Assessing the security of a password manager
There are many different password managers available, and the best one for you will depend on your exact personal circumstances, how you use passwords and what types of devices you use. When it comes to how secure each product is, there are many different factors to consider:
Your password manager must be set up correctly to be secure, so usability is a critical factor. A misconfigured product is worse than not having a password manager at all, as you’ve gone to the effort of collecting all your passwords into one place and then left them vulnerable to theft. It’s also essential that the password manager is easy to use. Otherwise, you may well be tempted to use shortcuts or workarounds if the product is too slow or makes logging in too frustrating.
Is the tool user-friendly?
The purpose of using a password manager is to allow the user to use long and complex passwords that they don’t need to remember. It then defeats the point if the tool is used to store simple passwords that could be easily guessed or cracked in a few seconds using a dictionary attack. Ideally, the password manager should enforce complexity standards and flag up any passwords that are too simple. The password manager should also be able to automatically generate complex random passwords.
Can the tool automatically create complex passwords?
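As an added illustration of the two requirements above (a generator that produces random passwords, and a checker that flags passwords that are too simple), here is an example in Python. It is not code from the original article or from any particular product; the policy thresholds, the tiny constructed list of common passwords and the entropy estimate are assumptions chosen for the demonstration.

```python
import math
import secrets
import string

# Constructed sample of commonly used passwords for this demo; a real product
# would check against a much larger breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def estimate_entropy_bits(password: str) -> float:
    """Upper-bound entropy estimate from the character classes actually used."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, min_length: int = 12, min_bits: float = 60.0) -> list:
    """Return a list of policy problems; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    # Strip trailing digits/punctuation: 'Password1!' is still a dictionary word
    # and falls to a rule-based dictionary attack in seconds.
    core = password.lower().rstrip(string.digits + string.punctuation)
    if core in COMMON_PASSWORDS:
        problems.append("dictionary word with trivial suffix")
    if estimate_entropy_bits(password) < min_bits:
        problems.append(f"estimated entropy below {min_bits} bits")
    return problems


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Generate a random password with the OS CSPRNG (secrets), never random.random."""
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Regenerate until the candidate also passes our own policy, so the
        # generator can never hand out a password the checker would flag.
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("123456", "Password1!", generate_password()):
        print(repr(sample), check_password(sample) or "OK")
```

The generator draws from `secrets` because the default `random` module is predictable and must never be used for credentials; running the checker on the generator's own output is what keeps the two features consistent with each other.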
The stored passwords are only as secure as the encryption used to protect them. There are two factors to consider: the strength of the encryption used to store the passwords at rest and, if different, the protection applied to a password while in transit between the store and your device whenever you retrieve it for use.
The in-transit encryption process is crucial for cloud-synchronized, multi-device password managers. The product should ensure that only authorized devices can send and receive password information, and that the information is safe from interception and modification. Also, bear in mind that synchronization may not be possible at the moment a change is made, for example, if a mobile device is locked or offline; the password information must then be stored securely until synchronization can occur.
What encryption is used for data at rest and in transit?
Personal Data Protection
It’s not only passwords that are stored; other authentication data such as usernames are also stored. Such information may also be valuable and needs protection using encryption, but not all password managers implement this.
What information is encrypted?
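The two points above (authenticated encryption of the vault, and encrypting the whole record rather than just the password field) can be shown with a small Python example. This is added code, not from the article or any product, and it uses only the standard library: scrypt for the key derivation, and HMAC-SHA256 in counter mode with an encrypt-then-MAC tag as a stand-in for the AES-GCM or ChaCha20-Poly1305 a real product would use. The scrypt parameters and the sample entries are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import struct

# scrypt cost parameters (constructed for this demo; a real product tunes them higher).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Derive separate encryption and MAC keys from the master password via scrypt."""
    km = hashlib.scrypt(master_password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based keystream standing in for AES-CTR."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_vault(master_password: str, entries: dict) -> bytes:
    """Encrypt-then-MAC the whole vault: returns salt || nonce || ciphertext || tag.

    The entire record (site, username and password) is encrypted, so usernames
    and other authentication data get the same protection as the password.
    """
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # The tag covers salt and nonce too, so none of the header can be swapped.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(master_password: str, blob: bytes) -> dict:
    """Verify the tag before decrypting; a wrong password or any modification raises."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault rejected: wrong master password or data modified")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def tamper_detected(master_password: str, blob: bytes) -> bool:
    """Flip one ciphertext byte, as a modified synced copy would, and check that open_vault refuses."""
    modified = bytearray(blob)
    modified[40] ^= 0x01  # inside the ciphertext for any vault with more than 8 bytes of JSON
    try:
        open_vault(master_password, bytes(modified))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample entry for the demo.
    sample = {"example.com": {"user": "alice", "password": "s3cret"}}
    blob = seal_vault("correct horse battery staple", sample)
    print(open_vault("correct horse battery staple", blob))
    print("tamper detected:", tamper_detected("correct horse battery staple", blob))
```

Because the tag is checked before anything is decrypted, a copy altered in transit is rejected outright rather than yielding corrupted plaintext, and a wrong master password fails the same way instead of leaking whether the password was "close".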
As the password manager stores all your valuable authentication credentials in one place, it’s essential that access to the tool itself is secure. As a minimum, the product should require a complex password and allow only a few attempts before blocking access, to prevent brute-force guessing. Ideally, the tool should have multi-factor authentication, so that even if the password is guessed or disclosed, this alone will not afford an attacker access.
How secure is the logon?
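An added Python example of the logon controls described above (not code from the article or any product): a master-password verifier hashed with scrypt, an attempt counter that locks the vault after a few failures, and a TOTP second factor (RFC 6238) implemented with the standard library. The attempt limit, lockout duration and the class name `VaultLogin` are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import struct
import time

MAX_ATTEMPTS = 5        # assumed policy: failures allowed before lockout
LOCKOUT_SECONDS = 300   # assumed policy: how long the lockout lasts


def totp_code(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter with dynamic truncation."""
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class VaultLogin:
    """Master-password check with attempt lockout and a TOTP second factor."""

    def __init__(self, master_password: str, totp_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.verifier = self._hash(master_password, self.salt)
        self.totp_secret = totp_secret
        self.failures = 0
        self.locked_until = 0.0

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Memory-hard KDF so offline guessing against a stolen verifier is slow.
        return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)

    def is_locked(self, now: float) -> bool:
        return now < self.locked_until

    def unlock(self, password: str, code: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        if self.is_locked(now):
            return False  # locked out: the credentials are not even evaluated
        password_ok = hmac.compare_digest(self._hash(password, self.salt), self.verifier)
        # Accept the current 30-second step and one either side to tolerate clock drift.
        code_ok = any(hmac.compare_digest(totp_code(self.totp_secret, now + drift), code)
                      for drift in (-30, 0, 30))
        if password_ok and code_ok:
            self.failures = 0
            return True
        # Count a failure whether the password or the code was wrong, so someone who
        # already has the password cannot keep guessing the six-digit code.
        self.failures += 1
        if self.failures >= MAX_ATTEMPTS:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failures = 0
        return False


if __name__ == "__main__":
    # Constructed demo secret; it is also the RFC 6238 test-vector seed.
    seed = b"12345678901234567890"
    login = VaultLogin("correct horse battery staple", seed)
    print("unlock:", login.unlock("correct horse battery staple", totp_code(seed, time.time())))
```

Both the password and the code are compared with `hmac.compare_digest` so that timing does not reveal how much of a guess was correct, and a lockout blocks evaluation entirely rather than just returning an error, which is the behaviour to look for when testing a product's logon.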
Password managers are great unless you lose access: forget the password that unlocks the password manager, and you’re effectively locked out of every account whose credentials it stores. The password manager should have a recovery option, should you forget the master password, that is simple enough to use when needed but secure enough that you, and only you, can use it. A common trick attackers use to access systems and services is to exploit account recovery processes with social engineering, especially where that process is managed remotely by a service provider.
How secure is the recovery process?
If you need to export the stored credentials to a text file or in an electronic format to transfer to another device or application, how secure is the export process? Could the exported data be vulnerable to compromise? There’s no point exporting the data to re-use if you immediately need to change all the passwords anyway because you cannot be sure it is secure.
How secure is the export option?
Password managers are, in essence, just another application and should be treated as such. All applications come with vulnerabilities introduced during their development and so will require periodic updates and patches. Check how the password manager is updated and whether the process of issuing updates is secure. Given the potential value of the contents, organized attackers will invest considerable time and effort into finding ways to compromise a password manager. They may even try to trick users into installing a compromised software update containing malicious code.
How is the product updated, and is it secure?
One of the most common ways users store passwords for easy access is in internet browsers. The save and auto-fill functions offer a quick and easy route to password management for free, and some browsers even let you synchronize stored passwords between different devices. However, this may not be secure. Users can easily see the stored passwords with minimal security controls; any malware that makes it onto your device or websites running malicious code that you visit will have the same simple access. Some password managers can also auto-fill information in internet browsers and other applications. This offers the same convenience but more securely.
Does the product support auto-fill functions?
If you are using a password manager on different devices, you obviously need to ensure that all of their operating systems are supported. That could be Windows, macOS, or Linux on a laptop, or iOS or Android on a smartphone or tablet. While this may limit the choice of suitable products depending on your individual needs, having a device that isn’t supported may result in the adoption of unsafe workarounds, such as exporting passwords as plain text.
Does the product support all your platforms and devices?
Are password managers secure?
No software application can be completely secure; there are always flaws and vulnerabilities exposed over time.
Research undertaken on password managers running on Windows 10 found that several products exposed credentials by allowing a decrypted, plain-text copy to sit temporarily in the computer’s memory, where it could be read by malware residing on the computer and scanning that memory. While the risk is undoubtedly low, the vulnerability exists.