Password Managers: Handing over the keys to the kingdom?

In Common ByRyan Farmer / 15th July 2014

Over the last several months, the password vault/manager has been on the rise; this statement is based on nothing other than the increased frequency with which they have appeared on my radar as I go about my daily business. That said it’s probably true, and some of my preferred security commentators and tech media purveyors seem to be quick to advocate their use. And why not? The technology makes sense, the average internet user has 26 accounts (according to Experian so seems legit) with login credentials (that they can remember), and of course we all know how dangerous it can be to reuse passwords. This is a simple solution to a common problem.

The problem though is this is an emerging market. Mistakes are and will continue to be made. Developing a full-featured secure product is often a learning curve in the domain of the start-up. Particularly when handling such sensitive information which has to be able to interact with a range of other UIs, bookmarklets, and applications.

Some of the big players have their own solutions, but it’s not the products from the usual security suspects you’re reading about whenever this topic comes up. This is ultimately an industry then that’s being shaped by early stage and niche players. Even if they intend to do security well, it doesn’t necessarily follow that controls will be properly implemented. This is something we have seen with mobile security, for every independent turned major player like Lookout, there’s a fake antivirus solution – like Virus Shield which reached #1 on the Play Store. So who do you trust?

Is the good practice of having more difficult-to-remember, yet harder-to-break password security, worth the risk of one potential point of entry? Yes it minimises the attack surface area, but that one point of compromise is potentially so devastating if undermined that users are presented with a trade-off. Indeed if you were to lose access to your password vault, how easy is it going to be to recall all memberships let alone the login credentials for each account. In the event of a breach, can the stable door be shut before the horse is sold for Bitcoin?

Just this week it has been reported that several key vendors in this space have security vulnerabilities in their products – granted it’s been acknowledged that these are easily patched, but immediately it draws our attention to an active risk landscape. What assurance is on offer when some of the vendors aren’t even encrypting or salting passwords before sending them to their servers?

Then there’s the comfort such solutions afford you, perhaps wrongfully. I’ve signed up, loaded in my best practice passwords, and so my web security is taken care of. The whole Heartbleed saga reminded us that passwords are flawed, is the password manager simply a quick-fix while we await the new authentication silver bullet?

I want to believe password managers work. I want to use one. It encourages good security practice, and makes life a lot easier. It’s a solution to a problem I have – I’ve not been able to save credentials in a browser since seeing Chrome store passwords in plain text. The other problem I have though is I can’t bring myself to hand over the keys to my digital kingdom, maybe I’ve become unhealthily sceptical, but when it comes to passwords I no longer trust.