Password Managers Rethought
Recently I wrote a favorable review of Passpack and stated that I was going to test several others with an open mind.
I am still quite impressed with Passpack, and I really like its features, especially that it requires a pass phrase to log into it.
But in the geekish part of my mind I have been reconsidering the entire idea of password managers. Personally I don’t think they are a good idea. As I was getting ready to do a write-up of the next password manager on my list, I was doing some basic research when I found an academic paper called The Emperor’s New Password Manager: Security Analysis of Web Based Password Managers. I hope you will be patient as I give a fairly brief summary. I know that this does not seem like an exciting subject, but I would be remiss in my concern for you if I did not tell you about it.
To simplify: the study examined four of the major web-based password managers and found vulnerabilities in the following areas:
Password managers are security-sensitive applications. Allowing them to exist on the same platform as the websites they manage is dangerous in itself. Password managers co-existing with other websites makes them vulnerable to cross-site request forgery (CSRF) and cross-site scripting (XSS) attacks. These have the capability of compromising the entire web security model, exposing the credentials the password manager is supposed to protect.
Sharing authorization credentials also introduces weaknesses into web-based password managers. Sharing of master passwords should only be done between users who completely trust each other. The master password must be protected; failure to do so means the entire web-based password manager could be exposed to attackers.
Most of the web-based password managers are prone to phishing attacks. Originally, password managers were designed to guard against phishing. However, attackers have since refined their trade and can intercept the iframe (an HTML tag) dialogues these managers rely on and break into online password managers.
Want to avoid these problems? Consider a USB password manager.
These are portable and allow you the flexibility of moving around with the password manager. If you password-protect or encrypt the USB drive, your passwords are most likely safe from theft should an unauthorized person “borrow” or find your USB drive.
I have seen several of these but cannot as of yet recommend one over another. With some, you buy the USB drive from the vendor and they mail it to you. One I know of, KeePass, is free to download and open source.
However, even though I can’t recommend a specific USB password manager, I definitely can recommend that you make your own simple .txt file and encrypt it yourself with a pass phrase you won’t forget. Keep an encrypted copy on your PC and on your backup drive as well. Modify them as necessary. This is what I do. Then I give it a weird name so no one would think to look there for passwords.
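A stdlib-only Python illustration of the encrypt-your-own-text-file approach above, added here as an example and not the author's own tool: a salted scrypt key is derived from the pass phrase, an HMAC-SHA256 keystream stands in for a real cipher such as AES-CTR or ChaCha20, and an encrypt-then-MAC tag makes a wrong pass phrase or a tampered file fail loudly instead of decrypting to garbage. The file-format tag and field layout are this example's own assumptions.

```python
import hashlib
import hmac
import secrets

MAGIC = b"PWTXT1"  # constructed format tag for this example (assumption, not a standard)


def _keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    # scrypt stretches the pass phrase so offline guessing is slow; the random salt
    # defeats precomputed tables. Split the output into separate encryption and MAC keys.
    km = hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (same idea as HKDF-Expand);
    # a stand-in for a vetted stream cipher, chosen only to stay inside the stdlib.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_file_bytes(plaintext: bytes, passphrase: str) -> bytes:
    # Layout: MAGIC | 16-byte salt | 16-byte nonce | ciphertext | 32-byte HMAC tag
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    body = MAGIC + salt + nonce + ct
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()  # encrypt-then-MAC over everything
    return body + tag


def decrypt_file_bytes(blob: bytes, passphrase: str) -> bytes:
    hdr = len(MAGIC) + 32
    if len(blob) < hdr + 32 or not blob.startswith(MAGIC):
        raise ValueError("not a file produced by this tool")
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ct = body[len(MAGIC):len(MAGIC) + 16], body[len(MAGIC) + 16:hdr], body[hdr:]
    enc_key, mac_key = _keys(passphrase, salt)
    # Verify the tag in constant time before touching the ciphertext: a wrong pass phrase
    # yields a wrong MAC key, so it is rejected the same way a modified file is.
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("wrong pass phrase or file tampered with")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
```

Read the .txt file with `Path.read_bytes()`, write the result of `encrypt_file_bytes` to the copy you keep on disk, and keep only the encrypted copies.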
For other helpful tips, check out the official zookaware page on Twitter.