Here is one strong reason to consider these cyber security tips on using a password manager. The following information is provided by the Open University.
A password manager is an application running on your computer that stores passwords for you. Very simple password managers allow stored passwords to be copied and pasted into log-in boxes. More sophisticated managers let users launch and log in to an application or website by clicking on their entry in the manager itself, while some password managers include browser ‘plug-ins’ so that you can complete a log-in on a web page simply by pressing a button.
The majority of password managers also offer password generation facilities. Since computers can remember arbitrarily long pieces of nonsense text, say MHpKQCvpYoouTAaPiiW, password managers have no problem creating passwords that are highly resistant to both brute force and dictionary attacks. Since a password manager holds a great deal of extremely valuable information, it represents an attractive target for an attacker. Before choosing a manager you should check that:
The password manager itself requires a password to use it. This prevents an attacker simply starting the password manager and accessing your passwords.
The password manager locks itself after a period of inactivity. This stops an attacker accessing the passwords if you have previously used the password manager and then left your machine unattended.
The passwords themselves are encrypted on your computer. This prevents an attacker reading your passwords without needing to open the password manager.
Most modern web browsers offer to remember passwords when you enter them into web forms, providing password management for websites you visit using the browser. This can be very convenient for frequently visited sites where you regularly have to enter details. The security of this password storage is strong and your data will not be visible to casual inspection, but you should be extremely careful about using it on any computer that you do not own or have sole control of, since your data will be stored on the machine and could be misused by another user or an administrator.
You should only consider using a browser’s password storage on a machine that you are the sole user of, or one where you entirely trust the other users. Under no circumstances should you store passwords in the browsers of public machines in places such as cafes, libraries and workplaces.
When using a password manager check that the password manager’s security functionality has been evaluated by a reputable independent organisation. Additionally, make sure you select a very strong password for controlling access to the password store. This will minimise the risk of attackers having access to your passwords, even if they do manage to steal the encrypted password store, either from your machine or from online storage provided by the password manager software.
Before choosing any product to manage your passwords, you should make sure that it meets your requirements – in particular:
Is the software available for your computer?
Does it manage passwords on one machine or more than one computer?
Can it synchronise passwords between multiple machines?
Does it have a good reputation?
Check that the password manager software has a good reputation by making sure that it has been evaluated by a reputable organisation. Don’t depend on anecdotal evidence.
Some examples of password manager applications are:
LastPass is available for a range of operating systems, including mobile devices. It can generate and store passwords, and manage them across multiple devices.
1Password is available for Windows and Mac computers as well as mobile devices running iOS, Android and Windows Phone. As well as generating and storing passwords, 1Password can be used to hold other confidential documents. It offers password synchronisation through the free Dropbox cloud service where encrypted copies of all 1Password data are shared between your machines.
KeePass is available for Windows, Mac and Linux operating systems. It is an open source password manager, which makes it easier for security experts to check its program code and identify potential security problems.
The protection offered by a password manager is only as good as the password you select to control access to it – the ‘master password’. Therefore, make sure to select a long, hard to guess password – ideally a phrase or combination of random words. This will prevent attackers from getting access to all of your passwords, even if they steal the password store from your machine or an online password system. For example, in June 2015 attackers were able to steal a large number of password stores from LastPass, putting those users with very weak master passwords at risk of having all their passwords used by hackers.
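Why the master password decides the fate of a stolen store, as an added example that is not part of the Open University material: the key that encrypts the store is derived from the master password, so an attacker holding the file only has to search the space of likely master passwords. The PBKDF2 work factor and the 7776-word list size are assumptions of this sketch, not settings of any product named above.

```python
import hashlib
import math
import secrets
import string

ITERATIONS = 600_000  # assumed PBKDF2 work factor; real products choose their own

def generate_password(length=19, alphabet=string.ascii_letters):
    """Random text in the style of the article's example, drawn from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(options, picks):
    """Entropy when each of `picks` symbols is chosen uniformly from `options`."""
    return picks * math.log2(options)

def derive_store_key(master_password, salt, iterations=ITERATIONS):
    """Stretch the master password into the 256-bit key that encrypts the store."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations)

def guessing_work_bits(password_bits, iterations=ITERATIONS):
    """log2 of the hash operations needed to try every candidate master
    password against a stolen store; stretching makes each guess costlier."""
    return password_bits + math.log2(iterations)

def compare_master_passwords():
    """Guessing work, in bits, for three ways of choosing a master password."""
    choices = {
        "8 random lowercase letters": entropy_bits(26, 8),
        "6 random words from a 7776-word list": entropy_bits(7776, 6),
        "19 random letters": entropy_bits(52, 19),  # the article's example style
    }
    return {name: round(guessing_work_bits(bits), 1)
            for name, bits in choices.items()}

if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # random, stored beside the encrypted data
    key = derive_store_key(generate_password(), salt)
    print("store key:", len(key) * 8, "bits")
    for name, bits in compare_master_passwords().items():
        print(f"{bits:6.1f} bits of work  {name}")
```

The derived key is always 256 bits long, but the work needed to find it is set by how the master password was chosen, which is why the short password is the weak point in the comparison.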
Using a password manager makes your life much simpler because, rather than having to remember a multitude of passwords, you only need to remember a single password and the computer does the rest.
But what if you forget that password? All of a sudden all of your passwords are unavailable. And what if your password manager’s data file falls into the wrong hands? You’d better hope your password is strong, otherwise all of your passwords are accessible to an attacker. But, what are the alternatives?
For an increasing number of websites it is possible to use your existing online accounts, such as those provided by Google or Facebook, to register and log in. This approach for managing users’ account details depends on an authentication mechanism called OAuth (i.e. Open Authentication).
This method of checking a user’s identity requires the website to ask the user’s computer for some proof that the user’s identity has been authenticated by the OAuth provider (e.g. Google). This requires the user’s computer to first contact the OAuth provider where the user can input their username and password. The OAuth provider provides a digitally signed token that confirms the user’s identity.
You will learn more about digital signatures in Week 5 of the course, but for now it is sufficient to understand that in this case the digitally signed token cannot be created or modified by anyone other than the OAuth provider. Once it receives the token all the website needs to do is to check that the signature on this token is valid to confirm the identity of the user.
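The exchange described above, with both sides shown, as an added example that is not part of the Open University material. It uses a toy textbook-RSA key built from two small primes to stand in for the provider's real signature scheme; the function names, the token layout and the "for" field naming the intended website are assumptions of this sketch.

```python
import hashlib
import json

# Toy provider key pair, constructed for this example. Textbook RSA with two
# small Mersenne primes shows the mechanics but is far too weak for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                    # public key, known to every website
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, held only by the provider

def _digest(payload: str) -> int:
    """Hash the payload and reduce it into the range the toy key can sign."""
    return int.from_bytes(hashlib.sha256(payload.encode()).digest(), "big") % N

def provider_issue_token(user: str, website: str) -> dict:
    """Provider side: runs after the user has logged in with the provider."""
    payload = json.dumps({"user": user, "for": website}, sort_keys=True)
    return {"payload": payload, "signature": pow(_digest(payload), D, N)}

def website_verify_token(token: dict, website: str):
    """Website side: needs only the public key. Returns the user or None."""
    payload = token["payload"]
    if pow(token["signature"], E, N) != _digest(payload):
        return None                    # created or modified by someone else
    claims = json.loads(payload)
    if claims.get("for") != website:
        return None                    # validly signed, but for another site
    return claims["user"]

if __name__ == "__main__":
    token = provider_issue_token("alice@example.com", "shop.example")
    print(website_verify_token(token, "shop.example"))      # the user's name
    edited = dict(token, payload=token["payload"].replace("alice", "mallory"))
    print(website_verify_token(edited, "shop.example"))     # None
```

The website never sees the user's password: it holds only the public values `N` and `E`, which let it check a signature but not produce one.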
So using OAuth can simplify your password management because all you need to remember is the username and password for your account with the OAuth provider. However, just as with password managers, if you forget this password you will no longer have access to any of the accounts. Additionally, if an attacker gets access to this password, they will be able to access all the online systems you are able to access using your OAuth account details.
So although password managers and online authentication services like OAuth can simplify the management of your online accounts, they are not complete solutions. Next, we will look at another way of improving the security of the authentication mechanisms we use.