Password managers

Not every password is safe

Password I used for most of my accounts in the past: www.security.org/how-secure-is-my-password/

Why reuse passwords?

https://www.darkreading.com/endpoint/password-reuse-problems-persist-despite-known-risks

https://www.darkreading.com/endpoint/password-reuse-problems-persist-despite-known-risks

Some more statistics

https://www.techspot.com/news/91388-most-people-reuse-passwords-across-multiple-sites.html

https://www.techspot.com/news/91388-most-people-reuse-passwords-across-multiple-sites.html

https://www.techspot.com/news/91388-most-people-reuse-passwords-across-multiple-sites.html

Offline password managers

Example: KeePass(XC)

These password managers can still be online

Dropbox, Google Drive, SyncThing, etc. https://keepass.info/help/kb/trigger_examples.html

Pros

• Simple and safe to use
• Your password vault never leaves your device (unless you want it to)
• You can transfer vaults between devices using thumb drives or cloud sync

Cons

• You have to move/sync the vault beetwen devices on your own
• That could be a hassle

Online password managers

Example: LastPass

Pros

• Most of the pros of offline password managers
• Automatic sync, can access your vault as long as you have access to the Internet
• It’s slightly more convenient

Cons

• The vault lives on some random server
• You have to trust the service provider
• You have to trust the security of the service provider

Stateless password managers

Instead of saving your passwords and encrypting them with a key derived from a master password, these password managers generate passwords on the fly by hashing a master password with the website name.

Example: LessPass

Pros

• You don’t have to synchronize your vault between any of your devices.

Cons

• If your master password is compromised, all of your passwords are.
• If a website has a password policy, you might not be able to generate a password that respects it.
• If password needs to be updated for whatever reason, you need to keep that state somewhere. Example: Password for “StackOverflow2”
• If you already have some passwords that you can’t change (for various reasons), a static password generator won’t help you.

Hardware password managers

Example: OnlyKey

It emulates a HID keyboard and can be programmed to navigate the steps to log in to pretty much any website, even if the login requires tabbing around multiple screens.

Pros

• Pin protected
• Durable, waterproof, and tamper resistant design
• The device isn’t connected to the Internet

Cons

• Cost (260,00 PLN) and learning curve
• There’s a limit to how much you can store
• OnlyKey can store up to 24 online accounts

Choosing a password manager

• Type of password manager - this is the easier choice
• Which password manager - this is the harder choice

Spoiler alert: There are a lot of them

Some of them: https://allthatsaas.com/roundup/best-password-managers/

Do I use any one of these?

Answer: Yes

A short comparison

https://blog.devolutions.net/2019/01/updated-2019-most-popular-password-managers-compared/

Why do I use Bitwarden?

Honestly, I’m not sure.

But it has sync and I like the fact that its components are open-source: https://github.com/bitwarden

Vault

Mobile vault

Autofill

Mobile autofill

Out of curiosity

How do you configure OnlyKey?

Slots

https://docs.onlykey.io/usersguide.html

Autofill

https://docs.onlykey.io/usersguide.html

Even more complex

You need to perform the following:

1. Enter the Username
2. Press TAB
3. Press RETURN
4. Wait for website to load next page
5. Enter the password
6. Press TAB
7. Press RETURN

You can enter \t or \r inline with slot data to type the extra TAB or RETURN and \d3 to DELAY 3 seconds.

Username: onlykey \t \r \d3

Password: password \t \r

https://docs.onlykey.io/usersguide.html

LastPass Leak

December 22, 2022

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

“Based on our investigation to date, we have learned that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident we previously disclosed in August of 2022.”

August 2022

“An employee’s work account was compromised to gain unauthorized access to the company’s development environment, which stores some of LastPass’ source code.”

https://techcrunch.com/2022/12/14/parsing-lastpass-august-data-breach-notice/

“The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.”

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”

What do we get from that?

• Password managers increase our security…
• …but not ultimately

It’s not the end of the world

Thanks to zero knowledge architecture the attacker still has to crack the master password, which could take years …

… as long as we used a secure password for the master password.

Summary

• Password manager helps manage passwords
• Allows us to use unique, complex passwords for different accounts without having to remember them all
• By using a password manager, you can improve your security without sacrificing convenience.
• To choose the best password manager for your needs, consider factors such as security, compatibility and convenience.

In general, password managers are an essential tool for anyone who wants to improve their online security and protect their personal information.