A Password Manager is a tool that securely stores your credentials made up of your username and password. They often also store the URL of the website they apply to make it easier to remember. Many of us are working from home during the pandemic and trying to remember an ever-growing list of passwords simply isn’t feasible. Top this off with the frustration of many password reset processes on top of navigating various password complexity requirements and you have a problem.
Attacks on passwords are on the rise through various methods from password spraying to credential stuffing which require that you have unique credentials for each website or web application you use. Wherever possible, we should be using two-factor authentication, but what do we do for those websites that do not support it yet? Choose a long, random, difficult-to-remember password. This is where a Password Manager comes in. Password Managers protect your most sensitive credentials and securely stores them. This is way beyond the Microsoft Excel document with passwords we often find on your workstation during one of our assessments.
What problems does a Password Manager solve?
Password Managers solve a number of problems depending on the capabilities of the tool selected. These problems are exacerbated by the growing number of websites you need unique credentials for. As of 2020, NordPass estimates that the average person has to try to remember unique passwords for 70-80 accounts. Without a Password Manager, our brains are hardwired to create shortcuts. For example: SuperSecurePasswordFacebook for your Facebook password and SuperSecurePasswordLinkedIn for LinkedIn. Don’t do this. From an attacker’s perspective, this makes our lives much easier.
Trying to remember 80 passwords is difficult and this tends to steer us to only use unique passwords on accounts we truly care about and McAfee thinks this number is somewhere around 13 unique passwords with 31% using the same two or three passwords. Password Managers make it trivial for you to have strong unique passwords for each and every website but then notify you in the event one of them is compromised.
Password Managers help us remember to change our passwords on a more frequent basis. Most people do not change passwords for their accounts. Changing your password on a regular basis, reduces the time it can be used by an attacker. It takes time to crack strong passwords and when you change them, they’re no longer useful for an attacker.
What features are valuable in a Password Manager?
There are several Password Managers on the market and not all will meet your requirements and protect your accounts. It is important to perform research on each solution to understand their strengths and weaknesses. Below, we’ve outlined the most important features based on our experience:
- Strong Encryption: Your passwords must be stored using reversible encryption which sounds scary, but you need to be able to decrypt your password to use them. At a minimum, you should make sure the solution you select makes use of AES 256 and you should be the only one with access to the key. There should be no method for you to call support and ask for help if you forget your password.
- Two-factor authentication: The password used to encrypt your password archive must be very strong and never used anywhere else. This is the one password you have to remember now but it’s worth planning a backup solution to protect your accounts just in case. Make sure your solution makes use of two-factor authentication because even if this strong password is compromised it cannot be used to access all of your accounts.
- Cloud-based with Mobile App: Free solutions, such as KeePass, are great, but what happens when your laptop dies and your backup is out of date? Cloud-based solutions make it easier for you to leverage your archive on multiple devices, including mobile.
- Breach Notifications: One of the best features we’ve seen in Password Managers is breach notifications. Password Managers that monitor publicly disclosed breaches make it even easier to reset or change your password where they may have been compromised.
- Password Reuse: Credential stuffing is when an attacker attempts to log in to other websites (e.g., CRA, Instacart, Loblaw) using a set of compromised credentials. Great password managers help increase your awareness that having unique passwords for each website mitigates this risk.
How is a Password Manager different from a Privileged Access Manager?
Within an organization, Password Managers are helpful for almost all staff, but what is the solution for privileged accounts? What is a privileged account and why do you need more capabilities in these offerings? Privileged accounts are those that have access to administer critical systems (or all systems), have access to sensitive information, or shared or service accounts that run critical business functions or processes. Privileged Access Managers are used to enforce policies over privileged accounts including the Principle of Least Privilege, offer enhanced auditing and alerting of privileged account use, and diligently monitor their usage.
Password Managers help offset the shortcuts taken to choose weak, easy to remember passwords, for the over 70 unique passwords the average person should have. In the past, choosing a strong password was effective, this is no longer the case. With the prevalence of credential stuffing, the ever-growing list of unique passwords to remember, and the significant focus attackers are placing on making use of stolen credentials Password Managers are essential.
At Packetlabs, we compromise corporate endpoints every single day and we often find spreadsheets, text documents, Post IT notes and several other methods of storing passwords. These stand no chance and make our jobs much easier as attackers. Contact us to discuss what an Objective-based Penetration Test would look like at your organization and whether you are impacted by the insecure storage of passwords.