Browser-Based vs. OS-Based vs. Standalone Password Managers: Which Is More Secure?

[Figure: the author's ranking of authentication solutions by security, from the earlier article]

Last week, I published my best guess at the security of various authentication solutions and ranked them: https://www.dhirubhai.net/pulse/how-does-your-favorite-authentication-solution-rank-roger-grimes/. A summary of my ranking is in the figure above.

No matter what great, secure, authentication solution you want to use, you will still be using a lot of passwords. Passwords will be with us for a decade or longer (https://www.dhirubhai.net/pulse/passwords-still-us-decades-roger-grimes). But since you still need passwords, if you want them to be truly secure (i.e., unguessable and uncrackable), then they need to be 12 characters or longer and fully random or 20 characters or longer if made up out of your head. That is just the way it works. I explain it more here: https://www.dhirubhai.net/pulse/hackers-really-cracking-20-character-passwords-roger-grimes.

No one wants to create and use fully random passwords or create long passphrases. Instead, I recommend that everyone use a password manager to create and use fully random passwords. Here’s a summary of my overall authentication recommendation (shown below):

[Figure: summary of the author's overall authentication recommendation]

A password manager should be part of your life. A frequent question I get is why I prefer standalone password managers over browser-based or OS-based password managers (as shown by the opening figure that started this article).

Why I Prefer Standalone Password Managers

It is for a few reasons, including these:

Attacked Less

The key reason I prefer standalone password managers is simply that they are, so far, attacked far less than the other two types. Much of today's automated malware hunts for passwords, and most password-stealing malware checks the stores it can count on finding: the passwords saved in your browser and those held by your operating system. It is just a matter of numbers and risk. There are tens to hundreds of millions of malware programs lurking all over the Internet just waiting to steal the passwords stored within your browser.

The same applies, to a lesser extent, to OS-based password managers. There are many programs that have been around a dozen or more years (e.g., Mimikatz, WCE, pwdump, etc.) that attackers commonly use to pull credentials out of the operating system. They are often bundled into automated malware, and even when they are not, their code or functionality is included in well-known attack frameworks (e.g., Metasploit, PowerShell Empire, etc.).

Without a doubt, there are far more attacks on browser-based and OS-based password stores than on standalone managers. That is simply what the numbers show.
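As an added example (not from this article or from any product), the following Python flags the two in-the-wild patterns just described: a process other than the browser reading the browser's saved-password store, and a process opening lsass.exe with the access rights Mimikatz-style tools request. The JSON telemetry format and field names are assumptions chosen for this sample, and the log lines are constructed; the credential-store file names and the LSASS access masks are real.

```python
"""Flag the two credential-theft patterns the article describes: a non-browser
process reading a browser's saved-password store, and a process opening lsass.exe
the way Mimikatz-style tools do.

Added example, not from the original article or any product. The telemetry
format (JSON with "event", "process", "path", "target", "granted_access") is an
assumption chosen for this sample; the lines in SAMPLE_LOG are constructed.
Real data would come from Sysmon (Event ID 10 ProcessAccess) or an EDR.
"""
import json
import ntpath
from typing import Dict, Iterable, List

# Which browser processes are expected to touch which credential-store files.
# Chromium-family browsers keep saved logins in a SQLite file named "Login Data";
# Firefox keeps them in logins.json, decryptable with key4.db from the profile.
STORE_OWNERS: Dict[str, set] = {
    "login data": {"chrome.exe", "msedge.exe", "brave.exe"},
    "logins.json": {"firefox.exe"},
    "key4.db": {"firefox.exe"},
}

# Handle access masks commonly requested by credential dumpers against LSASS
# (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION variants, and PROCESS_ALL_ACCESS).
LSASS_SUSPICIOUS_ACCESS = {0x1010, 0x1410, 0x1FFFFF}
# Security products legitimately open LSASS; this allowlist is an assumption
# for the sample (Defender's engine) and must be tuned per environment.
LSASS_ALLOWLIST = {"msmpeng.exe"}


def _basename(path: str) -> str:
    """Case-insensitive file name from a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    alerts: List[Dict[str, str]] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        proc = _basename(ev["process"])

        if ev["event"] == "file_read":
            name = _basename(ev["path"])
            owners = STORE_OWNERS.get(name)
            # Alert only when a credential store is read by a process that does
            # not own it; the browser reading its own store is normal.
            if owners is not None and proc not in owners:
                alerts.append({"rule": "browser_store_read", "process": proc, "file": name})

        elif ev["event"] == "process_access":
            if _basename(ev["target"]) != "lsass.exe":
                continue
            access = int(ev["granted_access"], 16)
            if access in LSASS_SUSPICIOUS_ACCESS and proc not in LSASS_ALLOWLIST:
                alerts.append({"rule": "lsass_access", "process": proc, "access": hex(access)})
    return alerts


# Constructed sample telemetry: one legitimate browser read, an unknown binary in
# %TEMP% reading two credential stores and then opening LSASS, an AV engine
# opening LSASS (allowlisted), and an unrelated file read.
SAMPLE_LOG = r"""
{"event":"file_read","process":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"event":"file_read","process":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"event":"file_read","process":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","path":"C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1y2z3.default-release\\key4.db"}
{"event":"process_access","process":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","target":"C:\\Windows\\System32\\lsass.exe","granted_access":"0x1010"}
{"event":"process_access","process":"C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe","target":"C:\\Windows\\System32\\lsass.exe","granted_access":"0x1010"}
{"event":"file_read","process":"C:\\Windows\\explorer.exe","path":"C:\\Users\\alice\\Documents\\notes.txt"}
"""


def run_sample() -> List[Dict[str, str]]:
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The rule keys on the store file and on the LSASS handle rather than on a tool name: Mimikatz-style functionality is copied into many loaders, but every one of them still has to read Login Data, logins.json or key4.db, or open a handle to LSASS. Expect to tune the LSASS allowlist; security products open that process legitimately.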

Malware could just as easily target standalone password managers if its authors wanted to. On an already-compromised device it is often no harder, or only a little harder, to exploit a standalone password manager than the other types. The main difference is state: most attacks on standalone password managers need the manager to be in its "unlocked" state, and when the user has locked it most are much harder to pull off. Browser-based and OS-based password managers normally have no "locked" state to stop hackers and malware (Firefox's optional primary password is the notable exception, and it is off by default).

If a standalone password manager is locked, stealing the passwords it contains is harder without a new zero-day exploit. I have seen a few ingenious hacks of different standalone password managers that compromised them in their locked state without a brand-new exploit, but those techniques are not known or used by many attackers. And this is key.
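To make the "locked state" argument concrete, here is an added model in Python (not any real password manager's code). One store hands its key to any process running as the logged-in user, the way DPAPI-protected browser stores do; the other derives its key from the master password with scrypt at unlock and discards it at lock. The cipher is a labelled HMAC-based stand-in for a real AEAD, and the site names, passwords and master password are constructed for the example.

```python
"""Why a locked standalone vault is harder to rob than a browser/OS credential
store, modelled in code. Added example, not any real product's design. Key
derivation is hashlib.scrypt; the cipher is an HMAC-SHA256 keystream plus HMAC
tag, a labelled stand-in for a real AEAD such as AES-GCM. Site names and
passwords are constructed. The point is where the key lives, not the cipher."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

NONCE_LEN, TAG_LEN = 16, 32

def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC under separate sub-keys (toy AEAD, see module docstring).
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered blob")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ct)

# Model 1: browser/OS store. The OS unwraps the store key for the logged-in user
# (DPAPI-style) for ANY process running as that user. There is no locked state.
USER_SESSION_KEY = secrets.token_bytes(32)  # stands in for the user's DPAPI master key

class BrowserStore:
    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}
    def save(self, site: str, password: str) -> None:
        self.blobs[site] = seal(USER_SESSION_KEY, password.encode())
    def read(self, site: str) -> str:
        return unseal(USER_SESSION_KEY, self.blobs[site]).decode()

# Model 2: standalone vault. The key exists only between unlock() and lock(); the
# file alone yields nothing without the master password, so an attacker facing a
# locked vault is reduced to guessing against scrypt.
class StandaloneVault:
    def __init__(self, master_password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.blobs: Dict[str, bytes] = {}
        self._key: Optional[bytes] = self._derive(master_password)
        self.check = seal(self._key, b"vault-check")  # lets unlock() verify a password
    def _derive(self, master_password: str) -> bytes:
        return hashlib.scrypt(master_password.encode(), salt=self.salt,
                              n=2 ** 14, r=8, p=1, dklen=32)
    def unlock(self, master_password: str) -> None:
        key = self._derive(master_password)
        unseal(key, self.check)  # raises ValueError on a wrong password
        self._key = key
    def lock(self) -> None:
        self._key = None  # nothing left in memory for malware to lift
    def _require_key(self) -> bytes:
        if self._key is None:
            raise PermissionError("vault is locked")
        return self._key
    def save(self, site: str, password: str) -> None:
        self.blobs[site] = seal(self._require_key(), password.encode())
    def read(self, site: str) -> str:
        return unseal(self._require_key(), self.blobs[site]).decode()

def steal(store) -> Dict[str, Optional[str]]:
    # Malware running as the victim: same files, same APIs, no extra privilege.
    out: Dict[str, Optional[str]] = {}
    for site in store.blobs:
        try:
            out[site] = store.read(site)
        except PermissionError:
            out[site] = None
    return out

def offline_guess(vault: StandaloneVault, candidates: Iterable[str]) -> Optional[str]:
    # All that is left against a locked vault: try master passwords one at a time.
    for pw in candidates:
        try:
            unseal(vault._derive(pw), vault.check)
            return pw
        except ValueError:
            pass
    return None

def demo() -> Dict[str, Optional[str]]:
    browser, vault = BrowserStore(), StandaloneVault("correct horse battery staple")
    browser.save("bank.example", "Tr0ub4dor&3")
    vault.save("bank.example", "Tr0ub4dor&3")
    vault.lock()
    return {"browser": steal(browser)["bank.example"],        # plaintext, no prompt
            "vault_locked": steal(vault)["bank.example"],      # None: nothing to read
            "weak_master_guessed": offline_guess(vault, ["123456", "correct horse battery staple"])}
```

`steal()` models malware with exactly the victim's privileges: it gets plaintext from the browser-style store without any prompt, gets nothing from the locked vault, and would get everything again the moment the user unlocks it, which is the article's point about the unlocked state. `offline_guess()` shows the residual risk the lock does not remove: a weak master password still falls to guessing, so the lock only buys as much as the master password and the KDF cost are worth.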

There are a lot of hacker and malware attacks that are possible. The ones we need to worry about the most are the ones that are actively being used in the wild, a lot. Attacks against standalone password managers are just not as common in the wild as attacks against the other types of password managers. That fact alone makes me recommend standalone password managers over the other types.

One day, when more people are using standalone password managers, they are likely to be successfully attacked more often. And if they get as successfully attacked as OS-based and browser-based password managers, I might change my opinion on this “protection”. But for now, standalone password managers are attacked far less than the other two types and that means real risk reduction.

More Features

The typical standalone password manager has more features than the other two types. That makes sense: a company focused on a single product, or at least on a major product line, is likely to produce a standalone product with more features than a vendor that offers password management as just one of the many things it works on. If I were a password manager developer, I would much rather be coding on a standalone product that the entire company or division focuses on than as a sub-team of a sub-team of a larger company.

More Platform Support

Another of the biggest things I like about standalone password managers, which has very little to do with security, is that they usually support more platforms. OS-based password managers work only on the OS they are attached to. Browser-based password managers work only within the browser they are part of. Most standalone password managers work across multiple OSs, multiple browsers and multiple device types. This means the user will be able to use the password manager more frequently and more consistently, and keep the passwords it contains more secure.

And of course, all of my advice only applies if all other things are equal. All authentication solutions have dozens of dependencies (e.g., namespace, network, DNS, IP addresses, etc.) and all of those must be sufficiently secured or the whole authentication system can come tumbling down. But all other things considered equal, I prefer standalone password managers over browser-based and OS-based password managers.

The second most common question I get asked around password managers is if I still recommend them since they themselves can be hacked and become a single point of failure. Yes, and I answered that question more fully here: https://blog.knowbe4.com/what-about-password-manager-risks.

So, in summary, the reason I like standalone password managers more than other types is mostly that they are currently attacked far less, have more features and usually work across a wider range of OSs, browsers and devices.

Karin Orsi

Histology Laboratory Operations Manager at AbbVie

2 years

I want to start using a password manager. How do I find a standalone one? Is there one you recommend?

Graeme Waugh

VP and Head of Sales and Partnerships – Transformational Leader -Winning Opportunities

2 years

Again thank you for sharing Roger Grimes, why not remove the password altogether and have a passwordless secure browser.. here is the answer https://www.idenprotect.com/idenprotect-go/

Jack Nunziato

The Cybersecurity Warrior of NYC | We Find Cybersecurity Vulnerabilities Before Cybercriminals | Ethically Hacking | Bug Bounty | AI Security

2 years

Excellent read! Truth on that standalone password managers have more features: I love using my YubiKey as the authentication too. The chances of an attacker gaining access to your master password + the actual physical key in your pocket are very, very low. Thanks for sharing

Jack B.

Cybersecurity Leader | Protector of People | Defender of the Business | Technology Enthusiast | Facilitator and Uniter | Proud Veteran | Husband and Father

2 years

I kept all identities on KeePass Portable via USB. The USB was full disk encrypted at rest with LibCrypt2 and required a YubiKey. Then the KeePass database was symmetric encrypted - passphrase. The reason was for investigations. It required the highest level of control. Great write up as always! Thanks Roger.

All kidding aside, password managers are a must and also using unique passwords for different sites. If one gets compromised it can't be used on another site.
