High time we start using a Password Manager
How many passwords do you own?
Just start counting and you will be surprised at the number of passwords you own. Every service you want access to needs a username and a password, so as the number of services grows, so does the number of passwords you own. With so many cyber criminals around, it makes real sense to have strong, uncrackable passwords. A strong password can be defined as one with a mix of characters (numbers, symbols, capital letters, and lower-case letters). We must strictly stay away from dictionary words; the password just has to be not easily guessable. But the real problem here is our memory. Most of us simply cannot recall something cryptic: our minds are used to recalling things that are associated with or related to something. To overcome this difficulty we tend to use easy passwords. Many times we use the same password for many services, or we reuse it by appending or prepending 123 or xyz or whatever is easy for us to remember. Once a hacker gets hold of one of your passwords, it becomes very easy for him to guess all your other passwords. "Always use a strong password" is the universal message we see whenever we try to create an account with a service.
The good news is we have password managers which can create strong passwords and store them for us.
There are a lot of password managers available in the market. LastPass, 1Password, Dashlane, F-Secure, KeePass and Avast are a few very popular ones. Most of the above-mentioned password managers are subscription based, and you have them both online and offline. KeePass is an open-source password manager very popular with the geeks.
Setting up a password manager is very easy.
To access the password manager you must have a master password. Your master password is run through thousands of hashing rounds to derive a strong encryption key. Once you are in, you can start storing all your login IDs and associated passwords. You can also store other details like the associated URLs and other important information (hint questions etc.).
Almost all password managers put your master password through PBKDF2 hashing and store it encrypted. Even the service providers have zero knowledge of your master password.
All the passwords you store in the password manager are encrypted.
The idea of entrusting the key to your online life to someone is very hard to digest as far as I'm concerned.
A few days back Blur, a popular password manager, suffered a data breach that leaked the information of millions of users. According to Abine, which owns Blur, a misconfigured S3 bucket was the root cause of the breach. LastPass too suffered a data breach in 2015, and millions of users were exposed.
In 2017, a group of security researchers called TeamSIK from the Fraunhofer Institute for Secure Information Technology (SIT) in Darmstadt, Germany, published a security assessment of nine popular password manager applications on Android and found all of them vulnerable.
The password managers they tested are:
- My Passwords
- Informaticore Password Manager
- LastPass
- Keeper
- F-Secure KEY
- Dashlane
- Hide Pictures Keep Safe Vault
- Avast Passwords
- 1Password
According to them, "we performed a security analysis on the most popular Android password manager applications from the Google Play Store based on download count. The overall results were extremely worrying and revealed that password manager applications, despite their claims, do not provide enough protection mechanisms for the stored passwords and credentials. Instead, they abuse the users' confidence and expose them to high risks. We found several implementation flaws resulting in serious security vulnerabilities. Some applications stored the entered master password in plaintext or implemented hard-coded crypto keys in the program code. Consequently, attackers can easily circumvent the crypto algorithm altogether and thereby gain access to all of the user's data. In other cases, we could simply access all 'securely protected passwords/credentials' with the help of an additional app."
According to TeamSIK all the vulnerabilities have been fixed by the respective vendors.
All the popular password managers are quick to resolve such issues; they patch vulnerabilities as early as possible.
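As an added example (not code from this post or from any of the products named), the Python sketch below shows the master-password handling described above and what separates it from the plaintext master-password and hard-coded-key flaws in the TeamSIK findings: PBKDF2 stretches the master password into the vault key, and what gets persisted is a random salt, the iteration count and a verifier derived from the key, never the password itself. The verifier construction, iteration count and field names are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed work factor; real managers tune this to what the device can afford.
ITERATIONS = 100_000
KEY_LEN = 32  # 256-bit key that would encrypt the vault entries


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into the vault key with PBKDF2-HMAC-SHA256.

    Every iteration re-applies HMAC, so an offline guess costs the attacker the
    same number of rounds per candidate password that one unlock costs the user.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def verifier_for(key: bytes) -> bytes:
    """Constructed check value: a hash of the derived key, not of the password."""
    return hashlib.sha256(b"vault-verifier:" + key).digest()


def create_vault_header(master_password: str) -> dict:
    """Everything the manager persists: salt, iteration count and verifier.

    The master password is used once to derive the key and then discarded, so
    neither the vault file nor a sync server ever holds it (zero knowledge).
    """
    salt = secrets.token_bytes(16)  # fresh per vault: same password, different key
    key = derive_vault_key(master_password, salt)
    return {"salt": salt, "iterations": ITERATIONS, "verifier": verifier_for(key)}


def unlock(master_password: str, header: dict):
    """Re-derive the key from the stored salt; return it only if the verifier matches."""
    key = derive_vault_key(master_password, header["salt"], header["iterations"])
    # Constant-time comparison so a wrong guess does not leak where it diverged.
    if not hmac.compare_digest(verifier_for(key), header["verifier"]):
        return None
    return key


if __name__ == "__main__":
    header = create_vault_header("correct horse battery staple")  # constructed sample
    print("stored fields:", sorted(header))  # no master password among them
    print("right password unlocks:", unlock("correct horse battery staple", header) is not None)
    print("wrong password unlocks:", unlock("correct horse battery stapl", header) is not None)
```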
We also have KeePass, an open-source password manager. It is very easy to use: you create a master password and then store all your login details and associated passwords in it. It does everything an online password manager can do. With the required plugins you can get advanced features like autologin (which I don't recommend) and autofill. This password manager stores your records locally; you can keep the database on a hard disk, a pen drive, etc. You can even keep it on Google Drive.
Choosing a password manager is totally up to you. After evaluating the pros and cons, you have to choose the password manager which suits you best. You can go for a subscription-based manager and still have the option of storing your vault locally, but you will not be able to sync it across all your devices if it is not stored on their server.
I'm a strong believer in keeping my critical data isolated from everyone. So as far as I'm concerned, I use KeePass and store my database on my laptop and on my pen drive. I do not use the autologin or autofill plugins either. I feel it's a good trade-off.
“Rather be safe than sorry”. -- Jacque Jones
Basheer Ahmed Khan
Marcom and Product Research
Systech Services Limited