Tag Archive for: password manager

Exploring the risks and benefits of password managers

In recent years, password managers have become an indispensable asset for individuals and organisations, fortifying their IT infrastructure. However, while they deliver unparalleled convenience by securely storing and auto-populating login details and generating robust, unique passwords, they’re not without vulnerabilities.

For example, a Google advisory published this year highlighted a concerning flaw where several password managers could be deceived into auto-filling credentials on unauthorized sites. This scenario serves as a pressing reminder that risk often shadows convenience for companies and users alike. It’s crucial to understand these vulnerabilities and maintain constant vigilance, especially concerning website auto-fill features.

The dual edges of password managers

Password managers are sophisticated applications designed to store an extensive database of a user’s passwords, making the challenging task of remembering complex credentials a thing of the past. The primary key to this vault is a singular master password. Upon its input, users gain access to all their passwords within the manager.

Many of these utilities have automatic password generators, churning out complex credentials on demand. They offer the advantage of autofill capabilities, eliminating the manual chore of copying credentials – an advantage especially valuable for mobile device users.

However, given the potential vulnerabilities of the hosting servers, utilizing online password managers pose risks of their own. Hence, these tools considerably elevate security standards but don’t offer absolute invulnerability.

The pitfalls of automatic auto-filling

Though conceived for bolstering security, password managers auto-fill functionalities can inadvertently populate credentials into dubious or malicious websites.

Cybercriminals deceive these managers by skillfully manipulating website components or crafting persuasive phishing sites. This becomes a greater issue when users don’t put in their due diligence to ascertain the site’s authenticity and instead lean too heavily on the auto-fill feature. Such negligence could inadvertently hand over their credentials to adversaries, leading to potential account breaches.

Moreover, Google’s advisory in January unveiled that several password managers were susceptible to mistakenly auto-filling credentials on untrustworthy pages, posing a tangible risk of account breaches for users.

Specifically, Safari browsers, and extensions, such as Bitwarden and DashLane, were identified as potentially auto-filling login details within forms embedded in sandboxed iFrames. Fortunately, by the advisory’s release, these flaws had been addressed.

Understanding password managers

In light of these revelations, our security research team undertook comprehensive tests on prevalent browsers and password managers, evaluating their responses to same-origin and cross-origin iFrames, notably those unsandboxed.

Our observations highlighted Chrome and Firefox’s robust security stance – neither auto-filled credentials nor presented the option. Contrastingly, the Edge browser did auto-fill the username or email field, although it left the password field untouched.

For password managers, Passbolt and 1Password emerged as frontrunners in security, refraining from both auto-filling and offering the option to users. BitWarden and LastPass, whilst adopting a different approach, present users with a precautionary prompt when credentials may be forwarded to a divergent domain. This pivotal prompt allows users to auto-fill or decline, even in unsandboxed cross-origin iFrames.

Secure password management not only relies on users choosing strong passwords but also using due diligence when choosing a password manager and utilizing its functions. We strongly recommend users disable any auto-fill features and only manually trigger the feature when users are confident that the form presented is legitimate and should be filled.

Best practices for a robust password

Password security is paramount, not only for individual users but for the broader integrity of databases. While protective mechanisms can counteract some user lapses, individuals remain particularly vulnerable when employing weak passwords. So, what constitutes a robust password?

1. Incorporate alphanumeric characters: While recent studies suggest that simply adding upper and lowercase letters might not drastically enhance password strength, their inclusion, even marginally, can fortify defences. 

2. Embrace length: One of the most effective strategies is lengthening your password. Extended character sequences significantly challenge recovery attempts. Familiarise yourself with the latest methods advocating for comprehensive passwords. 

3. Integrate symbols: Current research underlines the effectiveness of symbols. Their inclusion proves more potent than switching between upper and lowercase letters. 

4. Prioritise unpredictability: Crafting unconventional passwords is key. Avoid the temptation of dictionary words or predictable sequences. Aim for originality, confounding potential intruders.

By adhering to these principles, users can significantly reduce their vulnerability in the digital sphere. Password management services require a two-way relationship. It’s important we don’t rely solely on this advanced technology and instead remain judicious and proactive in our online conduct. Despite being formidable allies in online security, they are not without their intricacies. Understanding the nuances and potential hazards linked to auto-fill features is central to user protection. We advocate for a more cautious stance – disable the automatic auto-fill function and opt for a manual trigger instead. Users should activate auto-fill exclusively when they are certain of the form’s authenticity.

If you are looking for an expert to help you find the best solutions for your business talk to GCInfotech about a free technology assessment

Published with consideration from TechRadar Pro

/by

Password Fatigue Is Real. Here’s What Businesses Need to Know

Password fatigue is a real problem for businesses. Here’s what they can do while they await passwordless authentication.

Does the term “password fatigue” sound familiar? It’s ironic that increased security measures put in place to keep us safe may sometimes do the exact opposite. Mandatory password changes, lengthy password requirements and security questions, while well intentioned, can lead some people to backslide with their digital hygiene.

With the average person reusing the same password 14 times across their portfolio of digital accounts, it’s no wonder the FBI received a record number of cybercrime complaints from the American public last year, with potential losses exceeding $6.9 billion.

How To Prevent Password Fatigue

Password fatigue is a reaction to the fact that safety and functionality are often seen as in opposition to each other. Our days are filled with a series of different programs and platforms, each requiring its own login credentials.

The average adult has at least 100 passwords to keep track of, and the majority of Americans say they’re locked out of an average of 10 accounts per month. It’s impossible to remember all the passwords that safeguard our daily lives. The seemingly endless need to remember or reset passwords can wear people down, resulting in risky behavior.

One study revealed that 92 percent of people are aware of the security risk associated with reusing passwords, but 65 percent reuse them anyway. The password has stuck around so long despite its flaws precisely because it is not easy to replace.

Passwordless authentication is available for use today; however, most organizations have not yet deployed the technologies to support it. For now, they rely on multi-factor authentication to mitigate the risk of passwords being hacked. That’s a good intermediate step, but it doesn’t do anything to solve password fatigue.

Resetting Passwords: What You Need to Know

In addition to multi-factor authentication, businesses can help employees by deploying password management technology that acts as a digital logbook — a compilation of passwords to various accounts that can be accessed through a single master password.

Password managers can automatically monitor your password strength and help you create strong, unique passwords for every account.

Take the following factors into consideration when deciding which password manager is best for your needs:

  • Will it protect your organization against a cyberattack? You are best served by a manager that cr­eates high-strength, random passwords for each website, application and service that you use. Ensure you have alerts and dark web monitoring engaged so you can take immediate action if your credentials are leaked in a public data breach.
  • Does it enable multi-factor authentication? An additional PIN sent to employees’ digital devices, or one that works in tandem with an authentication app, is one element that separates a dedicated password manager from a browser-based manager, which saves and auto-fills passwords, giving anyone using your computer access to your online accounts.
  • How flexible is it? Some password managers can only be used with one device type, or with specific software systems. Make sure you’re protected on every platform, with a manager that securely syncs across all your devices.
  • Is it easy to use? Safely storing passwords should make employees’ lives simpler. Ensure your password manager can auto-fill user IDs and passwords, and consider additional features, such as the ability to add payment cards for faster checkouts.

Custom fields can help securely save important information such as your driver’s license or passport number, or even sensitive files, documents, photos and videos. Most experts agree that the ongoing use of passwords represents a security risk for organizations. Until passwords are a thing of the past, however, businesses should do all they can to reduce that risk.

If you are looking for an expert to help you find the best solutions for your business talk to GCInfotech about a free technology assessment

Published with consideration from BizTech  SOURCE

/by
,

Are Password Managers Safe?

If you’re struggling to juggle your passwords, the solution to your woes is a password manager. See our recommendations.

Password managers are a safe, secure way of logging into your various online accounts. In fact, they’re vastly preferable to the alternatives of either trying to remember multiple unique passwords or re-using the same password over and over.

According to Pew Research Centre, half of users have up to 25 password-protected accounts online. That’s far too many for the average person to remember, making it hard to stay secure. A secure password manager will automatically store all your logins, meaning that you’ll never have to remember one ever again, and can even generate passwords for you.

Given that even industry-leader LastPass was once the victim of a hack, concerns remain over using password managers. Besides, you may be questioning the wisdom of storing all your passwords in one place. These are legitimate concerns, but research has shown that using a password manager is far more secure than not using one. The risk of your business getting hacked is high, particularly during the pandemic, so we’d strongly recommend getting one yourself.

As for which password manager you should choose? We’ve tested some of the best password managers around, and while they’re all safe and secure, the best on test was LastPass. This stands out thanks to a simple interface, secure setup, and brilliant family-sharing options. Plus, you can try LastPass for free to see if you like it.

Is it Safe to Use a Password Manager?

Yes – a good quality password manager is a safe, trustworthy and highly recommended security tool. In fact, security experts almost uniformly believe that password managers are infinitely safer than virtually every alternative there is, for businesses and individuals alike.

Top password managers, such as 1PasswordDashlane or LastPass, can be trusted to protect your account logins thanks to secure encryption that keeps your passwords secret.

Here’s how it works in practice. You create an account with a password manager, then create a single “master password” to log into it. To keep your password manager safe to use, it’s essential that your master password isn’t anything obvious. So that’s no to “12345,” “qwerty,” or “passwd.” Instead, pick a longer phrase or mix and match cases and special characters – just ensure it’s unique and memorable.

Then, the password manager can get to work automatically generating complex, unique passwords for every service you log into online – one for your Amazon account, email account, Facebook account and so on. You won’t need to memorize these – whenever you login in, the password manager will automatically apply the password (and you enable the password manager via that single master password).

This entire process is far more secure than re-using the same password over and over on multiple sites – the single biggest risk you can take with you and your business’ online security. It’s also far easier than attempting to remember multiple unique passwords.

So, if it’s all win, why are there any questions around password manager safety? Largely, these come down to an understandable concern over the security of handing over your logins to a third-party service. That’s why we’d recommend only using a trustworthy, well-rated password manager. So which ones would we recommend?

Most Secure Password Manager

If you want a secure password manager, you should opt for a paid one. Free password managers tend to be restricted in some way, and are usually supported with adverts. Additionally, free password managers are simply not set up to handle a full business’ security needs, which means paid for is always the way to go.

In our testing, we found LastPass to be the most secure password manager. For a few dollars a month, it could save you a lot of headaches, as well as time spent waiting for password reminder emails to drop into your inbox.

Do Password Managers Get Hacked?

No online system is infallible. Password managers – just like any other online service you use, such as Amazon, Twitter or Facebook – run the risk of being hacked. In fact, some have been.

The best password managers, however, will take your security very seriously – after all, you’re paying for the service. If you lose trust in them, they lose your patronage, and with it, your payment.

When LastPass was hacked in 2015, users were right to be concerned – after all, if a hacker could get into the system, they could, in theory, have access to every password that LastPass users had stored there. However, even though its security was breached, hackers were unable to steal any information – all of the passwords were protected by the users’ Master Password, which is not stored on the LastPass servers. This meant that the encryption on the passwords stored by LastPass was unable to be cracked. And that is why you should pay for a password manager.

Password managers are also a common target for ‘ethical hackers’ — those who like to test the security of online systems to flex their coding muscles. Password managers are their white whale – crack one of these open, and they’ll win the acclaim of the industry.

This isn’t as scary as it sounds though. In fact, ethical hackers are offering a great service, finding exploits in online systems before more nefarious people do. Once they’ve found a vulnerability, these hacklers will make contact with the service and let them know, allowing the provider to then fix the issue.

Verdict – Should You Use a Password Manager?

We can’t state this clearly enough – a password manager is a safe, recommended way to secure your online logins. The alternatives are far, far riskier – in particular, that old habit of re-using the same old password again and again across multiple websites (please, just don’t).

No system is guaranteed bullet-proof, and as the LastPass hack showed, even password managers can be vulnerable. However, as that very incident showed, there are serious protections in place, and these prevented the LastPass hack from being a disaster for any customers.

In the age of hybrid work and vast security breaches, we’d strongly recommend getting up and running with a password manager for proper online peace of mind.

If you are looking for an expert to help you find the best solutions for your business talk to GCInfotech about a free technology assessment

Published with consideration from Tech.co SOURCE

/by