Wednesday, 11 July 2018


A password manager helps in generating and retrieving complex passwords, potentially storing them in an encrypted database or computing them on demand.

Password manager types include:

  • locally installed software applications
  • online services accessed through website portals
  • locally accessed hardware devices that serve as keys

Depending on the type of password manager used and on the functionality offered by its developers, the encrypted database is either stored locally on the user's device or stored remotely through an online file hosting service. Password managers typically require the user to create and remember a single "master" password to unlock and access any information stored in their databases.





Locally installed software

Password managers usually reside on the user's personal computer or mobile device, such as a smartphone, in the form of a locally installed software application. The application can be offline, in which case the password database is stored independently and locally on the same device as the password manager software. Alternatively, the password manager can offer or require a cloud-based approach, in which the password database depends on an online file hosting service and is stored remotely, but is handled by the password management software installed on the user's device.




Web-based services

An online password manager is a website that securely stores login details. It is a web-based version of the more conventional desktop-based password manager.

The advantages of online password managers over desktop-based versions are portability (they can generally be used on any computer with a web browser and a network connection, without having to install software) and a reduced risk of losing passwords through theft of or damage to a single PC, although the same risk is present for the server used to store the user's passwords. In both cases, this risk can be prevented by ensuring that secure backups are taken.

The main disadvantages of online password managers are the requirements that the user trusts the hosting site and that no keylogger is on the computer being used. With servers and the cloud being a focus of cyber attacks, how one authenticates to the online service and whether the passwords stored there are encrypted with a user-defined key are just as important. Again, users tend to circumvent security for convenience. Another important factor is whether one-way or two-way encryption is used.

There are mixed solutions. Some online password management systems distribute their source code, which can be checked and installed separately.

The use of a web-based password manager is an alternative to single sign-on techniques, such as OpenID or Microsoft's Microsoft account (formerly Microsoft Wallet, Microsoft Passport, .NET Passport, Microsoft Passport Network, and Windows Live ID) scheme, or it can serve as a stop-gap measure pending the adoption of a better method.



Token-based hardware

A token-based password manager relies on a security token: locally accessible hardware, such as a smart card or a secure USB flash device, is used to authenticate the user in lieu of or in addition to a traditional text-based password. Data stored in the token is usually encrypted to prevent probing and unauthorized reading. Some token systems still require software loaded on the PC, along with hardware (a smart card reader) and drivers, to read and decode the data properly.

  • Credentials are protected using a security token, so these systems typically offer multi-factor authentication by combining
    • something the user has, such as a mobile app that generates a rolling token similar to a virtual smart card, a smart card, or a USB stick,
    • something the user knows (a PIN or password), and/or
    • something the user is, such as a biometric read by a fingerprint, hand, retina, or face scanner.



Advantages

The advantage of password-based access controls is that they are easily incorporated into most software using the APIs available in many software products, they do not require extensive computer/server modifications, and users are already familiar with passwords. While passwords can be fairly secure, the weakness is how users choose and manage them, by using:

  • simple passwords - short passwords, which use words found in dictionaries, or do not mix different character types (numbers, punctuation, upper/lower case), or are otherwise easily guessed
  • passwords that other people can find - on sticky notes on the monitor, in a notepad by the computer, in a document on the computer, on whiteboard reminders, in smart device storage in clear text, etc.
  • the same password - using the same password for multiple sites, never changing account passwords, etc.
  • shared passwords - users telling others their passwords, sending unencrypted email with password information, contractors using the same password for all their accounts, etc.
  • administrative account logins where limited logins would suffice, or
  • administrators who allow users with the same role to use the same password.

It is typical to make at least one of these mistakes. This makes it very easy for hackers, crackers, malware, and cyber thieves to break into individual accounts, companies of all sizes, government agencies, institutions, etc. Protecting against these vulnerabilities is what makes password managers so important.

Password managers can also be used as a defense against phishing and pharming. Unlike a human, a password manager program can incorporate an automated login script that first compares the current site's URL with the URL stored for the saved site. If the two do not match, the password manager does not automatically fill in the login fields. This is intended as a safeguard against visual imitations and look-alike websites. With this built-in advantage, the use of a password manager is beneficial even if the user has only a few passwords to remember. While not all password managers can automatically handle the more complex login procedures imposed by many banking websites, many of the newer password managers handle complex passwords, multi-page fill-ins, and multi-factor authentication.

Password managers can protect against keyloggers or keystroke-logging malware. When using a multi-factor authentication password manager that automatically fills in login fields, the user does not have to type any username or password for the keylogger to pick up. While a keylogger may pick up the PIN used to authenticate to a smart card token, for example, without the smart card itself (something the user has) the PIN does the attacker no good. However, password managers cannot protect against man-in-the-browser attacks, where malware on the user's device performs operations (e.g. on a banking website) while the user is logged in and hides the malicious activity from the user.



Problem

Vulnerability

If passwords are stored in an unencrypted way, it is generally still possible to get a password given local access to the machine.

Some password managers use a user-selected master password or passphrase to form the key used to encrypt the protected passwords. The security of this approach depends on the strength of the chosen password (which might be guessed or brute-forced), and also on the password itself never being stored locally where a malicious program or individual could read it. A compromised master password renders all of the protected passwords vulnerable.

As with any system that involves the user entering a password, the master password can also be attacked and discovered using key logging or acoustic cryptanalysis. Some password managers attempt to use virtual keyboards to reduce this risk, though this is still vulnerable to key loggers that take screenshots as data is entered. This risk can be reduced by the use of a multi-factor verification device.

Some password managers include a password generator. The generated passwords may be guessable if the password manager uses a weak random number generator instead of a cryptographically secure one.
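The difference between the two kinds of generator, as an added example that is not taken from any password manager: `weakPassword` draws from `Math.random()`, while `generatePassword` uses Node's `crypto.randomInt()`. The character classes, default length and function names are assumptions made for this example.

```javascript
const { randomInt } = require('node:crypto');

// Character classes (assumed policy for this example).
const CLASSES = [
  'abcdefghijklmnopqrstuvwxyz',
  'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  '0123456789',
  '!#$%&*+-=?@^_',
];
const ALPHABET = CLASSES.join('');

// Weak: Math.random() is not a cryptographically secure generator, so its
// output must not be used for secrets.
function weakPassword(length) {
  let out = '';
  for (let i = 0; i < length; i++) {
    out += ALPHABET[Math.floor(Math.random() * ALPHABET.length)];
  }
  return out;
}

// Strong: crypto.randomInt() draws uniformly from Node's CSPRNG.
function generatePassword(length = 20) {
  if (length < CLASSES.length) {
    throw new RangeError('length too short to include every character class');
  }
  // One character from each class, the rest from the full alphabet.
  const chars = CLASSES.map((set) => set[randomInt(set.length)]);
  while (chars.length < length) chars.push(ALPHABET[randomInt(ALPHABET.length)]);
  // Fisher-Yates shuffle, also driven by the CSPRNG, so the guaranteed
  // characters do not sit at fixed positions.
  for (let i = chars.length - 1; i > 0; i--) {
    const j = randomInt(i + 1);
    [chars[i], chars[j]] = [chars[j], chars[i]];
  }
  return chars.join('');
}

// Upper bound on entropy: log2(alphabet size) bits per character.
function entropyBits(length) {
  return length * Math.log2(ALPHABET.length);
}
```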

A strong password manager will allow only a limited number of false authentication entries before it locks down and requires IT services to re-enable it. This is the best way to protect against brute-force attacks.

Password managers that do not prevent their memory from being swapped to the hard drive make it possible to extract unencrypted passwords from the computer's hard drive. Turning off swap can prevent this risk.

Web-based password managers, which run inside the user's browser, are particularly fraught with pitfalls. A detailed study using multiple password managers found the following flaws in web-based password managers:

  • Authorization flaws: Another possible problem is mistaking authentication for authorization. Researchers found that several web-based password managers had, at one point in time, such flaws. These issues were particularly present in password managers that allowed users to share credentials with other users.
  • Bookmarklet flaws: Web-based password managers commonly rely on bookmarklets for signing in users. However, if improperly implemented, a malicious website can abuse this to steal a user's password. The main cause of such vulnerabilities is that the JavaScript environment of a malicious website cannot be trusted.
  • User interface flaws: Some password managers ask the user to log in through an iframe. This is not safe, because it trains the user to fill in their password while the URL displayed by the browser is not that of the password manager. A phisher can abuse this by creating a fake iframe and capturing the user's credentials. Instead of using an iframe, a safer approach is to open a new tab in which the user can log in to the password manager.
  • Web flaws: Classic web vulnerabilities can also be present in web-based password managers. In particular, XSS and CSRF vulnerabilities may be exploited by hackers to obtain a user's password.

Additionally, password managers have the disadvantage that any potential hacker or malware needs to know only one password to gain access to all of a user's passwords, and that such managers have standard locations and ways of saving passwords which malware can exploit.

Blocking of password managers

Various high-profile websites have attempted to block password managers, often backing down when publicly challenged. The reasons cited have included protecting against automated attacks, protecting against phishing, blocking malware, or simply denying compatibility. The Trusteer client security software from IBM has explicit options for blocking password managers.

Such blocking has been criticized by information security professionals as making users less secure, and the justifications as false. The typical blocking implementation involves setting autocomplete='off' on the relevant password web form. Consequently, this option is now ignored from Internet Explorer 11 on https sites, Firefox 38, Chrome 34, and in Safari from about 7.0.2.

A 2014 paper from researchers at Carnegie Mellon University found that while browsers refuse to autofill if the protocol on the current login page differs from the protocol at the time the password was saved, some password managers would insecurely fill in passwords for the http version of https-saved passwords. Most managers did not protect against iframe-based and redirection-based attacks, and exposed additional passwords where password synchronization had been used between multiple devices.
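The URL comparison described under Advantages and the protocol check described in the paragraph above can be combined into one autofill decision. The following is an added sketch, not code from any password manager; the function names, the `isTopLevelFrame` flag and the sample URLs are constructed for this example.

```javascript
// Decide whether a saved credential may be filled into the current page.
// isTopLevelFrame is a hypothetical flag the caller would supply.
function autofillDecision(savedUrl, currentUrl, isTopLevelFrame = true) {
  let saved, current;
  try {
    saved = new URL(savedUrl);
    current = new URL(currentUrl);
  } catch {
    return { fill: false, reason: 'unparseable URL' };
  }
  if (!isTopLevelFrame) return { fill: false, reason: 'embedded frame' };
  if (saved.protocol !== current.protocol) {
    const downgrade = saved.protocol === 'https:' && current.protocol === 'http:';
    return { fill: false, reason: downgrade ? 'https to http downgrade' : 'scheme mismatch' };
  }
  // URL() lowercases hostnames and converts non-ASCII labels to punycode,
  // so a look-alike Unicode host never compares equal to the saved ASCII one.
  if (saved.hostname !== current.hostname) return { fill: false, reason: 'host mismatch' };
  if (saved.port !== current.port) return { fill: false, reason: 'port mismatch' };
  return { fill: true, reason: 'origin match' };
}

// Constructed sample data: one saved login and several pages asking for it.
const SAVED_LOGIN = 'https://login.example.test/signin';
const SAMPLE_PAGES = [
  'https://login.example.test/account/signin?next=%2F',
  'http://login.example.test/signin',
  'https://login.example.test.attacker.test/signin',
  'https://login.ex\u0430mple.test/signin', // Cyrillic "а" in place of Latin "a"
  'https://login.example.test:8443/signin',
];

// Returns the decision reason for each constructed sample page.
function checkSamples() {
  return SAMPLE_PAGES.map((page) => autofillDecision(SAVED_LOGIN, page).reason);
}
```

Only the first sample page is filled; the path and query string are deliberately ignored, because the decision is made on scheme, host and port.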



See also

  • List of password managers
  • Password exhaustion
  • Password management
  • Security Token
  • Smart card


Source of the article : Wikipedia
