Password manager

A password manager is a computer program that allows users to store and manage their passwords [1] for local applications or online services such as web applications, online shops or social media. [2] A web browser generally has a built-in password manager. These have been criticised frequently because many have stored passwords in plaintext, leaving them exposed to anyone who gains access to the file.

Password managers can generate passwords [3] and fill online forms. [2] Password managers may exist as computer applications, mobile applications, or web browser extensions, or as a combination of these. [4]

A password manager may assist in generating and storing passwords, [1] [5] [6] usually in an encrypted database. [7] [8] Aside from passwords, these applications may also store data such as credit card information, addresses, and frequent flyer information. [3]

The main purpose of password managers is to alleviate a cyber-security phenomenon known as password fatigue, where an end-user becomes overwhelmed by having to remember multiple passwords for multiple services and which password belongs to which service. [3]

Password managers typically require a user to create and remember one "master" password to unlock and access all information stored in the application. [9] Password managers may choose to integrate multi-factor authentication [9] through fingerprints or facial recognition software. [10] This is not required to use the application or browser extension, however.

History

The first password manager software designed to securely store passwords was Password Safe, created by Bruce Schneier, which was released as a free utility on September 5, 1997. [11] Designed for Microsoft Windows 95, Password Safe used Schneier's Blowfish algorithm to encrypt passwords and other sensitive data. Although Password Safe was released as a free utility, due to U.S. cryptography export restrictions in place at the time, only U.S. and Canadian citizens and permanent residents were initially allowed to download it. [11] As Google Chrome became the most used browser, the built-in Google Password Manager became the most used password manager as of December 2023.

Types

Password managers come in various forms, each offering distinct advantages and disadvantages. Here's a breakdown of the most common types: [12]

Browser-based password managers
These are built directly into web browsers like Chrome, Safari, Firefox, and Edge. They offer convenient access for basic password management on the device where the browser is used. However, some may lack features like secure syncing across devices or strong encryption.
Local password managers
These are standalone applications installed on a user's device. They offer strong security as passwords are stored locally, but access may be limited to that specific device. Popular open-source options include KeePass and Password Safe.
Cloud-based password managers
These store passwords in encrypted form on remote servers, allowing access from supported internet-connected devices. They typically offer features like automatic syncing, secure sharing, and strong encryption. Examples include 1Password, Bitwarden, and Dashlane.
Enterprise password managers
Designed for businesses, these cater to managing access credentials within an organization. They integrate with existing directory services and access control systems, often offering advanced features like role-based permissions and privileged access management. Leading vendors include CyberArk and Delinea (formerly Thycotic).
Hardware password managers
These physical devices, often USB keys, provide an extra layer of security for password management. Some function as secure tokens for account or database access, such as YubiKey and OnlyKey, while others also offer offline storage for passwords, such as OnlyKey.

Vulnerabilities

Weak vault storage

Some applications store passwords as an unencrypted file, leaving the passwords easily accessible to malware or to people attempting to steal personal information.

Master password as a single point of failure

Some password managers require a user-selected master password or passphrase to form the key used to encrypt the stored passwords. The security of this approach depends on the strength of the chosen password (which an attacker may guess, or obtain through malware), and on the passphrase itself never being stored locally where a malicious program or individual could read it. A compromised master password may render all of the protected passwords vulnerable, meaning that a single point of entry can compromise the confidentiality of sensitive information. This is known as a single point of failure.
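An added example (not code from the page or from any product named on it) of the design described above: the vault is encrypted under keys derived from the master password by a salted, iterated KDF, so the master password itself is never written to disk and a wrong one fails closed. The names `create_vault` and `open_vault` are assumptions, and the HMAC counter-mode keystream is a stand-in for the AES-GCM or XChaCha20-Poly1305 a real manager would take from a vetted library.

```python
import hashlib
import hmac
import json
import os
from typing import Tuple

KDF_ITERATIONS = 200_000  # work factor that slows down master-password guessing


def _derive_keys(master: str, salt: bytes) -> Tuple[bytes, bytes]:
    # Stretch the master password into 64 bytes with PBKDF2-HMAC-SHA256 and
    # split the result into an encryption key and an independent MAC key.
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative stream cipher: HMAC-SHA256 in counter mode. A production
    # vault would use an authenticated cipher from a vetted library instead.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def create_vault(master: str, entries: dict) -> dict:
    """Encrypt `entries` under keys derived from `master`. Only a random salt,
    a nonce, the ciphertext and an authentication tag are stored."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def open_vault(master: str, vault: dict) -> dict:
    """Re-derive the keys from the supplied master password and refuse to
    decrypt unless the tag verifies (wrong password or tampered vault)."""
    salt, nonce = bytes.fromhex(vault["salt"]), bytes.fromhex(vault["nonce"])
    ciphertext, tag = bytes.fromhex(vault["ct"]), bytes.fromhex(vault["tag"])
    enc_key, mac_key = _derive_keys(master, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("master password incorrect or vault tampered with")
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


if __name__ == "__main__":
    # Constructed sample entry, not real credentials.
    vault = create_vault("correct horse battery staple", {"example.com": "hunter2"})
    print(open_vault("correct horse battery staple", vault))
```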

Device security dependency

While password managers offer robust security for credentials, their effectiveness hinges on the user's device security. If a device is compromised by malware like Raccoon, which excels at stealing data, the password manager's protections can be nullified. Malware like keyloggers can steal the master password used to access the password manager, granting full access to all stored credentials. Clipboard sniffers can capture sensitive information copied from the manager, and some malware might even steal the encrypted password vault file itself. In essence, a compromised device with password-stealing malware can bypass the security measures of the password manager, leaving the stored credentials vulnerable. [13]

As with other password authentication techniques, keylogging or acoustic cryptanalysis may be used to guess or copy the master password. Some password managers attempt to use virtual keyboards to reduce this risk, though this is still vulnerable to keyloggers that record which keys were pressed and send them to the person or people trying to access confidential information.

Cloud-based storage

Cloud-based password managers offer a centralized location for storing login credentials. However, this approach raises security concerns. One potential vulnerability is a data breach at the password manager itself. If such an event were to occur, attackers could potentially gain access to a large number of user credentials. A 2022 security incident involving LastPass exemplifies this risk. [14]

Password generator security

Some password managers may include a password generator. Generated passwords may be guessable if the password manager uses a weak method of producing the random "seed" from which all passwords generated by the program are derived. There are documented cases, like the one with Kaspersky Password Manager in 2021, where a flaw in the password generation method resulted in predictable passwords. [15] [16]
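An added example (not code from the page or from any product named on it) contrasting a generator whose only entropy is a clock-derived seed with one that draws from the operating system's CSPRNG. The clock-seeded generator is a constructed model of the class of flaw described above, not the actual algorithm of any named product; the function names are assumptions.

```python
import math
import random
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(rng, length: int = 16) -> str:
    """Draw `length` symbols from ALPHABET with whatever RNG is supplied;
    the quality of the password is decided entirely by `rng`."""
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def clock_seeded_generator(seconds: int) -> random.Random:
    """Constructed model of the weak design: a deterministic PRNG seeded with
    the wall-clock time in seconds, so the whole password is a function of
    one small, guessable number and repeats for the same second."""
    return random.Random(seconds)


def csprng_generator() -> secrets.SystemRandom:
    """The sound alternative: symbols drawn from the OS CSPRNG."""
    return secrets.SystemRandom()


def nominal_entropy_bits(length: int = 16, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy a `length`-symbol password would carry if every symbol were
    chosen independently and uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def clock_seed_entropy_bits(window_seconds: int) -> float:
    """Effective entropy of a clock-seeded password once the generation time
    is known to lie within a window of `window_seconds`: the password is
    no stronger than the seed that produced it."""
    return math.log2(window_seconds)


if __name__ == "__main__":
    now = int(time.time())
    print("clock-seeded  :", generate_password(clock_seeded_generator(now)))
    print("same second   :", generate_password(clock_seeded_generator(now)))  # identical
    print("CSPRNG        :", generate_password(csprng_generator()))
    print(f"nominal entropy of 16 symbols : {nominal_entropy_bits():.1f} bits")
    print(f"clock seed, one-day window    : {clock_seed_entropy_bits(86_400):.1f} bits")
```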

Others

A 2014 paper by researchers at Carnegie Mellon University found that while browsers refuse to autofill passwords if the login page protocol differs from when the password was saved (HTTP vs. HTTPS), some password managers insecurely filled passwords for the unencrypted (HTTP) version of saved passwords for encrypted (HTTPS) sites. Additionally, most managers lacked protection against iframe and redirection-based attacks, potentially exposing additional passwords when password synchronization was used across multiple devices. [17]
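An added example (not code from the page or from the paper it cites) of an autofill policy that closes the gaps the paper describes: exact host match, no downgrade from HTTPS to HTTP, and no filling inside a frame whose top-level document has a different origin. The names `origin_of` and `should_autofill` are assumptions; the rule that accepts an HTTP-to-HTTPS upgrade on the default ports is a policy choice made for this example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class Origin:
    scheme: str
    host: str
    port: int


def origin_of(url: str) -> Origin:
    """Reduce a URL to its origin (scheme, host, port). Path and query must
    play no part in the decision."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme not in DEFAULT_PORTS or not host:
        raise ValueError(f"unsupported URL for autofill: {url!r}")
    return Origin(scheme, host, parts.port or DEFAULT_PORTS[scheme])


def should_autofill(saved_url: str, page_url: str, top_url: Optional[str] = None) -> bool:
    """Decide whether a credential saved for `saved_url` may be filled into a
    login form on `page_url`. `top_url` is the top-level document when the
    form sits inside a frame; None means the form is top-level."""
    saved, page = origin_of(saved_url), origin_of(page_url)
    # 1. Exact host match only: no suffix, subdomain or look-alike matching.
    if saved.host != page.host:
        return False
    if saved.scheme != page.scheme:
        # 2. Never downgrade: a credential saved over HTTPS is not filled into
        #    an HTTP page. The only accepted change is an upgrade from plain
        #    HTTP to HTTPS on the default ports.
        if not (saved.scheme == "http" and page.scheme == "https"
                and saved.port == 80 and page.port == 443):
            return False
    elif saved.port != page.port:
        return False
    # 3. Inside a frame, fill only when the top-level document shares the
    #    page's origin, so a third-party page cannot harvest credentials by
    #    embedding the login form in a hidden iframe.
    if top_url is not None and origin_of(top_url) != page:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample URLs, not real sites.
    print(should_autofill("https://bank.example/login", "http://bank.example/login"))   # False
    print(should_autofill("https://bank.example/login", "https://bank.example/login",
                          top_url="https://other.example/"))                            # False
```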

Blocking of password managers

Various high-profile websites have attempted to block password managers, often backing down when publicly challenged. [18] [19] [20] Reasons cited have included protecting against automated attacks, protecting against phishing, blocking malware, or simply denying compatibility. The Trusteer client security software from IBM features explicit options to block password managers. [21] [22]

Such blocking has been criticized by information security professionals as making users less secure. [20] [22] The typical blocking implementation involves setting autocomplete='off' on the relevant password web form. This option is consequently now ignored on encrypted sites [17] by browsers such as Firefox 38, [23] Chrome 34, [24] and Safari from about 7.0.2. [25]


References

  1. Waschke, Marvin (2017). Personal Cybersecurity: How to Avoid and Recover from Cybercrime. Bellingham, Washington: Apress. p. 198. doi:10.1007/978-1-4842-2430-4. ISBN 978-1-4842-2430-4. OCLC 968706017.
  2. "What is a Password Manager? - Definition from Techopedia". Techopedia.com. Retrieved 2022-12-14.
  3. "What is a Password Manager? 2022 Explainer Guide". Tech.co. Retrieved 2022-12-14.
  4. "Definition of password manager". PCMAG. Retrieved 2022-12-14.
  5. Seitz, Tobias (2018). Supporting users in password authentication with persuasive design (PDF) (Thesis). Ludwig-Maximilians-Universität München. doi:10.5282/edoc.22619.
  6. Carnegie Mellon University. "Password Managers - Information Security Office - Computing Services - Carnegie Mellon University". www.cmu.edu. Retrieved 2022-12-14.
  7. Price, Rob (2017-02-22). "Password managers are an essential way to protect yourself from hackers – here's how they work". Business Insider. Archived from the original on 2017-02-27. Retrieved 2017-04-29.
  8. Mohammadinodoushan, Mohammad; Cambou, Bertrand; Philabaum, Christopher Robert; Duan, Nan (2021). "Resilient Password Manager Using Physical Unclonable Functions". IEEE Access. 9: 17060–17070. doi:10.1109/ACCESS.2021.3053307. ISSN 2169-3536.
  9. "Best Password Managers for Mac - Security". Tech.co. Retrieved 2022-12-14.
  10. "Best Password Manager for iPhone 2022". Tech.co. Retrieved 2022-12-14.
  11. "Counterpane Systems Brings the Security of Blowfish to a Password Database". Counterpane Systems. Archived from the original on 1998-01-19. Retrieved June 24, 2023.
  12. Kerner, Sean Michael (2023-05-02). "What is a password manager?". Security. Archived from the original on 2024-02-01. Retrieved 2024-04-01.
  13. "Are Password Managers Safe to Use in 2024?". Cybernews. 2022-07-13. Archived from the original on 2024-03-24. Retrieved 2024-03-31.
  14. "Are Password Managers Safe to Use in 2024?". Cybernews. 2022-07-13. Archived from the original on 2024-03-24. Retrieved 2024-03-31.
  15. Claburn, Thomas (2021-07-06). "Kaspersky Password Manager's random password generator was about as random as your wall clock". The Register. Archived from the original on 2024-03-07. Retrieved 2024-03-31.
  16. Arghire, Ionut (2021-07-07). "Kaspersky Password Manager Generated Passwords That Could Quickly Be Brute-Forced". SecurityWeek. Archived from the original on 2023-06-02. Retrieved 2024-03-31.
  17. "Password Managers: Attacks and Defenses" (PDF). Retrieved 26 July 2015.
  18. Wright, Mic (16 July 2015). "British Gas deliberately breaks password managers and security experts are appalled". Retrieved 26 July 2015.
  19. Reeve, Tom (15 July 2015). "British Gas bows to criticism over blocking password managers". Retrieved 26 July 2015.
  20. Cox, Joseph (26 July 2015). "Websites, Please Stop Blocking Password Managers. It's 2015". Retrieved 26 July 2015.
  21. "Password Manager". Retrieved 26 July 2015.
  22. Hunt, Troy (15 May 2014). "The "Cobra Effect" that is disabling paste on password fields". Retrieved 26 July 2015.
  23. "Firefox on windows 8.1 is autofilling a password field when autocomplete is off". Retrieved 26 July 2015.
  24. Sharwood, Simon (9 April 2014). "Chrome makes new password grab in version 34". Retrieved 26 July 2015.
  25. "Re: 7.0.2: Autocomplete="off" still busted". Retrieved 26 July 2015.