Password manager

From HandWiki
Short description: Application for storing and managing passwords


A password manager is a computer program that allows users to store and manage their passwords[1] for local applications or online services such as web applications, online shops or social media.[2] A web browser generally has a built in version of a password manager. These have been criticised frequently as many have stored the passwords in plaintext, allowing hacking attempts.

Password managers can generate passwords[3] and fill online forms.[2] Password managers may exist as a mix of: computer applications, mobile applications, or as web browser extensions.[4]

A password manager may assist in generating passwords, storing passwords,[1][5][6] usually in an encrypted database.[7][8] Aside from passwords, these applications may also store data such as credit card information, addresses, and frequent flyer information.[3]

The main purpose of password managers is to alleviate a cyber-security phenomenon known as password fatigue, where an end-user can become overwhelmed from remembering multiple passwords for multiple services and which password is used for what service.[3]

Password managers typically require a user to create and remember one "master" password to unlock and access all information stored in the application.[9] Password managers may choose to integrate multi-factor authentication[9] through fingerprints, or through facial recognition software.[10] Although, this is not required to use the application/browser extension.

Password managers may be installed on a computer or mobile device as an application or as a browser extension.[5]

History

The first password manager software designed to securely store passwords was Password Safe created by Bruce Schneier, which was released as a free utility on September 5, 1997.[11] Designed for Microsoft Windows 95, Password Safe used Schneier's Blowfish algorithm to encrypt passwords and other sensitive data. Although Password Safe was released as a free utility, due to U.S. cryptography export restrictions in place at the time, only U.S. and Canadian citizens and permanent residents were initially allowed to download it.[12] As Google Chrome became the most used browser, the built in Google Password Manager became the most used password manager as of 2023 December.

Criticisms

Vulnerabilities

Some applications store passwords as an unencrypted file, leaving the passwords easily accessible to malware or people attempted to steal personal information.

Some password managers require a user-selected master password or passphrase to form the key used to encrypt passwords stored for the application to read. The security of this approach depends on the strength of the chosen password (which may be guessed through malware), and also that the passphrase itself is never stored locally where a malicious program or individual could read it. A compromised master password renders all of the protected passwords vulnerable, meaning that a single point of entry can compromise the confidentiality of sensitive information.

As with password authentication techniques, key logging or acoustic cryptanalysis may be used to guess or copy the "master password". Some password managers attempt to use virtual keyboards to reduce this risk – though this is still vulnerable to key loggers that take the keystrokes and send what key was pressed to the person/people trying to access confidential information.

Some password managers may include a password generator. Generated passwords may be guessable if the password manager uses a weak method of randomly generating a "seed" that all passwords generated by this program. Or, as in the case of LastPass,[13] the methods used to generate passwords may become compromised, leading to passwords generated by the application being easier to guess.

Furthermore, password managers have the disadvantage that any potential malicious individual or malware would just need to know one password to gain access to all of a user's passwords and that such managers have standardized locations and ways of storing passwords which can be exploited by malware.[14] This is known as a single point of failure.

Blocking of password managers

Various high-profile websites have attempted to block password managers, often backing down when publicly challenged.[15][16][17] Reasons cited have included protecting against automated attacks, protecting against phishing, blocking malware, or simply denying compatibility. The Trusteer client security software from IBM features explicit options to block password managers.[18][19]

Such blocking has been criticized by information security professionals as making users less secure.[17][19] The typical blocking implementation involves setting autocomplete='off' on the relevant password web form. Consequently, this option is now ignored from on encrypted sites,[20] Firefox 38,[21] Chrome 34,[22] and in Safari from about 7.0.2.[23]

A 2014 paper from researcher at the Carnegie Mellon University found that whilst browsers refuse to autofill if the protocol on the current login page is different from the protocol at the time the password was saved, some password managers would insecurely fill in passwords for the unsecured (HTTP) version of encrypted (HTTPS) site passwords. Most managers did not protect against iframe and redirection based attacks and exposed additional passwords where password synchronization had been used between multiple devices.[20]

See also

References

  1. 1.0 1.1 Waschke, Marvin (2017) (in en). Personal cybersecurity : how to avoid and recover from cybercrime. Bellingham, Washington: Apress. pp. 198. doi:10.1007/978-1-4842-2430-4. ISBN 978-1-4842-2430-4. OCLC 968706017. https://books.google.com/books?id=hJHlDQAAQBAJ&pg=PA198. 
  2. 2.0 2.1 "What is a Password Manager? - Definition from Techopedia" (in en). http://www.techopedia.com/definition/31435/password-manager. 
  3. 3.0 3.1 3.2 "What is a Password Manager? 2022 Explainer Guide" (in en-US). https://tech.co/password-managers/what-is-a-password-manager. 
  4. "Definition of password manager" (in en). https://www.pcmag.com/encyclopedia/term/password-manager. 
  5. 5.0 5.1 Seitz, Tobias (2018). Supporting users in password authentication with persuasive design (PDF) (Thesis). Ludwig-Maximilians-Universität München. doi:10.5282/edoc.22619.
  6. University, Carnegie Mellon. "Password Managers - Information Security Office - Computing Services - Carnegie Mellon University" (in en). http://www.cmu.edu/iso/governance/guidance/password-managers.html. 
  7. Price, Rob (2017-02-22). "Password managers are an essential way to protect yourself from hackers – here's how they work" (in en). Business Insider. http://www.businessinsider.com/how-to-use-password-manager-store-protect-yourself-hackers-lastpass-1password-dashlane-2017-2/#a-password-manager-replaces-all-those-awful-passwords-you-use-with-just-one-you-need-to-remember-2. 
  8. Mohammadinodoushan, Mohammad; Cambou, Bertrand; Philabaum, Christopher Robert; Duan, Nan (2021). "Resilient Password Manager Using Physical Unclonable Functions". IEEE Access 9: 17060–17070. doi:10.1109/ACCESS.2021.3053307. ISSN 2169-3536. 
  9. 9.0 9.1 "Best Password Managers for Mac - Security" (in en-US). https://tech.co/password-managers/best-mac-password-manager. 
  10. "Best Password Manager for iPhone 2022" (in en-US). https://tech.co/password-managers/best-password-manager-iphone. 
  11. { {Cite web |title=Counterpane Systems Brings the Security of Blowfish to a Password Database |
    //www.counterpane.com/passsafe.html |archive-date=1998-01-19 }}
  12. "Counterpane Systems Brings the Security of Blowfish to a Password Database". http://www.counterpane.com/passsafe.html. 
  13. Toubba, Karim (March 1, 2023). "Security Incident Update and Recommended Actions". https://blog.lastpass.com/2023/03/security-incident-update-recommended-actions/. 
  14. "Pros and Cons of Password Managers" (in en-US). 2017-05-13. https://blog.lumen.com/pros-and-cons-of-password-managers/. 
  15. Mic, Wright (16 July 2015). "British Gas deliberately breaks password managers and security experts are appalled". https://thenextweb.com/insider/2015/07/15/no-pass-on-this-one/. 
  16. Reeve, Tom (15 July 2015). "British Gas bows to criticism over blocking password managers". http://www.scmagazineuk.com/british-gas-bows-to-criticism-over-blocking-password-managers/article/426463/. 
  17. 17.0 17.1 Cox, Joseph (26 July 2015). "Websites, Please Stop Blocking Password Managers. It's 2015". https://www.wired.com/2015/07/websites-please-stop-blocking-password-managers-2015/. 
  18. "Password Manager". https://www.trusteer.com/support/norton-password-manager. 
  19. 19.0 19.1 Hunt, Troy (15 May 2014). "The "Cobra Effect" that is disabling paste on password fields". http://www.troyhunt.com/2014/05/the-cobra-effect-that-is-disabling.html. 
  20. 20.0 20.1 "Password Managers: Attacks and Defenses". https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-silver.pdf. 
  21. "Firefox on windows 8.1 is autofilling a password field when autocomplete is off.". https://support.mozilla.org/en-US/questions/1064817. 
  22. Sharwood, Simon (9 April 2014). "Chrome makes new password grab in version 34". https://www.theregister.co.uk/2014/04/09/chrome_makes_new_password_grab_in_version_34/. 
  23. "Re: 7.0.2: Autocomplete="off" still busted". https://discussions.apple.com/message/25080203#25080203. 

External links