I just recently read an article advocating the use of password managers, and while I understand why someone might think using these programs might be a good idea, it's my understanding that these types of programs can be a weakness to cyber security. I know that password managers generally store your password to an encrypted file, either locally or on a server somewhere online, but those files storing your password can be a target for an attacker, so you've essentially given him one target to get all your passwords. Am I correct in my understanding in this, and is there a secure way to use programs like this?
2 Answers
I would call it a security trade-off rather than a security weakness.
Password managers help solve the problem of duplicate passwords (mine scolds me if I use the same password twice, so I fix it.) and of easy passwords (mine makes it easy to generate 20 characters of gibberish and "remember" it) so I don't have to write them down or use variations of my dog's name for each one.
The possible duplicate that @BadSkillz linked to above provides a good answer to your question that details the trade-offs.
you've essentially given him one target to get all your passwords
If I was a pentester, I would identify as many password managers as possible for the organization I was targeting and then start guessing passwords, hoping that somebody used an easy one.
is there a secure way to use programs like this?
Risk can be mitigated by two-factor authentication as offered by Yubikey or SMS messaging. This makes it less convenient, of course.
I've found that in an effort to compete, these password managers are adding convenience "features" (such as credit checks, autofill, syncing with other devices) that introduce complexity and therefore insecurity. These "features" need to be evaluated seperately for security. In this case, risk can be mitigated by turning off the extra features.
- 6,844
- 2
- 26
- 46
The short answer is that it is unlikely that you individually will be targeted for your passwords. If your password becomes compromised it is more likely it will be as a result of a breach in a service you use - e.g. a website. A password manager is useful for someone who either has a lot of passwords to remember or isn't very good at remembering them.
It is worth remembering that nothing will stop a determined attacker. At best you can hold them off or persuade them to move on to someone easier to attack.
Here is some good advice on using Keepass Why use Keepass, etc. if all your passwords are in one place?
- 201
- 2
- 5
-
5*"A password manager is useful for someone who either has a lot of passwords to remember or isn't very good at remembering them."* i.e. everyone who regularly uses the internet. – Philipp Jul 27 '15 at 14:24