People are lazy. To put a finer point on it, people are lazy with passwords. That’s the harsh reality, and there’s data to prove it. You can actually download all the passwords from Have I Been Pwned and even see how many times each password occurs in their half-billion strong database. It’s breathtaking. A recent Verizon study again reiterates this fact. Even knowing what makes a bad password, people are still making the most common of common password mistakes.
But maybe lazy isn’t the right word. It’s more like fatigue. The average business user has 191 passwords. At that rate, you could reasonably be changing multiple passwords per week to system-enforced password formats. (No recycling passwords allowed).
Organizations have been taking note of this password weariness and started rolling out password managers. Great, right? Maybe. If you are a security-conscious IT pro, you reasonably have your doubts.
Here’s a look at whether such skepticism about password managers is warranted.
Pro: One key to rule them all
Storing a master password that holds the key to all your other accounts might feel, well, weird. This is generally not considered a good security practice and isn’t recommended. However, password managers have changed this mentality — and there hasn’t yet been a Yahoo!-type incident among the major password managers. And theoretically, there shouldn’t ever be.
Most password managers use a “zero-knowledge” security approach. That means the provider shouldn’t see, doesn’t see, and doesn’t ever want to see user data. They’re just the scrupulous bagman, passing heavily encrypted data back and forth between servers and devices.
There’s one key to your data: Your password. And hopefully, some two- or multi-factor authentication for added measure.
Con: One key to rule them all
There’s just one problem with keeping all your passwords in one spot. They’re all in one location — with one key to open the door. You lose that key and you’re locked out.
Password manager providers each take a different approach to this dilemma. Depending on the settings, LastPass can be forgiving about a lost master password. DashLane, however, has a zero-tolerance policy. You lose your key. They can’t help you. Many other managers take this approach as well.
Each provider has their own specific recovery steps that you need to follow. It’s a good idea to familiarize yourself with the recovery process when you sign up. It may require an epic quest by foot with some friends and a wizard. Or there may be nothing you can do at all.
Pro: You can generate more robust passwords
Password managers are really good at making passwords for you. You can even customize these passwords. Here are a couple of the options you have.
Length. In cryptography, password length determines keyspace: the number of possible passwords of that length over the chosen character set. You want a big keyspace, but there’s a point of diminishing returns. Shoot for 15 characters. You can opt for 100 characters, but that’s a little overkill.
Readability. Password generators may offer the option for a readable, randomly generated password. You may want to use this type of password for a master password — or something you actually want to remember.
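To make the length and readability options concrete, here is an added Python example (not code from the article or from any password manager vendor) that generates both kinds of password with the `secrets` module and computes the keyspace in bits. The 94-symbol alphabet is the printable ASCII set; the word list is a constructed placeholder, since real generators draw from lists of thousands of words, and the entropy figures are computed from those assumptions.

```python
import math
import secrets
import string

# 94 printable ASCII symbols (letters, digits, punctuation; no whitespace).
SYMBOL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed placeholder word list for the "readable" option. Real generators
# draw from lists of thousands of words, which is what makes passphrases strong.
WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "gravel", "harbor",
    "iris", "juniper", "kestrel", "lantern", "meadow", "nickel", "orchid", "pepper",
]


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def generate_random(length: int = 15, alphabet: str = SYMBOL_ALPHABET) -> str:
    """Random password drawn with a CSPRNG; 15 chars over 94 symbols is ~98 bits."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_readable(words: int = 5, wordlist: list = WORDLIST, sep: str = "-") -> str:
    """Readable passphrase: random words joined by a separator, easy to type and remember."""
    if words < 1:
        raise ValueError("words must be at least 1")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def readable_bits(words: int, wordlist: list = WORDLIST) -> float:
    """Entropy of a passphrase is counted per word drawn, not per character."""
    return keyspace_bits(words, len(wordlist))


def compare_lengths(lengths=(8, 15, 100), alphabet_size=len(SYMBOL_ALPHABET)) -> dict:
    """Keyspace in bits for several lengths, to show where returns diminish."""
    return {n: round(keyspace_bits(n, alphabet_size), 1) for n in lengths}


if __name__ == "__main__":
    print("random  :", generate_random(15))
    print("readable:", generate_readable(5))
    for n, bits in compare_lengths().items():
        print(f"{n:>3} chars over 94 symbols: {bits} bits")
    print("5 words from a 16-word list:", readable_bits(5), "bits")
```

The comparison shows the point the article makes: 8 characters over the full symbol set is about 52 bits, 15 characters is about 98 bits, and 100 characters is over 650 bits, far past what any offline guessing attack can reach. Note that a readable passphrase from a 16-word list only reaches 20 bits at five words; the word list size, not the word count alone, is what makes the readable option safe for a master password.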
With a password manager, you can generate robust passwords for all your different logins. Maybe not quite as intense as some of your favorite ASCII art from the 90s, but still pretty complex. You don’t have to remember how to type your passwords out. You’re all good once your accounts are linked to your master password. There’s no more remembering multiple passwords.
Con: A good password isn’t everything
As we’ve seen so far, password managers are really good at protecting your passwords. (Perhaps, even from you.) However, they are defenseless against keylogging software, shoulder surfers, and that sticky note on your monitor.
Using a password manager does not mean all your accounts are immune to every security threat. There are still common security threats to be aware of including:
Credential leaks. Organizations may accidentally leak access keys and hard-code API keys into their public source code. Open repos and S3 buckets are notoriously soft targets for access keys, tokens, and even passwords.
Dictionary attacks. Most attackers will try a dictionary attack before a brute force because they’re hoping you have a human-generated password. With a dictionary attack, they don’t have to run through an entire keyspace. They can focus on munged words. For instance, we noted in an entire article about password mistakes that the password s3ash311 (or the munged seashell) took 2.5 seconds to crack.
Keyloggers. These are always a threat. This type of malware records every key pressed. Keyloggers can scrape financial information, passwords, medical information, and anything else you choose to type.
Insider breaches. Some companies have encountered insider threats from employees who may opt to sell sensitive data for the right price.
Phishing emails. With all the personal information floating around out there, these types of emails have become really sophisticated. In one recent instance, scammers managed to take Facebook and Google for $100 million with phishing emails. So, that email may look like it’s coming from your bank or your boss, but it’s not. It can be hard for the average recipient to tell them apart from authentic messages.
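Because munged dictionary words are the first thing a dictionary attack tries, a defender’s password policy should reject them before they are ever set. The following is an added Python example, not part of the article or of any product mentioned in it, of a policy filter that undoes common character substitutions and trailing digits before comparing against a banned-word list. The substitution table and the tiny dictionary are constructed for illustration; a real policy would load a large word list plus the most common leaked passwords. It catches s3ash311 as seashell and p@ssword123 as password.

```python
import itertools
import math
import string

# Common "leet" substitutions to undo. Ambiguous characters map to several
# letters, so each position expands into a list of candidate letters.
SUBSTITUTIONS = {
    "@": "a", "4": "a", "3": "e", "1": "li", "!": "i", "0": "o",
    "$": "s", "5": "s", "7": "t", "+": "t",
}

# Constructed banned-word list (placeholder for a real dictionary).
DICTIONARY = {"seashell", "password", "welcome", "letmein", "summer", "dragon"}

TRAILING = string.digits + string.punctuation


def demunge_candidates(password: str, max_candidates: int = 4096) -> set:
    """All plausible de-munged forms of a password, each with and without a
    trailing suffix of digits/punctuation (the "seashell" in "s3ash311")."""
    pw = password.lower()
    candidates = {pw, pw.rstrip(TRAILING)}
    options = [[c] + list(SUBSTITUTIONS.get(c, "")) for c in pw]
    if math.prod(len(o) for o in options) > max_candidates:
        # Bounded fallback for long passwords: keep only the literal form
        # (already added) and the fully substituted form.
        options = [[o[1]] if len(o) > 1 else o for o in options]
    for combo in itertools.product(*options):
        word = "".join(combo)
        candidates.add(word)
        candidates.add(word.rstrip(TRAILING))
    candidates.discard("")
    return candidates


def find_dictionary_word(password: str, dictionary: set = DICTIONARY):
    """Return the dictionary word hiding in a munged password, or None."""
    for cand in sorted(demunge_candidates(password)):
        if cand in dictionary:
            return cand
    return None


def check_password(password: str, dictionary: set = DICTIONARY, min_length: int = 12) -> tuple:
    """Policy decision as (accepted, reason); dictionary check runs first so the
    user learns which word gave their password away."""
    word = find_dictionary_word(password, dictionary)
    if word:
        return False, f"munged dictionary word: {word}"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, None


if __name__ == "__main__":
    # Constructed sample inputs: two munged words and one generated password.
    for sample in ("s3ash311", "p@ssword123", "W3lc0me!", "Xq7!mvZ#k9lPu2"):
        print(f"{sample:16} -> {check_password(sample)}")
```

The check is deliberately cheap: a few dozen candidate expansions per password, which is affordable at password-set time. That asymmetry is the whole point: the policy spends milliseconds so that the 2.5-second crack the article describes never gets a target.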
With all these attack vectors, hackers may not be going for the motherlode in the password manager. They’re looking for other lapses in security best practices.
Pro: Password managers take one thing off your plate
System administrators and security professionals work together to set password policies for company accounts. In the past, that’s extended as far as Active Directory, AWS IAM, or other platforms with granular access management settings. Enterprise password managers give sysadmins greater control over everything else.
Let’s say that you have strict password controls in Active Directory. You do monthly password resets with a 20-character keyphrase that must be unique to the user. That’s great. But that doesn’t keep someone in your finance department from using the infamous p@ssword123 for the payroll software. Similarly, it doesn’t keep the accountants from emailing passwords, writing them on sticky notes, or all the other ways to share passwords for common accounts.
From the admin dashboard on most enterprise password managers, sysadmins can restrict all passwords to strong combinations — and allow sharing among teams in a secure way. In fact, users don’t even need to see the password. The password manager auto-fills the field.
If used correctly, password managers can work very well. There is a reason they are becoming so popular among companies. However, password management is only one piece of the puzzle.
Con: Password managers require buy-in and setup
You can buy the licenses for a password manager. You can set it up. But you can’t make everyone use it. You may theoretically have control over all company passwords, but that’s assuming everyone trashes their sticky notes and installs the plugin in their browser.
There’s another obstacle for security-minded sysadmins. Password managers start empty, and you have to fill them up with your passwords. There’s no silver bullet to getting your potentially hundreds of passwords into the software. You either have to take the time to load them all or enter them organically.
If you’re able to enter all your credentials at the same time, that may mean you have a password spreadsheet. It’s probably titled “Passwords”. It’s probably on a network drive. You’re doing the right thing. Now delete that spreadsheet.
The organic approach is much more common. Go about your business. When you hit a login page, enter your credentials and don’t forget to add the password to the manager as you go. Most password managers will prompt you.
It’s a pain, but eventually, you’ll have everything in your manager and — good or bad — you’ll never have to remember or create a password ever again. Except for the master. Don’t forget that, and please don’t write it down.