We all know what a password manager is: a way to keep track of different, complex passwords so that we are not caught out by password reuse across the web, or by passwords that are easy to remember but just as easy to crack.
Password manager services seem like a good idea, but are they really safe? Here is an excerpt from the UK’s National Cyber Security Centre, where Emma W explains more:
“People keep asking the NCSC if it’s OK for them to use password managers (sometimes called password vaults). If so, which ones? Who should use them – private citizens, small businesses, massive enterprises? And how should people use them? Is it safe to put all your crucial passwords into a password manager, and forget trying to remember any at all?
This is a big topic, so we’re chunking it up. This blog explains what I think about password managers in general, and how I use them myself. This might be helpful if you’re an individual deciding whether and how to use a password manager for your personal use. If you’re looking for business use, this blog post won’t hold all the answers you need (look out for more from the NCSC on this soon).”
There is more advice on passwords here from the US NCCIC (National Cybersecurity and Communications Integration Center) that touches on the topic of password managers. Another NCCIC tip is on supplementing your passwords.
Password managers are an excellent tool, but they pose a risk of their own: if the manager is compromised, then potentially so are all of your passwords. This risk was at the root of a situation last year, when the retail bank Santander went so far as to block password managers and advise its customers not to use them, as reported in Computer Business Review and elsewhere.
The bank told Computer Business Review: “We discourage the use of any system which would allow another person to gain access to or use the customer’s password or other security details. This may include some forms of password manager such as those built into browsers.”
So, who is right? Is it the NCSC and NCCIC, globally respected agencies that form part of their respective governments’ cybersecurity infrastructure, or a retail bank?
Actually, in many ways the answer is ‘both’!
The advice on password managers is good, even accepting that it places greater trust in the password manager provider. However, the bank’s position also recognizes that passwords are fast losing their effectiveness as protection for important data.
Password management infrastructure company Thycotic has some sobering figures in this blog post.
“If you include symbols, then depending on the symbols used, there are about 80 characters in the set. To break a password such as “%ZBGbv]8”, it would take (1.7*10^-6 * 80^8) seconds / 2, or 45.2 years. On a supercomputer or botnet, this will take 4 hours.
So, even if you use a very secure set of characters, your password should be at least 10 characters long. To break a 10 character password that uses letters, numbers, and symbols, such as “%ZBGbv]8g?”, it would take (1.7*10^-6 * 80^10) seconds / 2 or 289217 years. This would take about 3 years on a supercomputer or botnet.”
As the installed base of computing power potentially available to botnets continues to grow exponentially, it is password length that will matter most in keeping a password’s vulnerability at an acceptable level.
As passwords get longer, they get more complex, so the need for password managers becomes ever greater, and the advice to use a password manager from a reputable provider makes sense.
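To make the quoted Thycotic arithmetic and the length-versus-compute argument concrete, here is an added estimator (not from the original post or from Thycotic) that reproduces the 8- and 10-character figures above and then asks how much length is needed to stay ahead of an attacker whose throughput keeps doubling. The per-guess cost of 1.7e-6 s and the 80-symbol set come from the quote; the roughly 1e5× "supercomputer or botnet" speed-up is derived from the quoted hours/years, and the compute doubling period is a constructed assumption, not a figure from the post.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600
HOURS_PER_YEAR = 365.25 * 24

# Figures taken from the quoted Thycotic passage.
CHARSET_WITH_SYMBOLS = 80
SECONDS_PER_GUESS = 1.7e-6
# Derived from the quote: 45.2 years -> 4 hours and 289k years -> 3 years
# both correspond to an attacker roughly 1e5 times faster.
BOTNET_SPEEDUP = 1e5


def expected_crack_seconds(charset_size, length, seconds_per_guess, speedup=1.0):
    """Average-case exhaustive search: half the keyspace at the given cost.

    Assumes a uniformly random password and that every guess costs the same;
    leaked or dictionary-based passwords fall far faster than this model says.
    """
    return seconds_per_guess * charset_size ** length / 2 / speedup


def expected_crack_years(charset_size, length, seconds_per_guess, speedup=1.0):
    return expected_crack_seconds(charset_size, length, seconds_per_guess, speedup) / SECONDS_PER_YEAR


def min_length_for_years(charset_size, seconds_per_guess, target_years, speedup=1.0):
    """Smallest length whose expected crack time reaches target_years."""
    length = 1
    while expected_crack_years(charset_size, length, seconds_per_guess, speedup) < target_years:
        length += 1
    return length


def min_length_after_growth(charset_size, seconds_per_guess, target_years,
                            years_ahead, doubling_years=1.5):
    """Length needed if attacker throughput doubles every `doubling_years`
    (constructed assumption) and the password must survive `years_ahead`
    of that growth while still taking `target_years` to crack."""
    speedup = 2 ** (years_ahead / doubling_years)
    return min_length_for_years(charset_size, seconds_per_guess, target_years, speedup)


def doublings_absorbed_per_char(charset_size):
    """How many doublings of attacker compute one extra character cancels out."""
    return math.log2(charset_size)


if __name__ == "__main__":
    for n in (8, 10):
        yrs = expected_crack_years(CHARSET_WITH_SYMBOLS, n, SECONDS_PER_GUESS)
        print(f"{n} chars: {yrs:,.1f} years, botnet {yrs / BOTNET_SPEEDUP * HOURS_PER_YEAR:,.1f} hours")
    print("length for 100 years, 10 years out:",
          min_length_after_growth(CHARSET_WITH_SYMBOLS, SECONDS_PER_GUESS, 100, 10))
```

Each added character from an 80-symbol set offsets about 6.3 doublings of attacker compute, which is why the article's conclusion turns on length rather than on ever more exotic symbols.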
On the other side, the advice to NOT use password managers and instead choose complex, multi-factor controls for the most sensitive information also makes sense.
Based on that argument, Santander is also making a valid point, perhaps even being a little ahead of the curve on consumer internet security.
Either way, the message is clear—the days of a ‘strong’ password being sufficient to protect your data are numbered.