager software.

Choosing a product to manage your passwords

You need to carefully check that the software meets your requirements.

You need to get the answers to a few questions before purchasing a system:

Is the software available for your computer?

Does it manage passwords on one machine or more than one computer?

Can it synchronise passwords between multiple machines?

Does it have a good reputation? Don't depend on anecdotal evidence. You should check that the password manager's security functionality has been evaluated by a reputable independent organisation that has the ability to understand and test how such software works. It is easy for dodgy systems to fill the internet or Facebook with recommendations for themselves! The product needs to have been properly assessed.

For example:

Balance of Risk

When you evaluate using a password manager consider the balance of risk.

A password manager only requires you to memorise a single secure password.

All the other passwords it looks after can be long, unique strings of random characters, for example:

Dyet%eb5YT%^ahyrp)(nd.

This is much more secure than using a paper notebook – thieves breaking into a house or office look for password notebooks. Notebooks also get dropped or left on the train!

Some examples of password manager applications are:

LastPass is available for a range of operating systems, including mobile devices. It can generate and store passwords, and manage them across multiple devices.

1Password is available for Windows and Mac computers as well as mobile devices running iOS, Android and Windows Phone. As well as generating and storing passwords, 1Password can be used to hold other confidential documents. It offers password synchronisation through the free Dropbox cloud service where encrypted copies of all 1Password data are shared between your machines.

KeePass is available for Windows, Mac and Linux operating systems. It is an open source password manager, which makes it easier for security experts to check its program code and identify potential security problems.

Your Master Password

The protection offered by a password manager is only as good as the password you select to control access to it – the 'master password'. Therefore, make sure to select a long, hard to guess password – ideally a phrase or combination of random words. This will prevent attackers from getting access to all of your passwords, even if they steal the password store from your machine or an online password system.
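
How a master password can unlock a store without ever being saved in it, as an added example that is not code from LastPass, 1Password or KeePass. The iteration count, the record layout and the function names are assumptions, and the step that encrypts the entries with the derived key is left out.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; higher makes every guess slower


def _derive(master_password, salt, iterations):
    """Stretch the master password into an encryption key and a verifier."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=64
    )
    return material[:32], material[32:]  # (encryption key, verifier)


def create_vault_header(master_password, iterations=ITERATIONS):
    """Build the record kept on disk beside the encrypted entries.

    Only the salt, the iteration count and the verifier are stored. The
    master password and the encryption key are never written out.
    """
    salt = os.urandom(16)  # random per store, so identical passwords differ
    _, verifier = _derive(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(master_password, header):
    """Return the 32-byte encryption key, or None if the password is wrong."""
    key, verifier = _derive(master_password, header["salt"], header["iterations"])
    if hmac.compare_digest(verifier, header["verifier"]):  # constant-time check
        return key
    return None


if __name__ == "__main__":
    header = create_vault_header("maple-anchor-violin-comet")  # constructed sample
    print(unlock("maple-anchor-violin-comet", header) is not None)  # True
    print(unlock("password1", header))                              # None
```

Anyone holding a copy of the header can test guesses against it at the cost of one key derivation each, which is why a long master password matters even when the store is encrypted.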

Password managers are a prime target for hackers, and occasionally hackers have managed to find ways of attacking them. It is therefore very important that you have a very strong password and that such software is always kept up to date.

For example, in June 2015 attackers were able to steal a large number of password stores from LastPass, putting those users with very weak master passwords at risk of having all their passwords used by hackers. In September 2019, another vulnerability was discovered in LastPass by a Google Project Zero researcher. This was fixed almost immediately by LastPass in an update.

Problems with Password Management

Forgetting the master password is a real problem: all of a sudden all of your passwords are unavailable. Whether you simply forget, or your memory lapses because of illness, age and stress, you would lose access to vital online facilities.

If your password manager's data file falls into the hands of criminals you need to hope your password is strong, otherwise all of your passwords are accessible to hackers.
