We all know the problems with passwords: Good ones are difficult to remember and shouldn’t be repeated. But one of the best solutions around this problem often results in more problems, according to a recent report.
The recently released security report “The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers” was put out by University of California, Berkely researchers. According to the report:
Widespread adoption of insecure password managers could make things worse: adding a new, untested single point of failure to the web authentication ecosystem. After all, a vulnerability in a password manager could allow an attacker to steal all passwords for a user in a single swoop.
Essentially, with all the passwords stored in one place, it’s one-stop shopping for hackers. By getting access to a password manager, an attacker instantly gains credentials to several services and websites all at once.
Password managers failed the test
But that kind of attack wouldn’t work unless the password manager itself was found to have vulnerabilities.
And according to the researcher, boy, do they ever.
Out of five popular password managers tested, the researchers found critical vulnerabilities in each. In four out of five, they found vulnerabilities which could lead to attackers stealing credentials.
Because the researchers used manual methods to try to find vulnerabilities, they admit that there could be many more flaws yet to be discovered.
Here are some pros and cons to using password managers.
- Creating random passwords. With a password manager, there’s no need to remember a password after it’s been created. So instead of “12345” your password can be “16434ad0@98jSeE#2X093Balk43.” No one will be able to guess it. And without being able – or having any need – to commit it to memory, there’s no chance of it being phished away.
- It isolates the problem. With so many accounts these days, users are all but forced to reuse passwords to have any chance to remember them. That leads to a fatal flaw … If a hacker discovers the username and password for a relatively harmless account, they can plug that into other sites in the hopes of finding a duplicate.
- A false sense of security. Like all security measures, putting too much faith in a single service is asking for trouble. Users may believe themselves to be impervious to attack because of the password manager.
- Single point of failure. Of course, if the password for a manager is discovered, users are all but sunk. This single access point could lead to every password being discovered – and the worst day of your digital life.
Ultimately, this is one of those conundrums there’s no single rule for.
Best bet however: If a password is for a truly important site, don’t risk it. Create a strong unique password that isn’t kept on a password manager. Save that tool for the less important accounts.