The Risks and Rewards of Password Managers

The Risks and Rewards of Password Managers

July 15

Password managers have been around for a while, but are becoming more popular as each of us create more online profiles. It’s not uncommon for a person to have dozens of logins that enable access to financial institutions, online stores, and social media sites like Facebook, where even more of our personal information is stored.

Password managers promise to help manage the plethora of data by keeping it in one place as well as generating strong passwords to accompany each login. All you have to do is remember the master password, and the password manager will do the rest.

But what happens if the password manager suffers a security breach?

That’s exactly what happened last month to LastPass, a popular, cross-platform password manager. It’s bad enough when one of your accounts is compromised, so you can imagine the collective concern when LastPass announced they had suffered a data breach that exposed users’ email addresses, encrypted passwords, and cleartext reminder hints.

This week I want to look at what precautions you can take to protect your users who are utilizing password managers.

Single Point of Failure

The weakest link to using a password manager is that it sets up a single point of failure. You know the feeling if you’ve lost a wallet or purse full of valuables. What makes a wallet or purse convenient also makes it a target of thieves because it’s a one-stop-shop to your identity. The same holds true of password managers which are only as secure as the master password. Once they have that, it’s like you’ve turned over your digital wallet to them.

When I worked at Microsoft, we were required to change our passwords every 90 days, and strong passwords were strictly enforced. Of course, I couldn’t reuse any of the last 10 passwords, so I did what a lot of employees did and wrote my password on a Post-It note and attached it to my monitor. Over the next week or so I’d memorize my new password, but I’m sure this isn’t the level of security Microsoft IT had in mind when they implemented the 90-day password change policy.

I knew what I was doing was unsafe and against the rules. But it sure beat having to deal with IT to have them reset my password so I took the risk.

If you manage a group of users, you hope they apply the following to password management:

1. Use strong, complex passwords.
2. Memorize passwords rather than write them down.
3. Use a unique password on every site and service.

Let’s Be Realistic

These are the ideal, but totally unrealistic expectations many IT managers have. The above three rules might work when keeping track of a handful of website profiles, but not when you’re managing dozens. So what do many users do? They choose a less secure password and then use that same password for as many logins as they can. If you make your users create complex passwords, you can bet many will write it down near their computer.

Password managers promise to bring a little common sense to this whole process by generating random passwords for each website, save and encrypt the login and password, and autofill forms for the user. Advanced features found in some of the paid products include mobile versions that sync logins and passwords across all your devices as well as storing credit cards, shipping addresses and notes.

This convenience comes with some trade-offs. For example, when your password manager is running on your local computer, malware could access the data on your computer, including the saved passwords. Even when the user has taken all precautions a key-logger could capture the username and password used to access your bank account. But that’s true whether you have a password manager running or not. Keeping your machine secure still remains your best defense against malware that would do you harm.

But are Password Managers Safe?

Probably so, if used correctly. They are definitely safer than many of the crafty solutions users come up when faced with having to manage so many logins and passwords.

I’ve used 1Password across a number of computers and mobile devices, and will tell you it’s been a huge in helping me keep my passwords secure. It’s also a massive time saver, but that’s secondary to the discussion. Given my experience with 1Password, this is what I’d tell someone considering any password manager:

1. Make sure you’re operating a virus and malware-free computer.
2. Use a fingerprint reader to secure your mobile device or PIN if that’s not available.
3. Memorize a strong master password for the password manager.
4. Configure your password manager to log out after some time on each device.

Understand that users will make mistakes and occasional security breaches will happen. Password managers are one tool that can help maintain a secure environment when used properly.

What have been your experiences with password managers? Do you prefer one over another?