Password managers

Maciej Jur 2023.01.20

Password managers

  • Introduction
  • Types of password managers
  • Choosing a password manager
  • Using a password manager
  • LastPass leak
  • Summary

Not every password is safe

Password

Password I used for most of my accounts in the past (checked with www.security.org/how-secure-is-my-password/)

Why reuse passwords?

Source (image): https://www.darkreading.com/endpoint/password-reuse-problems-persist-despite-known-risks

Some more statistics

Source (image): https://www.techspot.com/news/91388-most-people-reuse-passwords-across-multiple-sites.html

Password managers can help

Types of password managers

  • Offline
  • Online
  • Stateless
  • Hardware

Offline password managers

Example: KeePass(XC)

KeePassXC

These password managers can still be online

The vault file can be replicated with Dropbox, Google Drive, SyncThing, etc. (see the KeePass trigger examples: https://keepass.info/help/kb/trigger_examples.html)

Pros

  • Simple and safe to use
  • Your password vault never leaves your device (unless you want it to)
  • You can transfer vaults between devices using thumb drives or cloud sync

Cons

  • You have to move/sync the vault between devices on your own
  • That can be a hassle

Online password managers

Example: LastPass

lastpass

Pros

  • Most of the pros of offline password managers
  • Automatic sync, can access your vault as long as you have access to the Internet
  • It’s slightly more convenient

Cons

  • The vault lives on the provider's servers, not only on your devices
  • You have to trust the service provider…
  • …and the security of its infrastructure (a breach there exposes every customer's encrypted vault at once)

Stateless password managers

Instead of saving your passwords and encrypting them with a key derived from a master password, these password managers generate each password on the fly by hashing the master password together with the website name (and usually your login), so there is no vault to store at all.

Example: LessPass

Pros

  • You don’t have to synchronize your vault between any of your devices.

Cons

  • If your master password is compromised, all of your passwords are (and, unlike with a vault, there is no encrypted file the attacker also needs).
  • If a website has a password policy (length limit, forbidden characters, required classes), you might not be able to generate a password that satisfies it.
  • If a password needs to be updated for whatever reason, you need to keep that state somewhere. Example: password for “StackOverflow2” instead of “StackOverflow”.
  • If you already have passwords that you can’t change (for various reasons), a stateless generator won’t help you with them.
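The generator and its two failure modes (site policy, per-site counter state) in code, as an added example that is not part of the slides and does not reproduce LessPass's actual algorithm: the KDF, salt layout and charset mapping below are illustrative assumptions, and `meets_policy` is a constructed stand-in for a website's password rules.

```python
import hashlib
import string

# Assumed charset for the derived password (LessPass's real mapping differs).
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"


def derive_password(master, site, login, counter=1, length=16, charset=CHARSET):
    """Derive a per-site password from the master password with no stored state.

    site, login and counter form the PBKDF2 salt; the master password is the
    secret. Changing any one input changes the whole output, so there is no
    vault to sync, but also nothing to fall back on if the master is leaked.
    """
    salt = f"{site}\x00{login}\x00{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=32)
    # Map the 256-bit derived key onto the charset, digit by digit.
    n = int.from_bytes(key, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(charset))
        out.append(charset[idx])
    return "".join(out)


def meets_policy(password, max_len=None, require_digit=False, forbidden=""):
    """Constructed example of a site's password policy."""
    if max_len is not None and len(password) > max_len:
        return False
    if require_digit and not any(c.isdigit() for c in password):
        return False
    return not any(c in forbidden for c in password)


def find_compliant_counter(master, site, login, policy, max_tries=20):
    """Bump the counter until the derived password satisfies the policy.

    This is the 'state' problem from the slide: whichever counter worked has to
    be remembered somewhere, or the password cannot be regenerated later.
    Returns None when no counter in range works, e.g. a policy that forbids
    every symbol the generator can emit.
    """
    for counter in range(1, max_tries + 1):
        if meets_policy(derive_password(master, site, login, counter), **policy):
            return counter
    return None
```

The counter is exactly the “StackOverflow2” trick made explicit: it is the one piece of state a stateless manager cannot avoid.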

Hardware password managers

Example: OnlyKey

It emulates a HID keyboard and can be programmed to navigate the steps to log in to pretty much any website, even if the login requires tabbing around multiple screens.

Pros

  • PIN protected
  • Durable, waterproof, and tamper resistant design
  • The device isn’t connected to the Internet

Cons

  • Cost (260,00 PLN) and learning curve
  • There’s a limit to how much you can store: OnlyKey can store up to 24 online accounts

Choosing a password manager

  • Type of password manager - this is the easier choice
  • Which password manager - this is the harder choice

Spoiler alert: There are a lot of them

Some of them (image): https://allthatsaas.com/roundup/best-password-managers/

Do I use any one of these?

Answer: Yes, I use Bitwarden

A short comparison

Comparison (image): https://blog.devolutions.net/2019/01/updated-2019-most-popular-password-managers-compared/

Why do I use Bitwarden?

Honestly, I’m not sure.

But it has sync and I like the fact that its components are open-source: https://github.com/bitwarden

Using a password manager

I will show Bitwarden, because I already know it. Bitwarden-example

Vault

bitwarden vault

Mobile vault

bitwarden vault mobile

Autofill

bitwarden autofill

Mobile autofill

bitwarden autofill mobile

Generating passwords

bitwarden generating

Out of curiosity

How do you configure OnlyKey?

Slots

onlykey-slots https://docs.onlykey.io/usersguide.html

Autofill

onlykey-autofill https://docs.onlykey.io/usersguide.html

Even more complex

You need to perform the following:

  1. Enter the Username
  2. Press TAB
  3. Press RETURN
  4. Wait for website to load next page
  5. Enter the password
  6. Press TAB
  7. Press RETURN

You can enter \t or \r inline with slot data to type the extra TAB or RETURN and \d3 to DELAY 3 seconds.

Username: onlykey \t \r \d3

Password: password \t \r

onlykey-advanced-autofill https://docs.onlykey.io/usersguide.html
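What the slot data above turns into, as an added example that is not OnlyKey's firmware or code: a small tokenizer for the `\t` / `\r` / `\dN` syntax, plus a check for the failure mode the 3-second delay exists for. Assumption: anything that is not one of those three escapes (including spaces) is typed literally, so the slots are written as `onlykey\t\r\d3` and `password\t\r`.

```python
import re


def parse_slot(data):
    """Turn slot data into keystroke events for a HID-keyboard password manager.

    Events are ("text", s), ("key", "TAB" | "RETURN") or ("delay", seconds).
    Unknown escapes and a trailing backslash are typed literally (assumption).
    """
    events, buf, i = [], [], 0

    def flush():
        if buf:
            events.append(("text", "".join(buf)))
            buf.clear()

    while i < len(data):
        if data[i] == "\\" and i + 1 < len(data):
            nxt = data[i + 1]
            if nxt in "tr":
                flush()
                events.append(("key", "TAB" if nxt == "t" else "RETURN"))
                i += 2
                continue
            if nxt == "d":
                m = re.match(r"\d+", data[i + 2:])
                if m:
                    flush()
                    events.append(("delay", int(m.group())))
                    i += 2 + len(m.group())
                    continue
        buf.append(data[i])
        i += 1
    flush()
    return events


def login_sequence(username_slot, password_slot):
    """Steps 1-7 from the slide: the username slot is typed, then the password slot."""
    return parse_slot(username_slot) + parse_slot(password_slot)


def total_delay(events):
    return sum(seconds for kind, seconds in events if kind == "delay")


def password_typed_too_early(events, page_load_seconds):
    """True if text is typed after the first RETURN before page_load_seconds
    of delay have accumulated. The device types into whatever has keyboard
    focus, so a too-short \\dN sends the password into the first page's field
    (or the URL bar) instead of the password box."""
    seen_return, waited = False, 0
    for kind, value in events:
        if kind == "key" and value == "RETURN" and not seen_return:
            seen_return = True
        elif seen_return and kind == "delay":
            waited += value
        elif seen_return and kind == "text":
            return waited < page_load_seconds
    return False
```

The last function is the practical caveat: a hardware manager that emulates a keyboard has no idea what is on screen, so the delay must cover the slowest page load you expect, and focus must really be in the login form before you touch the device.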

LastPass Leak

December 22, 2022

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

“Based on our investigation to date, we have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022.”

August 2022

“An employee’s work account was compromised to gain unauthorized access to the company’s development environment, which stores some of LastPass’ source code.”

https://techcrunch.com/2022/12/14/parsing-lastpass-august-data-breach-notice/

“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”

What do we get from that?

  • Password managers increase our security…
  • …but they are not a silver bullet: the provider can be breached, and unencrypted metadata (URLs) leaks even when the secrets don’t

It’s not the end of the world

Thanks to the zero-knowledge architecture the attacker still has to crack the master password offline, which could take years …

… as long as we used a strong master password (and the vault’s key-derivation settings make every guess expensive).
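How “could take years” actually depends on the master password and the key-derivation cost, as an added example rather than anything from the LastPass notice: the hash rate and iteration counts below are constructed illustrations, not measured figures for any product or GPU.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(length, charset_size):
    """Entropy of a uniformly random password: length symbols from charset_size."""
    return length * math.log2(charset_size)


def passphrase_bits(words, wordlist_size=7776):
    """Entropy of a random passphrase (7776 = a standard diceware list size)."""
    return words * math.log2(wordlist_size)


def seconds_to_exhaust(bits, kdf_iterations, base_hashes_per_second):
    """Worst case: try all 2**bits candidates, each costing kdf_iterations
    hash computations, at the attacker's raw hash rate. The expected time to
    hit the right one is half of this."""
    guesses_per_second = base_hashes_per_second / kdf_iterations
    return (2 ** bits) / guesses_per_second


def years_to_exhaust(bits, kdf_iterations, base_hashes_per_second):
    return seconds_to_exhaust(bits, kdf_iterations, base_hashes_per_second) / SECONDS_PER_YEAR


def scenarios(base_hashes_per_second=1e10):
    """Compare a weak and a strong master password under a cheap and an
    expensive KDF. Constructed assumptions: 1e10 raw SHA-256/s for the
    attacker, 1 iteration (essentially a plain hash) vs 100_000 PBKDF2
    iterations. Returns {(password kind, iterations): years}."""
    candidates = {
        "8 lowercase letters": entropy_bits(8, 26),
        "12 mixed chars (95 printable)": entropy_bits(12, 95),
        "5 diceware words": passphrase_bits(5),
    }
    return {
        (name, iterations): years_to_exhaust(bits, iterations, base_hashes_per_second)
        for name, bits in candidates.items()
        for iterations in (1, 100_000)
    }
```

Two things fall out when you run `scenarios()`: the iteration count buys a constant factor (here 10^5), while every extra bit of entropy in the master password doubles the cost, so a long random passphrase matters more than any KDF setting; and a stolen vault, unlike an online login, gives the attacker unlimited, unthrottled attempts.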

Summary

  • A password manager helps you manage passwords
  • It lets us use unique, complex passwords for different accounts without having to remember them all
  • By using a password manager, you can improve your security without sacrificing convenience.
  • To choose the best password manager for your needs, consider factors such as security, compatibility and convenience.

In general, password managers are an essential tool for anyone who wants to improve their online security and protect their personal information.

Any questions?