To help you develop a good password management strategy we have created a three-part series of articles. Password Hygiene 101 was the introduction to the good and bad password setting habits and choices people make and touched on some of the ways passwords can be compromised. Our second article Setting Strong Passwords highlighted the principles to follow when creating a strong password and how to test it.
Fundamentally these two articles rely on your ability to remember each password – a difficulty compounded by how many online accounts we’re expected to have these days. Password Managers are a solution to the issue of not being able to recall dozens of unique passwords based on the principles we outlined in the second article. This article introduces Password Managers, how they work, their advantages and potential pitfalls, to help you decide if they’re a tool that benefits you.
What is a Password Manager?
A Password Manager is a piece of software (or hardware device) that helps you create passwords that are strong by today’s standards. It also acts as an encrypted vault that stores those passwords securely so you don’t have to remember them all. All you need to remember is one master password to access all of the stored passwords within the vault. As you go to log in to an account online you are prompted by your Password Manager to enter your master password, and the Password Manager fills in the login screen with the correct password for that particular account. Of course, this makes the strength of the master password critical, and it must not be reused anywhere else – including within the Password Manager for other accounts.
What are the advantages of a Password Manager?
- Solution to the issue of not remembering numerous passwords
- Ensures you have a truly unique password for each account, so that if one is compromised the bad actor does not gain access to every other account that shared the same password
- Good at protecting you against phishing scams, as the Password Manager won’t fill a password into a website impersonating another. We say ‘good’ because some impostor websites linked to via phishing scams are starting to require manual entry of passwords. However, Password Managers are far better at spotting fake websites than humans.
- Useful in preventing malicious keystroke logging malware from recording your password (this is counterbalanced further below). You will need to use a biometric login option rather than a typed master password though
- Thanks to the encryption involved, even if a Password Manager is hacked that doesn’t necessarily mean the bad actor has access to all passwords, as they are stored in encrypted form.
- It can be used on all devices (desktop, laptop, tablet, mobile) thanks to encrypted sync
- Some have a function you can activate to help you track which accounts you no longer use and suggest you close them to reduce your online exposure.
- Convenience and time saving when logging in to accounts thanks to prefill
Are there any potential disadvantages?
The obvious pitfall is that all of your passwords are in the one place and that in itself means if your master password is compromised the whole system folds, likewise if the software itself is compromised. Given bad actors are very interested in Password Managers (and some have been hacked in the past) they naturally have a growing target on them. Other potential issues to consider:
- If you lose or forget your master password, you lose access to all of your passwords. This tends to happen as the selling point of a Password Manager is that you no longer have to remember all passwords, so naturally people don’t remember those stored within their Password Manager. Many now provide contingency plans to address this issue though such as providing you with recovery codes – check this when assessing providers
- As mentioned in the paragraph above, Password Managers are a relatively new and attractive target, considered a pot of gold for bad actors. If your computer is infected with malware, the malware may be able to read every password kept in your Password Manager when it’s unlocked. Don’t forget keylogging malware already exists for passwords you type in anyway, so these risks largely cancel each other out. However, you may not use every password during the time you’re infected with such malware, so in this respect the Password Manager is objectively slightly riskier as it exposes all stored passwords at once.
- If you use your Password Manager on a work computer or other employer provided device, members of your IT team with administrative access may be able to compromise your passwords when you unlock your Password Manager (or leave it unlocked). We would simply recommend not putting work passwords into a personal Password Manager and vice versa. Keep the two worlds separate.
- If your device, such as a mobile phone, is stolen and the thief is able to unlock it, they may be able to access your Password Manager if you didn’t configure it to require unlocking with every use.
- Some services don’t support Password Managers; traditionally these are banks and financial institutions. Furthermore, even if your bank supports Password Manager login, they may not give you your money back if you are the victim of a Password Manager compromise or other similar attack. This is because Password Manager use constitutes ‘writing a password down’. Ensure you check the policies of any high-value accounts in relation to this.
Should you use one?
This is very dependent on your personal circumstances, most obviously your use of the internet. If you’re retired, for example, you may have a minimal number of online accounts. Your internet use may be minimal and so the number of passwords you have to manage / remember may be quite modest. On the other hand, if you’re of working age or run an internet-based business relying on many passwords (we can relate) you’ll likely have well over 50 accounts to secure. Whilst Password Managers are generally easy to use, people who aren’t computer savvy may find using such a tool daunting.
Like every piece of software, Password Managers cannot be guaranteed to be perfect or safe from compromise in the future. They are nonetheless a highly recommended tool because, while not perfect or hack proof, they are significantly better and more secure than the password setting and storage habits most people currently have. If you are still undecided one way or another, consider starting to use a Password Manager as a trial with low-risk accounts – those that will cause you no / limited negative impact if you lost access to them. This will then go one of three ways:
- You will decide it’s a perfect tool and use it for all of your accounts
- You will decide it’s not for you
- You will find not having to remember low-risk passwords will make remembering high-risk ones easier and continue with a mixed password management strategy. Any password that could lead to you losing money, ruining your life or being doxed stays in your head.
To eliminate some of the issues in storing all passwords in the one place we recommend the strategy below.
Double-Blind Password Manager Strategy
As you’ve read, some of the potential pitfalls of a Password Manager involve holes or vulnerabilities in the Password Manager software, or malicious keystroke logging software finding its way onto your device. Both have the potential to identify or extract your full password from your Password Manager. However, what if the Password Manager didn’t know your full password? Let’s say your Password Manager only knew 90% of it – the 90% that’s difficult to remember – and you remembered the other 10%. This is known as the Double-Blind Strategy, as neither you (you can’t remember it all) nor the Password Manager knows the full password.
Let’s say your Password Manager recommends the following password for your email account: ‘LzdhYike7$!8Dh3V’. This is a strong password – we just tested it at Passfault, which reported 140 centuries to crack. It is, however, impossible to remember amongst 50 other similar passwords – but that’s the job of your Password Manager.
Your job is to remember ‘84$@’, because the password you will actually set for your email account will be ‘LzdhYike7$!8Dh3V84$@’; however, you won’t save those last four characters in your Password Manager.
Using this example with Passfault, the password with the extra four characters at the end extended the time to crack to 264,301,791 centuries. If your Password Manager is compromised the bad actor still doesn’t have your full password (as it’s missing the last four characters, which only you know), and neither do keystroke loggers (as the Password Manager inputs the first part of the password, not you on the keyboard). You can reuse this four-character code on all passwords so that you only have to remember the one, because the first 90% of each password is unique.
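To make the split concrete, here is an added Python example (not code from the article or from the All Things Secured guide) that composes the two halves using the article’s own sample values, simulates a website verifying a salted PBKDF2 hash of the full password (a hypothetical server side, with an assumed 200,000-round cost), and shows that neither the vault part alone nor the remembered part alone logs in. The entropy estimate is a plain character-class calculation, not Passfault’s model, so its figures differ from the centuries quoted above.

```python
import hashlib
import hmac
import math
import os

# Constructed values from the article's illustration: the vault keeps the first
# part, the user keeps only the last four characters in their head.
MANAGER_STORED = "LzdhYike7$!8Dh3V"
REMEMBERED_SUFFIX = "84$@"
PBKDF2_ROUNDS = 200_000  # assumed hashing cost of the simulated site

def full_password(stored: str, suffix: str) -> str:
    """The credential the website actually receives: vault part + remembered part."""
    return stored + suffix

def register(password: str):
    """Hypothetical server side: store a salted PBKDF2-SHA256 hash of the full password."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check of a login attempt against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

def entropy_bits(password: str) -> float:
    """Brute-force search space in bits from the character classes present.
    Unlike Passfault this ignores dictionary patterns; it only shows how much the
    extra characters add for a random password."""
    classes = [
        (any(c.islower() for c in password), 26),
        (any(c.isupper() for c in password), 26),
        (any(c.isdigit() for c in password), 10),
        (any(not c.isalnum() for c in password), 33),  # printable ASCII symbols
    ]
    pool = sum(size for present, size in classes if present)
    return len(password) * math.log2(pool)

def demo() -> dict:
    """What each party can log in with if they hold only their part."""
    pw = full_password(MANAGER_STORED, REMEMBERED_SUFFIX)
    salt, digest = register(pw)
    return {
        "full_logs_in": verify(pw, salt, digest),
        "vault_only_logs_in": verify(MANAGER_STORED, salt, digest),      # leaked vault
        "suffix_only_logs_in": verify(REMEMBERED_SUFFIX, salt, digest),  # keylogged typing
        "bits_vault_part": round(entropy_bits(MANAGER_STORED), 1),       # 105.1
        "bits_full": round(entropy_bits(pw), 1),                         # 131.4
    }
```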
Here is a helpful video from the good folks at All Things Secured to demonstrate the strategy in action, and we’ve also included their text guide to setting this up in the Further Reading section at the end of this article. We believe this strategy is as good as it gets in terms of a password management strategy, and your obligation is limited to:
- The cost of purchasing / subscribing to a Password Manager
- Remembering one master password
- Remembering one four-character code to add to the end of Password Manager generated passwords when logging in.
For this to work you will obviously need to deselect the option for your Password Manager to detect and save new passwords. Please check this functionality is available, as it may not be with all Password Managers; the guide by All Things Secured covers this at the end, and it’s linked above and under Further Reading below.
Which one should you use?
As we said in VPN 101, there are many options out there for these tools, including free ones, but as always in life – you get what you pay for. Best in class software from a reputable company which conducts regular checks and updates of their software comes at a cost, usually in the form of a subscription to fund the constant strengthening and improvement of the software. This is not to dismiss the possibility of some free options being equally (or more) secure than the paid ones; however, it’s less likely on balance. When choosing a potential provider, look into them using these criteria:
- Offers a password-protected vault that cannot be accessed / seen by the Password Manager company themselves (uses zero-knowledge architecture). This is very important as it significantly reduces your exposure if the provider is breached.
- Choose a standalone password manager (its own program or app) over a browser-based one
- Offers end-to-end encryption using AES-256 standard
- Offers a random password generator
- Provider has a history of outside source audit and ongoing development
- Offers website and password breach alerts
- Sync across multiple devices and operating systems
- Works with your preferred browser
- Offers a range of unlock options such as facial recognition, fingerprint recognition and / or security questions
- Features not found with competitors which may be of benefit to you such as family plans, storing shipping and payment information, dark web monitoring, credit monitoring, travel mode, the ability to transfer your passwords to a trusted person if you become incapacitated or pass away, or OS support (Linux users take note).
The purpose of this article isn’t to provide company recommendations but rather to help you understand the tool and decide if it’s for you. However, some examples of reputable Password Managers are listed below as a starting point. We do not have any affiliation with or receive any benefit from listing them; they are listed because they consistently score highly in objective tests:
Support your Manager
Help your Password Manager work to its fullest potential with the following supporting activities:
- Lock it after each use and never keep it running in the background; close the program when you’re done
- Use a reputable antimalware software provider to ensure your devices are clean from new/future malware threats written to target Password Managers. Our strong advice is to ensure your devices are clean and secure before starting with a Password Manager
- Avoid using a PIN to unlock on mobile
- Always update your device software
- Enable 2FA on all accounts that support it
- Use a VPN on your devices
- Ensure your device is encrypted
No security solution available on the market can promise to be 100% vulnerability free now let alone in the future and indeed Password Managers have been compromised in the past. However, they constantly improve to keep bad actors at bay and are widely considered a much superior solution when compared to most people’s password creation and storage habits (which we outlined in our other password articles linked in the opening paragraph).
The majority of cybersecurity experts agree that a Password Manager is worth having and the advantages outweigh the disadvantages or potential risks many times over. Consider a Password Manager like a seatbelt or helmet – they may not protect you from every single type of incident but significantly improve your chances.
The one piece of advice we’d most like to bring home as we wrap up this article is to customise your digital safety strategy. You don’t have to use a Password Manager, or any similar tool, as intended. Options we’ve suggested for Password Managers include not storing all passwords (just the low value ones) and not storing the entire password (Double-Blind Strategy) for example. You don’t have to use every tool or enact every precaution we write about if it’s not relevant to you and your use of the internet.
Further Reading
Setting up the Double-Blind password strategy: https://www.allthingssecured.com/tips/password-security/double-blind-password-strategy/
UK National Cyber Security Centre recommendation on Password Managers: https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers
Troy Hunt of Have I Been Pwned fame wrote a piece on Password Managers: https://www.troyhunt.com/password-managers-dont-have-to-be-perfect-they-just-have-to-be-better-than-not-having-one/
ISE report on extracting passwords from Password Managers: https://www.ise.io/casestudies/password-manager-hacking/
This article is written in line with our Terms & Conditions and Disclaimer. As such all content is of a general nature only and is not intended as legal, financial, social or professional advice of any sort. Actions, decisions, investments or changes to device settings or personal behaviour as a result of this content are at the user’s own risk. Privacy Rightfully makes no guarantees of the accuracy, results or outcomes of the content and does not represent the content to be a full and complete solution to any issue discussed. Privacy Rightfully will not be held liable for any actions taken by a user/s as a result of this content. Please consider your own circumstances, conduct further research, assess all risks and engage professional advice where possible.