Password managers: Secure tool or single point of weakness?

Let’s face it: Passwords are not only a hassle, they also don’t make the most effective locks.

The average person has dozens of username and password combinations to remember. People who are very active online have hundreds of such combinations. It’s just impossible to remember them all, and that’s a big reason why people tend to use the same password over and over again.

Enter popular password managers such as MyPasswords, LastPass, Keeper, Dashlane, 1Password and others.

There are certainly pros and cons to these applications. They typically offer a (hopefully) secure way for users to create and store strong passwords, private notes, credit card and financial account information, and to fill Web forms, among other tasks.

Without password managers, it’s almost impossible for users to create and remember the strong passwords they need to stay secure. Most of us are just not going to put in the effort to create and manage so many strong passwords — and so we reuse username and password combinations, which clearly increases risk.

The tradeoff with password managers is that they become a single point of weakness: they are literally the keys to the castle. In this environment, application security becomes critical, but unfortunately, that security is consistently called into question.

For instance, a few weeks ago, security research group TeamSIK identified critical vulnerabilities in common Android password managers 1Password, Dashlane, LastPass and others. “Some applications stored the entered master password in plaintext or implemented hard-coded crypto keys in the program code. Consequently, attackers can easily circumvent the crypto algorithm altogether and thereby gain access to all of the user’s data. In other cases, we could simply access all ‘securely protected passwords/credentials’ with the help of an additional app,” the TeamSIK team wrote in their blog.
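To make the two flaws TeamSIK describes concrete, here is an added example (my code, not the article's and not the code of any of the products named above) that contrasts a hard-coded encryption key with a key derived from the master password. The function names (`lock_vault`, `unlock_vault`, `derive_key`) and the sample vault entry are constructed for this illustration, and the HMAC-based keystream is a stand-in so the block runs on the Python standard library alone; a real manager would use a vetted AEAD from a crypto library.

```python
import hashlib
import hmac
import secrets

# Constructed sample vault entry; in a real manager this would be a stored credential.
SAMPLE_SECRET = b"example.com | alice | correct-horse-battery-staple"

# Hard-coded key, the anti-pattern TeamSIK describes. The value is a placeholder, but
# the point is that any fixed value shipped inside the program is known to anyone who
# can read the program, so the encryption protects nothing.
HARDCODED_KEY = bytes.fromhex("00" * 32)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative keystream (HMAC-SHA256 in counter mode) so the example needs no
    third-party library. Production code would use AES-GCM or ChaCha20-Poly1305."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || HMAC tag; the tag lets decrypt() fail cleanly on a wrong key."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def derive_key(master_password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Stretch the master password into a 32-byte key. The salt is random per vault, so the
    same password yields a different key in every vault and precomputed tables do not apply."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def lock_vault(master_password: str, secret: bytes) -> dict:
    """What gets written to disk: salt and ciphertext only. The master password and the
    derived key exist in memory while the vault is unlocked and are never stored."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "blob": encrypt(derive_key(master_password, salt), secret)}


def unlock_vault(master_password: str, vault: dict) -> bytes:
    return decrypt(derive_key(master_password, vault["salt"]), vault["blob"])


def unlock_fails(master_password: str, vault: dict) -> bool:
    """True when the given password cannot open the vault (exercises the wrong-password path)."""
    try:
        unlock_vault(master_password, vault)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Weak design: the data is recoverable with nothing but the key that ships in the program.
    leaked = encrypt(HARDCODED_KEY, SAMPLE_SECRET)
    print("hard-coded key recovers secret:", decrypt(HARDCODED_KEY, leaked) == SAMPLE_SECRET)

    # Sound design: the stored vault holds no copy of the password and cannot be opened without it.
    vault = lock_vault("hunter2-example", SAMPLE_SECRET)
    print("password present on disk:", b"hunter2-example" in vault["salt"] + vault["blob"])
    print("wrong password rejected:", unlock_fails("guess", vault))
    print("right password recovers secret:", unlock_vault("hunter2-example", vault) == SAMPLE_SECRET)
```

The contrast is the whole lesson: with `HARDCODED_KEY`, whoever can read the app can read every vault, and storing the master password in plaintext has the same effect. With a salted, stretched key, the only secret needed to open the vault is one that never touches storage.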

Some password manager makers are not taking the news lying down.

For instance, Agilebits, the maker of 1Password, has always had a bug bounty program, but it has just raised the top payout for certain security flaws found in 1Password to $100,000.

“We believe that we’ve designed and built an extremely secure password management system. We wouldn’t be offering it to people otherwise. But we know that we – like everyone else – may have blind spots. That is why we very much encourage outside researchers to hunt for security bugs. Today we are upping that encouragement by raising the top reward in our bug bounty program,” the company wrote in its blog.

“Our top prize goes to anyone who can obtain and decrypt some bad poetry (in particular, a horrible haiku) stored in a 1Password vault that researchers should not have access to. We are raising the reward for that from $25,000 to $100,000,” the blog states.

That’s certainly going to capture the attention of more software security researchers. Perhaps someone will be able to capture the bad poetry, or perhaps not. But while trying to crack the app to reach the hidden content, they may find other flaws that escaped the Agilebits development team.

Either way, the more eyes looking for serious flaws the better, and anything that password managers can do to continue to improve the security of their apps is welcome.


Comments

  1. I’ve been using Keeper for several years and have appreciated its ease and the unique, complex passwords it creates. After the 1Password breach a few months ago, it was good to learn Keeper doesn’t keep our master passwords in its system at all. I suppose there is always some level of risk, but I find Keeper to put my risk at a minimum.


Trackbacks

  1. […] I also recommend password managers, with one condition. Don’t use the form filler plug-ins, as those seem to be an area of weakness for these apps. We covered the pros and cons of password managers here. […]
