There is no simple answer to the question in our title. We have recently heard several news items about different password managers, which we discuss below. But before we start, we need to put things in context and explain what a password manager is.
According to Wikipedia, password managers are:
“A password manager is a software program used to store a large number of user/password pairs. The database where this information is saved is encrypted with a single password (master password) so the user only needs to memorize one password to access all the rest. This makes password management easier and encourages users to choose complex passwords without fear of being unable to remember them later.”[1]
So a password manager is software in which we store our passwords, so that we only need to remember one single password that gives us access to all the rest. The password we need to remember is the master password, which unlocks our password database.
However, some password managers have not required a master password for a while now: these are the managers built into the web browsers on our devices. A piece of malware called “Redline Stealer”, which targets the database some browsers use to store passwords, has recently been in the news. That database holds the username, the password, the website URL, and the last time you logged in, or even how many times a website has been accessed.
This malware is being used by the cybercriminals behind some current attacks in which news about the latest Covid-19 variant, Omicron, is used as bait. FortiGuard Labs[2] detected these attacks and warns that, even though the effects of this malware are not catastrophic for the affected devices, the information obtained can be very dangerous, as it can be used for malicious actions or sold to third parties.
For this reason, we think we need to be cautious about password managers embedded in browsers, since accessing their contents has proven to be very easy.
As an alternative to embedded managers, we have software-based managers. Yet we must point out that some of the most popular password managers are not exempt from news in which their security is questioned. Since the end of 2021, LastPass has been suspected of having suffered a security breach in which the master passwords of its users were exposed.
The company claims that there has been no such security incident and assures that no information has been compromised. The Verge[3] reports the following: “Our investigation has found that some of these security alerts, which were sent to a limited subset of LastPass users, were likely triggered by mistake. As a result, we have adjusted our security alert systems and this problem has since been solved.”
But this has not convinced LastPass users, whose concerns about data leakage remain.
As a recommendation, two-factor authentication should be enabled for access to the stored credentials. This way, one more factor is always added to authentication with the service. In other words, it will rely not only on something I know, such as the master password, but also on something else, such as a code generated by a mobile application.
After all the ‘incidents’ mentioned above, I would like to comment on my experience with one of these password managers. I have used a password manager for almost a year now for all my passwords. In the beginning it was a bit frustrating, since they recommend not reusing passwords, so little by little I have reset all the passwords for the different web services that I use, or have used, in my daily life.
All passwords are randomly generated by the software, so for almost 6 months now I can say that I only remember 3 passwords: the master password, the bank password, and the PC password. The rest of my passwords I have delegated to my password manager. To my surprise, when I looked at how many passwords I have stored, I now have 123 passwords that I think I could never learn by heart.
One of the advantages of password managers, especially subscription-based ones, is the security services they add. In my case, the software warns me when I am reusing passwords, when a password is weak, or when a password or my account has been involved in a security incident, in which case we are advised to change the password as soon as possible. This service reportedly uses searches on the dark web to see whether our accounts have been compromised.
In conclusion, we would like to emphasize that password managers are an essential tool nowadays, given the number of accounts we have for work, shopping, etc. However, being essential does not mean they need no maintenance and care, because, as we have said, there is no such thing as 100% security, and we must always stay vigilant for any leak of information.
[1] https://es.wikipedia.org/wiki/Gestor_de_contrase%C3%B1as
[2] https://www.fortinet.com/blog/threat-research/omicron-variant-lure-used-to-distribute-redline-stealer
[3] https://www.theverge.com/2021/12/28/22857485/lastpass-compromised-breach-scare