Tag Archives: Password Manager

Tech Insight : What Is A Password Manager?

In this tech insight, we look at challenges to using passwords, what password managers are, and why they are still so important.

The Limitations and Challenge of Passwords

Passwords have long provided a practical way to log in to websites, platforms, apps and other access gateways, yet using passwords comes with many limitations and challenges, most of them around security. These include:

Human Limitations and Human Error

People can typically only remember shorter, more uniform, or more memorable strings of characters, so passwords tend to be built from words, names, dates, or a combination of these. Patterns like that are exactly what dictionary and rule-based cracking tools try first, which makes such passwords much easier to crack than their length suggests. Remembering long groups of unrelated characters, on the other hand, is unduly onerous for most people.

Password reuse (i.e., using the same password for multiple platforms/websites) is a security issue because if one site is compromised and its password details are stolen, criminals can quickly try the same credentials in many other locations, which can result in financial loss and several of one person's accounts being taken over at once.

The use of default passwords (e.g. on IoT devices and gadgets) or of very easy-to-guess passwords is highly risky and leaves users exposed to hacks, data theft and financial loss. For example, the top 5 passwords in the NordPass list of the 200 most commonly used passwords for 2021 are 123456, 123456789, 12345, qwerty, and password.

Criminal Activity

Cybercriminals have found passwords easier to beat in recent years due to factors such as:

– The massive leak of 2.6 billion rows of personal data across 12,000 files dubbed Collection #1, plus the many other collections of personal data and passwords now available to buy/swap/download on the dark web and elsewhere. Each breached email/password pair is a ready-made guess for every other site where that person reused it.

– Password-cracking tools are widely available online, e.g., Cain & Abel, Hashcat, John the Ripper, and Ophcrack. Given a stolen database of password hashes, these tools run dictionary, rule-based and brute-force guesses (or, for Ophcrack, precomputed rainbow tables) against the hashes at very high speed, which is why short or pattern-based passwords fall quickly.

Cyber-criminals can use the stolen/purchased password details for:

– Credential stuffing attacks. This is where cyber-criminals use software to automate trying breached username/password pairs on many other websites to see if any of them grant access. Unlike brute-forcing, each account usually receives only one or two guesses (the leaked pairs), so per-account lockouts do little; the tell-tale sign is one source trying many different usernames in a short time.

– Phishing attacks. A stolen mailbox login can be used to send malicious emails to the victim's contacts, who are more likely to open them because they come from an address they trust.

– Targeted digital identity attacks. The breached credentials can be used in targeted attacks designed to take over a victim's entire digital identity, steal their money, or compromise their social media accounts and the data in them.
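The credential-stuffing pattern described above can be picked out of ordinary web-login logs. The following is an added example (not code from the original article) showing the detection logic: it parses a small constructed sample of login events, whose line format and IP addresses are assumed for illustration, and flags any source IP that tries many different usernames within a short window while mostly failing. A single user who keeps getting their own password wrong does not trigger it, because they only ever hit one account.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login log lines (not real traffic). The line format
# "<ISO timestamp> ip=<addr> user=<name> result=<OK|FAIL>" is an assumption.
SAMPLE_LOG = """\
2021-05-10T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2021-05-10T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2021-05-10T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2021-05-10T10:00:03Z ip=203.0.113.5 user=dave result=OK
2021-05-10T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2021-05-10T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2021-05-10T10:00:10Z ip=198.51.100.7 user=alice result=FAIL
2021-05-10T10:00:40Z ip=198.51.100.7 user=alice result=FAIL
2021-05-10T10:01:05Z ip=198.51.100.7 user=alice result=OK
2021-05-10T10:02:00Z ip=192.0.2.9 user=grace result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn log text into (timestamp, ip, user, success) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a bad line should not crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_distinct_users=5, max_success_ratio=0.5):
    """Flag source IPs that try many *different* usernames within `window`.

    A forgetful user fails repeatedly on ONE account; a stuffing tool walks a
    breached list, so one IP hits MANY accounts, mostly failing, with the odd
    success that marks a reused password. Returns a dict keyed by flagged IP.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):          # sorted by timestamp first
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        # Sliding window: from each event, look at everything within `window`.
        for i, (start, _, _, _) in enumerate(evs):
            chunk = [e for e in evs[i:] if e[0] - start <= window]
            users = {e[2] for e in chunk}
            successes = [e[2] for e in chunk if e[3]]
            if (len(users) >= min_distinct_users
                    and len(successes) / len(chunk) <= max_success_ratio):
                flagged[ip] = {
                    "users": len(users),
                    "attempts": len(chunk),
                    "successes": len(successes),
                    # accounts that were actually opened: reset these first
                    "hits": sorted(set(successes)),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['users']} usernames in {info['attempts']} attempts, "
              f"accounts opened: {info['hits']}")
```

The thresholds (five distinct usernames, at most half of attempts succeeding, five-minute window) are illustrative starting points; on a real site they need tuning against normal traffic, and the `hits` list is the actionable output, since those are the accounts whose reused passwords have just been confirmed to an attacker.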

Password Managers

Password managers are typically installed as an app on each device together with a browser extension (some are built into the browser itself). They handle password capture and replay: when you log in to a site, the manager offers to save the credentials in an encrypted vault, and on returning to that site it can fill them in automatically, normally only on the matching domain, which also makes the manager a useful guard against look-alike phishing pages.

Password managers can also generate new, random passwords when needed and automatically paste them into the right fields, which removes the need to reuse or remember passwords at all, and they can sync the vault across all of a user's devices.
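What a manager's password generator does, and why its output is so much stronger than a human-chosen password, is easy to show. The following is an added example (not code from the article or any of the products it names): it draws random passwords from the operating system's secure random source, computes their entropy, and applies a simple weak-password check seeded with the five most common passwords the article quotes. The word list and the 60-bit threshold are assumptions for illustration.

```python
import math
import secrets
import string

# The five most common passwords from the NordPass 2021 list quoted above.
# A real checker would load the full list or query a breach-lookup service.
COMMON_PASSWORDS = {"123456", "123456789", "12345", "qwerty", "password"}

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed (deliberately tiny) word list for passphrase generation.
WORDS = ["copper", "lantern", "meadow", "quartz", "velvet", "harbour",
         "tundra", "saffron", "ember", "glacier", "willow", "zephyr"]


def generate_password(length=20, alphabet=ALPHABET):
    """Uniformly random characters from the OS CSPRNG (never random.choice)."""
    if length < 12:
        raise ValueError("length below 12 gives too little entropy")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=WORDS, count=6):
    """Diceware-style: random words; strength = count * log2(len(words))."""
    return " ".join(secrets.choice(words) for _ in range(count))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def is_weak(password, common=COMMON_PASSWORDS, min_bits=60):
    """Reject common-list members and anything too short for its alphabet.

    The entropy estimate assumes the characters were chosen uniformly, so for a
    human-chosen password it is an upper bound; the list check catches the
    patterns that estimate would otherwise over-rate.
    """
    if password.lower() in common:
        return True
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    used = sum(len(c) for c in classes if any(ch in c for ch in password))
    return entropy_bits(len(password), used) < min_bits


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
    print(generate_passphrase(), f"{entropy_bits(6, len(WORDS)):.1f} bits")
```

A 20-character password over 94 symbols carries about 131 bits of entropy, far beyond what cracking tools can exhaust, while a memorable choice like "password" is rejected outright. Passphrases trade characters for words: six words from a realistic 7,776-word list give about 78 bits, which is why managers offer them for the few passwords people still have to type.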

Popular Password Managers

Examples of popular password managers include Google Password Manager, Microsoft Authenticator, Dashlane, LastPass, Sticky Password, Password Boss, Keeper (good for cross-platform use), 1Password, and LogMeOnce. There are also password vaults in other programs and CRMs that act as password managers, such as Zoho Vault and Digital Vault.

Google Password Manager and Microsoft Authenticator

Google's Chrome browser has a built-in password manager that helps stop people using weak passwords by suggesting strong random ones when a new account is created, and Microsoft's Authenticator app can manage passwords for both Edge and Chrome.

Benefits of Password Managers

The main benefits of password managers include:

– Convenience and saving time. Having the password available in a secure browser extension is very helpful where, for example, the password has been forgotten or is too difficult to remember. Password managers are also particularly helpful for businesses, most of which have a large number of passwords to store, and for businesses that need to hold logins for their customers' apps and platforms (e.g. digital marketing companies), where a shared vault also makes it possible to revoke access when a staff member leaves.

– Added security. Most password managers encrypt the vault with AES-256, using a key derived from the user's master password, so the stored passwords stay protected while remaining close to hand when needed. The caveat is that the whole vault is only as strong as that one master password (and any second factor protecting the account), so it should be long, unique and never reused anywhere else.

What Does This Mean For Your Business?

Even though big tech businesses are now offering ways to log in that don't use passwords (Microsoft announced in September that consumer accounts can now go fully passwordless, using the Authenticator app or another method in place of a password), many businesses still need to use multiple passwords in a secure and convenient way. Password managers, therefore, serve a useful purpose in tackling the challenges of human limitations and human error, helping with work on the go and remote or hybrid working (synchronising passwords across devices), and the ongoing efforts of cyber-criminals. The strength and convenience of the passwordless alternatives mean that the days of passwords now appear to be numbered, but, in the meantime, there are many different password managers for businesses to choose from.

Tech News : Get Notified By Google If Your Passwords Are Compromised

As part of Google's latest security updates to Chrome and Android, users will not only be alerted if any of the passwords in their password manager have been compromised but will also be offered a quick fix.

Quick Fix – Change Password

In the ongoing competitive battle between Google's Chrome browser (and its Android OS) and Apple's equivalents, Google has released new security updates. Part of the update to the password manager built into Chrome and Android is a new quick-fix feature that lets the Google Assistant navigate to the compromised account and change the password within seconds, on the sites that support it.

Benefits

Firstly, alerting users when a password has been compromised is valuable because they can act quickly before more damage is done, rather than finding out after the event (e.g. stolen data or money) or after the password has been passed on or sold to other attackers.

Secondly, a one-click 'Change Password' button gives users a fast-track fix: they minimise the time they are exposed to risk and can change the password quickly and conveniently without having to go back to the site, find the forgot-password/change-password link, and work through the longer process that way.

Setting Up The Feature

The feature, powered by Duplex, the Google AI technology introduced in 2018, is available to users who have 'Safe Browsing' turned on and who are signed in to Chrome with sync enabled.

On Android, for example, to receive alerts when any saved passwords turn up in a data breach on a third-party website or app, open 'Settings' in Chrome, select 'Privacy and security' > 'Safe browsing', tap 'Standard protection', and switch "Warn you if passwords are exposed in a data breach" on.

Users can also check their saved passwords themselves to see if any have been exposed in a data breach. Again, this is done from 'Settings' in the Chrome app, by tapping 'Passwords' > 'Check Passwords'.

What Does This Mean For Your Business?

This is one of several new security features announced in answer to Apple's recent iOS 14.5.1 and macOS 11.3.1 security updates, and specifically to Apple's introduction of compromised-password alerts in iOS 14. Being alerted to a compromised password, being able to check for one, and being able to change it quickly and easily is clearly beneficial to users. Google also recently announced that it will soon automatically enrol users in Two-Step Verification ('2SV') to improve the security of its services, but the future of authentication and verification is most likely to be 'passwordless' and based on biometrics. For example, last year Google announced that users could verify their identity with a fingerprint or screen lock instead of a password on certain Google services (on Pixel devices and all Android 7+ devices), the result of Google's collaboration with many other organisations in the FIDO Alliance and the W3C that produced the FIDO2 standards, W3C WebAuthn and FIDO CTAP. Under those standards the fingerprint or screen lock unlocks a cryptographic key held on the device, and only a signature from that key is sent to the site, so the biometric itself never leaves the device and there is no shared secret for a breach to expose. Both Apple and Google may be highlighting features built around more traditional security ideas for now, but the direction of travel is away from passwords altogether.