Password manager

A password manager is a computer program that allows users to store and manage their passwords[1] for local applications or online services such as web applications, online shops or social media.[2]

Password managers can generate passwords[3] and fill online forms.[2] Password managers may exist as a mix of: computer applications, mobile applications, or as web browser extensions.[4]

A password manager may assist in generating passwords, storing passwords,[1][5][6] usually in an encrypted database.[7][8] Aside from passwords, these applications may also store data such as credit card information, addresses, and frequent flyer information.[3]

The main purpose of password managers is to alleveate a cyber-security phenomenon known as password fatigue, where an end-user can become overwhelmed from remembering multiple passwords for multiple services and which password is used for what service.[3]

Password managers typically require a user to create and remember one "master" password to unlock and access all information stored in the application.[9] Password managers may choose to integrate multi-factor authentication[9] through fingerprints, or through facial recognition software.[10] Although, this is not required to use the application/browser extension.

Password managers may be installed on a computer or mobile device as an application or as a browser extension.[5]

CriticismsEdit

VulnerabilitiesEdit

Some applications store passwords as an unencrypted file, leaving the passwords easily accesible to malware or people attempted to steal personal information.

Some password managers require a user-selected master password or passphrase to form the key used to encrypt passwords stored for the application to read. The security of this approach depends on the strength of the chosen password (which may be guessed through malware), and also that the passphrase itself is never stored locally where a malicious program or individual could read it. A compromised master password renders all of the protected passwords vulnerable, meaning that a single point of entry can comprimise the confidentiality of sensitive information.

As with password authentication techniques, key logging or acoustic cryptanalysis may be used to guess or copy the "master password". Some password managers attempt to use virtual keyboards to reduce this risk – though this is still vulnerable to key loggers that take the keystrokes and send what key was pressed to the person/people trying to access confidential information.

Some password managers may include a password generator. Generated passwords may be guessable if the password manager uses a weak method of randomly generating a "seed" that all passwords generated by this program. Or, as in the case of LastPass,[11] the methods used to generate passwords may become comprimised, leading to passwords generated by the application being easier to guess.

Furthermore, password managers have the disadvantage that any potential malicious individual or malware would just need to know one password to gain access to all of a user's passwords and that such managers have standardized locations and ways of storing passwords which can be exploited by malware.[12] This is known as a single point of failure.

Blocking of password managersEdit

Various high-profile websites have attempted to block password managers, often backing down when publicly challenged.[13][14][15] Reasons cited have included protecting against automated attacks, protecting against phishing, blocking malware, or simply denying compatibility. The Trusteer client security software from IBM features explicit options to block password managers.[16][17]

Such blocking has been criticized by information security professionals as making users less secure.[15][17] The typical blocking implementation involves setting autocomplete='off' on the relevant password web form. Consequently, this option is now ignored from Internet Explorer 11[14] on encrypted sites,[18] Firefox 38,[19] Chrome 34,[20] and in Safari from about 7.0.2.[21]

A 2014 paper from researcher at the Carnegie Mellon University found that whilst browsers refuse to autofill if the protocol on the current login page is different from the protocol at the time the password was saved, some password managers would insecurely fill in passwords for the unsecured (HTTP) version of encrypted (HTTPS) site passwords. Most managers did not protect against iframe and redirection based attacks and exposed additional passwords where password synchronization had been used between multiple devices.[18]

See alsoEdit

ReferencesEdit

  1. ^ a b Waschke, Marvin (2017). Personal cybersecurity : how to avoid and recover from cybercrime. Bellingham, Washington: Apress. p. 198. doi:10.1007/978-1-4842-2430-4. ISBN 978-1-4842-2430-4. OCLC 968706017.{{cite book}}: CS1 maint: date and year (link)
  2. ^ a b "What is a Password Manager? - Definition from Techopedia". Techopedia.com. Retrieved 2022-12-14.
  3. ^ a b c "What is a Password Manager? 2022 Explainer Guide". Tech.co. Retrieved 2022-12-14.
  4. ^ "Definition of password manager". PCMAG. Retrieved 2022-12-14.
  5. ^ a b Seitz, Tobias (2018). Supporting users in password authentication with persuasive design (PDF) (Thesis). Ludwig-Maximilians-Universität München. doi:10.5282/edoc.22619.
  6. ^ University, Carnegie Mellon. "Password Managers - Information Security Office - Computing Services - Carnegie Mellon University". www.cmu.edu. Retrieved 2022-12-14.
  7. ^ Price, Rob (2017-02-22). "Password managers are an essential way to protect yourself from hackers – here's how they work". Business Insider. Archived from the original on 2017-02-27. Retrieved 2017-04-29.
  8. ^ Mohammadinodoushan, Mohammad; Cambou, Bertrand; Philabaum, Christopher Robert; Duan, Nan (2021). "Resilient Password Manager Using Physical Unclonable Functions". IEEE Access. 9: 17060–17070. doi:10.1109/ACCESS.2021.3053307. ISSN 2169-3536.
  9. ^ a b "Best Password Managers for Mac - Security". Tech.co. Retrieved 2022-12-14.
  10. ^ "Best Password Manager for iPhone 2022". Tech.co. Retrieved 2022-12-14.
  11. ^ Toubba, Karim (March 1, 2023). "Security Incident Update and Recommended Actions". LastPass Blog. Retrieved May 13, 2023.{{cite web}}: CS1 maint: url-status (link)
  12. ^ "Pros and Cons of Password Managers". Lumen. 2017-05-13. Retrieved 2021-01-25.
  13. ^ Mic, Wright (16 July 2015). "British Gas deliberately breaks password managers and security experts are appalled". Retrieved 26 July 2015.
  14. ^ a b Reeve, Tom (15 July 2015). "British Gas bows to criticism over blocking password managers". Retrieved 26 July 2015.
  15. ^ a b Cox, Joseph (26 July 2015). "Websites, Please Stop Blocking Password Managers. It's 2015". Retrieved 26 July 2015.
  16. ^ "Password Manager". Retrieved 26 July 2015.
  17. ^ a b Hunt, Troy (15 May 2014). "The "Cobra Effect" that is disabling paste on password fields". Retrieved 26 July 2015.
  18. ^ a b "Password Managers: Attacks and Defenses" (PDF). Retrieved 26 July 2015.
  19. ^ "Firefox on windows 8.1 is autofilling a password field when autocomplete is off". Retrieved 26 July 2015.
  20. ^ Sharwood, Simon (9 April 2014). "Chrome makes new password grab in version 34". Retrieved 26 July 2015.
  21. ^ "Re: 7.0.2: Autocomplete="off" still busted". Retrieved 26 July 2015.

External linksEdit