What’s the big deal with Password Managers anyway?
It seems like every few months there’s another major security breach that compromises Americans’ personal data. Some of the most recent high-profile security attacks (like Deloitte’s recent breach) were the result of social engineering. What makes a social engineering attack so difficult to prevent is the many forms it can take. In one all-too-common approach, hackers create a fake phishing email that encourages the user to click a link or download a file. 97% of these attacks go after the user, not the user’s machine (1). The hacker exploits the user, attempting to uncover a key piece of data such as an email password. Since most people reuse the same passwords across multiple sites, uncovering even a single user password can be devastating: by gaining access to one account, criminals can work their way into many other sites and services.
In a corporate environment, hackers often target users with administrative credentials. With admin access, a hacker can uncover whole databases’ worth of confidential customer information, disable security controls, or even lock out genuine employees. This is exactly what happened to Deloitte, just a few days ago, when hackers acquired a single admin password to the firm’s email system (2). Allegedly, Equifax also used “admin” as both the username and password of an important database (3).
An organization’s data is often priceless, or at least a substantial component of the organization’s overall value. It is essential to take every step to secure that data, and in particular employee credentials. That is why Lucid Agency often recommends using a password manager to encrypt user account credentials.
What is a password manager?
A password manager is a third-party (often web-based) software application that stores all of a user’s passwords. Users access those passwords by signing into the single, secure password manager. Password managers are essential because the only secure password is one that is not easy to remember, and humans physically can’t remember more than about 10 passwords. There are two things people typically do if they are NOT using a password manager:
- They use the same password (or maybe the same 3 passwords) for every website and app
- They write their passwords down in a notebook, Excel sheet or sticky note (often placed prominently on a desk or monitor, or in a desk drawer)
Both of these options are extremely risky and create significant vulnerability. If a hacker uncovers even one password, he or she now has access to every account that uses it. Writing passwords down in an unencrypted location is also a terrible idea. Security experts agree that password managers are one of the best ways to empower users to use unique, randomized and highly secure passwords for every website or app they need to access.
Now, perhaps you are thinking…
“How could having all of my passwords in one place possibly be safe?”
“This just makes things EASIER for hackers! What if they get the login to the password manager?”
A lot of people do not trust the idea of a password manager, and think it must be dangerous to use one. While there really is no method that’s 100% secure, password managers are currently one of, if not the, best option available. So far, there has never been an attack on a major password manager that has actually exposed users’ password vaults (knock on wood). Considering the huge target on their backs, these providers have a great track record. (4)
Remember the old adage about “not keeping all of your eggs in one basket”? Dashlane CEO Emmanuel Schalit put it best: “Sometimes, it’s better to put all your eggs in the same basket if that basket is more secure than the one you would be able to build on your own.” (5)
Dashlane, and other major password managers like 1Password and LastPass, go to extreme measures to secure user data. Upon signing up for a password manager, users must create a secure Master Password. That Master Password is not stored ANYWHERE on the password manager’s servers, which means that even if those servers are hacked, a criminal would still not be able to access the information in the encrypted database.
“How could my Password Manager not know my Master Password? Don’t the servers get it when I log in?”
When a user logs into a password manager, two values are derived from the Master Password: a password hash and the decryption key. The Master Password itself is never sent; all of this happens on the local machine. (6)
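As an added illustration (not Dashlane’s or any vendor’s actual code), the following Python sketch models how a client can derive a vault-encryption key and a separate authentication key from the Master Password, so the server only ever stores a salted hash of the latter. The iteration counts and the hypothetical VaultServer class are assumptions.

```python
import hashlib
import hmac
import secrets

# Illustrative PBKDF2 work factors (assumption; real products use their own values).
CLIENT_ITERATIONS = 200_000
SERVER_ITERATIONS = 100_000


def derive_client_keys(master_password: str, email: str) -> tuple[bytes, bytes]:
    """Runs only on the user's device. Returns (encryption_key, auth_key).

    The encryption key unlocks the vault and never leaves the device; the
    auth key is what gets sent to the server in place of the Master Password.
    """
    enc_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ITERATIONS
    )
    # One more one-way step, so the value sent to the server cannot be turned
    # back into the encryption key.
    auth_key = hashlib.pbkdf2_hmac("sha256", enc_key, master_password.encode(), 1)
    return enc_key, auth_key


class VaultServer:
    """Hypothetical server: it stores only a salted hash of each user's auth key."""

    def __init__(self) -> None:
        self.accounts = {}  # email -> (salt, verifier)

    def register(self, email: str, auth_key: bytes) -> None:
        salt = secrets.token_bytes(16)
        verifier = hashlib.pbkdf2_hmac("sha256", auth_key, salt, SERVER_ITERATIONS)
        self.accounts[email] = (salt, verifier)  # neither value reveals a password

    def login(self, email: str, auth_key: bytes) -> bool:
        if email not in self.accounts:
            return False
        salt, verifier = self.accounts[email]
        candidate = hashlib.pbkdf2_hmac("sha256", auth_key, salt, SERVER_ITERATIONS)
        return hmac.compare_digest(verifier, candidate)  # constant-time comparison

    def holds(self, email: str, secret: bytes) -> bool:
        """True if the raw secret appears anywhere in the stored record."""
        return any(secret in field for field in self.accounts.get(email, ()))
```

Even a full copy of the server’s account table yields neither the Master Password nor the key that decrypts the vault.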
Generally speaking, most password managers store credentials (other than the Master Password) in an encrypted cloud database. Depending on the password manager, users who are uncomfortable with storing passwords in the cloud may have the option to store them locally instead. There is obviously a usability tradeoff to storing passwords locally only, so it’s worth weighing security against usability to make the best decision. Users who do choose to store passwords in the online cloud vault can opt for additional security features such as multi-factor authentication (MFA) on their accounts to mitigate risk.
Password managers also include password generation tools that let the user create a complex and secure password for each and every site. Since users do not have to remember the password, they are free to use a different password for each and every account. This way, if a single site gets hacked, all the criminal gets is the user’s password to that one site, as opposed to every site the user has ever visited. Many password managers will also run a “security check” on existing credentials to identify weak passwords. Some will even let users replace weak passwords with more secure credentials with a single click.
Additionally, password managers may require the user to provide multi-factor authentication (MFA). With MFA turned on, simply providing the Master Password is not enough to gain access to a user’s data. The user must provide a second form of proof that she is who she says she is. Common MFA options include texting a code to a personal phone or sending a verification link via email. This extra layer of security means that even if a hacker obtains a Master Password, he still won’t be able to access the user’s passwords.
Password managers also offer some great usability benefits. Many offer browser extensions that will log users into saved sites automatically. Password managers are also cross-platform, providing users access to their data regardless of device.
If you aren’t using randomized passwords stored in an encrypted location… you may be playing a dangerous game with your personal information.