
Fast Company Executive Board

The Fast Company Executive Board is a private, fee-based network of influential leaders, experts, executives, and entrepreneurs who share their insights with our audience.

BY Stu Sjouwerman

Passwords are one of the oldest forms of online security: they protect accounts, applications, devices, and data, and it is doubtful they are going away anytime soon. That said, passwords are also problematic. People log in to websites and apps many times a day and are expected to remember more than 100 passwords, which leads to password fatigue, and fatigue leads to poor password hygiene and password reuse. An astonishing 85% of people reuse their passwords. Not surprisingly, stolen credentials are a leading root cause of cyberattacks and data breaches.

Password managers offer a solution. A password manager is a software application that generates complex passwords and stores them in an encrypted database (the vault) that can be unlocked only with one master password. They come in various shapes and sizes: the leading ones are standalone applications, some come bundled with operating systems, and others are browser-based. Let's explore the pros and cons of using password managers.

THE PROS OF USING PASSWORD MANAGERS

The main benefit of a password manager is that it lets users create and store a unique, long, random password for every website and service. That makes guessing or offline cracking impractical, and it means a breach at one site does not expose the user's accounts elsewhere. Most password managers will also inspect your existing passwords and tell you how strong they are.


Some password managers also alert you when a website you hold an account with is compromised. In other words, if the site gets hacked, the password manager prompts you to change that password.

Users typically copy and paste passwords. Most password managers clear the clipboard after a short interval, so a copied password has a short shelf life there. Most also offer autofill (they fill in usernames and passwords automatically), which reduces password fatigue and doubles as a security feature: a saved credential is tied to the domain it was saved for, so if a user opens a phishing site on a lookalike domain and waits for the manager to fill in the login form, nothing happens, because the domain does not match.

THE CONS OF USING PASSWORD MANAGERS

Although password managers have numerous benefits, they are also a single point of failure: if an attacker compromises your password manager, they get all your passwords in one fell swoop. That is different from an attacker breaking into a single system, website, or application, where they get only the credentials stored or typed there.

Password managers can be hacked or bypassed in three ways: remote attacks, local attacks, and attacks against the vendor. Social engineering is the most common way attackers steal passwords remotely. Phishers send convincing impersonation emails; unsuspecting victims click the link and wait for the password manager to autofill the login form. Because autofill does not work on the lookalike domain, victims may assume something is wrong with the password manager and end up copy-pasting the username and password from the manager into the fake website.
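The domain check behind the autofill behaviour described above (in the pros section and in the phishing scenario just described) is simple enough to show in code. The following is an added illustration, not code from the article or from any real password manager: it keeps a small constructed vault of hypothetical credentials, normalizes the page URL (lowercase host, Unicode host converted to punycode so a Cyrillic "а" cannot pass for a Latin "a"), and offers an entry only when the page is served over https and its host matches the host the credential was saved for. The `VaultEntry` class, the `VAULT` sample data and the `allow_subdomains` option are all assumptions made for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class VaultEntry:
    """One saved credential. `origin` is the scheme and host it was saved for."""
    name: str
    origin: str
    username: str
    password: str


# Constructed sample vault (hypothetical sites and throwaway credentials).
VAULT = [
    VaultEntry("Example login", "https://login.example.com", "alice", "vault-pw-1"),
    VaultEntry("Example main site", "https://example.com", "alice", "vault-pw-2"),
]


def normalize_origin(url):
    """Return (scheme, host) with the host lowercased and any Unicode label
    converted to punycode, so lookalike characters cannot masquerade as the
    saved host. Returns (None, None) for anything that cannot be parsed."""
    try:
        parts = urlsplit(url)
        host = parts.hostname or ""          # .hostname is already lowercased
        host = host.encode("idna").decode("ascii")  # pure ASCII is unchanged
    except (ValueError, UnicodeError):
        return None, None
    if not host:
        return None, None
    return parts.scheme.lower(), host


def hosts_match(saved_host, page_host, allow_subdomains=False):
    """Exact host match by default. With allow_subdomains, a page host that is
    a subdomain of the saved host also matches (sso.example.com for
    example.com). 'example.com.evil.net' never matches 'example.com', because
    the saved host must be the *end* of the page host."""
    if page_host == saved_host:
        return True
    return allow_subdomains and page_host.endswith("." + saved_host)


def autofill_candidates(page_url, vault=VAULT, allow_subdomains=False):
    """Entries the manager would offer to fill on page_url. Only https pages
    qualify, so a plain-http copy of a site gets nothing."""
    scheme, page_host = normalize_origin(page_url)
    if scheme != "https":
        return []
    matches = []
    for entry in vault:
        _, saved_host = normalize_origin(entry.origin)
        if saved_host and hosts_match(saved_host, page_host, allow_subdomains):
            matches.append(entry)
    return matches


if __name__ == "__main__":
    for url in ("https://login.example.com/signin",
                "https://login.examp1e.com/signin",       # typo-squat
                "https://login.example.com.evil.net/",    # real host is evil.net
                "https://login.exаmple.com/signin",       # Cyrillic 'а'
                "http://login.example.com/signin"):       # no TLS
        names = [e.name for e in autofill_candidates(url)]
        print(f"{url:45} -> {names or 'no autofill'}")
```

The last three URLs in the demo are exactly the cases a phishing page relies on, and all of them produce "no autofill". That silence is the signal the training advice later in the article asks users to notice: when the manager offers nothing on a page where it normally would, stop and check the address rather than pasting the password by hand. Enabling `allow_subdomains` is convenient for sites with many login hosts but widens the match, so it should be a per-entry choice rather than a global default.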

Local attacks are ones where attackers get onto a desktop or other system where a password manager is actively used. They install a Trojan horse or keylogger on the victim's machine and wait for the master password to be typed. There are also cases where the password manager or the vendor itself is hacked or compromised. Like any software, password managers have had vulnerabilities that can be exploited, and, like all businesses, their vendors are exposed to cyberattacks, breaches, social engineering, and phishing. Late last year, leading password manager LastPass experienced a major cyberattack in which copies of customers' encrypted vaults were taken, leaving the strength of each user's master password as the last line of defense. Norton LifeLock announced that it, too, had suffered a major breach.

VERDICT: PASSWORD MANAGERS ARE WORTH IT

In the end, adopting a password manager is a business or risk decision. Password managers remove the risk posed by people who habitually use weak passwords or reuse them across sites; that is a huge risk, and it is how many businesses get compromised. Security teams must weigh it against the single point of failure. The likelihood of your organization being compromised because employees share or use weak passwords is much higher than the likelihood of that single point of failure being hit. Currently, only 32% of Americans are required to use a password manager at work; globally, the figure is even lower (25%).

With that said, if your organization is considering a password manager, below are some tips that can help:


• Choose a password manager vendor that really cares about security: one that follows a secure development lifecycle (SDL), is transparent about what it does, and is responsive and accountable to its user community.

• Ensure that the vendor uses industry-standard, publicly reviewed cryptography (for example, AES for the vault and a deliberately slow key-derivation function such as PBKDF2 or Argon2 for the master password) rather than rolling its own. Some vendors write their own encryption algorithms or customize existing ones, and those may not be up to par.

• Look for password managers with strong security features, such as multifactor authentication options and contextual controls that protect the master password. For example, if someone enters your master password from an unknown location, the login is blocked and you are notified.

• Set a sensible auto-lock interval. Lock the application after 10 minutes, or at most an hour, of inactivity. If an attacker compromises a user's machine while the vault is unlocked, they immediately have access to every password in it.

• Run regular security awareness training for employees. Social engineering is the most common way they lose a password. Train them to rely on autofill, and if autofill does not work on a page, to stop and find out why before typing or pasting anything.

• Patch desktops, applications, devices, and the password manager itself regularly so that attackers cannot exploit known vulnerabilities.

• Check breached-password services (such as haveibeenpwned.com) or run a breached-password test to find out whether any of your passwords are already circulating in online databases.
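The breached-password check in the last tip can be done without sending the password, or even its full hash, anywhere. The Pwned Passwords range API behind haveibeenpwned.com works on a k-anonymity model: the client hashes the password with SHA-1, sends only the first five hex characters, receives every known suffix for that prefix, and does the final comparison locally. The block below is an added example, not code from the article or from Have I Been Pwned; the live-lookup function uses the real endpoint, but the demo and test run offline against a constructed sample response (the counts in it are illustrative, and the all-zero line mimics the zero-count padding entries the service adds when `Add-Padding` is requested).

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password):
    """Uppercase hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hex_digest):
    """Only the first 5 hex characters leave the machine; the other 35 stay local."""
    return hex_digest[:5], hex_digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Padding entries
    (returned when the Add-Padding header is sent) carry a count of 0."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """How many times the password appears in the corpus (0 = not found).
    fetch_range(prefix) must return the response body for that 5-char prefix."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix):
    """Real lookup over the network (not exercised in the offline demo)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6, the prefix of SHA-1("password").
# Real responses hold several hundred lines; the counts here are illustrative.
SAMPLE_RESPONSES = {
    "5BAA6": "\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
        "0" * 35 + ":0",            # zero-count padding entry
    ]),
}


def fetch_range_sample(prefix):
    """Offline stand-in for fetch_range_live, backed by the constructed data."""
    return SAMPLE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 2023!"):
        n = breach_count(pw, fetch_range_sample)
        verdict = f"seen {n} times, do not use" if n else "not in sample data"
        print(f"{pw!r}: {verdict}")
```

To audit real passwords, pass `fetch_range_live` instead of `fetch_range_sample`. A hit means the password is in a public corpus and should be rotated even if the account itself was never breached; a zero only means the password is not in that corpus, not that it is strong.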

Finally, do password managers make sense in 2023? Absolutely. Many are available on the market, including 1Password, Bitwarden, Dashlane, Keeper Security, LastPass, RoboForm, and True Key.


Stu Sjouwerman is the Founder and CEO of KnowBe4 Inc., the world’s largest Security Awareness Training and Simulated Phishing platform. 
