Rob Behnke
October 5th, 2021
It’s no secret that cybercrime is a growing problem in the blockchain space and on the internet as a whole. IBM’s latest Cost of a Data Breach Report highlights that the average cost of a data breach is currently the highest it’s been in the last 17 years. This, coupled with the fact that most data breaches are caused by human error as well as weak, reused, and stolen credentials, illustrates how having a password management solution is critical for an organization’s information security.
But with the plethora of password manager options, and the promise of data security they all offer, how do you know which password manager is right for your organization? That will depend on a number of factors including: ease of use, your organization’s structure, whether you want to host the data on your own servers or not, and many other things. So in this article, which is part of our InfoSec series, we’ll have a look at the inner workings of password managers, different password manager products to consider, and which one would work best for your needs.
One of the key features of password managers is that they help you create strong, secure passwords that are less likely to get cracked by cybercriminals. We covered key safety considerations and the elements of a strong password in our recent Password Management 101 guide, and we encourage you to check that out to discover how to protect yourself from having your passwords stolen or bypassed.
That said, there are over 300 billion passwords in use by humans and machines today, and research from NordPass reveals that the average person has 100 passwords. This means that you’ll be entrusting an incredible amount of credential data with your chosen password manager, not to mention the information those credentials are set up to protect. So, below, we’ll have a look at some of the most important factors to look for when choosing a password manager.
Increased security for your information is the top reason you’ll want to use any password manager. So as part of your due-diligence process, we recommend looking for the following security features to be included in your chosen password manager service:
End-to-End Encryption: Top password managers encrypt your vault on your own device, typically with AES-256, using a key derived from your master password by a deliberately slow key-derivation function such as PBKDF2 or Argon2. The provider only ever stores ciphertext, so neither its staff nor an attacker who breaches its servers can read your passwords without your master password. Look for a vendor that documents this zero-knowledge design and the key-derivation parameters it uses.
Password Generator: Password managers help you create long, random passwords that are far harder for attackers to guess or crack than anything a person would choose, and they should draw them from a cryptographically secure random number generator. These generators make the process as simple as clicking a button.
Multi-Factor Authentication: With multi-factor authentication, a user is required to access the password manager with a password and a secondary method of authentication such as a secret key or authentication code – making it less likely that a cybercriminal can access your data even if they obtain your master password.
Support for Browser Plugins: A password manager's browser extension fills credentials directly into the login form, so the password never passes through your clipboard, where any application with clipboard access could read it. Just as important, a good extension only fills credentials on the domain they were saved for. That makes it a useful phishing check: if the extension refuses to fill on a page that looks like your bank, the address is probably not your bank.
Alerts for Security Breaches and Reused Passwords: If any of your passwords are involved in a data breach, you’ll want to know about it so that you can quickly change the password.
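The three feature descriptions above (generator, reuse detection and breach alerts) can be demonstrated together. The following is an added example written for this article, not code from any password manager: it generates a password from a CSPRNG, computes its entropy, flags passwords shared across sites, and performs a k-anonymity breach lookup of the kind the Pwned Passwords range API uses, in which only the first five hex characters of SHA-1(password) leave the device. The sample vault, the list of "leaked" passwords and their counts are constructed for the demo, and `hibp_fetch_range` is the only part that touches the network; the demo itself runs offline against `fake_fetch_range`.

```python
import hashlib
import math
import secrets
import string
from collections import defaultdict
from urllib.request import Request, urlopen

# Character classes every generated password must cover. `secrets` is a CSPRNG;
# `random` (Mersenne Twister) is predictable from a handful of outputs and must
# never be used for credentials.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*()-_=+"]
ALPHABET = "".join(CLASSES)


def generate_password(length: int = 20) -> str:
    """Uniformly random password of `length` symbols with every class present."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:  # rejection sampling keeps the distribution uniform over valid passwords
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault: dict) -> dict:
    """Map each password used for more than one site to the sites sharing it."""
    by_password = defaultdict(list)
    for site, pw in vault.items():
        by_password[pw].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def pwned_count(password: str, fetch_range) -> int:
    """k-anonymity breach lookup: send only the 5-char SHA-1 prefix, receive
    every known suffix under it, and match locally, so neither the password
    nor its full hash is disclosed to the lookup service."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def hibp_fetch_range(prefix: str) -> str:
    """Live fetcher for the real range API (needs network; not used in the demo)."""
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"User-Agent": "vault-audit-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the breach database so the example runs offline.
# The passwords and leak counts below are made up for the demo.
_LEAKED = {"password": 3861493, "Apple.Orange.Lemon.Kiwi": 12}


def fake_fetch_range(prefix: str) -> str:
    """Answer in the same 'SUFFIX:COUNT' line format as the real API."""
    lines = []
    for pw, n in _LEAKED.items():
        h = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{n}")
    lines.append("0" * 35 + ":1")  # unrelated suffix; a real response holds hundreds
    return "\r\n".join(lines)


# Constructed sample vault: site -> password.
SAMPLE_VAULT = {
    "bank.example": "Apple.Orange.Lemon.Kiwi",
    "shop.example": "password",
    "forum.example": "password",
    "mail.example": "kX9!mQ2#vL7$pN4w",
}


def audit_vault(vault: dict, fetch_range=fake_fetch_range):
    """Return (password -> sites reusing it, site -> leak count for breached passwords)."""
    reused = find_reused_passwords(vault)
    breached = {}
    for site, pw in vault.items():
        n = pwned_count(pw, fetch_range)
        if n:
            breached[site] = n
    return reused, breached


if __name__ == "__main__":
    print("new password:", generate_password(), f"({entropy_bits(20, len(ALPHABET)):.0f} bits)")
    print("audit:", audit_vault(SAMPLE_VAULT))
```

Note that the audit flags bank.example even though its password is unique and looks strong: a password that has appeared in a leak is burned regardless of its length, which is why breach alerts belong next to reuse detection rather than replacing it.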
You will also want to know about any data leaks that have involved your chosen password service provider. Leaks can happen at any service, so the important thing is whether any have happened and, if so, what the provider has done or is doing about them.
LastPass, for instance, has been breached before, but they were open about it and detailed what data was affected and the steps taken to prevent a repeat. Be sure your chosen password management service operates with the same level of transparency.
Beyond the essential features, the flexibility and extras of a given password manager might sway your decision for one service provider over another. 1Password, for example, has a travel mode that lets you remove specific vaults from your devices while you are travelling. This can be handy if you are ever forced to unlock your devices and hand over access to your accounts, which can happen when going through customs in certain scenarios.
With that in mind, let’s have a look at the different password managers available on the market.
There are dozens of password management tools available on the market, and this Wikipedia page has a detailed comparison of password managers, their features, pricing, and operating system support, integration options, and more.
What we’ll do here is look at two kinds of password managers that fit most business and personal needs, but we encourage you to do further due diligence into how any password manager could fit into your information security strategy so you can find the best password management tool for your particular needs.
Password managers like 1Password, Dashlane, and LastPass should be considered if you’re looking for a password manager with lots of features and flexibility. Password managers in this category offer personal and business versions, desktop and mobile apps, local installation and cloud syncing services, browser integrations, multi-factor authentication and more. These kinds of services also include the ability to help you import from competitor services, which could prove crucial in the event that you ever want to switch service providers.
Because password managers house so much critical information, you may want the ability to audit the code of the platform and verify that the security promises of the service provider are truthfully and properly implemented. Popular examples of open source password managers are Bitwarden, Padloc, and KeePass. Bear in mind that open code only helps if someone actually reads it, so look for published third-party audit reports alongside the repository. Many open source password managers also offer the ability to self-host your data, for an added layer of control.
Password management tools make the InfoSec process easier, but they do come along with their own set of security risks. Below, we’ll have a look at some common ones.
Phishing and Spoofed Login Pages: One of the biggest problems in the crypto space is the use of fake exchange websites to fool users into entering their credentials. The same happens with password managers: users receive fake emails asking them to reset or re-authenticate their account, with a link to a lookalike login page that captures the master password. Always check the URL, reach your provider's site from a bookmark rather than from a link in an email, and treat your browser extension's refusal to autofill on a page as a warning sign rather than a glitch to work around.
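The domain check that makes autofill a phishing defence is easy to get wrong. As an added illustration (written for this article, not taken from any extension's source), the following contrasts a naive substring match, which hands credentials saved for vault.example.com to vault.example.com.evil.example, with a host match that only fills on the saved host or its subdomains and only over https. The hostnames are constructed, and the simplification that the saved host is the domain you want to trust is an assumption stated in the code; real extensions additionally consult the public suffix list.

```python
from urllib.parse import urlsplit


def _host(url: str) -> str:
    """Lower-cased host part of a URL, with port and any user@ prefix stripped."""
    return (urlsplit(url).hostname or "").lower()


def naive_should_fill(stored_url: str, page_url: str) -> bool:
    """The mistake: a substring test. A lookalike such as
    vault.example.com.evil.example contains the saved host and passes."""
    return _host(stored_url) in _host(page_url)


def should_fill(stored_url: str, page_url: str) -> bool:
    """Fill only over https and only when the page host is exactly the saved
    host or one of its subdomains. Assumes (for this example) that the saved
    host is the registrable domain you want to trust; production extensions
    also consult the public suffix list so that two unrelated sites under a
    shared hosting domain are not treated as the same site."""
    if urlsplit(page_url).scheme != "https":
        return False
    saved, page = _host(stored_url), _host(page_url)
    if not saved or not page:
        return False
    return page == saved or page.endswith("." + saved)


# Constructed cases: (saved URL, page URL, expected decision)
CASES = [
    ("https://vault.example.com", "https://vault.example.com/login", True),
    ("https://vault.example.com", "https://sso.vault.example.com/", True),
    ("https://vault.example.com", "https://vault.example.com.evil.example/login", False),
    ("https://vault.example.com", "https://evil.example/vault.example.com", False),
    ("https://vault.example.com", "http://vault.example.com/login", False),            # downgrade
    ("https://vault.example.com", "https://vault.example.com@evil.example/", False),  # userinfo trick
]


def run_cases(decide) -> dict:
    """Evaluate a decision function over CASES; returns {page_url: decided wrongly?}."""
    return {page: decide(saved, page) != expected for saved, page, expected in CASES}


if __name__ == "__main__":
    for name, fn in (("naive", naive_should_fill), ("strict", should_fill)):
        wrong = [page for page, bad in run_cases(fn).items() if bad]
        print(f"{name}: {len(wrong)} wrong decision(s)", wrong)
```

The `http://` case matters as much as the lookalike: an extension that fills over plain HTTP lets an on-path attacker harvest the credential without any spoofed domain at all.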
Your Data Is in the Hands of a Central Authority: Unless you are using a purely offline solution, one of the risks of using a password management service is that your data is housed within a centralized organization. If that organization is breached, a copy of your encrypted vault can end up in criminal hands, and its safety then rests entirely on the strength of your master password and on the key-derivation settings the vendor chose.
Securing Your Secret Keys: In addition to a username, password and 2FA method, some password managers (1Password is the best-known example) also issue a secret key. This key is unique to each account, is generated on your own device, and is needed to set up additional devices. It is combined with your master password when the vault's encryption key is derived, so a stolen copy of the encrypted vault cannot be brute-forced from the master password alone. Of course, this secret key should actually be kept secret, and should never be shared with anyone who is not authorized to access that information. You can think of it like the seed phrase for a crypto wallet: if another entity gets hold of it, you risk having your data stolen.
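The following added example shows why the secret key matters for a stolen vault, the scenario in the two points above. It is a simplified model written for this article, not any vendor's actual key-derivation algorithm: the vault key is derived with PBKDF2 from the master password, with the account's secret key folded into the salt, and a key-check value stored beside the vault lets an attacker who has the file test guesses offline. The same weak master password is then attacked under both designs. The email, word list, master password and the low iteration count are constructed for the demo; real clients use hundreds of thousands of PBKDF2 iterations or a memory-hard KDF such as Argon2.

```python
import hashlib
import hmac
import secrets

# Deliberately low so the demo runs in well under a second; real clients use
# hundreds of thousands of PBKDF2 iterations or Argon2. (Demo parameter.)
ITERATIONS = 2_000


def derive_vault_key(master_password: str, secret_key: bytes, email: str) -> bytes:
    """Simplified two-secret derivation (an assumed model, not any vendor's
    exact scheme): the per-account secret key is folded into the salt, so the
    vault key depends on a value that exists only on the user's own devices."""
    salt = hashlib.sha256(email.strip().lower().encode("utf-8") + secret_key).digest()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, ITERATIONS, dklen=32)


def key_check_value(vault_key: bytes) -> bytes:
    """Stored next to the encrypted vault so a client can tell a wrong master
    password from corrupt data. It reveals nothing about the key by itself,
    but anyone holding the vault file can use it to test guesses offline."""
    return hmac.new(vault_key, b"vault-key-check", "sha256").digest()


def offline_guess(kcv: bytes, email: str, secret_key: bytes, wordlist):
    """Attacker model: holds the stolen vault (hence the KCV) and the account
    email, and tries a password list. 2FA never enters this picture because
    nothing is being logged into; the only questions are what the attacker
    must guess and how expensive each guess is."""
    for candidate in wordlist:
        key = derive_vault_key(candidate, secret_key, email)
        if hmac.compare_digest(key_check_value(key), kcv):
            return candidate
    return None


WORDLIST = ["123456", "password", "qwerty", "sunshine1", "letmein"]  # constructed


def compare_designs(email: str = "alice@example.com", master_password: str = "sunshine1"):
    """Attack the same weak master password under both designs. Returns
    (password recovered without a secret key, password recovered with one)."""
    # Design A: the vault key depends only on the master password and a public
    # salt (the email). A weak master password falls to the word list.
    kcv_a = key_check_value(derive_vault_key(master_password, b"", email))
    cracked_a = offline_guess(kcv_a, email, b"", WORDLIST)

    # Design B: a random 128-bit secret key generated at enrollment is mixed in.
    # The attacker does not hold it, so every guess derives the wrong key and the
    # list yields nothing; guessing the key itself is 2**128 work.
    secret_key = secrets.token_bytes(16)
    kcv_b = key_check_value(derive_vault_key(master_password, secret_key, email))
    cracked_b = offline_guess(kcv_b, email, b"", WORDLIST)
    return cracked_a, cracked_b


if __name__ == "__main__":
    print(compare_designs())
```

The lesson for the "central authority" risk is that a secret key changes what a server-side breach yields: without one, the encrypted vaults are only as strong as each user's master password and the KDF cost; with one, the attacker also needs a 128-bit value that was never on the server.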
Another quick, but good rule of thumb, is to use a unique email address just for your password manager. This will help limit the possibility of your associated email being exposed to any other third party, thus keeping your data that much safer.
Given the security risks that come with using a password manager, double-blind passwords provide an extra layer of protection: even if the email, master password, secret key and 2FA of your password manager are all compromised, the attacker still holds only part of each password.
Essentially, what you’re doing is storing part of any given password within your password manager, and another part outside of it. For example, let’s suppose you had a password that was, Apple.Orange.Lemon.Kiwi stored in your password manager. But it actually wasn’t the entire password. Once you copied Apple.Orange.Lemon.Kiwi into your account login area, you manually added the numbers 36823 to the end of it, making the entire actual password Apple.Orange.Lemon.Kiwi36823. Of course, you could add any set of characters to the end of the password that’s stored in the password manager, once it’s copied over.
This strategy ensures that no central authority ever has the complete picture of your password information, and again reduces the likelihood that your accounts will be broken into even if your password manager secret key and 2FA method are compromised. Two caveats apply. The memorized part is a single secret you must apply consistently (vary it per site and you will lock yourself out), so the strength of each login still comes mostly from the stored part. And because the manager no longer holds the real password, autofill, breach alerts and reuse detection stop working for those entries, and the technique does nothing if the site itself is breached. We recommend checking out this video by All Things Secured which provides an informative breakdown on this password strategy.
The worldwide information security market is predicted to reach over $170 billion by next year, and cybercriminals are aware of the growing opportunities to steal credentials. To keep your data and credentials safe, we encourage you to consider the recommendations in this article and reach out to our cybersecurity experts at halborn@protonmail.com for more information on how to keep your sensitive data secure.