There are a lot of password managers out there. In this article, you can find out why you should use them, how to use them, and what they provide you with.
Secure your online presence | Password managers
The dependency on online services is increasing day by day. Thus, a large amount of confidential data, such as credit card numbers, bank account details, and account passwords, is stored on servers, always at risk of being stolen in a data breach. Internet use and online business are becoming unavoidable in today’s world, and because of that, online security is in high demand. People tend to choose passwords that are easy to remember, and this is what hackers take advantage of.

Passwords containing names, phone numbers, etc., are often easily guessable or can be cracked with a word list. A secure password must contain arbitrary numbers, characters, and special characters and be at least eight characters long. Brute-forcing such passwords is impractical when they are long enough and contain arbitrary characters and numbers. Given the consequences of a compromised account, choosing a secure, non-guessable password should be the highest priority when creating an online account. Using arbitrary passwords is the safest way to secure an online account.
Password managers are not a new concept. They have been in existence for more than a decade now. Password managers usually come as a bundle with three key features:
- Random and secure password generator (which generates secure random strings to be used as passwords)
- Encrypted storage vault to store all the passwords
- Two-factor authentication code generator
Some password managers implement a local database to store all the passwords, while some use remote encrypted online stores. Many password managers and digital vaults offer these features. Some also provide users with dark web protection, a secured cloud vault, and encrypted chat services for business and personal use. These password managers are accessible through web applications or mobile applications. Apart from these, hardware devices can also be used as password managers.
Master password usage
Password managers that encrypt all your account passwords under a single master password require a central authority that stores the encrypted data on a server. Retrieving these passwords from the server requires an active Internet connection. To tackle this, password managers tend to store the encrypted vault on the user’s device. If the device is stolen or lost, or if the master password is not strong enough, all the data may be compromised.
Storing private data on central servers may often produce a feeling of mistrust since there is always a chance of data getting breached. Even though hardware password managers are secure, they involve carrying the device everywhere. If the device is lost, all the password data is lost, as no online backups are kept. Some password managers are local-storage-based but use a web interface to interact with the user. A small flaw in the algorithm design may break the complete system. Also, one has to ensure that the data from the server is synced with multiple instances of the app on various platforms like mobile, computers, smartwatches, and so on. If they are not in sync, a password newly added to the vault may not be accessible from a different or new device. A personal device on which the password manager app is stored is always needed to access the passwords.

Enablement through algorithms
The master password generator algorithm is an algorithm that doesn’t store passwords anywhere. The setup starts with the user selecting a master password. Then, the user enters the website for which he/she wants a password. Afterward, the user selects the type of password – a numeric, alphanumeric, character-only, or passphrase. The algorithm generates a new, secure, and unique password for the website. The user then sets this generated password as the site’s password. This algorithm ensures that every time you enter the master password and the website name correctly, it will produce the same password as generated initially.

Thus, passwords are created on the fly. The only inconvenience involved in this method is changing the existing insecure website passwords to these newly generated passwords, which is to be done just once. After the initial setup phase, the algorithm will always create the desired password, provided that the master password, website name, and password type are the same. This algorithm does not restrict itself to generating arbitrary passwords. It can also create PINs or even passphrases.
A passphrase is a set of unpredictable but meaningful words used together as passwords. They are easy to remember due to the usage of common words, and the master password uniquely produces them. The major advantage of this password manager is that there is no way of breaching any data. Also, there is no way for the attacker to know whether his/her guess of the master password is correct since the master password algorithm will always have a unique set of passwords associated with the master password. The algorithm can be implemented as a web, mobile, or standalone desktop application, with the same algorithm implemented on all platforms.
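A minimal sketch of the stateless scheme described above, added here as an illustration and not the code of any particular product. PBKDF2 and HMAC-SHA256 are assumed building blocks, and `generate`, `ITERATIONS`, the salt label and the 16-word list are hypothetical names and constructed values.

```python
import hashlib
import hmac
import string

ITERATIONS = 200_000  # assumed PBKDF2 work factor; raise it as hardware allows
# Constructed 16-word list for the demo; a usable list needs thousands of words.
WORDS = ["amber", "brisk", "cedar", "delta", "ember", "fjord", "grove", "harbor",
         "ivory", "jolly", "kite", "lunar", "maple", "north", "olive", "pearl"]
ALPHABETS = {
    "numeric": string.digits,
    "alphanumeric": string.ascii_letters + string.digits,
    "characters": string.ascii_letters,
}

def _byte_stream(key, label):
    """Endless deterministic bytes: HMAC-SHA256(key, label || counter)."""
    counter = 0
    while True:
        msg = label + counter.to_bytes(4, "big")
        yield from hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1

def _pick(stream, n):
    """Uniform index in range(n); rejection sampling avoids modulo bias."""
    limit = 256 - (256 % n)
    for byte in stream:
        if byte < limit:
            return byte % n

def generate(master, site, kind="alphanumeric", length=16):
    """Recompute the password for (master, site, kind, length); nothing is stored."""
    if kind != "passphrase" and kind not in ALPHABETS:
        raise ValueError(f"unknown password type: {kind}")
    # Normalising the site name is a design choice of this sketch.
    salt = b"site-password-demo:" + site.strip().lower().encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS)
    stream = _byte_stream(key, kind.encode())
    symbols = WORDS if kind == "passphrase" else ALPHABETS[kind]
    picks = [symbols[_pick(stream, len(symbols))] for _ in range(length)]
    return ("-" if kind == "passphrase" else "").join(picks)

if __name__ == "__main__":
    master = "constructed demo master password"
    for kind, length in [("alphanumeric", 16), ("numeric", 6), ("passphrase", 4)]:
        print(kind, generate(master, "example.com", kind, length))
```

Because nothing is stored, anyone who obtains one generated password together with its site name can test master password guesses against it offline, so the key-stretching cost and the strength of the master password carry the whole design. Changing a single site's password also requires an extra input such as a counter, which this sketch leaves out.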
The algorithm can be deployed as a complete cross-platform password manager application. An extension to this can be creating a browser plugin/extension that can be used to auto-fill passwords on websites. The password generation algorithm is not restricted to a particular programming language. The accessibility of the password manager is crucial, and hence, it should be implementable on various platforms, including websites, phone applications, and desktop applications. Creating a stand-alone hardware device with a biometric sensor, USB HID (human interface device) capability and buttons for site selection may also be possible.
Such a device could be attached to any device that accepts USB keyboards, and the generated passwords can then be entered without a driver. However, such hardware requires algorithms that can produce a hash from fingerprint minutiae, and these must be studied and carefully applied. Such a hardware device would be cost-effective to construct and would work for any person (no storage and no vendor lock-in) and on any device that accepts USB HID keyboard input. If device manufacturers deem fit, all upcoming devices can implement this functionality by default, virtually eliminating the need to remember passwords or use weak ones.
Source: Alison Grace Johansen (NortonLifeLock) / Merriam-Webster
