Passwords have become a cornerstone of the Internet. These strings of letters and numbers allow us to validate access to various communities, online tools, healthcare, banking, and more. As more and more information is stored behind passwords, efforts to steal and crack them have vastly increased.
These new cyber threats led to the creation of tools called password managers, to which hackers responded with attacks specifically targeting these applications. As some password managers were breached, their public perception has taken a hit in recent years. Even though password managers have been proven to reduce identity theft by 30%, only 35% of users said they trust password managers.
The reality is that password managers are only good when paired with proper cyber security awareness. With the latest Gone Phishing Tournament findings showing that over 60% of those who clicked on a phishing link submitted their business account passwords, it’s not hard to understand how password managers still get cracked occasionally.
Still, these applications remain essential tools for everyone and provide very high levels of security when used correctly. This article will review the basics of password managers, explain how they can be breached, and provide tips to ensure that doesn’t happen to you.
What is a password manager?
A password manager is a software that stores and encrypts online credentials such as passwords, PINs, and credit card numbers. Popular options like 1Password, Bitwarden, and Dashlane also offer browser extensions that automatically enter credentials based on the visited URL and fill out forms with your personal information.
Are password managers secure?
Yes, they are undeniably the safest way to store your passwords. They provide strong encryption to protect your passwords from cyber criminals.
However, it’s also important to note that they aren’t 100% impenetrable. Over the years, hackers have found ways to target password manager software.
Here are the four prominent recent breaches:
- In November 2022, LastPass announced a breach where hackers obtained password vaults of over 25 million users, including encrypted and plaintext data. Subsequent major cryptocurrency thefts have led experts to believe that some LastPass vaults from this attack may have been cracked.
- Norton LifeLock disclosed a data breach affecting thousands of customers, attributing the incident to a credential stuffing attack and underscoring the value of two-factor authentication as a security measure.
- A new vulnerability in password managers dubbed “AutoSpill” could pose a significant threat to the industry. As the vulnerability is linked to Google’s Webview app input protocol, future Chrome updates should fix the issue relatively quickly. Most popular password managers have since released fixes and mitigations targeting this threat.
- Researchers found critical vulnerabilities in the Passwordstate password manager by Click Studios, allowing attackers to bypass authentication and access users' passwords. Patched in November with version 9.6 build 9653, these flaws, including a critical API bypass and an XSS vulnerability, highlight the risks even in enterprise security tools.
What types of attacks does a password manager prevent?
Password managers are excellent at countering malicious apps that cycle through data to guess credentials. However, these tools only work if used as intended, with a unique alphanumeric password protecting every website login stored.
Here are the main cyber threats countered by password managers:
- Brute force attacks: Using a password list from a previous breach, malicious code cycles through every entry on a site’s login page until it hits the correct one and gains access to the account.
- Dictionary attacks: This variation of the brute force attack tries words and numbers commonly used in passwords until the correct one is found.
- Phishing mitigation: While phishing attacks can still be successful on users who rely on password managers, the damage is limited to the one account the user surrendered the password to.
How do password managers store passwords securely?
Password managers use high-end, sophisticated ciphers to encrypt your data. The two main ones in use are AES 256-bit, the military standard, and XChaCha20, which major companies such as Google choose.
These tools also rely on Zero-Trust Architecture so that your passwords stay encrypted even as they are shared with a website. This ensures that potential breaches remain isolated: one server breach has no domino effect.
Pros and cons of password managers
If anything, password managers highlight that even with software on your side, using strong, secure passwords for every account is essential. The pros and cons of password managers aren’t a debate about whether to use them. It’s abundantly clear everyone should utilize these tools, while keeping in mind that they can provide a false sense of security to careless users.
Pros
- Allows users to manage passwords easily while using unique alphanumeric options for each site they visit.
- Conveniently autofills passwords and forms based on the visited URL or the mobile app in use.
- Most popular password managers offer secure sharing to provide an encrypted way to send passwords and sensitive information to friends and family.
Cons
- It’s only as good as password hygiene from the user. A password manager can still be cracked if unsafe or reused passwords are used.
- Can be breached if malware is installed on a computer via a phishing attack.
- Password managers are vulnerable to social engineering that convinces the user to give up their master password.
So, are password managers safe to use?
Yes, they are definitely the most secure way to handle your passwords. But while password managers are a big convenience and security upgrade, it’s important to remember that they are only one part of a healthy cyber security mindset.
Password managers can still be hacked if your machine is infected with malware. Weak passwords are still dangerous if they’re stored in a password manager. Hackers can still convince your users to give up their master password if they lack cyber security awareness. These tools lose all their power if they aren’t used correctly or safely.
Get your free copy of Human Risk to Human Fix to see how you can transform your employees into your first line of defense in just five steps.