Password managers: The good, the bad, and the ugly
When your security needs more security.
By Violet Blue, PCWorldMay 12, 2017 5:30 am PDT
In a world where we’re being told to change our passwords every five minutes thanks to the latest massive breach, it’s hard to imagine life without a password manager. Though now that these killer apps are a dime a dozen, the market has predictably been flooded with options you should think twice about using.
Once you’ve started using a password manager, you realize just how absolutely insane things have gotten that we’d be expected to not only remember a jillion passwords, but also be able to spontaneously make up words and phrases that follow all the different and bizarre password-creation rules that sites require of us.
If you’re reading this and not using a password manager, keep reading. You’re in a high-risk category for getting hacked and exploited. Even if you’re already utilizing the best consumer tool for computer security since antivirus, you should also keep reading—because not all password managers are created equal.
If you’re unfamiliar, a password manager is an app that remembers your passwords for you and stores them in an encrypted vault. One master password unlocks the vault when you need to retrieve a password or create a new one, and does it without anyone being able to read what you type over your shoulder or track the login with a keylogger.
For those of us who’ve long known about the risks of allowing a browser or operating system to remember and autofill password fields, trusting a password manager doesn’t come easily. But the attack surface is significantly minimized with a manager, and the encryption on top seals the deal.
A manager usually has other nifty features too, like helping you search for (and change) duplicated passwords. One common way people get their social media and email accounts hacked is when malicious hackers comb through old breach dumps online, grab the logins and passwords, and then try them on your current accounts in the hopes that you’ve reused the password since.
The 2012 LinkedIn breach dump has been a hacker gold mine for five years, with news items still cropping up in 2017 about individuals and businesses who didn’t change their LinkedIn passwords after the breach and then had other accounts hijacked. It’s embarrassing, and worse.
Password managers also give users a way to automatically create new, long, complex passwords that follow all the crazy rules sites make for us: things like including upper- and lowercase letters, numbers, symbols, and a given number characters.
But like I said, not all of these cool tools are as secure as you’d think. Choosing the right one is critical when you’re keeping all your password eggs in one basket.
For a couple weeks in a row, leading password manager LastPass was schooled by a security researcher at Google, which found multiple flaws that put its users at risk. One was a “major architectural problem” that could’ve given attackers access to people’s passwords. The researcher published his findings, and while LastPass was worryingly quiet about dealing with its problems, the public scrutiny forced the company to act fast in fixing its service. Still, not everyone is convinced that LastPass has brought its service up to snuff.
It goes to show that even the most reputable password manager, like any other company, can have problems. And LastPass isn’t alone in falling under the scrutiny of Google’s security team. Keeper, Dashlane, and even 1Password have had bugs found and outed over the past year.
The harsh attention on password managers might be because the next version of Android, called “O”, is going to officially (and efficiently) support password managers.
That’s because despite issues of bugs and a market flooded with good and bad choices, security experts agree—a rarity—that password managers are the safest way for people to manage their accounts. The security benefits far outweigh the risks. So choosing carefully is key.
Research password managers individually before you settle on one. Search their names with words like “hacked” and look for their names in news articles. Search Twitter to see what the infosec community might have to say about them. Pay attention to which managers are used by hackers and researchers, and which ones they don’t like. An absence of recommendations or reviews is as much a negative as stories about flaws that didn’t get patched.
A company’s response to uncovered flaws is also telling: Was the company accountable and quick to remediate, or did it go silent? Did it act only when caught, or did it promptly inform customers about an incident or flaw?
Despite its past product flaws, I, like other hackers and security nerds, use 1Password. I understand the technology, the attacks, and the product sector—and I was really satisfied with the way 1Password handled their bugs and PR.
And believe me: I spend a lot of time watching these companies screw up.