Are Password Managers Safe to Use?
You already know the importance of using strong passwords and the threats you face if you do not. To make strong, unique passwords practical, many of us use password managers. They are supposed to keep our credentials safe, but at times all they give us is a false sense of security. Moreover, not all password managers offer the same level of security: a poorly protected vault is a single target that an attacker can brute-force offline, and with it goes your identity.
Password Managers And Why They Are Used
Password managers are apps, browser extensions or tools that store all your passwords securely in one place. These include the many passwords you create when you sign up at sites like Amazon, Netflix, or YouTube, as well as the strong, hard-to-remember passwords you may have set for your email, ISP, phone company, and others.
You save all these passwords in the app and lock it with one separate password, the master password. To access any of your login credentials you need only that one. Open the app, pick the service you want to use, and copy and paste its password. Some password managers add security options such as two-factor authentication; others add convenience with auto-fill, which enters your saved credentials into a website's login form for you.
Issues With Password Managers
While it is true that password managers make logging in more convenient, you cannot ignore the risks they add. The risk is greatest when you use the browser extension that comes with your password manager, because the extension runs inside every page you visit. A malicious or compromised website can then attack the extension itself with the same web attacks used against any site, such as XSS (Cross-Site Scripting) or CSRF (Cross-Site Request Forgery).
A case in point is one past LastPass security issue, in which a malicious website could run a script that checked whether the LastPass extension was enabled in your browser. The page would then display a notification identical to LastPass's own, telling you that your session had expired and that you needed to log in again. Clicking the link took you to a phishing page that looked just like the LastPass login page.
When you logged in, the phishing site checked your credentials against the LastPass API. If they were correct, it asked you for your two-factor authentication token, verified that against the API as well, and immediately sent your details to the attacker's server. If the login details were wrong, the script loaded an error message and asked you to try again. The practical defence is to treat any login prompt that appears inside a web page as untrusted, and to unlock the manager only through the extension's own toolbar icon after checking the address bar.
Other past LastPass issues gave attackers complete access to the extension's internal privileged RPC commands, allowing them to execute code; an attacker could also override legitimate messages to mount similar phishing attacks.
The Insecure Internet
The example above is not the only issue with browser-based password managers that has come to light. According to Network World, Keeper, 1Password, and Dashlane have also had security issues.
One past Keeper vulnerability was that the extension injected its trusted UI into untrusted sites, leaving it open to attacks such as CSRF and XSS. Dashlane had a universal XSS vulnerability, which let one site attack another with XSS and compromise cookies, login credentials, and other user data. Past 1Password problems involved disabling the local security model, virtualization, and sandboxing, among other features.
These Issues Are Just the Tip of the Iceberg
Every day, attackers find smarter ways in, and phishing sites get better at avoiding detection. Several password managers ship with auto-fill enabled. According to Wired, populating a web page's login form with your saved credentials is the biggest single weakness. As the Center for Information Technology Policy at Princeton reports, attackers exploiting these long-standing weaknesses in browser and password-manager auto-fill is just the beginning.
Tracking scripts can abuse this auto-fill feature: a third-party script on a page where you have a saved login inserts an invisible login form, auto-fill populates it without you doing anything, and the script reads the values out and sends them away. So far such scripts have been seen on only about a thousand sites, but we can be sure they are only gearing up. When you learn of a breach, you can change your password; with these weaknesses, your details are stolen without your knowledge, and a password manager cannot help you once that has happened.
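The silent fill described above works because a weak fill policy matches on hostname alone and fills on page load. The following is an added example, not code from the original article or from any password manager vendor: it models the decision a browser extension makes before auto-filling a saved credential, first with a naive policy and then with a hardened one that refuses hidden fields, cross-origin frames, lookalike hosts and http downgrades. The page and field context objects are constructed stand-ins for the DOM, and the policy and scenario names are this example's own.

```javascript
// Added example, not code from the original article or from any password
// manager vendor: a model of the decision a browser extension makes before
// auto-filling a saved credential. The context objects below are constructed
// stand-ins for the DOM; the policy and scenario names are this example's own.
'use strict';

// Constructed sample credential, keyed by the origin it was saved on.
const savedCredential = {
  origin: 'https://accounts.example.com',
  username: 'alice@example.com',
  password: 'correct horse battery staple',
};

// Weak policy: fill as soon as the page loads, whenever the page's hostname
// merely contains the saved hostname.
function naiveShouldFill(cred, ctx) {
  const savedHost = new URL(cred.origin).hostname;
  return new URL(ctx.frameOrigin).hostname.includes(savedHost);
}

// Hardened policy. ctx fields:
//   frameOrigin  origin of the frame that contains the login field
//   topOrigin    origin of the top-level page (differs inside an iframe)
//   visible      the field is actually rendered on screen
//   userGesture  the user clicked the field or the manager's icon
function hardenedShouldFill(cred, ctx) {
  const saved = new URL(cred.origin);
  const frame = new URL(ctx.frameOrigin);
  const top = new URL(ctx.topOrigin);
  // 1. Exact origin match (scheme + host + port), never a substring match,
  //    so lookalike hosts and http downgrades are refused.
  if (frame.origin !== saved.origin) return { fill: false, reason: 'origin mismatch' };
  // 2. Inside an iframe the top-level page must match too, otherwise any site
  //    can embed the real login page and harvest what gets filled into it.
  if (top.origin !== saved.origin) return { fill: false, reason: 'cross-origin frame' };
  // 3. Never fill a field the user cannot see; invisible forms injected by
  //    third-party scripts are the exfiltration vector discussed above.
  if (!ctx.visible) return { fill: false, reason: 'field not visible' };
  // 4. Fill only on an explicit user action, never silently on page load.
  if (!ctx.userGesture) return { fill: false, reason: 'no user gesture' };
  return { fill: true, reason: 'ok' };
}

// Constructed scenarios.
const scenarios = {
  // The user clicks the real login field on the real site.
  legit: { frameOrigin: 'https://accounts.example.com', topOrigin: 'https://accounts.example.com', visible: true, userGesture: true },
  // A tracking script on the real site injects an invisible login form.
  hiddenForm: { frameOrigin: 'https://accounts.example.com', topOrigin: 'https://accounts.example.com', visible: false, userGesture: false },
  // A phishing host whose name contains the real hostname.
  lookalike: { frameOrigin: 'https://accounts.example.com.evil.test', topOrigin: 'https://accounts.example.com.evil.test', visible: true, userGesture: true },
  // Same host over plain http, which a network attacker can serve.
  downgrade: { frameOrigin: 'http://accounts.example.com', topOrigin: 'http://accounts.example.com', visible: true, userGesture: true },
  // The real login page embedded in an iframe on an attacker's site.
  embedded: { frameOrigin: 'https://accounts.example.com', topOrigin: 'https://evil.test', visible: true, userGesture: true },
};

// Runs both policies over every scenario; returns { name: { naive, hardened } }.
function evaluate() {
  const out = {};
  for (const [name, ctx] of Object.entries(scenarios)) {
    out[name] = {
      naive: naiveShouldFill(savedCredential, ctx),
      hardened: hardenedShouldFill(savedCredential, ctx),
    };
  }
  return out;
}

for (const [name, r] of Object.entries(evaluate())) {
  console.log(`${name.padEnd(11)} naive=${r.naive}  hardened=${r.hardened.fill} (${r.hardened.reason})`);
}
```

The naive policy fills in every scenario, including the invisible form and the lookalike host; the hardened policy fills only when the user clicks a visible field on the exact origin the credential was saved for. Requiring a user gesture is what turns a silent exfiltration into something you would at least notice.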
Protecting Your Passwords
So, won't websites notify you when they have been hacked? If that question is on your mind, you should know that there have been many cases where websites did little to keep their users informed. Even when major companies such as Yahoo! and Uber suffered data breaches, users were not told for a long time. So even if you trust a secure password manager, understand that your data is not safe on sites run by companies that do not secure them properly.
People’s Opinion On Password Managers
Many people do not agree that password managers are secure. Take Dave, a programmer at a software firm, who believes that “Using a local password manager is better as a cloud-based service can be hacked easily. Also, it makes sense to use a password management client if you need to save hundreds of login credentials, like I do, for business purposes.”
However, this is not a secure way either, according to Matt, who is an accountant. He says he prefers to depend on his own memory rather than trust some device to save his valuable passwords. According to him, all devices are vulnerable and the data could be stolen by someone who has physical access to your devices.
A similar view is expressed by Rosie, a student, who believes, “I have a habit of saving my passwords on a protected worksheet on MS Excel. I use a passphrase of over 20 characters, which I am sure is pretty difficult to crack. I do not trust either cloud-based or local device storage more than my own memory to secure my most sensitive information.”
Should You Use a Password Manager?
Now that you know the security vulnerabilities password managers can have, should you stop using one? The fact is that if you have many accounts, it is still better to use one, since you get an extra layer of security. It is far better than having none at all; not using one poses much bigger risks. But make sure you pick a secure password manager: one that derives the vault key from your master password with a deliberately slow key-derivation function, so that brute-force attacks on a stolen vault stay expensive, and one whose vendor patches promptly.
Either way, never use browser extensions or the built-in password storage of a browser such as Chrome. Use a desktop-based option instead, as these offer the most security, and turn off auto-fill, or at least set it to fill only when you explicitly ask. As a backup, you can also keep your passwords in an encrypted file or on an encrypted device.