
How Safe Are Password Managers?

How-Safe-Are-Password-Managers-in-2023

Passwords have been the gatekeepers to our digital lives for the last couple of decades, serving as barriers between cyber criminals and our sensitive data; however, as the number of applications we use has increased, so has the number of passwords, making it increasingly cumbersome to remember and manage them. To deal with this problem, many people are turning to password managers, a type of tool that provides a secure way to store and manage multiple passwords. With a password manager, users no longer need to remember a growing list of credentials; instead, they only need to remember how to access their password manager, which requires one master password.

Password managers have indeed surged in popularity over the last few years, with their market expected to reach around $7.09 billion by 2028. However, are password managers as secure as they seem to be? This article looks at these tools and their associated security concerns. We will also cover the risks surrounding password managers and whether they offer a secure alternative for managing access to our digital lives.

What are Password Managers?

Password managers are solutions that strike the delicate balance between security and usability by offering a secure and easy way to store and retrieve passwords for multiple applications. They consist of a password vault in which each credential is securely stored and which can only be opened with a master password. The vault is hardened and protected with industry-grade encryption, making attacks on the vault itself highly difficult. Users store their passwords within the vault and only need to remember the master password, removing the logistical hassle of handling multiple credentials. Password managers can also work transparently in the background and offer to store the passwords of new applications as you visit them. On subsequent visits the password is entered automatically, a function called “auto-fill”.
 
For added protection, password managers often come with a suite of security features, such as the following:
 
  • Secure Storage of Passwords: Password managers use strong encryption to make passwords inaccessible to anyone without the master password. Even when syncing to the cloud, the password manager makes sure that the data is encrypted end-to-end and that the decryption key (i.e., the master password) is not stored by the password manager at any point in time.

  • Multi-Factor Authentication (MFA): MFA is built into some password managers, adding a layer of security over the master password. This prevents unauthorized access by requiring an additional factor such as a biometric, a token, or an authenticator app.

  • Secure Password Generation: Password managers can also generate random, secure passwords so that users do not repeat similar patterns across applications, which would make them susceptible to brute-force attacks.

  • Threat Intelligence: Password managers can provide security alerts that inform users if their password is being sold on the dark web, giving users proactive threat intelligence in the event of a compromise.

Password managers come in a variety of types, but at a high level, they can be categorized as either standalone or browser-based:

Standalone

As the name implies, these are dedicated applications that allow users to store and retrieve their credentials securely. They also let users sync passwords across multiple devices and share them with trusted individuals, such as family members, without revealing the password itself. Additionally, they provide functionality such as password generators and master passwords that is not present in their browser-based counterparts.

Browser-based

This type of password manager integrates with popular web browsers such as Firefox and Chrome and therefore has real-time visibility into users’ browsing activity. For instance, it can detect when a user is visiting a login page and offer to save the login information for subsequent visits. Browser-based managers offer more convenience than standalone ones because of these real-time abilities, such as auto-filling passwords; however, they act as extensions of the browser and can inherit its weaknesses as a result.

Standalone vs. Browser-based

While the high-level functionality remains the same, some essential differences between standalone and browser-based password managers should be considered, especially from a security perspective.

  • Browser-based password managers, while offering more ease of use, can also fall victim to malicious websites that trick them into auto-filling credentials and handing over user passwords. For example, attackers can hide form fields on malicious websites and trick the password manager into entering credentials into them.

  • Browser-based password managers might not have the robust security protocols that standalone password managers employ due to their lightweight nature. They depend on the browser, and if the underlying software is compromised, then the security of the password manager might be as well.

  • Standalone password managers offer better security for the password vault and more advanced security features such as master passwords, password generation, and multi-factor authentication; however, the sheer amount of data they hold can make them a bigger target for cyberattacks.

  • It is also important to note that if the master password of the standalone version is compromised, then the entire password vault is potentially at risk.

  • Standalone password managers can also contain vulnerabilities that may be exploited. Compared to browser-based password managers, standalone ones generally provide more security due to their specialized nature and more focused security features; however, the convenience offered by browser-based password managers makes them easier to use and adopt by a wider variety of users.

Deciding which software to go with depends on the requirements of the user. A standalone password manager has robust security features, making it the preferred choice for someone who prioritizes protection. For those who prefer a seamless experience, it might make more sense to go with a browser-based password manager. Both are good choices and provide excellent security controls for managing and controlling your digital credentials.

How Secure Are Password Managers?

Having looked at what password managers offer, it’s time to consider the big question: how secure are they? People are understandably hesitant to hand their passwords to a tool without knowing how well it resists cyberattacks, so it’s important to understand how safe password managers really are.

Earlier, we looked at the various security features offered by many password managers, such as MFA and encryption; however, it is essential to understand that password managers, like any tool, can contain vulnerabilities. In this section, we look at a few of the key risks that can affect password managers:

  1. Compromise of the Master Password: The master password is the entry point to the entire vault of credentials stored within the password manager. Thus, it can effectively become a single point of failure as well. Cybercriminals know this, and often target the master password to gain access to this data via phishing attacks designed to impersonate master password login pages. Numerous such incidents have been reported with popular password managers like LastPass and Norton LifeLock. Attackers have even leveraged Google Ads to increase the scope of their phishing attacks and target more users.

  2. Underlying Vulnerabilities: Password managers can contain various types of vulnerabilities that cybercriminals can exploit. To illustrate, a vulnerability in KeePass allowed attackers to obtain an unencrypted version of the master key. A successful compromise can allow the attacker to bypass the protection mechanisms and gain access to the password vault.

  3. Cloud Storage Risks: Password managers often use cloud storage to sync the password vault across multiple devices. This storage can become a point of vulnerability, with attackers gaining access to the data by compromising the cloud platform. In 2022, LastPass disclosed that attackers had accessed its cloud-based storage and stolen source code and technical information, which could be leveraged for further attacks.

  4. Exploiting the Auto-fill Functionality: The auto-fill feature can be exploited or tricked into entering credentials on fake websites designed to impersonate a login page. Bitwarden, a popular password manager, disclosed a vulnerability in its auto-fill feature that attackers could use to passively steal login information by embedding hidden login forms on malicious websites.

  5. Malware Attacks: Numerous malware attacks have been explicitly designed to target password managers. The growing popularity of password managers has made them a prime target for cybercriminals, with malware targeting both standalone and browser-based versions. Malware like Luca Stealer Trojan specifically targets browser-based password managers to steal the data stored within them.

Although password managers can fall victim to risks such as these, they are certainly not useless or dangerous. It is essential to understand that no software is 100% secure, and password managers still offer built-in security controls and tremendous benefits. To enjoy these benefits while reducing the risks, it’s important to practice sound security hygiene and follow the guidelines provided by the password manager’s vendor. The next section explores this topic.

How to Secure Password Managers

Password managers provide a convenient solution to password-related woes, making them a powerful tool, but it’s important to be aware of potential risks and take steps to mitigate them. As with any tool, the effectiveness of a password manager hinges on its proper use. Here are some best practices to maximize the security benefits of password managers:

  1. Awareness: Password security begins and ends with user awareness. Users need to be aware of the threats that target password managers and how to protect against them. Companies should hold awareness sessions to educate employees on the phishing attacks that target the master password and how to identify them.

  2. Vulnerability Management: Password managers, like any other software, will inevitably contain vulnerabilities that must be addressed promptly. Companies must have a process for staying informed about password manager vulnerabilities and for applying vendor patches that fix them. This significantly shortens the window in which any weakness can be exploited.

  3. Multi-Factor Authentication (MFA): MFA should be enforced as standard to resist phishing attacks. It is not enough to rely solely on the master password for protection, as it can be a single point of failure. Additional layers of security must be enforced in the form of biometrics, tokens, or authenticator apps.

  4. Threat Intelligence: Companies must stay aware of new attacks targeting password managers, or they may end up falling victim to those very attacks. Cybersecurity teams can subscribe to threat intelligence feeds provided by third-party security companies or by the vendors of password manager tools. This proactive approach provides timely alerts so that companies can take preventative measures against emerging threats.

  5. Back Up the Password Vault: A good security practice is to take regular backups of the password vault to ensure the company is protected against deliberate or accidental corruption. This can be accomplished via the password manager tool and should be tested regularly to ensure these backups work correctly.

  6. Audit the Password Vault: The password vault should be regularly reviewed, and unused credentials should be removed. This housekeeping keeps the password vault lean and efficient and fosters an overall culture of security around it.

The Way Forward

As people are required to use an increasing number of passwords, and cyber threats continue to grow in sophistication, the importance of robust password management cannot be overstated. Organizations continually grapple with ensuring employees maintain strong, unique passwords for each application and platform, and password managers offer a solution to this predicament, centralizing the password management process. Additionally, password managers’ security features and ease of use make them an excellent control to mitigate the risks of password compromise. While they are vulnerable to specific risks, those risks can be mitigated by following the right steps, allowing you to reap the benefits. Password managers, like any tool, will adapt and evolve as the threat landscape changes, and companies should make them a focal point of their cybersecurity strategies going forward.

Thank you for trusting us to help with your technology needs. Contact us any time – we’re always happy to help.

Mike

Meet the Author
Mike Dillon is Quest's Chief Technology Officer.