Welcome to the frightful world of password management—a spine-chilling labyrinth that sends shivers down the spines of even the bravest souls!
Picture this: you wake up in the dead of night, drenched in cold sweat, haunted by a ghastly nightmare. But beware, dear reader, for the real horror story begins when you find yourself staring blankly at your computer screen, besieged by an army of passwords that seem to multiply like zombies. Your heart pounds, your fingers tremble, and your mind races, desperately trying to remember if your favourite pet’s name from primary school is indeed the key to safeguarding your precious online accounts.
In this spine-tingling tale of terror, every online portal demands a unique and complex password, as if they secretly conspired with dark forces to test your memory’s breaking point. Fret not, for amidst this chaos, there exists a ray of hope—a powerful, mystical tool that can vanquish these password phantoms and restore order to your digital life.
Introducing the valiant knight—the Password Manager!
What is a Password Manager?
Password managers are nothing new, but it’s somewhat surprising how rarely we come across them in our internal infrastructure security assessments. Regularly, we find plain text passwords stored in text/CSV files (even for high-privileged accounts). In our password cracking exercises, we manage to crack more passwords than we initially expected. We figured we’d shed some light on why ALL organisations should incorporate password managers in their infrastructure, in the hope that our beloved readers get rid of that text file with all the keys to the kingdom. After all, on many systems, passwords are the first line of defence against the bad guys, and there has been no shortage of breaches that were a direct result of compromised passwords. As such, organisations need to be sure that they’re playing their cards right when it comes to setting and managing passwords for their infrastructure.
A password manager acts as a central repository, encrypting the passwords and requiring users to remember only a single master password to access them. Additionally, many password managers offer features like auto-fill and password strength analysis, streamlining the login process and promoting better password hygiene. There are third-party service-based password managers, self-deployed password managers (usually a web application), as well as local/offline ones. The self-deployed option would be most useful for organisations as no trust has to be delegated to a third-party and they can also be used as a platform for safe password sharing. It would also give the option of keeping it internal (e.g. within the organisation’s VPN) which would add an extra layer of protection against prying eyes.
Why Use a Password Manager?
To understand the strengths that password managers bring to the table, it’s important that we first understand the implications of manual password management. As human beings, our memorisation abilities are limited. Sure, we can come up with a few strong passwords and retain them in memory, but in today’s day and age where everything is getting digitised, everyone opens up at least a dozen accounts a year, each requiring a “complex” password. Passwords for work just add fuel to the fire.
Given such circumstances, users will naturally resort to making matters easier for themselves; i.e. they will resort to bad practices. These practices and their respective risk can be summarised in the following:
- Weak passwords: increase the chance of success of both online and offline bruteforce attacks
- Password re-use: compromise of one password means compromise of several accounts
- Unencrypted storage of passwords: basically rolling out the red carpet for malicious actors
It’d be very naïve of us to leave it at that and call it a day. As all things cybersecurity-related, it’s important that we look beyond the rainbows and fluffy bunnies and consider the downsides.
One cornerstone premise of password managers is that if a malicious actor ever gains access to the password manager database, they are unable to directly obtain the passwords stored within, given that they are encrypted. Bear in mind that this premise only stands if the master password is strong enough that bruteforcing it is computationally infeasible. It is therefore important to choose a strong master password (and not write it down somewhere). Not to mention, a well-positioned attacker may also retrieve the master password by inspecting unencrypted network traffic, key logging, etc., so it’s definitely not foolproof.
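As an added illustration (not the post’s own code, nor any particular product’s design) of the encrypted central repository described under “What is a Password Manager?” and of the master-password premise above: a toy vault whose keys are derived from the master password with a deliberately slow KDF, plus an estimate of how long exhausting a master password of a given shape would take offline. The KDF work factor, the attacker hash rate and the sample entry are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Toy vault for illustration only (stdlib, not a production design): keys are
# derived from the master password with a slow KDF, and each entry is encrypted
# and integrity-protected under those keys.
KDF_ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor for this example

def derive_keys(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> tuple:
    """Returns (encryption key, MAC key); the salt is stored next to the vault."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=64)
    return km[:32], km[32:]

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a simple stand-in for a real cipher."""
    nblocks = -(-length // 32)  # ceiling division
    stream = b"".join(hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(nblocks))
    return stream[:length]

def encrypt_entry(keys: tuple, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one vault entry; layout is nonce || ciphertext || tag."""
    enc_key, mac_key = keys
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_entry(keys: tuple, blob: bytes):
    """Returns the plaintext, or None if the master password is wrong or the blob was tampered with."""
    enc_key, mac_key = keys
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def exhaustive_search_years(charset_size: int, length: int, hashes_per_sec: float,
                            iterations: int = KDF_ITERATIONS) -> float:
    """Years needed to try every master password of this shape at a given raw hash rate.
    Every guess costs `iterations` hashes, which is why the KDF work factor matters."""
    guesses_per_sec = hashes_per_sec / iterations
    return charset_size ** length / guesses_per_sec / (365 * 24 * 3600)

if __name__ == "__main__":
    salt = os.urandom(16)
    keys = derive_keys("three-random-words-and-a-number-7", salt)   # constructed master password
    blob = encrypt_entry(keys, b"svc-backup: P@ssw0rd-from-the-csv")  # constructed sample entry
    print(decrypt_entry(keys, blob))
    print(decrypt_entry(derive_keys("wrong", salt), blob))           # None: wrong master password
    # 8 printable-ASCII chars at an assumed 1e10 hashes/s: without vs with the KDF work factor
    print(round(exhaustive_search_years(95, 8, 1e10, 1), 3), round(exhaustive_search_years(95, 8, 1e10)))
```

The last line shows the same eight-character master password going from a matter of days to thousands of years of search purely because of the KDF work factor; a longer passphrase pushes the figure far beyond either.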
Secondly, if the master password is somehow ever “lost”, recovering the encrypted passwords would not be possible without successfully bruteforcing it (refer to previous point). This may entail delays in regular business operations and, depending on the context, a somewhat miserable day for the IT help desk.
Another thing to consider is the challenges of bringing everyone in the organisation on-board and fully migrating to password managers. As the saying goes: “old habits die hard”. Depending on the size of the organisation, training everybody to exclusively depend on password managers will probably require some effort. However, we believe that it’s a struggle worth going through. This may even change the perspective of how employees manage passwords for their personal accounts and overall lead them to embracing the movement.
Needless to say, much like any other software, password managers can suffer from vulnerabilities with varying severities. Therefore, be sure to stay up-to-date in case a self-deployed password manager is your responsibility. You only need to look back to December 2022 as an example of this:
That said, it’s very apparent that password managers are extremely beneficial as they ease the pain of password management. With the increase in passwords per individual, we see no reason for organisations not to use password managers, as long as their strengths and weaknesses are clearly understood and accounted for. Multi-factor authentication should still be enforced where applicable to stay in line with security best practices.