Are Password Managers Safe To Use?

Ransomware | admin_scs | October 13, 2021

INTRODUCTION:

A password manager is an application that stores users' passwords for them. Different password managers offer different functionality: some save passwords only on the current device, while others synchronize them across several devices. Some not only save passwords but also generate random, unique, and complex ones whenever a user creates or changes a password. Almost all password managers auto-fill the saved details on websites. These managers use different types of encryption to protect the stored passwords. They are your digital gatekeepers, holding all the information about your accounts.

WHY DO WE NEED PASSWORD MANAGERS:

An online survey conducted by Google in 2019 found that almost 52% of people reuse a single password across multiple accounts. This is very dangerous: if someone steals that one password, they can get into every other account that shares it, so by knowing a single password a hacker can access all of your accounts. Verizon's 2019 Data Breach Investigations Report found that almost 80% of data breaches are due to weak or compromised passwords. To avoid this we are supposed to create unique, hard-to-guess passwords for every account, but someone with 20 different accounts will find it very difficult to remember them all. So what are we supposed to do?

The solution may simply be a password manager: most managers can save passwords automatically and then fill the right password into each app or website, so the user never has to type it by hand.

USE COMPLEX PASSWORDS:

Password managers use different encryption methods and algorithms to generate complex passwords. These algorithms are very difficult to understand and produce an unpredictable, unique and complex password that combines digits, special characters, uppercase letters, and lowercase letters. Password managers also let us make a generated password as long as possible, since we never need to remember it.


DIFFERENT METHODS TO SECURE PASSWORDS:

Password managers use different techniques to encrypt and decrypt data so that only authorized parties can access it. One such military-grade cipher is 256-bit AES encryption, which most companies have adopted for VPNs, password managers, and firewalls since 2005.

In the term 256-bit AES encryption, AES is the cipher and 256-bit is the length of the key. A key is a random string of 0s and 1s, so with 256 bits there are 2^256 possible keys, and the more possible keys there are, the harder a brute-force attack becomes. 256-bit AES is also known as a private-key (symmetric) encryption algorithm: data is encrypted and decrypted with the same key, so both parties must have that key.

Another password-encryption technique is AES with a 128-bit key. It is less secure but still very hard to brute force, and it is mostly used by free and open-source password managers. XChaCha20 is a password-vault encryption technique that is much stronger than 256-bit AES; with it, Argon2 is used for key derivation and XChaCha20 encrypts the vault itself. This combination is implemented only in NordPass. Zero-knowledge is an approach in which passwords are encrypted before they leave your device, so the servers at the other end have no way to decrypt them. In most password managers a master password unlocks the vault; if that password is safe and strong, we need not worry about the other passwords. Two-factor authentication (2FA) adds a further layer of security to the database, and biometric authentication such as a face scan or fingerprint can also be used to protect our personal data.

TYPES OF PASSWORD MANAGERS:

Password managers can be divided into different categories according to their functionality; here we explain how four types work.

The four types are offline (locally installed) password managers, online (web-based) password managers, token-based (stateless) password managers, and single sign-on (SSO) password managers.

All of these types need a master password to access the vault, except token-based password managers.

OFFLINE PASSWORD MANAGERS

As the name implies, offline password managers are installed locally and store all of your data and passwords on your own device, whether that is your phone, computer, or laptop. The passwords are stored in encrypted form in a file separate from the password manager itself. To increase overall security, some password managers store each password in a separate file. A master password is required to access those password files. If that password is strong, it is very difficult for hackers or governments to open our local database and steal our information, because brute-forcing the encryption takes an enormous amount of time.

It is very difficult to use offline password managers on multiple devices. The main vault lives on one device and the others somehow have to synchronize with it, and for that all of the devices must be online. While the main device holding the vault is online, it becomes reachable by third parties. If you want more security, save your passwords in different files, each of which requires its own key. Moreover, if the device holding the vault breaks down and you have no backup, be ready for a lot of manual work.

PROS

The safest type of password manager.

Not internet-dependent.

Minimizes the risk of hackers breaking into the vault.

Free of cost.

CONS

The vault can be accessed on one device only.

Backups must be done manually.

In case you lose your device, it becomes very difficult to recover the passwords.

ONLINE PASSWORD MANAGERS

Online password managers, also known as web-based password managers, store all of our passwords in the cloud, which means we can access them from anywhere at any time. We do not need to install the password manager software on our device; if we cannot reach the vault through the web application, a mobile application or browser extension will do.

Browser-based password managers are a type of online password manager. They look secure, but on closer inspection they are less so. This type of manager works in a single browser only; importing and exporting data from one browser to another is very difficult, and synchronizing the vault across different browsers is nearly impossible.

Not all web-based password managers can generate passwords, so we may have to create passwords manually.

These password managers also fail to detect reused and weak passwords.

Most reputable online password managers use zero-knowledge technology to secure the user's personal data.

Zero-knowledge technology is a cryptographic technique that separates verification from the data itself. Zero-knowledge protocols allow two parties to exchange data without passing personal data such as passwords along with the transaction. In short, this technique encrypts your data on your side before it is sent to the service provider. But if you are not using two-factor authentication and a keylogger or other malware is installed on your device, then this protection means nothing.

Web-based password managers come in paid and free versions. Free versions limit some functionality, such as the number of devices and password synchronization, and they don't let you stay logged in continuously: you have to log in before entering a new password and synchronize it manually on other devices. Most free versions also don't allow credential sharing or dark web scanning.

On the other hand, premium versions allow us to share credentials with others. These versions also allow dark web scanning.

In the end, both versions are reliable and the choice depends on your needs: if you just want to save passwords and don't mind updating them manually, the free version is enough; if you want to synchronize passwords across all your devices, go for a premium one.

PROS

Very convenient to use.

Cloud backup.

Can be accessed from anywhere.

CONS

Data is stored on third-party servers.

Internet connectivity is required for authentication.

STATELESS PASSWORD MANAGERS

Stateless password managers are also known as token-based password managers. Here a token is generated on an external device such as a USB flash drive, and that token unlocks your account. There is no need for a password vault because the manager generates the password afresh every time we try to log in. Two-factor authentication, which here involves the token plus a master password, can be used for additional security.

Because no database is involved, synchronization between devices is not required. These password managers are safer because there is nowhere a hacker can steal your passwords from, unless he knows the master password and has information about your accounts.

Stateless password managers are free and open source. Their support comes from community forums and is usually a knowledge base.

PROS

Credentials are saved on an external device.

Efficient to use.

CONS

Requires both hardware and software.

If we lose the external device, we can't access our data.

SINGLE SIGN-ON PASSWORD MANAGER

Unlike other password managers, which generate a unique password for each application, single sign-on (SSO) password managers use only one password for all applications. With SSO we don't need to verify our identity each time we log into an application, because SSO vouches for our identity. In short, SSO password managers are a convenient and secure way to access different applications.

PROS

Increases speed.

Saves time as we don’t need to authenticate again and again.

Diminishes third-party risks.

CONS

Access to the system is lost in case of SSO failure.

A lot of implementation and configuration is required.

Compromises security on shared computers and networks.

PASSWORD MANAGERS ON MULTIPLE DEVICES:

Some password managers work on multiple devices while others operate on a single device only; it depends on the type. In stateless password managers a single device generates the passwords for all accounts and there is no vault. Locally installed (offline) password managers are also not well suited to multiple devices, because synchronization between them is possible but not very convenient. Web-based password managers can operate on multiple devices, through browser extensions and mobile applications.

BENEFITS OF USING PASSWORD MANAGERS:

We don't need to spend a lot of time creating a strong password. Most password managers offer an auto-generate feature, typically triggered whenever we create or change a password. It not only saves time but also produces a long, complex password that is very difficult to guess.

Password managers save all of our passwords so we don't need to remember them; we only memorize the master password and can then access the vault from anywhere. Thanks to auto-fill, we don't need to type passwords or other details (name, email, phone number, address, and credit card details) by hand, which saves a lot of time.

Many users share logins with friends and family members; Netflix, for example, allows several people to share an account. However, pasting account details into a chat window compromises account security. Password managers offer a way to share accounts securely with friends. Some also offer digital inheritance, a feature that lets your beneficiaries access the account if you die; you provide the details of the family members who should be allowed to take over.

Some hackers try to get at your account details by sending spam or spoofed emails that appear to come from a friend, a family member, or a legitimate organization. Opening such an email redirects us to a website designed to steal our credentials. A password manager will not recognize that site and so will refuse to auto-fill the details. If you use multiple operating systems, you can easily access the same vault on different platforms (web browsers, mobile applications).
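The refusal to auto-fill on an unrecognized site, as an added example (not code from the original post or from any product). The site names are constructed placeholders and the subdomain policy is an assumption.

```javascript
// Added example (not from the original post): the origin check that makes
// auto-fill refuse a look-alike phishing page. Site names are constructed
// placeholders and the subdomain policy is an assumption, not any product's.
function sameSite(storedHost, pageHost, allowSubdomains = true) {
  if (pageHost === storedHost) return true;
  // Policy choice: fill on subdomains of the stored host (login.bank.example
  // for an entry saved at bank.example), never the other way round, and
  // never on a host that merely starts with the stored name.
  return allowSubdomains && pageHost.endsWith('.' + storedHost);
}

// May an entry saved at entryUrl be filled into the page at pageUrl?
function shouldAutofill(entryUrl, pageUrl) {
  let stored, page;
  try {
    stored = new URL(entryUrl);
    page = new URL(pageUrl);
  } catch (e) {
    return false;                         // unparsable URL: refuse to fill
  }
  // Never send an https credential to a plain-http page (downgrade).
  if (stored.protocol === 'https:' && page.protocol !== 'https:') return false;
  // URL.hostname is lower-cased and IDN-encoded (punycode), so a Cyrillic
  // look-alike such as "bаnk.example" becomes "xn--..." and cannot match.
  return sameSite(stored.hostname, page.hostname);
}

// All vault entries that may be filled on the current page.
function entriesFor(entries, pageUrl) {
  return entries.filter((e) => shouldAutofill(e.url, pageUrl));
}

// Constructed sample entries (placeholder sites, fake passwords).
const vaultEntries = [
  { url: 'https://bank.example/login', username: 'alice', password: 'fake-pw-1' },
  { url: 'https://mail.example/', username: 'alice@mail.example', password: 'fake-pw-2' },
];
```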

Sometimes cybercriminals install keyloggers or other malware on your device to steal your master password. But that password is of no use to them if you have enabled two-factor authentication, because they still cannot reach your sensitive data: without the second factor, your vault remains locked.

By using a password manager you generate a unique, hard password for each site, which automatically increases the security of your accounts: if a cybercriminal steals the password of one account, he cannot get into your other accounts with it.

RISKS OF USING A PASSWORD MANAGER:

There are certain risks that are associated with password managers:

All of our sensitive data (bank details, credit card details, passwords) is stored in one place. If it is breached, changing all of those passwords and details takes a long time, which gives hackers a window in which to do damage.

If you don't back up your data and the server breaks down, there is a high chance you will lose access to your accounts. Keeping a backup on an unprotected cloud server or hard disk won't help either.

Not all devices are secure, so hackers can exploit your system and obtain all of your login information in a single attack. If a device is infected with malware, cybercriminals can capture the master password and steal everything stored on the device.

Poorly designed password managers also increase the risk of data loss because of their weak encryption.

We can access password managers through mobile applications, desktop software, or browser extensions. If we stay logged into the manager continuously, it becomes easy for someone else to reach all of our sensitive information: forget to lock your laptop before stepping out, and anyone with physical access can take the details of your email, social, banking, and other accounts and cause damage.

PASSWORD MANAGER SETUP:

Setup depends entirely on the type of password manager. For token-based managers we first need to decide which device will generate the key and then move on to the rest of the setup. For offline password managers we need to choose the device on which the database will be stored. For online password managers, the first decision is whether to use the free or the paid version.

STEPS INVOLVED IN PASSWORD MANAGER SETUP

There are seven steps to setting up a password manager.

CHOOSE A DEVICE

In the first step, decide which device you want to use your password manager on and make sure nobody else knows that device's access code.

SELECT THE PASSWORD MANAGER

Next, select the password manager of your choice. There are many free and paid managers; compare the available features and pick the best one. First make sure the selected password manager supports your operating system and web browser. If you want to import an existing vault, check whether that is possible.

CREATING A STRONG MASTER PASSWORD

In the third step, create a complex and strong password for your vault. Some password managers allow the user to recover the master password; in that scenario, choose a hard password or perhaps a passphrase of 4-5 words.

USE TWO-FACTOR AUTHENTICATION

In the fourth step, enable two-factor authentication, as it improves the overall security of your passwords. For the second factor, choose what your device supports: biometric verification, face scan, or fingerprint authentication.

CREATE PASSWORD FOR RECOVERY EMAIL

The fifth step is to generate a complex password for the email account you use to recover the master password, so that a hacker cannot get into it.

ADD OTHER DATA

The sixth step is to add other sensitive information. Most password managers store not only login details but also personal information such as bank and credit card details. This saves time when shopping online, as payment details are auto-filled.

SHARE LOGIN

The seventh and last step is to share login details. Sometimes a friend or family member asks for your Netflix login; some password managers provide a feature for sharing a password securely.

CONCLUSION:

For most people, a password manager enhances the overall security of their existing passwords and forces them to think about whether they have secured themselves online. It lets the user keep track of all their passwords without memorizing them. The vault also stores credit card information securely and can change and generate passwords in one click. It makes life easier, too, since we no longer need to write passwords down in an email or on other unencrypted media.

Security is the main concern when we deal with sensitive information, and here all of that information is stored in one place. Despite the concerns and the security flaws present in some password managers, it is better to use one, as something is better than nothing. You have to trust the password manager companies; they are more secure and have flawless reputations.

In the end, password managers are not the only thing protecting our personal information; no single security measure is foolproof, so you also need a reliable antivirus to protect your device from malware and other attacks. Timely software updates are also very important.

Written by: admin_scs
