Exploring the risks and benefits of password managers

A digital representation of a lock
(Image credit: Altalex)

Passwords, one of the earliest forms of online security, are crucial for safeguarding accounts, applications, devices, and data. Despite various challenges surrounding them, they are unlikely to become obsolete soon. The main issue with passwords is their number and frequency of use. With the need to access various websites and apps daily, people often have to remember more than dozens of passwords, leading to password fatigue. 

To counter these challenges, password managers have emerged as a viable solution. These software applications create complex passwords and store them in an encrypted database accessible through a single master password. Available in different forms, some of the leading password managers are standalone applications, while others are integrated with operating systems or are browser-based. In the 2023 Bitwarden Password Decisions Survey, password management software was recognized in among 84% of respondents as the go to solution for managing passwords at work.

Reader Offer: Get 60% off RoboForm Premium ($0.99/month!)

Reader Offer: Get 60% off RoboForm Premium ($0.99/month!)
RoboForm offers a reliable, user-friendly, and efficient solution that is likely to appeal to a broad range of users. Get RoboForm Premium for 60% off.

Preferred partner (What does this mean?

The dual edges of password managers

Password managers are sophisticated applications designed to store an extensive database of a user's passwords, making the challenging task of remembering complex credentials a thing of the past. The primary key to this vault is a singular master password. Upon its input, users gain access to all their passwords within the manager.

Many of these utilities have automatic password generators, churning out complex credentials on demand. They offer the advantage of autofill capabilities, eliminating the manual chore of copying credentials – an advantage especially valuable for mobile device users.

However, given the potential vulnerabilities of the hosting servers, utilizing online password managers poses risks of their own. Hence, these tools considerably elevate security standards but don't offer absolute invulnerability.

Pedro Fortuna

CTO and Co-Founder, Jscrambler

The pitfalls of automatic auto-filling

Though conceived for bolstering security, password managers auto-fill functionalities can inadvertently populate credentials into dubious or malicious websites.

Cybercriminals deceive these managers by skillfully manipulating website components or crafting persuasive phishing sites. This becomes a greater issue when users don’t put in their due diligence to ascertain the site's authenticity and instead lean too heavily on the auto-fill feature. Such negligence could inadvertently hand over their credentials to adversaries, leading to potential account breaches.

Moreover, Google's advisory in January unveiled that several password managers were susceptible to mistakenly auto-filling credentials on untrustworthy pages, posing a tangible risk of account breaches for users.

Specifically, Safari browsers, and extensions, such as Bitwarden and DashLane, were identified as potentially auto-filling login details within forms embedded in sandboxed iFrames. Fortunately, by the advisory's release, these flaws had been addressed.

Understanding password managers

In light of these revelations, our security research team undertook comprehensive tests on prevalent browsers and password managers, evaluating their responses to same-origin and cross-origin iFrames, notably those unsandboxed.

Our observations highlighted Chrome and Firefox's robust security stance - neither auto-filled credentials nor presented the option. Contrastingly, the Edge browser did auto-fill the username or email field, although it left the password field untouched.

For password managers, Passbolt and 1Password emerged as frontrunners in security, refraining from both auto-filling and offering the option to users. BitWarden and LastPass, whilst adopting a different approach, present users with a precautionary prompt when credentials may be forwarded to a divergent domain. This pivotal prompt allows users to auto-fill or decline, even in unsandboxed cross-origin iFrames.

Secure password management not only relies on users choosing strong passwords but also using due diligence when choosing a password manager and utilizing its functions. We strongly recommend users disable any auto-fill features and only manually trigger the feature when users are confident that the form presented is legitimate and should be filled.

Best practices for a robust password

Password security is paramount, not only for individual users but for the broader integrity of databases. While protective mechanisms can counteract some user lapses, individuals remain particularly vulnerable when employing weak passwords. So, what constitutes a robust password?

1. Incorporate alphanumeric characters: While recent studies suggest that simply adding upper and lowercase letters might not drastically enhance password strength, their inclusion, even marginally, can fortify defences. 

2. Embrace length: One of the most effective strategies is lengthening your password. Extended character sequences significantly challenge recovery attempts. Familiarise yourself with the latest methods advocating for comprehensive passwords. 

3. Integrate symbols: Current research underlines the effectiveness of symbols. Their inclusion proves more potent than switching between upper and lowercase letters. 

4. Prioritise unpredictability: Crafting unconventional passwords is key. Avoid the temptation of dictionary words or predictable sequences. Aim for originality, confounding potential intruders.

What to look for in an enterprise password manager?

When security administrators consider password management solutions for their businesses there are a couple of key aspects that they pay attention to. The right choice can obviously be vital for businesses of any size. Unlike the consumer versions, enterprise password managers allow setting and enforcing of password policies (length, complexity, change frequency, etc.). Moreover, they often have a feature that analyzes passwords for potential vulnerability according to current security trends. 

While no longer solely the domain of enterprise password managers, MFA and strong encryption are the key elements to analyze before choosing one. A growing trend is the incorporation of behavior analysis powered by machine learning and analytics, which helps administrators identify and address risky user behaviors.

Today's enterprise password managers are increasingly sophisticated, but many still lack tools for developing effective password compliance programs. However, this functionality is expected to become more prevalent, enhancing the capacity of security teams to enforce and manage password security effectively.

By adhering to these principles, users can significantly reduce their vulnerability in the digital sphere. Password management services require a two-way relationship. It’s important we don’t rely solely on this advanced technology and instead remain judicious and proactive in our online conduct. Despite being formidable allies in online security, they are not without their intricacies. Understanding the nuances and potential hazards linked to auto-fill features is central to user protection. We advocate for a more cautious stance - disable the automatic auto-fill function and opt for a manual trigger instead. Users should activate auto-fill exclusively when they are certain of the form's authenticity.

We've listed the best business password managers.

Pedro Fortuna

Pedro Fortuna, CTO and Co-Founder, Jscrambler.