Password Managers (1)

Password Managers

November 28th, 2021 Posted in Information Security

Introduction

Passwords are part of our everyday life. Nearly every website visited, service or application accessed will insist on creating an account and prompt the user to think of a password. With remote working being the “new normal”, the number of passwords users must remember has significantly increased, as most typical intranet and remote working applications now require additional authentication before being accessed. A survey by NordPass in 2020 estimates an average person has 70-80 different accounts. 

The National Cyber Security Centre’s (“NCSC”) latest guidance on passwords recommends that users avoid predictable or common passwords and not repeat them across multiple accounts. Users should create a unique password for each service they access, using at least 12 characters. The NCSC recommends that users use a “passphrase” rather than a password. A good example of a strong passphrase would be Yellow Coffee Mountain, which becomes YellowCoffeeMountain as a 20-character password.   

It’s easy to see why the NCSC encourages unique passwords. If a password is used on a single service and this account is compromised, the loss is restricted to that account only. This means threat actors will be unable to extend their attack using the compromised password on different accounts. However, in practical terms, this means 70 to 80 randomly generated passphrases for us to remember before we can access things we use in our everyday lives, such as checking our emails, accessing social media, or banking information. 

The human brain cannot cope with memorising so many passwords. To avoid being locked out of their accounts, people usually resort to insecure workarounds such as using common passwords, repeating the same ‘easy-to-remember password across multiple services, re-using a password with an updated suffix, or storing the password on a sticky note on a monitor. Such methods leave these users – and their organisations – vulnerable to threat actors, who are always lurking for their next victim, to steal information, leverage it for ransom pay-outs, or simply sell it on the dark web. 

Enter password managers: a solution designed to deter users from using insecure methods of creating and passwords by taking away this burden. Password managers offer an alternate, more secure way of coping with password overload. They help users create and store credentials they use to access services. Such credentials are stored in a vault, which is encrypted and accessed through a master key. 

Types of password managers

Enforcing the use of a password manager can help organisations to reduce the risk of credentials compromise and brute-force attacks. Password managers come in three different types: 

On-device managers

These store data securely on a single device. The data will only be compromised if the threat actor accesses the device beforehand. This type of password narrows the attack vector to the device itself, as the passwords can only be used on the device, they are stored in. However, if the device itself is compromised, there is no guarantee the passwords will be safe, for instance, if the hard disk becomes corrupt and the vault has not been backed-up; the stored passwords will be lost. Additionally, users who access the same service on multiple devices (e.g., laptops, phones or tablets), will not benefit from this option. 

Cloud-sync managers

The data are transferred to a remote server and accessed across multiple devices. This allows the passwords to be synced across different platforms, and in enterprise environments, allows administrators to centrally monitor and manage the passwords for the organisation. However, threat actors will have a single point of compromise for all passwords stored, should an account be inadvertently accessed. 

Browser-based password managers

These password managers are an extension to a user’s preferred internet browser and store the passwords within the browser itself. They offer the convenience of having passwords auto filled when browsing the internet with that specific browser. Though, no matter how secure passwords are, they risk being stolen when accessing malicious websites. Browser-based managers are susceptible to attacks conducted through JavaScript malware, such as drive-by-download attacks, where malware is unintentionally downloaded, and credentials are sourced on the victim’s computer. 

Benefits of password managers

Passwords are important when it comes to online security and protecting corporate secrets. When properly used, they can offer a strong defence mechanism. Having a software tool that stores and remembers all passwords eases the burden of having to remember unique complex passwords and subsequently makes it harder for threat actors to guess passwords, ultimately increasing the quality of passwords being used. By enforcing password managers, organisations will help staff reduce their reliance on insecure workarounds (such as a post-it note on a monitor), giving greater control and visibility over the usage of passwords across the organisation. 

Risks of password managers

Like any other software, password managers have vulnerabilities. Threat actors will often target password managers – as compromising an application that single-handily controls access to sensitive information proves to be an attractive target – especially in corporate environments. 

Moreover, devices that are already compromised will hinder the password manager’s ability to secure the data. For instance, if a device contains malware, it could potentially record the master password and allow a threat actor access to the password manager. 

Users can also forget their master password and if using a password manager that does not have a recovery feature, suffer the taunting task of resetting each individual login. What is more, password managers may be a completely new concept to some users, who may be reluctant to adhere to their use and revert to insecure ways of storing their passwords. 

What should your organisation choose?

There is a wide variety of password managers to choose from, each with its own set of unique features tailored to specific needs. Before committing to a specific product, organisations must consider the usability requirements of the product towards their needs, along with the level of protection of the stored credentials. There are even cases where organisations discard the use of password managers altogether and instead opt for an effective single sign-on process, where users authenticate once and access multiple services. 

There is no silver-bullet solution when it comes to choosing a password manager, as each type of password manager comes with its own benefits and drawbacks, as seen below: 

On-device 

Security: Highest 

+ safest option, 

+ does not require an internet connection 

- difficult to share 

 backups are manual 

 cannot be accessed from another device 

Examples:KeePass, Bitwarden, 1Password 

Cloud-sync 

Security:High 

+ Sync across multiple devices and platforms 

+ Cloud Backup 

+ Easy management for organisations 

- Data stored in third-party server 

- No control over security of the vault itself 

Examples: Zoho Vault, LastPass, NordPass, Dashlane 

Browser-based 

Security: Medium 

+ Free 

+ Easy to use 

  No cross-browser compatibility 

  Some cannot generate passwords 

  No password strength meter on some of them 

Examples:built-in browser managers (chrome, safari), Browser extension of existing products (Dashlane, LastPass) 

What to look for in a password manager

Regardless of the type of password manager, these features should be taken into consideration before committing to the product: 

Strong Encryption

Credentials at rest should be encrypted to deter threat actors from reading your sensitive information. When choosing a product, companies must analyse which encryption algorithm they use to encrypt data at rest and ensure that such algorithm is recommended by the NCSC, NSA or any other equivalent government entity. Advanced Encryption Standard with 256-bit keys (AES 256) is the current industry standard algorithm of choice to secure data at rest because of its exceptional strength. 

Data in transit must also be encrypted by the cloud-sync password manager to protect the password information as it is transferred over insecure and untrusted networks between the cloud application and the client. The transmitted data should be securely protected until added into the vault to hinder the threat actor’s efforts in intercepting and read/modify data. 

Access to credentials & master password recovery

Organisations must ensure the password manager does not allow unauthorised access to passwords without the decryption key. In addition, ensure the password manager implements the zero-knowledge architecture. This means that before passwords leave a device and are stored, they are encrypted, so the provider does not have any means to decipher sensitive data. Although some providers offer means to recover an account (such as team members, system administrator or a service provider), such methods can be exploited to access credentials. Thus, organisations should carefully consider if the risks associated outweigh the cost of losing access to the data in the vault. 

Multi-factor authentication & biometrics

Some password managers support multi-factor authentication (MFA), and amongst these additional methods, they offer biometric authentication. Companies ought to aim for a product that supports multi-factor authentication this feature and take full advantage of it. If a threat actor compromises an account, this additional layer of security will prevent them from accessing it without being in possession of the additional authentication mechanism.   

Policies

Enterprise password managers should allow for high privilege accounts to exist, giving these administrators the ability to recover accounts and control shared passwords. Administrators should also be able to enforce sets of policies that dictate how password managers are used within the organisation. They should also have visibility of accounts in a user’s vaults (including shared passwords) to aid them in the moving/leaving process. Auditing and logging, as well as mandating MFA should be options available to administrators, along with an audited password score, to allow them to improve the password quality within the organisation.  

Logging and monitoring 

Password managers should capture log data to enable administrators to oversee activities related to passwords. Some activities include who and when was a password accessed, or who can access a shared password. Control over device enrolment should also be considered an important feature, along with the ability to reset master passwords and monitor failed login attempts.   

Sharing

Although highly discouraged, in specific scenarios, users must share passwords between them. When evaluating this functionality, organisations should ensure users are able to see the difference between shared and individual passwords in the application. In addition, administrators should be able to control who can access shared passwords, and such access should be logged. In the case the shared password is changed, it should be synced between users who can access it.  

Conclusion

With so many services which require unique credentials, password managers are an essential tool to ensuring data and organisational secrets are protected. When choosing a password manager, companies should ensure data will remain protected at rest and in transit, and the master password will be accompanied by another layer of authentication. Organisations should also carefully consider tailored features which would conveniently assist in accessing services without additional overheads. 

Password managers will only go so far in the journey of improving online safety and overall security posture. To enhance it further, this method should be coupled with other security measures, such as using a reliable anti-malware solution. As an organisation, centralising and monitoring all sensitive information is a cornerstone to ensuring a good security posture. Password managers should be made available and strongly encouraged to users, so their credentials and other sensitive data are stored securely. 

Nelson Head Shot 250x250

Written by Nelson Santos

Nelson consults on information and cyber security, specialising in cloud and application security including threat modelling, SSDLC and Azure security. He has a First Class degree in Computer and Information Security, holds the Microsoft AZ-900 (Azure Fundamentals) and AZ-104 (Azure Administrator) certifications and is working towards a PhD in Applied Computing (specialising in data security in cloud environments using machine learning). Nelson has worked in IT support, information security and as a software developer before coming to work for Evalian™.