How to choose a password manager
Friday, February 9, 2024
Passwords have been used to authenticate users practically since the dawn of the computer age. With the development of the Internet and the gradual increase in digital security requirements, along with passwords, other methods for controlling access have come into use—things such as two-factor and SMS authentication, tokens, biometric recognition and other technologies. At the same time, passwords have not gone anywhere, and today they still remain one of the basic means of protecting information from unauthorised access.
The very concept of using a password implies the presence of a fundamental vulnerability — a password may not be able to withstand hacking. In addition, users often use the same or even identical passwords for authorisation in different systems and services. Cybercriminals know this, and therefore theft, phishing and password guessing are, unfortunately, very common phenomena when it comes to hacking various systems and stealing data. In turn, in most cases, a long, unique and periodically updated password will be a very difficult obstacle for an attacker to overcome. However, it is quite hard to keep a mental list of such passwords, let alone periodically update it. Therefore, many people often neglect security for the sake of some imaginary convenience.
Is there any solution for organising and storing complex passwords? In today's issue of the Anti-virus Times, we will talk about special programs — password managers. Should you start using them? How do you choose an assistant that will really provide reliable protection for your passwords?
Why do you need complex passwords?
Let's recall one of the golden rules of security: a good password should be long, arbitrary and unique, and it should be updated periodically. Everything is simple with a long password: the more characters in it, the more difficult it is to crack it by brute force. Moreover, the complexity involved in cracking it, depending on the number of characters, increases non-linearly. The set of characters making up a password plays an equally important role. The wider it is, the shorter the password itself can be, while the strength level is still maintained. For example, a combination of 5-6 characters can be cracked almost instantly using modern computer power. Meanwhile, in theory, it can take thousands of years to crack a password consisting of 12-15 alphanumeric characters if the code word is arbitrary. Such a password is difficult to guess, since it contains absolutely random words or a sequence of characters. Then it is easier for a potential attacker to get the password another way — for example, by stealing it or tricking the user into entering it on their own. It is important to understand that if you use the same password everywhere, when it is compromised in one system, all the other accounts protected by the same password are automatically placed at serious risk. Therefore, unique combinations should be used wherever possible. Finally, even a strong and unique password can be compromised as the result of a leak, malware activity, a network attack, or phishing. Thus, even a good and secure password should be periodically changed to a password of comparable complexity.
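To make the "non-linear" claim concrete, here is an added worked calculation (not part of the Anti-virus Times article): it computes the size of the password keyspace for several alphabets and lengths and converts it to a worst-case search time. The guess rate of 10^10 guesses per second is a constructed assumption chosen only to make the numbers comparable; real cracking rates depend on the hash function and the hardware.

```python
# Added example: brute-force cost versus password length and alphabet size.
# GUESSES_PER_SECOND is a constructed assumption, not a measured figure.
ALPHABETS = {
    "digits": 10,        # 0-9
    "lowercase": 26,     # a-z
    "alphanumeric": 62,  # a-z, A-Z, 0-9
    "printable": 95,     # printable ASCII
}

GUESSES_PER_SECOND = 1e10  # assumed offline cracking rate (constructed)


def keyspace(length, alphabet_size):
    """Number of possible passwords of the given length over the alphabet."""
    return alphabet_size ** length


def worst_case_seconds(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Time needed to try every password in the keyspace at the given rate."""
    return keyspace(length, alphabet_size) / rate


def growth_factor(length, alphabet_size):
    """How much larger the keyspace becomes when one character is added."""
    return keyspace(length + 1, alphabet_size) / keyspace(length, alphabet_size)


def human_duration(seconds):
    """Render a duration in the largest convenient unit."""
    units = (("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.2f} seconds"


if __name__ == "__main__":
    # Each extra character multiplies the search by the alphabet size,
    # which is why 6 characters fall in seconds and 12 take millennia.
    for name, size in ALPHABETS.items():
        for length in (6, 8, 12, 15):
            est = human_duration(worst_case_seconds(length, size))
            print(f"{name:>13} x {length:>2}: {est}")
```

Running the block shows that a 6-character alphanumeric password is exhausted in a few seconds at the assumed rate, while 12 alphanumeric characters push the worst case past ten thousand years, matching the article's "thousands of years" figure.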
It’s fair to ask: how can you remember a complex password — and not just one, but a whole host of them? And after all, the whole list needs to be updated regularly. Alas, secure passwords are extremely inconvenient for a person to use. Therefore, from year to year, different information security analysts publish the same statistics on cracked passwords, where you will always find "qwerty123", "Password1", "admin321", etc.
What if you store strong passwords locally, for example in a txt file? This approach has significant drawbacks. First, in this case, all your passwords are stored unencrypted in one place — which means that by gaining access to the text file, a potential cybercriminal will immediately get all your secrets. For example, the file can be stolen by a stealer or another malicious program. In addition, in this case, there is the possibility of gaining physical access: anyone who somehow gains access to your device will be able to open and view the password file.
Then, maybe, should we additionally protect the file by putting it in a password-protected archive? Now, to view all your passwords, you need to enter a so-called master password — the only one that you will have to remember. We’ve just come up with the simplest and most primitive, and, at the same time, very inconvenient, password manager. However, this is the basic principle that most such programs follow. Of course, using them is much easier than using an encrypted archive.
Before jumping directly to password managers, let's get a little ahead of ourselves and think about the “diamond rule” of security: don't rely solely on passwords. A login-password pair is used for one-factor authentication, which in modern realities sometimes does not provide the proper level of security. We recommend that you enable two-factor authentication wherever possible and pay attention to the security of the device that is used as the second factor for logging in to a particular system.
What is a password manager, and how do you go about choosing one?
A password manager is a special program for storing, organising, conveniently using and protecting your passwords and other secret combinations. Of course, everyone can identify risks, develop a personal password policy and their own algorithm for remembering complex and secure passwords, and do without such a manager. A password manager is no panacea, but it can help users who have decided to work with passwords deliberately, not overload their brains, and retain convenience and speed when entering their authorisation credentials on sites and in various systems.
There are many different products, both commercial and completely free. How do you choose the right solution? In this article, we will not recommend any specific products, but we will help you determine some criteria so that you can better orient yourself when making your choice.
Here are some common points to consider:
- The type of implementation: cloud service, local program or client-server solution.
- The reputation of the development company.
- The openness of the source code.
- Technical features.
- The ability to be integrated with browsers.
- Cross-platform format.
- The ability to import and export passwords, as well as synchronisation between devices.
- The ability to differentiate rights and access levels.
- Support for two-factor authentication and one-time codes.
- A user-friendly interface.
Let's discuss each point in more detail. Password managers for home users are divided into two large groups — cloud services and locally isolated programs. Cloud solutions provide you with a client application or a browser extension for password management, with all your passwords stored on the developer's server in encrypted form. At first glance, cloud storage seems convenient, but the main drawback of taking such an approach from a security standpoint becomes obvious. You can't check how secure your passwords are while they are being stored and transmitted over the Internet; nor can you know whether they are being transmitted to third parties or to the employees of the development company themselves. For example, an attacker can hack the account you have with such a service and gain access to all your passwords at once. Cybercriminals can also attack the company and compromise the source code, customer data, or even the database containing the passwords. Alas, such precedents have already occurred. And here we come back to the issue of trust in the cloud service operator. Some archive containing photos is one thing, and your passwords are quite another. Therefore, when choosing an online solution, you should assess the risks.
Local password managers work differently. The program is installed on a local computer (although there are portable versions), and all passwords are stored in the device itself in encrypted form. This approach works for security’s sake: after all, passwords are not transmitted to third-party servers. To encrypt and access information, a master password or a key file is used; they must be sufficiently strong, since the security of all your other passwords will depend on their safety.
Another selection criterion is the openness of the source code. Closed-source software does not allow you to independently check the code for errors, vulnerabilities and backdoors. The details of the implementation are also unknown — which means that you have to blindly trust the product developer. On the other hand, the ordinary user doesn’t particularly care whether a program’s source code is open or closed. Open-source software is available for review by enthusiasts, and if you want, you can search for relevant studies of the program you select. If, by doing this, you make sure that it is reliable, then you can choose an open-source password manager. The technical possibility of modifying or adapting a particular solution also counts in favour of open source. This can be an important criterion if you are choosing a password manager for an organisation.
Client-server solutions are designed primarily for enterprise use. In this case, the server is configured in the corporate network, and client applications are configured on employee devices. The openness of the source code is more important in this instance, especially with regard to the client's software. The distinctive features of such password managers, in addition to the architecture itself, are the capabilities to flexibly configure access levels and to integrate them with standard directory access protocols.
The level of technical implementation is responsible for reliability, security and, in general, the quality of the program. There are a number of vulnerabilities that attackers use to intercept passwords. For example, these can include the ability to get a password from RAM. The manager can also use a poorly implemented password generator or a vulnerable encryption algorithm. An inexperienced user cannot verify this in any way, but the open-source code and the attention of researchers make it possible to disclose such problems and also to release the necessary improvements. Therefore, before choosing a password manager, you should study whatever materials and publications are available online.
The developer's reputation also plays an important role. Should you entrust your secrets to an unknown program or service? At the same time, few commercial password managers do without advertising claims about the most resistant "military" encryption and the absolute privacy of user data. However, only open source and independent verification will allow you to fully confirm that the implementation is reliable.
A password generator is another feature that every self-respecting password manager has. It is used to create a random password. This is convenient, but the generation algorithm must be reliable so that special malware does not take advantage of the vulnerability of a particular password manager and decrypt the generated combination. Trusted and developer-supported programs that are regularly updated are the best solution for those who really care about the security of their data.
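The paragraph says the generation algorithm must be reliable. The following is an added example (not code from the article or from any particular password manager) of what that means in practice: the generator draws from the operating system's cryptographic random source via Python's `secrets` module, guarantees at least one character from every class, and shuffles positions with the same source. A deliberately weak variant built on the seedable `random` module is included only to show why the randomness source matters: given the same seed it produces the same "random" password every time. The character classes and symbol set are constructed choices.

```python
# Added example: a CSPRNG-backed password generator beside a predictable one.
import random
import secrets
import string

# Constructed character classes; a real manager would let the user pick these.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?",
}


def generate_password(length=16, classes=CLASSES):
    """Generate a password with the OS CSPRNG, covering every character class."""
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    # One guaranteed character from each class so policy checks cannot fail.
    chars = [secrets.choice(alphabet) for alphabet in classes.values()]
    pool = "".join(classes.values())
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by secrets.randbelow, so the positions of the
    # guaranteed characters are not predictable either.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def covers_all_classes(password, classes=CLASSES):
    """True if the password contains at least one character from each class."""
    return all(any(c in alphabet for c in password) for alphabet in classes.values())


def weak_generate(length, seed):
    """Deliberately poor generator: a seedable, non-cryptographic PRNG.
    Anyone who learns or guesses the seed reproduces the output exactly."""
    rng = random.Random(seed)
    pool = "".join(CLASSES.values())
    return "".join(rng.choice(pool) for _ in range(length))


if __name__ == "__main__":
    print("strong:", generate_password(20))
    print("weak, seed 42:", weak_generate(20, 42))
    print("weak, seed 42 again:", weak_generate(20, 42))  # identical output
```

The point of the weak variant is not the library name but the property: a generator whose state can be reconstructed (from a timestamp seed, for example) gives an attacker who knows the algorithm the whole output, however long the password looks.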
As for the other criteria listed above, they all make the password manager more functional and convenient, but they are meaningless without the proper level of technical implementation and security. Cloud managers are tailored to work with webpages, so each of them should work properly in any browsers. As for local solutions, most of them are compatible with browsers using plug-ins. Note that any third-party extension is a potential security breach, so the best solution would be to use only official or developer-proven plug-ins. As a rule, they can be found on a program's official website.
Some password managers are quite capable of protecting against phishing. When a user visits a fake webpage containing an authorisation form, the manager will not fill in the credentials, since technically such a page does not correspond to the site the entry was saved for. This is a useful feature, but we don't recommend relying on it alone.
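The "technically such a page does not correspond" check usually comes down to comparing the page's origin (scheme, host and port) with the origin stored in the entry. Here is an added illustration of that check (not the article's code nor any specific product's logic): the stored URL and the current page URL are both normalised to an origin tuple, and credentials are offered only on an exact match. The sample vault is constructed; real managers may additionally allow matches on the registrable domain, which this example deliberately does not.

```python
# Added example: origin-matching autofill check, as a defence against
# look-alike phishing pages. The vault entries below are constructed.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """Normalise an absolute URL to its (scheme, host, port) origin."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    scheme = parts.scheme.lower()
    # .hostname is already lowercased and excludes any user@ prefix, so
    # https://bank.example@evil.test/ normalises to host evil.test.
    host = parts.hostname.rstrip(".")
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def should_autofill(stored_url, current_url):
    """Offer credentials only when the page origin matches the entry exactly.
    A different host, an http downgrade or a non-default port all fail."""
    return origin_of(stored_url) == origin_of(current_url)


def matching_entries(vault, current_url):
    """Return the vault entries that may be filled on the current page."""
    return [entry for entry in vault if should_autofill(entry["url"], current_url)]


# Constructed sample vault.
VAULT = [
    {"url": "https://bank.example/login", "user": "alice"},
    {"url": "https://mail.example/", "user": "alice@mail.example"},
]

if __name__ == "__main__":
    for page in ("https://bank.example/account",
                 "https://bank.example.evil-phish.test/login",
                 "http://bank.example/login",
                 "https://bank.example@evil-phish.test/login"):
        users = [e["user"] for e in matching_entries(VAULT, page)]
        print(f"{page:<48} -> {users}")
```

Note that the check protects against a page the manager has never seen; it does nothing if the user copies the password out by hand and pastes it into the fake form, which is why the article says not to rely on it alone.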
The cross-platform feature allows the program to work on different devices. If you need to access a password-manager database from both your computer and smartphone, choose a program with the appropriate functionality. The ability to synchronise passwords between devices can also be useful, although any synchronisation involves transferring an encrypted database over a network. Synchronisation in the local manager can be configured manually — by placing an encrypted database in the cloud for subsequent access to it from various devices. Recall that without a master password or a key file, it will not be possible to get passwords from an encrypted database, so, with certain reservations, such a solution can be called secure.
Some password managers support two-factor authentication to provide additional security. For example, a program can be configured so that when attempts are made to access encrypted records, not only is the master password requested, but also the key file, which can be stored on a removable drive. This approach will make it possible to keep code words secure even if the master password is compromised. Most cloud solutions also support two-factor authentication to access an account. In addition, there are password managers that can generate one-time codes for authorisation in systems where two-factor authentication has been configured. This functionality can either be present initially or added by installing plug-ins.
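This paragraph and the earlier description of a master password guarding an encrypted file (the "simplest password manager") share one mechanism: the key that protects the database is derived from the secret factors the user presents. The following added example (not from the article and not any product's actual key schedule) shows one way to combine a master password and an optional key file into a single composite key, with a verification tag so the program can tell a wrong password or missing key file apart from a corrupted database. The iteration count, header label and the use of PBKDF2-HMAC-SHA256 are constructed choices for illustration.

```python
# Added example: composite key from master password + optional key file.
# Constants and the derivation layout are illustrative choices, not a
# specification of any real password manager's format.
import hashlib
import hmac
import secrets

ITERATIONS = 200_000            # PBKDF2 work factor (constructed choice)
HEADER_LABEL = b"vault-header-v1"  # constant the tag is computed over


def composite_key(master_password, salt, key_file_bytes=None):
    """Derive the database key from the master password and, if present,
    a key file. Both factors feed the derivation, so neither alone works."""
    pw_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, ITERATIONS)
    if key_file_bytes is None:
        return pw_key
    key_file_digest = hashlib.sha256(key_file_bytes).digest()
    return hashlib.sha256(pw_key + key_file_digest).digest()


def make_header(master_password, key_file_bytes=None):
    """Create the header a vault stores next to its encrypted records:
    a fresh random salt plus an HMAC tag that proves the key is right."""
    salt = secrets.token_bytes(16)
    key = composite_key(master_password, salt, key_file_bytes)
    tag = hmac.new(key, HEADER_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "tag": tag}


def unlock(header, master_password, key_file_bytes=None):
    """Return the database key when both factors are correct, else None.
    The tag comparison is constant-time to avoid a timing side channel."""
    key = composite_key(master_password, header["salt"], key_file_bytes)
    tag = hmac.new(key, HEADER_LABEL, hashlib.sha256).digest()
    return key if hmac.compare_digest(tag, header["tag"]) else None


if __name__ == "__main__":
    key_file = secrets.token_bytes(64)   # what a generated key file might hold
    header = make_header("correct horse battery staple", key_file)
    print("both factors:", unlock(header, "correct horse battery staple", key_file) is not None)
    print("password only:", unlock(header, "correct horse battery staple") is not None)
    print("key file only:", unlock(header, "", key_file) is not None)
```

With the key file kept on a removable drive, a compromised master password alone yields no key; equally, losing the key file makes the database unreadable, which is the "key fob" trade-off the article describes in its disadvantages section.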
Finally, as for the interface, this is a matter of habit and taste. The main thing is that it is functional, convenient and meets the capabilities of the product. We will only note that rich functionality and high reliability do not always coexist with a beautiful graphical interface — and vice versa. Free open-source solutions can also scare away newcomers with their discreet appearance or archaic design. However, when it comes to the security of almost all digital data, we should focus on the more significant criteria discussed above.
About saving passwords in browsers
The ability to save passwords in browsers is sometimes considered a built-in password manager. However, this feature is more of a way to increase work speed and convenience than it is a full solution designed to protect data. First, passwords stored in this way are particularly vulnerable to malware that specialises in stealing credentials from browsers. Second, there is the potential risk of physical access. By default, passwords are protected only by the user account. If the device is lost and then unlocked, all passwords will be clearly visible. In addition, cybercriminals can steal the account itself in the browser.
But are things really that bad? When someone has a negligent attitude and saves all their passwords — the answer most likely is "yes". But this option also has a right to life; if you use it wisely — for example, by saving only passwords from sites where you did not specify any of your personal or other important data.
Disadvantages of password managers
"A key fob is the little thing you need in order to lose all your keys at once." Such a phrase can characterise the main disadvantage of password managers. In this case, the key fob is your master password. If your master password, key file, or cloud account is lost or compromised, all of your stored passwords are likely to be lost or stolen. To avoid this, the master password must be long, arbitrary, unique and, at the same time, memorable for you personally.
Like any software, password managers can be attacked by intruders or malware. Possible software vulnerabilities, attacks on the developer’s infrastructure, fake updating files, the use of keyloggers — all this poses a direct security threat to end users.
Finally, using a password manager can create a false sense of security. This is also unacceptable: as mentioned above, these programs are no panacea, but just a convenient tool that allows you to work properly with passwords and complicate the lives of potential hackers. The effective use of such software requires a deliberate approach to security and an observance of the rules of digital hygiene.
The Anti-virus Times recommends
- Only you can decide whether to use a password manager. We recommend that you start by analysing your passwords based on the information in this article. Do you use the same or similar passwords across multiple sites? How many passwords will you need to keep in your head if they are all different? If you understand that a password manager will really be able to improve your security and make things more convenient for you in your case, try to “make friends" with one.
- As a start, you can choose a local manager with open-source code — in addition, such solutions are free. Commercial cloud services can be more functional, but in this case, you have to completely trust the operator. In any case, when choosing a product, we recommend that you search for information about it on the Internet.
- Remember that a password alone is not the most reliable protection. Enable two-factor authentication to protect data on important sites and services. At the same time, do not forget about protecting the second device to which one-time codes are sent.
- Always download a program only from the developer's official website. This recommendation is relevant for any software, but it is of paramount importance for a password manager.
- If you've installed a password manager, set an extremely strong master password. Configure a master-password reminder in the program, if there is such a function. This will help you remember it, and after that you can disable the reminder. Remember that losing a master password makes the entire database useless.
- When getting started with a password manager, change your passwords. This can be a time-consuming process, but you will know for sure that your new passwords are not compromised.
- Do not forget to back up the database containing the passwords.
- If you lack the basic functionality of the manager, look for extensions on the program's official website. At the same time, keep in mind that extensions can also be vulnerable.
- Monitor the protection of the computer itself and be sure to use a reliable anti-virus. No password manager will run safely on an infected system.