Password managers: Are they safe? Which is the best?

When an online service suffers a data breach – as recently happened to eHarmony, LinkedIn and Yahoo – there’s a risk that an intruder will discover your password and gain access to your account. That danger is multiplied if the compromised password has been used across multiple sites.

Passwords present an online dilemma; seemingly every service you use online requires a password, and for those passwords to be secure, they have to be complex. However, unless you’re blessed with savant levels of memory, it’s impossible to remember half a dozen mixed-case, alphanumeric, special-character inclusive, lengthy random keys – so it’s no surprise that people resort to reusing passwords.

This is where password managers come in – they do the remembering for you. But how do you pick the right one? What questions should you be asking of such applications, and is such an approach actually secure?

How safe are password vaults?

It’s been argued that using a password manager is “putting all your security eggs in one basket” – and with good reason: if you keep all your login data in one place, then any hacker successful in compromising it has been handed the keys to your online kingdom. At first glance, this may seem like an instant deal breaker. From a risk perspective, it requires a breach of only one service to have a domino effect on every other service you use.

Yet the actual risk of compromise is far less than if you reuse one password across multiple sites. In this scenario, you’re relying on dozens of sites keeping your data safe. It takes only one of them to suffer a breach and all the others are compromised as a result. Regular readers of PC Pro will be only too aware of how many popular internet services have suffered breaches over the past couple of years, with password databases being high on the list.

Many password managers include an automatic strong password generator

Meanwhile, the major players in the password manager sector haven’t suffered any confirmed breaches – with one notable exception – and there has been no known theft of users’ encrypted vaults. Even that exception, when LastPass security was possibly breached at the start of 2011, seems not to have caused catastrophic damage. LastPass noticed a traffic anomaly, rather than any confirmed theft of data, and reacted immediately by requiring all users to change their master passwords before their stored information could be accessed; for extra security, the change had to come from a known IP address or be confirmed by email validation. Even if password hash files were downloaded (and it isn’t clear that this was the case), an attacker would still have had to brute-force each master password before decrypting anything, so users who had followed the recommended advice on master password strength and complexity remained protected.

Passwords in the cloud

If you’re a typical PC Pro reader then you probably use a number of different devices running various operating systems during the course of a day. If your password vault sits on your Windows laptop, but you have access to only an iOS device at the time, then you’re in trouble. A password manager that keeps your passwords “in the cloud” gives you the convenience of accessing your passwords from any device, anywhere, at any time – but it means the actual database file isn’t under your direct control. A local store on your laptop or a removable USB drive is also a far less attractive target for attackers than a centralised cloud store holding millions of vaults.

The risk of using a cloud service isn’t as great as it may seem. Services such as LastPass use SSL/TLS for data transfer, encrypt your data with 256-bit AES, and have a policy of never receiving private data that isn’t already locked down with your master password (which is never known to the company). Encryption and decryption happen locally on your PC, the key is derived from a locally computed, salted one-way hash of the master password, and that derivation runs through a large number of PBKDF2-SHA256 iterations, which makes every brute-force guess against a stolen hash far more expensive. Taken together, these measures reduce the number of attack vectors considerably.
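To make the model in the paragraph above concrete, here is an added example (written for this article, not LastPass’s or any other vendor’s code) of a client-side scheme: the master password is stretched locally with salted PBKDF2-SHA256, the resulting key would encrypt the vault on the device, and the server only ever stores a further one-way hash for login. The iteration count, the extra login-hash step, the function names and the brute-force cost model are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Assumed figures for this example; real products raise the iteration count
# over time as hardware gets faster.
ITERATIONS = 100_000
KEY_LEN = 32  # 256 bits, sized for AES-256


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = ITERATIONS) -> bytes:
    """Slow, salted key stretching. This key stays on the device and is never sent."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """One further one-way step over the vault key; this is the value the server
    stores. It cannot be reversed into the vault key, so a stolen server database
    still forces an attacker back to guessing the master password."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, dklen=KEY_LEN)


def enrol(master_password: str, iterations: int = ITERATIONS) -> dict:
    """What is kept per account: a random salt, the login hash and the cost factor.
    Note that the vault key itself is deliberately not part of the record."""
    salt = secrets.token_bytes(16)
    vault_key = derive_vault_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "auth_hash": derive_auth_hash(vault_key, master_password)}


def login(master_password: str, record: dict) -> bool:
    """Server-side check: recompute the login hash and compare in constant time."""
    vault_key = derive_vault_key(master_password, record["salt"], record["iterations"])
    presented = derive_auth_hash(vault_key, master_password)
    return hmac.compare_digest(presented, record["auth_hash"])


def offline_attack(record: dict, wordlist: List[str]) -> Optional[str]:
    """What an attacker holding a leaked record can do: pay the full PBKDF2 cost
    for every candidate. Returns the master password only if it is in the list."""
    for guess in wordlist:
        if login(guess, record):
            return guess
    return None


def guesses_per_second(iterations: int, sha256_per_second: float) -> float:
    """Rough cost model: each candidate costs `iterations` HMAC-SHA256 calls, so
    raising the iteration count divides the attacker's guess rate accordingly."""
    return sha256_per_second / iterations


if __name__ == "__main__":
    # Constructed sample: a weak master password versus the article's passphrase.
    leaked_weak = enrol("password1", iterations=2000)
    leaked_strong = enrol("?myKar13isaPokitRokit?", iterations=2000)
    wordlist = ["123456", "password", "password1", "letmein"]
    print("weak recovered:", offline_attack(leaked_weak, wordlist))
    print("strong recovered:", offline_attack(leaked_strong, wordlist))
    print("guesses/s at 1e9 SHA-256/s:", guesses_per_second(ITERATIONS, 1e9))
```

The point the run makes is the one the article relies on: a leaked server record gives the attacker nothing better than a slow, per-guess brute force, so a master password that is in any wordlist falls regardless of the iteration count, while a long passphrase holds because each guess costs the full derivation.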

The bigger question is what happens if a cloud service is unavailable – or, worse still, if the provider goes bust? Keeping an off-site backup of your password database, encrypted with an application such as TrueCrypt, answers the latter half of the question, but it won’t help you when you need access to a site or service and are stranded in the field without your password.

Local clients, with your encrypted database stored on the device from which you’re accessing them, aren’t reliant on third-party balance sheets or network connectivity. Even if the vendor goes out of business, you have the application installed and it still works. Such clients work on only the devices supported by the vendor, but 1Password supports Mac, Windows, iOS and Android platforms, while the open source KeePass has ports available for Linux, Windows Phone, BlackBerry and even PalmOS – in addition to the usual OS suspects.

So what happens if you lose the phone that stores your local client password manager, or your laptop dies? This isn’t a problem if you keep an encrypted backup somewhere else, or if you have the same database on multiple devices. By using 1Password, for example, you can sync your encrypted password database to Dropbox; from there, it will sync with any device running another instance of the local client. Since the password database itself is strongly encrypted before it arrives at Dropbox, even if Dropbox should itself suffer a breach, the risk of exposure is minimal, provided your master password is strong. These hybrid password solutions combine the best of both worlds: the security of local storage and the convenience of the cloud. They remove the single point of failure that a lone device or a lone provider would otherwise represent.

Master password security

Many password manager applications combine two features that make for strong protection – namely, the ability to generate random and complex password strings, and the ability to automatically log the user into the service or site using those passwords.

For your password manager to be secure, it's necessary that no one - not even the organisation that runs the service - can kn

Since you don’t have to remember each random string, each password can be as long and complex as you like, which adds to the security of your access. And if the login process is being handled by the application then you don’t even have to know what the password is in the first place.

The one password that needs to be long, strong and complex, but very much known to you, is the master password; it acts as the encryption key to lock away all the others. A password manager is only ever as secure as this master password, so it needs to be a good one. The idea of having to memorise a password that’s at least 12 characters long, which includes both cases, both numbers and letters, and special keyboard characters for good measure, sounds much worse than the reality. I use a master passphrase of more than 15 characters and change it every three months, yet have never once forgotten it.

The key, if you’ll excuse the pun, is to abandon the truly random approach here and go for something you’ll remember – but in a format that makes it difficult for a human to guess or a machine to brute-force. You can combine words, with mixed cases and special characters in-between, throw in a few numbers and still have something that’s memorable but extremely expensive to crack. For example, the easily recalled phrase “my car is a pocket rocket” could be turned into a strong passphrase with the use of some misspelling and capitalisation, the addition of the numerals from your number plate and a couple of question marks to make it “?myKar13isaPokitRokit?”. Bear in mind that it’s the length that does most of the work: cracking tools know the common substitutions, so a longer phrase beats a shorter one with cleverer spelling.

With a little obfuscation, it's not hard to come up with a password that's easy to remember but effectively impossible to bru

If the master password is your key to password file security, then encryption is the lock that protects that file. LastPass and 1Password, for example, encrypt your data locally on your device using the master password, so that any data stored online in the cloud is already encrypted before it arrives.

Security matters

It’s a given when choosing a secure password manager that it should use a high level of data encryption. In practical terms, this means a minimum of 256-bit Advanced Encryption Standard (AES) or equivalent algorithm. One common myth, which we touched on earlier, is that your passwords become vulnerable as soon as they’re stored in the cloud.

The truth is that as long as your password data files are encrypted and protected by a secure master password – one that isn’t written down or reused elsewhere – then your passwords are safe even when stored online. In order to compromise them, an attacker would first have to compromise the password service, then brute-force your master password to break the encryption protecting your password file. In practice it isn’t any more risky than if the password file were stored locally, as your laptop or USB drive could always be stolen; in both cases it’s the encryption, and the master password behind it, that matters.

For the truly paranoid it’s possible to strengthen your password vault further. Some password managers – RoboForm and LastPass Premium, for example – allow for the use of biometrics, by way of a fingerprint reader, to replace the master password for access. Both LastPass Premium and KeePass support the use of YubiKey hardware two-factor authentication tokens. These can be purchased cheaply online, and generate a one-time login code when the button on the USB stick is pressed, typing it in by simulating a USB keyboard. The code carries a 128-bit encrypted payload (which means the number of possible values is roughly three followed by 38 zeroes), is different every time the device is used, and is rejected by the server if it has been seen before, so a captured code can’t be replayed. Adding a requirement for something you physically have (the YubiKey token) to something you know (your master password) considerably strengthens the access security to your password vault.

The KeePass password manager is fully open-source, so you don't need to pay for your password protection

Password managers aren’t a magic bullet against those who would steal your data, and shouldn’t be regarded as a replacement for other essentials, such as security software and large doses of common sense. The autofill function of a password manager can make it harder for malware to capture live login data (a keylogger will fail since no keystrokes are being made), but it doesn’t make it impossible; form-grabbing malware on the machine can still read the filled-in credentials, and a man-in-the-browser or man-in-the-middle attack could still hijack your session once you’ve logged in.

All the same, software that makes it practical to use regularly changed, truly random and complex passwords is a powerful security tool – and one that’s increasingly becoming essential.

Password manager tips

1. Password manager software keeps “all your eggs in one basket”, so ensure that your chosen application allows you to make backups of your password database – in a secure fashion, with the backup data remaining encrypted.

2. It may seem desirable to be able to recover your master password from the application vendor, should you forget it, but making this possible would introduce a number of weaknesses into the security equation. First, how could you satisfactorily prove that you were the person asking for the data recovery and not just someone with access to your device? Second, if the vendor knows your master password then a rogue employee could use it to access your password vault. And if the vendor can decrypt and access your database, hackers could do the same. Removing this possibility keeps you much safer from intruders, and also prevents law-enforcement from successfully demanding the keys.

3. Essentially, password managers are just big notebooks (albeit super-secure ones), so it’s essential to think about the risk of others taking a sneaky peek at them. Always delve into the configuration options and reduce the shutdown time-out to as short a period as possible. Defaults can vary from minutes to a couple of hours, leaving way too much opportunity for a screen to be readable while you’re away from your device. This becomes particularly relevant with mobile devices such as smartphones or tablets. Always opt for the minimum time-out and, if possible, set your software to automatically lock the vault when switching between applications or going into any kind of sleep mode.

4. Some password managers will make it easy to migrate from a competitor: for example, LastPass has import routines for many file formats covering the big players in the field, and RoboForm will happily import from LastPass. However, some of these processes rely on the use of easily readable CSV files, which introduces an obvious element of risk, since every password sits in that file in plain text. Whichever export process you use, make sure you delete these files with a secure file-deletion tool as soon as they’ve been imported, and bear in mind that on an SSD overwriting tools can’t guarantee the old data is gone, so export to an encrypted volume where you can.

Password managers: the big four

LastPass uses an access-anywhere, server-based storage model. The free version provides basic functionality, including one-click login, automatic form-filling, cross-browser synchronisation and secure password generation. For $12 per year (£6.50) the Premium edition of LastPass adds support for mobile platforms – plus two-factor authentication for YubiKeys and USB drives. LastPass suffered from some negative media coverage over a potential security breach early in 2011, but its response was pretty positive, and new security features now provide even better protection.

RoboForm is one of the most flexible vault services around. It’s available in a limited functionality, free version, providing an encrypted password store for ten logins and an auto-fill function. You’ll need the Desktop 7 version (costing £19.95) for unlimited logins and multiple profiles on a single PC. The real flexibility comes from adding RoboForm Everywhere for Windows, Mac and mobile into the mix. This offers cloud-based synchronisation across mobile devices, but at a further cost.

The open-source KeePass project offers advanced tweaking options that make it suited to enterprise use. But it’s also straightforward for consumers – and it’s free. Primarily a local client, KeePass supports the use of YubiKeys for two-factor authentication, and a staggering number of platforms, including Linux. Since it’s open-source, there are also myriad third-party plugins available to add features.

1Password started life within the Mac marketplace, but has extended to embrace iOS, Android and Windows. Beyond a 30-day trial, you have to pay for 1Password, but decent import options, a secure password generator and the ability to store more than login data (such as software licence keys, notes and credit card details) are coupled with strong encryption and an intuitive interface.
