Password Managers Require Careful Selection & Use

Many of us have dozens of online accounts including social networks, email, shopping, and work. Each account requires its own password for authentication along with a user name. The problem is that no one can remember so many passwords and user names, so there is a tendency to re-use them.

Reuse raises the exposure to risk if a phishing attack is successful. With just one password and user name, attackers may be able to get into many user accounts, including those of their employers. One solution is to rely on a password manager, which creates and stores unique strong passwords, and then uses them to automatically log into online services.

While many security experts argue in favor of such tools, others note that a single master password is still required to use the password manager, and if that password is cracked then everything is exposed. For their part, password manager services strongly discourage storing the master password online, and do so with a pop-up warning.

Nevertheless, password manager services are becoming a popular target for hackers, and at least one high-profile service has recently been hacked. Although the encryption protecting stored passwords was not broken, users were advised to change their master password as a precaution.

High Stakes of a Data Breach

If hackers eventually succeed in breaking the encryption used by password manager services, the stakes can be high for both individuals and organizations:

  • Cracking a password manager could expose a person’s entire online life, including professional, health, financial, political and sexual details, and inflict tremendous damage on the user.
  • Users generally have no way of knowing what security tools a password manager uses, or how well they are implemented and patched, making it difficult to choose the safest one.
  • Users may have no way to determine if a breach has occurred unless the password manager service tells them.

Despite the real and potential problems with password manager services, they offer much-needed convenience and a high level of protection by encouraging the use of a strong, unique password for each online account.

Top 10 Considerations with Password Managers

The key to avoiding trouble with password manager services is to choose wisely and use common sense…

  • Do not store the master password online
  • Check for any default settings and review them immediately
  • Select a service that offers multi-factor authentication
  • Choose a service that includes a password audit feature
  • Make sure the service can quickly lock down user data during a real or perceived attack
  • Choose a service that automatically changes a password if an online service has been hacked
  • Make sure the service offers a security report and periodically check it for any anomalies
  • Select an “open source” solution that has been audited by third-party security experts for code integrity
  • Ensure that the service has a good reputation for transparency
  • Choose a service that offers cloud and desktop password management to suit individual preferences and changing circumstances

With so many online accounts to keep track of, it is all too easy for users to get sloppy with password security, exposing themselves and their employers to attack and damage. Password managers can help, but only if the solution is carefully selected and used with common sense.

DataLink has security solutions to suit any business need, including protecting networks, systems and users from potential harm. Contact us today: 410.729.0440 or sales@DataLinkTech.com.