Password Managers: To Use or Not to Use

A series of recent incidents has led to debate concerning the value of password managers.

  • PayPal sent out breach notifications to thousands of users that had their accounts accessed through credential stuffing attacks that exposed some personal data. Some linked the attack to password reuse across systems. As many people use the same password on multiple accounts, they run the risk of their accounts being breached by bad actors who compromise one account and use that same password to enter other systems used by the user.
  • Credential stuffing attacks are becoming more common. Attackers use bots to attempt thousands of logins a second.
  • The popular password manager LastPass has been hacked multiple times over the past year or two. This has people wondering whether they should use such a tool or not.

So, should you use a password manager or not? The short answer is yes, they need to be used. Why? According to KnowBe4, the average user accesses more than 170 different sites and services. Each one needs a password. This number may seem excessive. But take a moment to add it all up. Every bank account, all the work-related sites, social media, Amazon and other cloud services, travel sites, hotel sites, and on and on. (I added mine up and came up with over 200 logins). That’s part of the problem. What do users typically do to cope with this ridiculous number of passwords? They reuse passwords over and over and that opens the door to more widespread breaches.

When security policies are implemented forcefully concerning passwords, users are forced to change them every quarter, and in recent times have had to move from 6 characters to eight to ten or more. They have also been required to add capitals, numbers, and symbols. What is the user response? The average person without a password manager has less than 10 passwords (or password patterns) that they use across all the sites they deal with.

To make matters worse, many of these passwords are relatively weak. They can be broken quickly using brute force techniques. The consequence? If a hacker breaks one password, they can try it in many other places. Perhaps they only compromise Facebook at first. From there, however, they can try bank account logins using the person’s email and preferred password. They often strike gold. Crypto accounts, Amazon, and work accounts are also exposed to attack.

Password Manager Failings

Password managers, then, should be used. They provide strong, random passwords that are different for every site or service. Unlike eight-character passwords that can be cracked via brute force in short order, these passwords are unguessable by any known technology. But as the LastPass hacks made clear, password managers are not infallible. Those that store your passwords in the cloud are especially susceptible to attack. Those that store them locally are better such as on a device where you use your password manager. Yet there remains a single point of failure on that local machine. If the bad guys gain access to it, they can get inside the password manager if the user leaves it unlocked. That allows them to see stored passwords and export them. Users are advised to configure password managers to automatically lock after a very short time.

Keyloggers can also be employed to steal the master password used to access any password manager. A good way around it is to require multi-factor authentication to unlock the password manager, such as receiving a text to your phone.

And like any software or system, password managers contain software vulnerabilities. They can be used by attackers to access or exploit password managers, sometimes even when they are locked. Vendors issue patches to fix these exploitable bugs.

Lack of encryption can be another weakness. Choose password managers that use strong encryption of stored passwords, logon names, URLs, and other sensitive data.

There are many other ways that hacking can occur. But like any other online system, the basics still apply:

1. Use a reputable password manager that applies the safeguards noted above.

2. Include multifactor authentication as part of the login process.

3. Update all password managers with the latest fixes and patches to keep them secure.

4. Include password managers in vulnerability scans to ensure no weaknesses are left undiscovered.

5. Keep systems in general fully patched and up to date. Password managers employ browser extensions and interface with other systems. Those other systems and extensions need to be patched, too.

Syxsense automates the process of installing patches, performing vulnerability scans, and remediating any issues found.

For more information, visit: www.Syxsense.com