The use of password managers is increasing. No surprise, as they simplify password security and are user friendly. Why do you need one and what are the benefits? We asked Stefano Zanero, Associate Professor at the Politecnico di Milano University.
Stefano, what exactly is a password manager?
A password manager is a tool that stores in a secure way all your logins and passwords. In addition to this, most modern password managers can automatically fill the login fields, automatically keep passwords up to date, generate secure passwords for the user, and synchronise passwords across different devices for ease of use.
What types of password manager are there?
The big distinction is between online password managers (which store and retrieve data in an online service) and offline managers, which store data solely on the device.
Most services are online nowadays. Some tested and widely used services are 1Password, LastPass and Dashlane, which are largely equivalent (it’s mostly a matter of personal appreciation of the interfaces).
What are the pros and cons of an online / offline password manager?
The advantage is that online managers can synchronise passwords across different devices of the same user. The disadvantage is that it becomes very important to safely choose and memorise a single credential (the one used to access the account).
Are password managers safe? Isn’t there a big risk when such a site is hacked?
Let’s clarify that the single biggest risk today for users is password reuse (using the same or similar passwords over different websites). Since the average user has hundreds of accounts, it is impossible for them to pick different passwords without the support of a tool. So, password managers are a necessity and using one will always improve the security stance of a user.
To address the question specifically, most password managers utilise the user’s credentials as an encryption key, therefore in the unpleasant case one such service is broken into, the users’ credentials would not be at risk.
What should you pay attention to when using a password manager?
First, allow the password manager to randomly generate your passwords: if you can still remember some without using it, you are doing it wrong!
Second, many password managers can import your old passwords from browsers, for instance. This is great but remember that until you change them to new, randomised, strong passwords generated by the password manager, you have not actually improved your security stance.
What if I have forgotten my master password?
If the password manager employs robust encryption appropriately, (un)fortunately your master password is the only way to recover your secrets. This also means that, unfortunately, if you forget your master password everything else is gone.
I must say that this is an unlikely event: you will type your master password often, to unlock the password manager.
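The two answers above describe the mechanism that makes a breached service harmless and a forgotten master password unrecoverable. The following is an added example, not code from the interview or from any of the products named: the master password is stretched with scrypt into the key that encrypts the vault, so a sync service would only ever hold salt, nonce, ciphertext and tag, a wrong master password returns nothing, and per-site passwords come from a CSPRNG. All names and parameters are constructed for the illustration; a real manager would use an AEAD such as AES-GCM, for which an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in here so that the example runs on the standard library alone.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

# Constructed example vault. A real manager would use an AEAD such as
# AES-GCM; an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC
# tag stands in here so the example runs on the standard library alone.
KDF_PARAMS = {"n": 2**14, "r": 8, "p": 1}  # scrypt cost (constructed choice)

def derive_keys(master_password, salt):
    """Stretch the master password into an encryption key and a MAC key."""
    km = hashlib.scrypt(master_password.encode(), salt=salt, dklen=64, **KDF_PARAMS)
    return km[:32], km[32:]

def _keystream(key, nonce, length):
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal_vault(master_password, entries):
    """Return the record a sync service would hold: salt, nonce, ciphertext, tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}

def open_vault(master_password, record):
    """Decrypt with the master password; a wrong password yields None, never data."""
    enc_key, mac_key = derive_keys(master_password, record["salt"])
    expected = hmac.new(mac_key, record["nonce"] + record["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None  # wrong master password or tampered record: nothing recoverable
    ks = _keystream(enc_key, record["nonce"], len(record["ciphertext"]))
    return json.loads(bytes(a ^ b for a, b in zip(record["ciphertext"], ks)))

def generate_password(length=20):
    """Random per-site password of the kind the manager should pick for you."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Nothing in the stored record lets anyone who copies it recover the entries without the master password, which is exactly why losing that password means losing the vault.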
What additional measures can I take to add extra security?
Multi-factor authentication wherever it is possible is a great idea, in particular if realised with security keys or authenticator apps (which are more secure than SMS codes). Also, all other basic security measures such as updating our systems and protecting them from malware will also help with keeping our accounts and credentials safe.
About Stefano Zanero
Stefano Zanero is an associate professor at Politecnico di Milano university, where he teaches “Computer Security” and “Digital forensics and cybercrime”. His research focuses on malware analysis, cyberphysical security, and cybersecurity in general. Stefano is also a prolific author and speaker at conferences worldwide. He is a Senior Member of the IEEE and sits on the Board of Governors of the IEEE Computer Society; he is a lifetime senior member of the ACM and has been named a Fellow of ISSA (Information Systems Security Association). Stefano is also a co-founder and chairman of Secure Network, a leading security assessment firm, and a co-founder of BankSealer, a startup in the FinTech sector that addresses fraud detection through machine learning techniques.
Read more on the GÉANT Cyber Security Month 2020: https://dev.connect.geant.org/csm2020