Password manager

A password manager is a software application that helps a user store and organize passwords. Password managers usually store passwords encrypted, requiring the user to create a master password; a single, ideally very strong password which grants the user access to their entire password database. Some password managers store passwords on the user's computer (called offline password managers), whereas others store data in the provider's cloud (often called online password managers). However offline password managers also offers data storage in users's own cloud accounts rather than provider's cloud. While the core functionality of a password manager is to securely store large collections of passwords, many provide additional features such as form filling[1] and password generation.[2]

Advantages

The advantage of password-based access controls is that they are easily incorporated in most software using APIs available in many software products, they require no extensive computer/server modifications, and that users are already familiar with the use of passwords. While passwords can be fairly secure, the weakness is how users choose and manage them, by using:

It is typical to make at least one of these mistakes. This makes it very easy for hackers, crackers, malware and cyber thieves to break into individual accounts, corporations of all sizes, government agencies, institutions, etc. It is protecting against these vulnerabilities that makes password managers so important.

Password managers come in six often-combined flavors:

Password managers can also be used as a defense against phishing and pharming. Unlike human beings, a password manager program can also incorporate an automated login script that first compares the current site's URL to the stored site's URL. If the two don't match then the password manager does not automatically fill in the login fields. This is intended as a safeguard against visual imitations and look-alike websites. With this built-in advantage, the use of a password manager is beneficial even if the user only has a few passwords to remember. While not all password managers can automatically handle the more complex login procedures imposed by many banking websites, many of the newer password managers handle complex passwords, multi-page fill-ins, and multi-factor authentication prior.

Password managers can protect against keyloggers or keystroke logging malware. When using a multi-factor authentication password manager that automatically fills in logon fields, the user does not have to type any user names or passwords for the keylogger to pick up. While a keylogger may pick up the PIN to authenticate into the smart card token, for example, without the smart card itself (something the user has) the PIN does the attacker no good. However, password managers cannot protect against Man-in-the-browser attacks, where malware on the user's device performs operations (e.g. on a banking website) while the user is logged in while hiding the malicious activity from the user.

Vulnerabilities

Desktop password managers and browser based password managers are convenient; however, they often do not provide any protection for stored passwords. If the passwords are stored in an unencrypted fashion, it is still generally possible to obtain the passwords given local access to the machine.

Some password managers use a user-selected master password or passphrase to form the key used to encrypt the protected passwords. The security of this approach depends on the strength of the chosen password (which might be guessed or brute-forced), and also that the passphrase itself is never stored locally where a malicious program or individual could read it. A compromised master password renders all of the protected passwords vulnerable.

As with any system which involves the user entering a password, the master password may also be attacked and discovered using key logging or acoustic cryptanalysis. Some password managers attempt to use virtual keyboards to reduce this risk - though this again is vulnerable to key loggers which take screenshots as data is entered. This risk can be mitigated with the use of a multi-factor verification device.

Some password managers include a password generator. Generated passwords may be guessable if the password manager uses a weak random number generator instead of a cryptographically secure one.

A strong password manager will include a limited number of false authentication entries allowed before the password manager is locked down and requires IT services to re-activate. This is the best way to protect against the brute-force attack.

Password managers that do not prevent swapping their memory to hard drive make it possible to extract unencrypted passwords from the computer’s hard drive. Turning off swap can prevent this risk.

Web-based password managers, which run inside the browser of the user, are particularly fraught with pitfalls. A detailed study using several password managers uncovered the following possible flaws inside web-based password managers:[4]

Online password manager

An online password manager is a website that securely stores login details. They are a web-based version of more conventional desktop-based password manager.

The advantages of online password managers over desktop-based versions are portability (they can generally be used on any computer with a web browser and a network connection, without having to install software), and a reduced risk of losing passwords through theft from or damage to a single PC - also the same risk is present for the server that is used to store the users passwords on. In both cases this risk can be prevented by ensuring secure backups are taken.

The major disadvantages of online password managers are the requirements that the user trusts the hosting site and a keylogger is not on the computer they are using. With servers and the cloud being a focus of cyber attacks, how one authenticates into the online service and that the passwords stored there are encrypted with a user defined key are just as important. Again, users tend to circumvent security for convenience. Another important factor is whether one or two way encryption is used.

There are mixed solutions. Some online password management systems distribute their source code. It can be checked and installed separately.

The use of a web-based password manager is an alternative to single sign-on techniques, such as OpenID or Microsoft's Microsoft account (previously Microsoft Wallet, Microsoft Passport, .NET Passport, Microsoft Passport Network, and Windows Live ID) scheme, or may serve as a stop-gap measure pending adoption of a better method.

Security token password managers

Security tokens like smart cards or secure USB flash devices are seen by security experts as the best way to authenticate users, since many require multi-factor authentication. The data stored in the token is usually encrypted to prevent probing and unauthorized reading of the data. Some token systems still require software loaded on the PC along with hardware (smart card reader) and drivers to properly read and decode the data. Some of the other advantages include: tokens can also be either contact or contactless smart card, stand-alone client based or tied into active directory. These tokens can be combined with RF ID badges for building access and use other security protocols like single sign-on (SSO), one-time passwords (OTP) and public-key infrastructure (PKI) instead of passwords to establish the trust. These tokens can be thought of as the key to secure the virtual front door.

The disadvantages include the different costs of ownership. Some implementations require back end server modifications, extensive training, server-to-token synchronization, outside certificate authorities and expensive tokens. Others may be less expensive to implement and have a lower cost of ownership, but may not support authentication, authorization, data integrity and non-repudiation. It is not that one token solution is better than another, but rather which is right for the environment, risk and budget.

Blocking of password managers

Various high profile websites have attempted to block password managers, often backing down when publicly challenged.[6][7][8] Reasons cited have included protecting against automated attacks, protecting against phishing, blocking malware of simply denying compatibility. The Trusteer client security software from IBM features explicit options to block password managers.[9][10]

Such blocking has been criticized by information security professionals as making users less secure and that justifications are bogus.[8][10] The typical blocking implementation involves setting autocomplete='off' on the relevant password web form. Consequently, this option is now ignored from Internet Explorer 11[7] on https sites,[11] Firefox 38,[12] Chrome 34,[13] and in Safari from about 7.0.2.[14]

A 2014 paper from researcher at the Carnegie Mellon University found that whilst browsers refuse to autofill if the protocol on the current login page is different from the protocol at the time the password was saved, some password managers would insecurely fill in passwords for the http version of https-saved passwords. Most managers did not protect against iFrame and redirection based attacks and exposed additional passwords where password synchronization had been used between multiple devices.[11]

See also

References

  1. Rubenking, Neil J. (11 March 2011). "Six Great Password Managers". PC Magazine. Retrieved on 10 August 2014.
  2. Parker, Jason (11 April 2014). "Take control of password chaos with these six password managers". CNET. Updated 7 August 2014. Retrieved 10 Aug 2014.
  3. https://www.entrust.com/solutions/mobile/ Entrust IdentityGuard Mobile Smart Credential
  4. Li, Zhiwei; He, Warren; akhawe, Devdatta; Song, Dawn. "The Emperor's New Password Manager: Security Analysis ofWeb-based Password Managers" (PDF). 2014. Retrieved 25 December 2014.
  5. Adida, Ben; Barth, Adam; Jackson, Collin. "Rootkits for JavaScript Environments Ben" (PDF). 2009. Retrieved 25 December 2014.
  6. Mic, Wright (16 July 2015). "British Gas deliberately breaks password managers and security experts are appalled". Retrieved 26 July 2015.
  7. 1 2 Reeve, Tom (15 July 2015). "British Gas bows to criticism over blocking password managers". Retrieved 26 July 2015.
  8. 1 2 Cox, Joseph (26 July 2015). "Websites, Please Stop Blocking Password Managers. It’s 2015". Retrieved 26 July 2015.
  9. "Password Manager". Retrieved 26 July 2015.
  10. 1 2 Hunt, Troy (15 May 2014). "The "Cobra Effect" that is disabling paste on password fields". Retrieved 26 July 2015.
  11. 1 2 "Password Managers: Attacks and Defenses" (PDF). Retrieved 26 July 2015.
  12. "Firefox on windows 8.1 is autofilling a password field when autocomplete is off.". Retrieved 26 July 2015.
  13. Sharwood, Simon (9 April 2014). "Chrome makes new password grab in version 34". Retrieved 26 July 2015.
  14. "Re: 7.0.2: Autocomplete="off" still busted". Retrieved 26 July 2015.

External links

This article is issued from Wikipedia - version of the Sunday, May 01, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.