Password managers offer peace-of-mind in the form of a secret vault full of your passwords – but are they as safe as they’re ‘cracked’ up to be?
How long can I survive without being hacked? That is the question no doubt many internet users are pondering given recent cyber security breaches and hacks on large-scale businesses and corporations.
Protecting ourselves from hackers and cyber crooks has never seemed so difficult especially with the the modern nature of web3 involving a trade of personal details for engagement.
Every website seems to have a login. We have a password for social media, email newsletters, pdf downloads and much more.
A popular option is to invest in a password manager to keep all our passwords in the one place, away from prying eyes. But are they necessarily a safe option?
The quick and easy solution would be to use a single key that unlocks all the doors you access online. Password managers are a convenient and seeming safe way to achieve this offering the ability to store all your passwords in a virtual vault and generate a different piece of code to access each website that you attempt to login.
Good password hygiene is vital in modern times and danger lurks for those naive to assume otherwise.
The massive uptake in hybrid work since the beginning of the pandemic has created issues for cybersecurity folks in charge of keeping company passwords safe when employees are working remotely, sharing information across broad networks and potentially engaging in poor password security practices. It’s not uncommon for staff to share passwords in spreadsheets across organisations with multiple employees which might provide the right conditions for a hacker to access the network.
Hackers readily manipulate the poor password security and etiquette of users. Foreign state hackers are believed to have run a campaign lasting many years, targeting hundred of thousands users at more than 200 companies to scrape passwords which were subsequently used in an attack on software and cloud service provider, Citrix. The hack resulted in loss of 6TB worth of data including emails, blueprints and business documents.
It’s been reported that a weak password that an intern has used and was publicly accessible from a misconfigured GitHub repository resulted in what Microsoft Corporation President Brad Smith labelled “the largest and sophisticated attack the world had ever seen.” Thousands of companies and US government offices were hacked when major technology company, Solarwinds was subject of a cyber attack which spread to its clients and went undetected for months. Emails from government agencies were intercepted when IT management software was infiltrated. The hack is believed to have involved thousands of engineers who used the hack to spy on major cybersecurity firms in the US, senior US Government officials, the Department of Homeland Security & Treasury Department.
Is 2-Factor still enough for me?
Businesses and organisations are widely adopting multi-factor authentication in the wake of data breaches and the rise of cybercrime. No doubt you’ve noticed the beefed-up security measures of government and bank websites in Australia, requiring both SMS and password to access your account. Multifactor authentication involves a two-step process requiring something a user knows (pin, secret question), something you have (card or token) or something you are (fingerprint or other biometric).
Key tokens or fobs offer an added sense of security given that they are a physical thing you can hold in your hand and generate a code to access your data away from prying eyes. With the push of a button you generate a key to unlock your online account which authenticates with a private key stored at the bank. This process of asymmetric encryption offers the most secure mechanism and is the preferred method supported by companies like Google, Amazon and Microsoft.
However, despite the benefits of a physical token, uptake of the method is low. Deakin University’s Centre for Cyber Security Research and Innovation recently conducted a study on the adoption of multi-factor authentication tools, giving participants a key fob for a month to trial. While users found the keys easier enough to use, lack of platform support and setup instructions created a perception for users that they were too complex and difficult to install which resulted in a lack of willingness to adopt the technology.
To vault or not to vault?
While storing every password you use inside a vault and relying upon one single password to access every website you login might seem like a counterintuitive idea to obtaining cybersecurity online, especially given Web 3.0 provides us with everything online and all our data is stored across multiple websites. A hacker breaking into your vault might seem like opening your own form of online Pandora’s Box. However, there are several layers of encryption involved to make sure that your passwords are kept safe and multiple ways you can keep your vault away from the clutches of thieves.
Password managers involve storing all your passwords inside a vault. It can be kept locally, offline stored in a device such as a computer or smartphone in the form of an encrypted list. Accessing your vault requires entry of a master password. Think of it like your personal key to unlock your safe.
The major benefit of keeping everything offline is that a hacker must gain physical possession of it. However, the benefits of remaining isolated quickly break down if you wish to use the manager with multiple devices. This usually involves granting access to your device so it can be accessed online which might defeat the purpose of isolating your secret list of passwords.
The most popular option is to use a web-based password manager which involves layers of encryption to keep your vault safe. Storing your vault in the cloud means that you can access your passwords from anywhere and consistently update your vault with a touch of a button. A number of web-based managers offer a browser based captcha like option where you’re prompted with password suggestions to increase the strength of your stored passwords. This means that adding to your vault is a breeze, however be sure to strengthen the complexity of passwords in your vault and make sure that the master key is difficult to guess to bulk up your all ‘round security. If what’s inside the vault is just as tough to crack as the master key itself then it will be very difficult for a hacker to get inside.
To gain access to a vault or break passwords, hackers are using blunt force attacks upon a password. This involves a program running through trillions of permutations in order to try and guess your password. Strong passwords add to the complexity and theoretical time it could take to hack into an account.
Weak passwords, not so much. Password Management Company, Keeper claims that a hacker could run through the approximate 3.5 trillion permutations to crack a password within an hour or two.
A benefit of an online password manager is the multiple layers of encryption and the asymmetric process that requires that the user inputs their password to unlock their vault and the server or password manager provides a key to unlock the vault.
Making a deal with the Devil
But should you really trust a company with access to all your passwords? If a hacker gained access to the password manager’s server then essentially aren’t all these security methods rendered essentially useless?
Well, another handy feature of cloud based password managers are the ability for users to create a key that is derived from their master password and complete the encryption process themselves before sending it across to the servers of the password manager. This means that neither you nor the server can unlock your vault without your special master key.
After your master password is passed through many permutations, the password manager allows you to authenticate yourself without storing your password before releasing your vault. This feature of ‘Zero Knowledge Storage’ means that no one else can access your vault.
The password manager then allows users to create a key to decrypt the vault and make any changes or updates as needed. Once you’ve done with your vault, you encrypt the data again and send it across to the password manager where it’s stored on a server.
However, if you wanted to avoid a vault entirely and generate a new password each time then a Stateless Password Manager offers the ultimate incognito in password security. With the use of a USB flash drive, users login and generate a new unique token each time they access their account. There’s no database in the background available to provide synchronization which means hackers have no ability to access your accounts. The obvious disadvantage is that if you lose the device then you lose access to your accounts. Also, stateless password managers are typically open source and lack a lot of support for users, other than an online knowledgebase to trawl in the event of user difficulty.
With the expansion of web3 interfaces that rely on interactivity and the handing over of personal details, ensuring our online security seems to have become an increasing ‘roll of the dice.’ While password managers offer layers of encryption to reassure users that their secrets are kept safe, few services offer a service of zero knowledge storage that is updatable at the touch of a button.
Until it becomes easier for users to encrypt and decrypt their personal data in real-time across the internet while adding to a vault, password managers are likely to remain the exception. The potential for poor password practices or worse storing personal details within browsers is likely to remain the norm.