Is a password manager right for you?


By Dylan Bushell-Embling
Monday, 11 August, 2014



Organisations need to weigh up all the pros and cons of password managers to decide if they meet their needs, or whether SSO is a better option.

Passwords have frustrated enterprise security experts for many years. Despite repeated warnings, too many users have the same password across multiple applications and websites. With best-practice guidelines also stipulating the use of complex passwords with a mixture of character types, it’s hard to blame them, as the average human brain can struggle to store multiple strong passwords at once.

The security of a password-based login hinges on the password being both strong and secret. Besides reusing passwords, end users often choose simple ones that are easily guessed, or leave them where others can find and read them, for example on sticky notes near their computer.

Password managers are an attempt to solve this problem. Password managers can take many forms, but in essence they are designed to serve as a database to store and organise passwords and other codes.

Password managers come as desktop software, mobile applications and web-based or cloud-hosted services. Some come on USB sticks that can be used on any computer. They are typically designed to generate a strong random password automatically whenever a new database entry is created.

From the end user's perspective, the most immediate advantage of a password manager is that only one strong master password has to be remembered, while every application and website still gets its own distinct, strong password.

In addition to storing passwords, many password managers on the market can act as a form-filler, and this doubles as a protection against phishing: the manager compares the URL it stored with the credential against the URL of the site currently being visited, and refuses to fill the login form when the two do not match. A lookalike domain therefore receives nothing, even if the user has been fooled by it.

Password managers can also offer some protection against keylogging: with automated form entry, or by copying and pasting the password, the user never types the site password. The protection is partial, since the master password is still typed and so still exposed to a keylogger, and a password left on the clipboard can be read by other software on the machine until it is cleared.

Beware the drawbacks

But there are also weaknesses inherent to password managers, the most obvious being that a single point of compromise, whether the database file or the master password, can hand an attacker the user's entire password library.

Some desktop password managers store their databases in an unencrypted form, meaning anybody gaining physical access to the computer, or malware running on it, can read them outright. Others lock the database with a master password, but the effectiveness of this approach hinges on the strength of that master password, and on the database actually being encrypted with a key derived from it rather than merely hidden behind a login prompt.

Another consideration is how the password manager generates passwords. If it uses a weak random number generator, or seeds a generator from something predictable such as the time, an attacker who knows the algorithm only has to enumerate the generator's possible outputs, a far smaller space than the passwords themselves appear to offer, and can recover them by brute force.

These weaknesses can be mitigated with other technologies: two-factor authentication for unlocking the database, encryption of the stored database under a key derived from the master password with a deliberately slow key-derivation function, and security failsafes such as a password manager that locks up after an incorrect master password has been entered a certain number of times.

For enterprises, password managers are one alternative to single sign-on (SSO) systems. SSO systems typically issue a security authentication token once the user has logged in, which then grants access to a range of applications and systems. SSO has the further advantage that the initial login can be configured to use authentication methods beyond passwords, including smart cards or biometrics. Companies that are serious about security may want to consider adopting SSO instead.



  • All content Copyright © 2024 Westwick-Farrow Pty Ltd