Password manager
A password manager is software that helps a user organize passwords and PIN codes. The software typically has a local database or a file that holds the encrypted password data for secure logon onto computers, networks, web sites and application data files. Many password managers also work as a form filler, filling the user name and password automatically into logon forms. These are implemented using a browser extension, a smart card application or a USB stick application that communicates with the browser.

The great advantage of passwords is that they are readily incorporated in most software, require no extensive computer/server modifications and users are very familiar with them. While passwords are secure, the weakness is how users choose and manage them:
  • Simple passwords - short in length, uses words found in dictionaries, don't mix in different characters (numbers, punctuation, upper/lower case), etc.
  • Write passwords down - sticky notes on monitor, notepads by the computer, document in computer, whiteboard reminders, smart device storage in clear text, etc.
  • Same password - using the same password for multiple sites, never changing account passwords, etc.
  • Sharing password - telling others the logon passwords, sending unencrypted emails with password information, contractors using same password for all their accounts, etc.

The added problem is that most users make more than one of these mistakes. This makes it very easy for hackers, crackers, malware and cyber thieves to break into individual accounts, SMBs, multinational corporations, government agencies, institutions, etc. It is protecting against these vulnerabilities that makes password managers so important.

Password managers come in five basic flavors:
  • Desktop - desktop software storing passwords on a computer hard drive.
  • Portable - portable software storing the passwords and the program on a mobile device, such as a PDA or smart phone, as a portable application.
  • Token - a security token with multi-factor authentication combines "something you have" (smart card or USB stick), "something you know" (PIN or password) and "something you are" (biometrics).
  • Web based - online password manager where passwords are stored on a provider's website.
  • Stateless - passwords are generated on the fly from a master passphrase and a tag using a key derivation function.
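The stateless flavor can be illustrated in a few lines. This is an added example, not code from the article or from any particular product: it derives a site password from the master passphrase and a tag with PBKDF2-HMAC-SHA256 (the alphabet, output length and iteration count are assumptions of the example). Nothing is stored, so the same inputs always yield the same password, which is also the limitation: to rotate a password the tag itself has to change.

```python
import hashlib
import hmac
import string

# Alphabet the derived password is drawn from (an assumption of this example, not a standard).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def _expand(key: bytes, tag: str):
    """Yield an unbounded, deterministic byte stream from the derived key (HMAC in counter mode)."""
    counter = 0
    while True:
        block = hmac.new(key, tag.encode("utf-8") + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        yield from block
        counter += 1


def derive_password(master: str, tag: str, length: int = 20, iterations: int = 200_000) -> str:
    """Derive a site password from (master passphrase, tag) with no stored state.

    The tag (typically the site name) is the PBKDF2 salt, so every tag yields an independent
    key. The same inputs always give the same password; to rotate one, change the tag
    (e.g. append a version number), because there is no vault entry to edit.
    """
    if not master or not tag:
        raise ValueError("master passphrase and tag must both be non-empty")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), tag.encode("utf-8"), iterations)
    # Rejection sampling: only bytes below `limit` are used, so every symbol is equally likely.
    limit = 256 - (256 % len(ALPHABET))
    chars = []
    for b in _expand(key, tag):
        if b < limit:
            chars.append(ALPHABET[b % len(ALPHABET)])
            if len(chars) == length:
                break
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample inputs; the tag, not a stored record, selects the password.
    for site in ("example.com", "example.com#2"):
        print(site, derive_password("correct horse battery staple", site))
```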


Password managers can also be used as a defense against phishing and pharming. Unlike human beings, a password manager program can incorporate an automated login script that first compares the current site's URL to the stored site's URL. If the two don't match, the password manager does not automatically fill in the logon fields, which safeguards against visual imitations and look-alike websites. With this built-in advantage, the use of a password manager is beneficial even if the user only has a few passwords to remember. While not all password managers can automatically handle the more complex login procedures imposed by many banking websites, many of the newer password managers handle complex passwords, multi-page fill-ins, and multi-factor authentication prior to usage.
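The URL comparison described above, as an added example that is not part of the article or of any product: the stored and current URLs are reduced to an origin (scheme, host, port), and credentials are filled only when the origins match exactly. The stored vault entry and the sample page URLs are constructed; the choice to compare the exact host rather than a registrable domain is an assumption of the example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url: str):
    """Reduce a URL to the (scheme, host, port) triple a password manager should compare.

    The hostname is lower-cased and IDNA-encoded so that a visually similar Unicode host
    cannot compare equal to the ASCII host stored in the vault.
    """
    parts = urlsplit(url)
    host = parts.hostname  # drops userinfo, so "https://good.example@evil.test/" yields evil.test
    if parts.scheme not in DEFAULT_PORTS or not host:
        return None
    host = host.lower().encode("idna").decode("ascii")
    return (parts.scheme, host, parts.port or DEFAULT_PORTS[parts.scheme])


def should_autofill(current_url: str, stored_url: str) -> bool:
    """Fill credentials only when the page's origin matches the origin saved with them.

    Exact host comparison is deliberate: "accounts.example.com.evil.test" and a plain
    http:// copy of an https:// site both fail, which is the phishing/pharming defence
    the article describes. Legitimate subdomain sharing would need an explicit allow-list.
    """
    cur, saved = origin(current_url), origin(stored_url)
    return cur is not None and cur == saved


if __name__ == "__main__":
    STORED = "https://accounts.example.com/"  # constructed vault entry
    for u in ("https://accounts.example.com/login?next=/",
              "https://accounts.example.com.evil.test/login",
              "http://accounts.example.com/login",
              "https://accounts.example.com@evil.test/login"):
        print(should_autofill(u, STORED), u)
```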

Password managers can protect against keyloggers, or keystroke-logging malware. When using a multi-factor authentication password manager that automatically fills in logon fields, the user does not have to type any user names or passwords for the keylogger to pick up. While a keylogger may pick up the PIN used to authenticate to the smart card token, for example, without the smart card itself (something you have) the PIN does the attacker no good. Add a biometric finger scan to the smart card and the risk from such malware is practically none.

Vulnerabilities

Desktop password managers and browser-based password managers are convenient but are considered the weakest means of protecting your accounts. That's because most of these applications rely on no authentication or a single factor of authentication. If the computer is on, it is possible for another individual to simply click where they want to go and they are in. Most password managers use a single user-selected master password or passphrase to form the key used to encrypt the protected passwords. The single passphrase is referred to as "single-factor authentication" and is one of the weakest ways to authenticate the user. This master password must be strong enough to resist attack (e.g. brute force, dictionary attacks, etc.), but complexity drives poor user management.

A compromised master password renders all of the protected passwords vulnerable. This demonstrates the inverse relation between usability and security: a single password may be more convenient (usable), but if compromised would render all of the held passwords insecure.

As with any system which involves the user entering a password, the master password may also be attacked and discovered using key logging or acoustic cryptanalysis. Some password managers attempt to use virtual keyboards to reduce this risk, though this again is vulnerable to key loggers which take screenshots as data is entered.

Some password managers include a password generator. Generated passwords may be guessable if the password manager uses a weak random number generator instead of a cryptographically secure one.

A strong password manager will include a limited number of false authentication entries allowed before the password manager is locked down and requires IT services to re-activate. This is the best way to protect against the brute-force attack.

Password managers that do not prevent their memory from being swapped to the hard drive make it possible to extract unencrypted passwords from the computer's hard drive. Turning off swap, or installing more memory so that the system swaps less, can prevent this risk.

Online password manager

An online password manager is a website that securely stores login details. It is a web-based version of the more conventional desktop-based password manager.

The advantages of online password managers over desktop-based versions are portability (they can generally be used on any computer with a web browser and a network connection, without having to install software), and a reduced risk of losing passwords through theft from or damage to a single PC, although the same risk is present for the server that stores the users' passwords. In both cases this risk can be mitigated by ensuring secure backups are taken.

The major disadvantages of online password managers are the requirements that you trust the hosting site and that a keylogger is not on the computer you're using. With servers and the cloud being a focus of cyber attacks, how one authenticates to the online service, and whether the passwords stored there are encrypted with a user-defined key, are just as important. Again, users tend to circumvent security for convenience.

The use of a web-based password manager is an alternative to single sign-on techniques, such as OpenID or Microsoft's Windows Live ID scheme (formerly Passport), or may serve as a stop-gap measure pending adoption of a better method.

Security token password managers

Security tokens like smart cards or secure USB flash devices are seen by security experts as the best way to authenticate users, since many require multi-factor authentication. The data stored in the token is usually encrypted to prevent probing and unauthorized reading of the data. Some token systems still require software loaded on the PC along with hardware (a smart card reader) and drivers to properly read and decode the data. Some of the other advantages include: tokens can be either contact or contactless smart cards, stand-alone client based or tied into Active Directory. These tokens can be combined with RFID badges for building access and use other security protocols like single sign-on (SSO), one-time passwords (OTP) and Public Key Infrastructure (PKI) instead of passwords to establish trust. These tokens can be thought of as the key that secures the virtual front door.

The disadvantages include the differing costs of ownership. Some implementations require back-end server modifications, extensive training, server-to-token synchronization, outside certificate authorities and expensive tokens. Others may be less expensive to implement and have a lower cost of ownership, but may not support authentication, authorization, data integrity and non-repudiation. It's not that one token solution is better than another, but rather which is right for your environment, risk and budget.

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.