Password Manager


In the previous article we talked about how to create secure passwords and, in particular, about how to store them. Unfortunately, the number of passwords to remember is constantly increasing: some people have to manage over a hundred, a not insignificant effort for our memory. Since the future without passwords ("passwordless", as some call it) is still far away, we have to find a strategy that gives us a hand. That is why Password Managers were invented (no, they are not the Post-it notes attached to the computer monitor). Joking aside, they are programs that can store hundreds of passwords.

There are different types: programs to install on your computer and programs to use in the Cloud (the topic of the next article), some free and others paid. But what are they, and how do they work?

What are they? They are programs and apps that store, in a secure and encrypted way, the access credentials (username and password) for web services (and not only those) in a sort of virtual safe (the "Vault"), making them available to the user when needed.

The best PMs are "cross-platform", that is, they are available for Mac, Windows, iOS and Android systems. This makes it possible (but is not an obligation) to synchronize passwords through the cloud (e.g. Dropbox) across every device on which they are installed (computer, laptop or smartphone).

They are protected by a Master Password, which is used to open them and therefore becomes the only password you need to remember. Let's delve deeper into these concepts, but we also recommend that you read the article on how to create secure passwords.

This clashes, today, with the number of passwords that each of us must manage in our digital lives: according to industry experts, the average employee of a company manages 191 passwords. A web user must manage at least a hundred passwords.

This creates the conditions for one of the most frequent and serious mistakes that users are led to commit: password reuse, that is, the use of the same password for different accounts.

It is a dangerous habit that allows attackers to use the credential stuffing technique: in practice, usernames / passwords (collected in databases of stolen credentials, easily found on the Dark Web) are tested to fraudulently access user accounts.

So passwords must be: always different, long and complex. "The only secure password is the one you can't remember": in this sentence, which is the title of a famous article by Troy Hunt in 2011, there is the summary of the problem: we must use passwords that are impossible to remember.

It would seem a problem without a solution, but – on the contrary – today the password managers come to our aid.

But how do they work? For both the installed kind and the Cloud kind, at first access you create a Master Password, which will be the only one you have to memorize; losing it means losing all the content of the Password Manager. The data are stored securely and encrypted, readable only through the Master Password. This means that no one else can read the content, not even the administrators who manage the Cloud of the password manager; for this reason they are classified as safe.

Then you will have to populate it manually by entering all your passwords, which can then be recalled automatically on the site you are accessing.

Currently, in addition to password manager programs, some antivirus products also have this option, as do Internet browsers (Edge, Chrome and Firefox), but the level of security is not the same.


What are the advantages of a Password Manager:

  1. You need to remember only one password: as mentioned, it is the Master Password to open them;

  2. They offer standard templates that make it easier to fill in the main types of entries. We will then have templates for: bank account, credit card, document, login, email account, secure note, Wi-Fi password, etc.;

  3. For each item we can add and store a lot of data: username, password, phone numbers, expiration dates, photos of documents or credit cards, etc. and customize them to our liking. This makes them much more practical and complete than the password managers that are natively present in the main browsers (Chrome, Firefox, Safari);

  4. In the best PMs, stored data is encrypted with AES 256-bit encryption, the same used as a standard by the US government to protect documents classified "Top Secret". This encryption is considered unbreakable by current computers. So, even if an attacker managed to get hold of the file (vault) with our passwords, he would not be able to decrypt it;

  5. They have the ability to automatically generate secure and complex passwords: so whenever we have to set or change a password, just have it created by the PM and it will be made with the best security requirements to be adopted for passwords;

  6. Most PMs integrate an intelligent form autofill system for websites. There is therefore no need to "copy/paste" passwords to complete the login. This feature is exceptionally convenient: simply open the login page of the site with the PM unlocked, and it will automatically recognize the site and enter its credentials. At this point the length of the password will no longer be a problem! To use it, you must install the password manager extension on each browser. In the most advanced PMs, autofill works not only in login forms, but also for the automatic filling of credit card data. This is very practical for avoiding the (inadvisable) practice of storing credit card information within a site;

  7. The autofill function is also implemented on the mobile applications (iOS and Android) of PMs;

  8. Autofill generates an additional advantage: it protects against phishing scams. In other words, if we land on a login page through a phishing link, the page will be fake, that is, its URL will be different from the URL of the real site. So the autofill function will fail, because the URL where we are does not match the one saved in the PM;

  9. PMs are not able to change / update passwords on sites independently, this operation will obviously have to be done by the user. However, thanks to the browser extension, they are able to recognize the password change (at the time it is done) and can automatically update the password within their database. Typically, before doing so, they require confirmation from the user (to avoid incorrect or unwanted updates).
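
How the Master Password makes the vault unreadable to anyone else, as described in the "how do they work" paragraph and in item 4, shown as an added example (not code from any particular password manager): the key is derived from the Master Password with scrypt and the vault is sealed with AES-256-GCM. The scrypt parameters, the choice of GCM mode, and the names `deriveKey`, `sealVault` and `openVault` are assumptions of this example.

```javascript
// Added example: a vault sealed under a key derived from the Master Password.
const crypto = require('node:crypto');

// scrypt cost parameters (assumed values for this example; tune to your hardware).
const KDF = { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

// Stretch the Master Password into a 256-bit key; the salt is stored with the vault.
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword.normalize('NFKC'), salt, 32, KDF);
}

// Encrypt the vault entries with AES-256-GCM. Only salt, nonce, tag and
// ciphertext are stored; the Master Password and the key never are.
function sealVault(masterPassword, entries) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(entries), 'utf8'), cipher.final()]);
  return { salt, iv, tag: cipher.getAuthTag(), ct };
}

// Decrypt and authenticate. A wrong Master Password or a modified file
// fails the GCM tag check, and null is returned instead of garbage.
function openVault(masterPassword, vault) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(masterPassword, vault.salt), vault.iv);
  decipher.setAuthTag(vault.tag);
  try {
    const pt = Buffer.concat([decipher.update(vault.ct), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch {
    return null;
  }
}

// Constructed sample data.
const sample = sealVault('correct horse battery staple', [
  { site: 'https://mail.example.com', username: 'alice', password: 'x7!Qm2#constructed' },
]);
console.log(openVault('correct horse battery staple', sample));
console.log(openVault('wrong master password', sample));
```

Because the key exists only while the Master Password is being typed, a stolen vault file or a cloud copy contains nothing that can open it, and equally nothing from which a forgotten Master Password could be recovered.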
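
The URL comparison behind item 8, as an added example that is not taken from any specific product: a credential is offered only when the page's origin equals the origin it was saved on. Exact-origin matching, the HTTPS-only rule, the sample URLs and the names `originOf` and `loginsFor` are assumptions of this example; real PMs may match more loosely.

```javascript
// Added example: the match an autofill engine performs before offering a credential.

// Constructed vault entries; each credential is bound to the URL it was saved on.
const savedLogins = [
  { url: 'https://accounts.example.com/login', username: 'alice' },
  { url: 'https://bank.example.net/', username: 'alice-bank' },
];

// Reduce a URL to its origin (scheme + host + port). URL() also lowercases the
// host and converts Unicode hostnames to punycode, so lookalike characters
// cannot compare equal to the ASCII name.
function originOf(rawUrl) {
  try {
    const u = new URL(rawUrl);
    return u.protocol === 'https:' ? u.origin : null; // never fill on plain http
  } catch {
    return null; // not a parseable URL
  }
}

// Return the saved logins whose origin is exactly the page's origin.
function loginsFor(pageUrl, vault = savedLogins) {
  const page = originOf(pageUrl);
  if (page === null) return [];
  return vault.filter((entry) => originOf(entry.url) === page);
}

// Constructed page URLs: the real site first, then pages that must get nothing.
const pages = [
  'https://accounts.example.com/login?next=/inbox', // real site, different path
  'https://accounts.example.com.login-verify.test/login', // real name used as a prefix
  'https://accounts.examp1e.com/login', // digit 1 instead of letter l
  'http://accounts.example.com/login', // right host, unencrypted scheme
  'https://accounts.ex\u0430mple.com/login', // Cyrillic "a" in the host
];
for (const p of pages) {
  console.log(loginsFor(p).map((e) => e.username), p);
}
```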


The disadvantages of a Password Manager:

The best PMs are safe and easy to use, but although they are very useful tools, it will also be good to highlight the possible mistakes that the user should not make in their use.

I point out only three possible risks (or disadvantages):

  1. Forgetting the Master Password: in most PMs there is no usual "I forgot my password" button to recover the access key, precisely for security reasons. So forgetting the master password means no longer having access to the PM and irretrievably losing all your passwords! Sometimes, during installation, a security key is generated (at least 32 characters long), to be used in case of emergency. Obviously, this "secret key" must also be kept carefully, because it represents the last chance to recover access to your safe;

  2. Having your Master Password stolen: keeping all your passwords in a single archive can be risky, so let's protect it with a strong password; after all, it is the only one we will really have to remember. This is unquestionably true and is, in fact, the main criticism made by those who do not appreciate PMs;

  3. Choosing an unsafe Password Manager: it could be dangerous to entrust your passwords to software created by others, because an attacker could package and market a PM specifically to steal your passwords. To avoid this risk, which is real, I recommend choosing only PMs from well-known and reliable companies.

 
 
 
