Manipal Information Security Team
CyberManipal

The Efficacy of Password Managers

Manipal Information Security Team
·Nov 13, 2021·

Introduction

A password manager is software that generates long, unique, high-entropy passwords, stores them in encrypted form, and manages them for you. Have I Been Pwned has collected a total of 11.6 billion breached records, which is more than the entire population of the Earth.

The 2019 Google online security survey found that 52 percent of respondents reuse the same password across multiple accounts. This signals a strong need for password managers to help users manage their passwords.

How do they function?

Password managers act as a digital vault for your passwords. Based on how this vault is managed, they are broadly classified into three types.

  • Offline PMs: Locally installed password managers store the data on your device in an encrypted file. If you have a strong master password, breaching your data will require strenuous effort, since brute-forcing strong encryption is extremely time-consuming; getting hold of the device might be the attacker's only option. Using an offline password manager on multiple devices can be risky, since syncing them means putting your vault online, which in turn means your data can become accessible to third parties.

  • Cloud-based PMs: Here the vault is uploaded to a cloud platform, where your passwords are held in encrypted form on the service provider's network. Passwords are auto-filled by browser extensions or smartphone applications, so they can be accessed quickly from anywhere. Many leading password managers use a zero-knowledge security model: the vault is encrypted on your device with a key derived from your master password, so the password manager you use knows your passwords but the company providing the software holds only ciphertext it cannot read.

  • Token-based PMs: In this scenario a piece of local hardware (usually a flash drive) contains a key that unlocks a particular account. These are also known as stateless password managers, since there is no password database: the password manager creates the tokens every time a login happens, so nothing needs to be synchronised. You can lose access to your passwords if you lose the device.
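As an added example that is not part of the original post, the following Python script (standard library only) shows the mechanics behind the offline and zero-knowledge models described above: a high-entropy password generator, a key stretched from the master password with PBKDF2 and a random salt, and an encrypt-then-MAC vault blob that can be stored on disk or uploaded without revealing its contents. The function names, the 100,000-iteration work factor and the master password are assumptions for the demonstration; the HMAC-in-counter-mode stream cipher is a teaching construction, not a substitute for a vetted library such as libsodium or `cryptography`.

```python
import hashlib
import hmac
import json
import math
import os
import secrets
import string
from typing import Dict, Optional, Tuple

# Constructed demonstration of an offline, zero-knowledge style vault. The cipher
# (HMAC-SHA256 as a PRF in counter mode) plus a separate HMAC tag is a teaching
# construction; real password managers use a vetted AEAD and a memory-hard KDF.

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
PBKDF2_ITERATIONS = 100_000  # assumption: a work factor that is slow but tolerable on a desktop


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character with the CSPRNG in `secrets`, never with `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly generated password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into a 32-byte encryption key and a 32-byte MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based keystream (teaching construction)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def seal_vault(master_password: str, entries: Dict[str, str]) -> Dict[str, str]:
    """Encrypt-then-MAC the vault; the returned blob is safe to store on disk or upload."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def open_vault(master_password: str, blob: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the entries, or None if the password is wrong or the blob was tampered with."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ciphertext"]), bytes.fromhex(blob["tag"])
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time compare; verify before decrypting
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def demo() -> Dict[str, object]:
    """Correct master password opens the vault; a wrong one or a tampered blob does not."""
    entries = {"example.com": generate_password(20), "mail.example": generate_password(24)}
    master = "correct horse battery staple"  # constructed master password for the demo
    blob = seal_vault(master, entries)
    last = blob["ciphertext"][-2:]
    tampered = dict(blob, ciphertext=blob["ciphertext"][:-2] + ("11" if last == "00" else "00"))
    stored = bytes.fromhex(blob["ciphertext"]).decode("latin-1")
    return {
        "opened": open_vault(master, blob) == entries,
        "wrong_password": open_vault("wrong password", blob) is None,
        "tampered": open_vault(master, tampered) is None,
        "entropy_20": round(entropy_bits(20), 1),
        "site_name_visible_in_blob": "example.com" in stored,  # what the provider could read
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The salt, nonce, ciphertext and tag are the only things a cloud provider would hold; without the master password they cannot be turned back into entries, which is the zero-knowledge property. The same script also illustrates the keylogger risk from later in the post: anyone who learns the master password can open the blob exactly as `open_vault` does.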

Why use Password Managers?

  • Attacks such as phishing, brute force, malware and social engineering can be mitigated by using a password manager

  • Passwords are stored in encrypted form, making them less susceptible to attacks

  • Features such as local storage, cloud storage, 2FA and a fail-safe function improve your experience

  • The auto-fill feature reduces password chaos and increases productivity. It also discourages reusing the same password across accounts.

  • Enables easy and secure password sharing, since many people share credentials with family and friends

Why to stay away from them?

  • Lack of clarity about the service and its implementation, the guarantees offered, privacy policies, and third-party involvement makes password manager offerings inconsistent
  • If you lose the master password, recovering the other passwords is a tedious process
  • If an attacker installs a keystroke logger (which records what is typed on the keyboard), the master password can be captured, endangering every other password in the vault

An expectant future

Researchers still advocate using password managers because, after scrutinising hundreds of security breaches, poor password hygiene has been shown to be the root cause of password compromise. Moving to a password manager takes a little time and patience, but once you do so there will be no going back. Taking some time to research your options and migrate to a password manager will soon be key to a secure digital life.

And, more importantly, you would not have to worry yourself sick the next time a company announces a database breach.

Written by S.Krishnan
