Password Managers: Improving Security and Usability

At some point in the past, we found it necessary to prove our identity to computer systems. It was probably because it was expedient; an identifier (usually a username) and a secret was the solution. Generally, it seemed to work, and so whenever the need for authentication arose, we defaulted to this solution.

Over time, we have come to identify some serious problems associated with using passwords to authenticate humans.

Humans struggle with two things that make using passwords problematic.

First, humans struggle to think of strong passwords. Strong passwords are hard to guess. Humans are (sometimes) lazy and creatures to habit. We frequently do only what is required (this makes guessing a password much easier). Additionally, we are creatures of habit, and these habits mean that the passwords we create are usually predictable.

Second, humans struggle to remember things. Because of this, we prefer simplicity and reusing those things we do have to remember. Both of these preferences result in generally bad practices with passwords.

There are several approaches adversaries use to attack passwords:

In addition to these approaches, adversaries can (and will) develop other ways to attack weak password practices. These are just the most prominent attacks used today.

Brute force attackers are when adversaries use computer systems to try a large number of possible passwords against a service/system to search for the right one. While there are some ways that systems/services can protect themselves from these attacks, there is always the possibility that a system may be vulnerable.

Short passwords are particularly vulnerable to these kinds of attacks. Of all the types of weaknesses, short passwords are the easiest to attack.

Whenever data breaches occur, there is an opportunity for adversaries to study the data to enable additional attacks. Frequently they build lists of common passwords that they can then use against other systems/services. These lists of common passwords usually meet with significant success.

Sometimes, an adversary can acquire a copy of the database that stores the hashes used to verify if a password is correct. In this context, a hash is the result of a one-way processing of a password. While it shouldn’t be possible to process the hash and retrieve the original password, it may be possible to use previously cracked hashes (Rainbow Tables). When they work, they are a quick way to get passwords.

Using previously used passwords will make your passwords vulnerable to this kind of attack.

An increasingly common attack against password reuse is 'Credential Stuffing.' Once an adversary has obtained some usernames and passwords, they will attempt to use them against other systems/services. Credential stuffing is frequently effective and enables an adversary to take over (at least a large) part of the victim’s online life.

Now that we are familiar with how human weaknesses in creating and using passwords make us vulnerable, we are ready to discuss a solution (Password Managers).

While Password Managers' functionality varies, they all help generate strong passwords and facilitate using unique passwords for each system/service.

Strong Passwords (or even better, passphrases) have specific characteristics:

Usually, significant care, understanding, and thought have been put into enabling password managers to generate strong passwords. A password generated by a password manager will fare better than a password a human can generate.

In addition to generating strong passwords, password managers will enable you to store a different password for each of your accounts. You will need to remember the password that gets you on your local computer and access the password manager, but after that, you won’t need to remember any of the passwords for your online accounts.

Password managers make it a lot easier to use unique passwords for your accounts (significantly improving your digital security).

If you work for an organization, they have likely selected a password manager for you to use. If this is the case, you should familiarize yourself with it (so that you use it securely and obtain the most significant benefit from it).

If you want to use a password manager for your own needs, you should investigate the available options. Yes, you want security, but you also want it to be as useful (and usable) as possible (a solution you don’t use is not a solution). After reading about the various options, We recommend that you try a few of them out.

In the end, you want to find a solution that will work for you in the long run.

Wikipedia has a list of password managers.

Once you decide to use a password manager, it will become one of your online life’s essential parts.

Whatever solution you select, it is vital that you safeguard your password manager. In some cases, it will mean selecting a particularly strong password to prevent unauthorized access to your password manager. In other cases, it will also include making sure you have a safe backup of your password manager data file.

Password Managers can significantly improve your security online, but it is still highly recommended that you use multi-factor authentication whenever (and wherever) possible.

Multi-factor authentication involves using something besides just a password to gain access to an account. Some examples are physical tokens, biometrics, and location.

Combining multi-factor authentication and strong passwords will give you a high-level of confidence in the control of your online accounts.