BW Businessworld

Password Manager, Anyone?

Are password managers absolutely safe? No one can guarantee that and there have been breaches in the past, but with the military-grade encryption that most password managers use, their track record has been pretty good to date.


The answer to the question, are password managers necessary, would differ from person to person. Those of us who are active on the internet have multiple online accounts requiring multiple passwords, ideally unique. 

Despite knowing the importance of a strong password, people are lax about it. The figure below shows the five most common passwords created by Indian users and the time taken to crack them. 


One hears news about cybercrime every day, and awareness of such threats has increased significantly, but as is obvious from the above, people are still indifferent in their password habits. When asked, they say they opt for simple passwords so that they can memorise them and avoid the frustration of forgetting a password and having to restore it through a complicated process of answering security questions, the answers to which they have also forgotten. This is beautifully portrayed by xkcd.com in its comic, “Password Strength”, with the comment “Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess”.

This is where password managers come in. With so much of our data in the public domain, password managers protect that data from theft. They are the first line of defence that can keep cyber criminals at bay. Password managers come in different types: built into web browsers or as third-party browser extensions, on-device, or token-based. Malwarebytes Labs defines a password manager as “a software application designed to store and manage online credentials. It also generates passwords. Usually, these passwords are stored in an encrypted database and locked behind a master password”.

At one’s discretion, password managers can generate, store and autofill strong passwords, along with other frequently used information, such as credit card numbers. One just needs to remember the master password to get access.

Password managers can – 

  • synchronise passwords across devices
  • warn of single password usage across accounts
  • work on multiple operating systems
  • spot fake sites
  • provide an alert if a login has been breached
  • create a Virtual Private Network (VPN) to disguise the IP address, ensuring protection of one’s information when using public WiFi

Each type of password manager has its pros and cons. The ones inbuilt into the browsers are convenient and portable across devices. However, with extra convenience comes the risk of reduced security since they store the passwords online and are the prime target of cyber-attacks.

Password managers installed on the device lessen the risk associated with browser-based ones since the passwords are stored locally. Another big advantage is that they can be used without connecting to the Internet. The flip side is that they are not portable and need to be installed on every device used by the individual.

Token-based password managers can be in the form of USB devices, smart cards or key fobs. In this case, passwords are stored on these devices. The issue with these types is the risk of the devices getting damaged or stolen.

Considerations in selecting a password manager

Cloud-based or on-device – the former is quite popular, since it is device independent and works across devices, but if one is a cloud sceptic, then the on-device password manager works equally well.

Device compatibility – it is important to check whether the selected application works seamlessly on the operating systems in use and has browser extensions for browser-based usage. It should also have a synchronisation option across devices.

Additional security – does it offer two-factor authentication and biometric features like fingerprint or facial recognition?

Why password managers

With digital becoming a way of life, individuals have several online accounts, from social media to financial to shopping, and a user id and password is a must for each one. Under the circumstances, the convenient option is to select a relatively easy-to-remember password, leaving them open to the risk of a data breach. Many understand the need for a strong password and do take steps to create long, complex passwords, but remembering them becomes a problem, especially for accounts that are not in regular use. This leads to frustration and stress about managing passwords.

Are password managers absolutely safe? No one can guarantee that and there have been breaches in the past, but with the military-grade encryption that most password managers use, their track record has been pretty good to date.

So, if you are from that breed of people who regularly get locked out of accounts and have to use the forgot password option frequently, you are a candidate for using a password manager.

Whether to use a password manager or not is a matter of personal choice. But if the decision is to use one, the importance of the master password cannot be stressed enough. While password managers store passwords of individual accounts in an encrypted form, the master password is not stored and needs to be ideally memorised or kept in a safe place, because if it is lost there is no way to recover the stored passwords.

If the decision is against using a password manager, do follow these good password habits –

  • Create strong passwords – at the least, 12 characters with a mix of uppercase and lowercase letters, numbers and symbols.
  • Do not use personal information like name or birth date in the password. 
  • Use separate passwords for different accounts and avoid reuse of passwords.
  • Memorise passwords and do not write them down.
  • Do not share passwords.
  • Use two-factor authentication where possible.
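
The habits above can be checked mechanically, much as a password manager warns about weak or reused passwords. The following is an added example, not part of the original article: the function names, the sample accounts and the personal details are all constructed for illustration, and the rules checked are only the length, character-mix, personal-information and reuse habits listed above.

```python
import secrets
import string
from collections import defaultdict

MIN_LENGTH = 12  # the article's minimum length
CLASSES = {
    "uppercase": string.ascii_uppercase,
    "lowercase": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

def generate_password(length=16):
    """Random password with at least one character from every class."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CLASSES.values())
    while True:  # redraw until all four classes are present
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in chars for c in candidate) for chars in CLASSES.values()):
            return candidate

def audit(accounts, personal_info):
    """Return {account: [findings]} for each account that breaks a habit."""
    findings = defaultdict(list)
    by_password = defaultdict(list)
    for account, password in accounts.items():
        by_password[password].append(account)
        if len(password) < MIN_LENGTH:
            findings[account].append("shorter than 12 characters")
        missing = [name for name, chars in CLASSES.items()
                   if not any(c in chars for c in password)]
        if missing:
            findings[account].append("missing " + ", ".join(missing))
        lowered = password.lower()
        if any(item.lower() in lowered for item in personal_info if item):
            findings[account].append("contains personal information")
    for shared in by_password.values():  # same password on several accounts
        if len(shared) > 1:
            for account in shared:
                others = [a for a in shared if a != account]
                findings[account].append("reused on " + ", ".join(others))
    return dict(findings)

# Constructed sample data, not real credentials.
SAMPLE_ACCOUNTS = {"mail": "password", "bank": "Asha1990!secure",
                   "shop": "password", "forum": generate_password()}
SAMPLE_PERSONAL = ["Asha", "1990"]
```

Note that the "bank" password passes the length and character-mix rules and is flagged only because it embeds a name and birth year, which is why the personal-information habit is listed separately.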


In conclusion, in the context of password management, the words of James Scott, Senior Fellow, Institute for Critical Infrastructure Security, ring so true: “There’s no silver bullet solution with cybersecurity, a layered defense is the only viable defense”.

Disclaimer: The views expressed in the article above are those of the authors' and do not necessarily represent or reflect the views of this publishing house. Unless otherwise noted, the author is writing in his/her personal capacity. They are not intended and should not be thought to represent official ideas, attitudes, or policies of any agency or institution.


Tags assigned to this article:
Magazine 06 May 2023

Jayesh Shah
