In recent columns I’ve advocated for the general use of password managers as a mechanism to improve your password hygiene. Password managers generate strong passwords on a per-site basis and store them, eliminating the need for you to remember dozens of passwords for the different websites that you regularly visit. It also should eliminate the more common and very unsafe practice of reusing the same password on different websites. Naturally the question has come up: How safe are password managers? Aren’t they the digital equivalent of putting all our eggs in one basket?
While it’s true that all your "eggs" (your passwords) are in one basket (the password manager), there are strong security mechanisms present in all the leading password managers that prevent unauthorized access.
Most online password managers, like LastPass and 1Password, store your passwords in encrypted form but don’t retain any ability to decrypt those passwords. That ability stays with you, the user. This means that even if their sites were breached and a hacker stole encrypted data, it would take them literally years to decrypt it with current technology. We call this "computationally infeasible."
What if a hacker learned your master password? Wouldn’t they be able to log in and grab all of your passwords? Generally speaking, the answer is no. But you do need to make sure you have a strong master password — one that is long, unique and contains a mix of letters and numbers — and keep it secure. Online password managers have controls in place to prevent someone from using your master password on a machine that the system doesn’t recognize. Additionally, you can configure these systems to require two-factor authentication, such as Google’s free Authenticator, hardware tokens such as the inexpensive Yubikey, or even biometrics like fingerprint scanners, which are installed on some laptops now.
Additionally, most leading password managers restrict login locations from select countries. For instance, you can set your security settings in LastPass to allow logins only from computers in the U.S., or to deny logins from China and Russia. You can also disable access from popular location-hiding sites like TOR. These features aren’t foolproof, but incrementally raise the bar for someone trying to access your vault.
Security features aside, a significant benefit of online password managers is ease of use. With browser integration features, these password managers can auto-fill user credentials for sites it recognizes, completely eliminating the need to remember passwords or even usernames. They will generate strong, complex passwords for you when you create an account on a website or want to change your existing password. When you don’t have to remember passwords, they can be much more complex and harder to crack.
If you’re still uncomfortable with storing your passwords online, there are offline password managers you can install on your local computer. These don’t send your passwords to the Internet. One of the most popular — and free — is PasswordSafe, originally developed by security icon Bruce Schneier.
He wanted to develop a password vault he could hand to his worst enemy and feel confident that his passwords were safe. The downside of offline password managers is you lose the convenience of browser integration, so it cannot fill in passwords on the sites you are visiting, which is a big ease-of-use benefit of the online vaults.
Also, it’s harder to access your passwords when using a friend’s computer or device that doesn’t have your password vault stored on it. Some people get around this by syncing their PasswordSafe with DropBox or other cloud storage systems, but I think at that point you might as well use an online solution and leverage their usability benefits. There are hybrid solutions, like KeePass and 1Password, that allow you to choose where your passwords get stored.
For more information about password managers, you can Google the popular ones: LastPass, 1Password and KeePass. For information about PasswordSafe, go to www. schneier.com/passsafe.html. In my opinion, the benefits of using a password manager greatly outweigh the risks.
The protections they offer provide more than adequate safeguards against any currently known attacks.
Hawaiian Telcom Information Security Director Beau Monday is a local cybersecurity expert. Reach him at Beau.Monday@hawaiiantel.com.