Are Password Managers Really Safe To Use?

This blog post looks at how safe your data really is from hackers when you use a password manager. Let’s begin with the most widely debated question.

Are password managers really safe to use?

A recent CSO study reports the following.

The study found that the autofill policies of popular password managers such as LastPass and RoboForm are deficient in several respects: a remote network attacker can retrieve multiple passwords from a user’s password manager without any interaction from the user!

Real incident

LastPass, a major password management company, was hit with a major server breach. As a result, an unknown hacker gained access to the password-reminder hints, email addresses, and encryption keys linked to the master passwords of thousands of users. Unfortunately, LastPass also admitted that it was unable to recover the files containing passwords (which it calls “vaults”).

What is lacking in terms of comprehensive data protection?

LastPass, and other password managers like Dashlane and RoboForm, were launched to overcome the weakness of passwords as a form of security. Individuals often use and re-use similar easy-to-remember passwords for multiple accounts, and such passwords are easy to crack. People also often forget passwords. To make password management easy and secure, LastPass came up with a process that only requires remembering a master password. Its 75 million users use a robust master password to log in to all their individual accounts. Therefore, a hacker has only one wall, the master password, to breach in order to access the user’s entire digital life.

People use password managers to make it harder for hackers to crack their passwords. Password managers store individual passwords on behalf of their users. However, the issue is that a single encryption key or master password protects the whole pool of crucial user credentials. If a hacker recovers the master password, every other user credential is exposed to the hacker.

If we analyze the security of popular commercial password managers, we find several vulnerabilities of significant, high, and medium risk level. Hackers can exploit these vulnerabilities to defeat the security of password managers.

Many password managers fail to respond during a breach

This is another major obstacle. Companies such as Anthem, Sony, LastPass, and Gemalto do not know how to react when keys are compromised during a breach. Hackers often target encryption keys and security certificates to break into enterprises. However, most security managers panic because they are unable to respond when keys are compromised during a breach.

For instance, LastPass, a password manager, recently got hacked because of its uniform encryption keys, which are easy to crack. Another example is Sony, where several keys and certificates were exposed, which led to data theft. Surprisingly, even today only 8% of security professionals surveyed express full confidence in handling a Sony-like attack by ad-hoc replacement of potentially compromised keys.

Some important questions remain unanswered

Users of password management services often bring up two valid questions:

  • How can we believe that our password manager won’t misuse our master password?
  • What if a government agency or other legal power asks the password manager to provide a user’s encryption keys?

I would genuinely want to keep everything secure from such agencies, including my login credentials and protected resources. However, the two questions above still lack definitive, reliable answers.

In simple terms, password managers and providers of Identity Management solutions are a honeypot of credentials. Hackers can easily target this source to gain access to crucial data which is protected by only one master password.

So what do we need?

It is evident that hackers will use stolen keys to access your data again and again. Stolen keys also enable hackers to monitor your communications. Hackers can also distribute malware disguised as legitimate applications, tricking users into signing in and revealing their credentials.

Therefore, you need a system in which a hacker who obtains your password is still not able to access your data. That is what happens when the system is protected with ‘changing key protocols.’

How do changing key protocols benefit us?

Also known as ‘on-the-run key protocols’, they return you to a secure state whenever a data breach seems possible. Hence, even if a hacker breaks into a user’s account, they cannot gain access to the data because the encryption keys have been changed. The keys change on an ad-hoc basis, making them impossible for hackers to crack. Therefore, you can depend on services such as SmartSignin that offer this. Unlike all password managers, SmartSignin NEVER stores your encryption/decryption keys anywhere. Therefore, only you have the authority to access your data. Hackers will pull their hair out, unable to obtain your encryption keys from any source but you.
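To make the two mechanisms discussed above concrete, the single master password standing as the only wall in front of the whole vault, and the ‘changing key’ idea of invalidating keys after a suspected breach, here is a small Go program. It is an example added to this post, not code from LastPass, SmartSignin or any other product named here, and the vault layout is a hypothetical one: a key-encryption key (KEK) is derived from the master password with PBKDF2-HMAC-SHA256, the credentials are encrypted under a separate random data-encryption key (DEK) with AES-256-GCM, and the DEK is wrapped under the KEK. The Vault type, its method names, the 100000-iteration work factor and the sample credentials are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// pbkdf2SHA256 is RFC 8018 PBKDF2-HMAC-SHA256 for one 32-byte output block (standard library only).
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian index of the first output block
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// must turns errors that can only mean a bug (bad key size) or a dead CSPRNG into a panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func random(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}
func aead(key []byte) cipher.AEAD { // AES-256-GCM; every key here is 32 bytes by construction
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// seal returns nonce||ciphertext||tag under a fresh 12-byte nonce.
func seal(key, plaintext []byte) []byte {
	nonce := random(12)
	return aead(key).Seal(nonce, nonce, plaintext, nil)
}

// unseal reverses seal; a wrong key fails the GCM tag check instead of yielding garbage.
func unseal(key, sealed []byte) ([]byte, error) {
	return aead(key).Open(nil, sealed[:12], sealed[12:], nil)
}

// Vault is a hypothetical two-layer layout (no product's real format): a random DEK encrypts
// the credentials, and a KEK derived from the master password wraps the DEK.
type Vault struct {
	Salt       []byte
	WrappedDEK []byte // AES-GCM(KEK, DEK)
	Ciphertext []byte // AES-GCM(DEK, credentials)
}

// kek derives the wrapping key from the master password; 100000 is an assumed work factor.
func (v *Vault) kek(master string) []byte { return pbkdf2SHA256([]byte(master), v.Salt, 100000) }

// reencrypt is the "changing key" primitive: fresh DEK, credentials re-encrypted, DEK re-wrapped.
func (v *Vault) reencrypt(master string, credentials []byte) {
	dek := random(32)
	v.WrappedDEK = seal(v.kek(master), dek)
	v.Ciphertext = seal(dek, credentials)
}

func NewVault(master string, credentials []byte) *Vault {
	v := &Vault{Salt: random(16)}
	v.reencrypt(master, credentials)
	return v
}

// UnlockDEK is the single wall: the right master password yields the DEK, anything else errors.
func (v *Vault) UnlockDEK(master string) ([]byte, error) { return unseal(v.kek(master), v.WrappedDEK) }

// Rotate re-encrypts under a brand-new DEK so a previously exposed DEK stops working; changing
// only the master password would re-wrap the same DEK and leave a stolen copy of it usable.
func (v *Vault) Rotate(master string) error {
	dek, err := v.UnlockDEK(master)
	if err != nil {
		return err
	}
	plaintext, err := unseal(dek, v.Ciphertext)
	if err != nil {
		return err
	}
	v.reencrypt(master, plaintext)
	return nil
}

func main() {
	v := NewVault("a long master passphrase", []byte(`{"mail":"hunter2-but-longer"}`)) // constructed sample
	stale, _ := v.UnlockDEK("a long master passphrase") // a DEK copy that later leaks
	must(0, v.Rotate("a long master passphrase"))
	_, err := unseal(stale, v.Ciphertext)
	fmt.Println("stale DEK after rotation:", err) // GCM authentication failure
}
```

Two points the program makes that the prose only states: everything an attacker holding the vault file can do comes down to guessing the master password through the key-derivation cost, so a weak master password is the whole story regardless of how strong AES is; and key rotation only helps if the data is actually re-encrypted under a new key, since merely changing the master password re-wraps the same DEK and leaves any leaked copy of it valid. In a real product a memory-hard KDF such as Argon2id or scrypt would be preferred over PBKDF2, and the rotation would be triggered by the breach-detection logic the post calls ‘on-the-run’ key changes.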
