HOME

TheInfoList



OR:

A password manager is a computer program that allows users to store and manage their passwords for local applications and online services. In many cases software used to manage passwords allow also generate strong passwords and fill forms. Password manager can be delivered as a one of or mixed of:
computer application A computer is a machine that can be programmed to carry out sequences of arithmetic or logical operations (computation) automatically. Modern digital electronic computers can perform generic sets of operations known as programs. These progra ...
,
mobile application A mobile application or app is a computer program or software application designed to run on a mobile device such as a phone, tablet, or watch. Mobile applications often stand in contrast to desktop applications which are designed to run on de ...
, web browser extension, web based service,
portable software A portable application (portable app), sometimes also called standalone, is a program designed to read and write its configuration settings into an accessible folder in the computer, usually in the folder where the portable application can be f ...
for USB units. A password manager assists in generating and retrieving complex passwords, storing such passwords in an
encrypted In cryptography, encryption is the process of encoding information. This process converts the original representation of the information, known as plaintext, into an alternative form known as ciphertext. Ideally, only authorized parties can decip ...
database In computing, a database is an organized collection of data stored and accessed electronically. Small databases can be stored on a file system, while large databases are hosted on computer clusters or cloud storage. The design of databases sp ...
, or calculating them on demand. Depending on the type of password manager used and on the functionality offered by its developers, the encrypted database is either stored locally on the user's device or stored remotely through an online
cloud storage Cloud storage is a model of computer data storage in which the digital data is stored in logical pools, said to be on "the cloud". The physical storage spans multiple servers (sometimes in multiple locations), and the physical environment is t ...
. Password managers typically require a user to generate and remember one "master" password to unlock and access information stored in their databases. Modern password managers increase security using 2F authentication and extend usability using embed in device biometrics like faceID or touchID. Many password manager applications offer additional capabilities that enhance both convenience and security such as storage of credit card and frequent flyer information and autofill functionality.


Locally installed software

Password managers commonly reside on the user's
personal computer A personal computer (PC) is a multi-purpose microcomputer whose size, capabilities, and price make it feasible for individual use. Personal computers are intended to be operated directly by an end user, rather than by a computer expert or tec ...
or
mobile device A mobile device (or handheld computer) is a computer small enough to hold and operate in the hand. Mobile devices typically have a flat LCD or OLED screen, a touchscreen interface, and digital or physical buttons. They may also have a physical ...
, in the form of a locally installed
software application Software is a set of computer programs and associated documentation and data. This is in contrast to hardware, from which the system is built and which actually performs the work. At the lowest programming level, executable code consists ...
. These applications can be offline, wherein the password database is stored independently and locally on the same device as the password manager software. Alternatively, password managers may offer or require a cloud-based approach, wherein the password database is dependent on an online file hosting service and stored remotely, but handled by password management software installed on the user's device. Some offline password managers do not require Internet permission, so there is no leakage of data due to the network. To some extent, a fully offline password manager is more secure, but may be much weaker in convenience and functionality than an online one.


Web-based services

An online password manager is a website that securely stores login details. They are a web-based version of more conventional desktop-based password manager. The advantages of online password managers over desktop-based versions are portability (they can generally be used on any computer with a
web browser A web browser is application software for accessing websites. When a user requests a web page from a particular website, the browser retrieves its files from a web server and then displays the page on the user's screen. Browsers are used on ...
and a network connection, without having to install software), and a reduced risk of losing passwords through theft from or damage to a single PC – although the same risk is present for the server that is used to store the users passwords on. In both cases this risk can be prevented by ensuring secure
backup In information technology, a backup, or data backup is a copy of computer data taken and stored elsewhere so that it may be used to restore the original after a data loss event. The verb form, referring to the process of doing so, is "back up", w ...
s are taken. The major disadvantages of online password managers are the requirements that the user trusts the hosting site and that there is no keylogger on the computer they are using. With servers and the cloud being a focus of cyber attacks, how one authenticates into the online service and whether the passwords stored there are encrypted with a user defined key are just as important. Another important factor is whether one- or two-way encryption is used. Some online password management systems, such as Bitwarden, are
open source Open source is source code that is made freely available for possible modification and redistribution. Products include permission to use the source code, design documents, or content of the product. The open-source model is a decentralized sof ...
, where the source code can be independently audited, or hosted on a user's own machine, rather than relying on the service's cloud. The use of a web-based password manager is an alternative to
single sign-on Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-enterin ...
techniques, such as
OpenID OpenID is an open standard and decentralized authentication protocol promoted by the non-profit OpenID Foundation. It allows users to be authenticated by co-operating sites (known as relying parties, or RP) using a third-party identity provider ...
or Microsoft's
Microsoft account A Microsoft account or MSA (previously known as Microsoft Passport, .NET Passport, and Windows Live ID) is a single sign-on Microsoft user account for Microsoft customers to log in to Microsoft services (like Outlook.com), devices running on on ...
(previously Microsoft Wallet, Microsoft Passport, .NET Passport, Microsoft Passport Network, and Windows Live ID) scheme, or may serve as a stop-gap measure pending adoption of a better method.


Token-based hardware devices

Token-based password managers need to have a security token mechanism, wherein a locally-accessible hardware device, such as smart cards or secure USB flash devices, is used to authenticate a user in lieu of or in addition to a traditional text-based password or other
two-factor authentication Multi-factor authentication (MFA; encompassing two-factor authentication, or 2FA, along with similar terms) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting ...
system. The data stored in the token is usually encrypted to prevent probing and unauthorized reading of the data. Some token systems still require software loaded on the PC along with hardware (smart card reader) and drivers to properly read and decode the data. * Credentials are protected using a
security token A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to or in place of a password. It acts like an electronic key to access something. Examples of security tokens incl ...
, thus typically offering
multi-factor authentication Multi-factor authentication (MFA; encompassing two-factor authentication, or 2FA, along with similar terms) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting ...
by combining ** ''something the user has'' such as a mobile application that generates rolling a Token similar to virtual smart card,
smart card A smart card, chip card, or integrated circuit card (ICC or IC card) is a physical electronic authentication device, used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit (IC) c ...
and
USB stick A USB flash drive (also called a thumb drive) is a data storage device that includes flash memory with an integrated USB interface. It is typically removable, rewritable and much smaller than an optical disc. Most weigh less than . Since first ...
, ** ''something the user knows'' (PIN or password), and/or ** ''something the user is'' like
biometrics Biometrics are body measurements and calculations related to human characteristics. Biometric authentication (or realistic authentication) is used in computer science as a form of identification and access control. It is also used to identify in ...
such as a fingerprint, hand, retina, or face scanner. There are a few companies that make specific third-party authentication devices, with one of the most popular being
YubiKey The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports one-time passwords (OTP), public-key cryptography, and authentication, and the Universal 2nd Fact ...
. But only a few third-party password managers can integrate with these hardware devices. While this may seem like a problem, most password managers have other acceptable two-step verification options, integrating with apps like
Google Authenticator Google Authenticator is a software-based authenticator by Google that implements two-step verification services using the Time-based One-time Password Algorithm (TOTP; specified in RFC 6238) and HMAC-based One-time Password algorithm (HOTP; spec ...
and in-built TOTP generators. While third-party token devices are useful in heightening security, they are only considered extra measures for security and convenience, and they are not considered to be essential nor are they critical to the proper functioning of a password manager.


Advantages

The advantage of password-based access controls is that they are easily incorporated in most software using APIs available in many software products, they require no extensive computer/server modifications, and that users are already familiar with the use of passwords. While passwords can be fairly secure, the weakness is how users choose and manage them, by using: * simple passwords – short in length, that use words found in dictionaries, or do not mix in different character types (numbers, punctuation, upper/lower case), or are otherwise easily guessable * passwords others can find – on sticky notes on monitors, in a notepad by the computer, in a document on the computer, whiteboard reminders, smart device storage in clear text, etc. * the same password – using the same password for multiple sites, never changing account passwords, etc. * shared passwords – users telling others passwords, sending unencrypted emails with password information, contractors using same password for all their accounts, etc. * administrative account logins where limited logins would suffice, or * administrators who allow users with the same role to use the same password. It is typical to make at least one of these mistakes. This makes it very easy for
hacker A hacker is a person skilled in information technology who uses their technical knowledge to achieve a goal or overcome an obstacle, within a computerized system by non-standard means. Though the term ''hacker'' has become associated in popu ...
s, crackers,
malware Malware (a portmanteau for ''malicious software'') is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, depri ...
and cyber thieves to break into individual accounts, corporations of all sizes, government agencies, institutions, etc. It is protecting against these vulnerabilities that makes password managers so important. Password managers can also be used as a defense against
phishing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwar ...
and
pharming Pharming is a cyberattack intended to redirect a website's traffic to another, fake site by installing a malicious program on the computer. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a ...
. Unlike human beings, a password manager program can also incorporate an automated login script that first compares the current site's URL to the stored site's URL. If the two do not match then the password manager does not automatically fill in the login fields. This is intended as a safeguard against visual imitations and look-alike websites. With this built-in advantage, the use of a password manager is beneficial even if the user only has a few passwords to remember. While not all password managers can automatically handle the more complex login procedures imposed by many banking websites, many of the newer password managers handle complex passwords, multi-page fill-ins, and multi-factor authentication prior. By that same logic, password managers can also protect against
keystroke logging Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored ...
malware (keyloggers). When using a multi-factor authentication password manager that automatically fills in logon fields, the user does not have to type any user names or passwords for the keylogger to pick up. While a keylogger may pick up the PIN to authenticate into the smart card token, for example, without the smart card itself (something the user has) the PIN does the attacker no good. However, password managers cannot protect against
man-in-the-browser Man-in-the-browser (MITB, MitB, MIB, MiB), a form of Internet threat related to man-in-the-middle (MITM), is a proxy Trojan horse that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify tra ...
attacks, where malware on the user's device performs operations (e.g. on a banking website) while the user is logged in while hiding the malicious activity from the user.


Issues


Vulnerabilities

If the passwords are stored in an unencrypted fashion, it is still generally possible to obtain the passwords given local access to the machine. Some password managers use a user-selected master password or
passphrase A passphrase is a sequence of words or other text used to control access to a computer system, program or data. It is similar to a password in usage, but a passphrase is generally longer for added security. Passphrases are often used to control ...
to form the
key Key or The Key may refer to: Common meanings * Key (cryptography), a piece of information that controls the operation of a cryptography algorithm * Key (lock), device used to control access to places or facilities restricted by a lock * Key (map ...
used to encrypt the protected passwords. The security of this approach depends on the strength of the chosen password (which might be guessed or brute-forced), and also that the passphrase itself is never stored locally where a malicious program or individual could read it. A compromised master password renders all of the protected passwords vulnerable. As with any system which involves the user entering a password, the master password may also be attacked and discovered using key logging or
acoustic cryptanalysis Acoustic cryptanalysis is a type of side channel attack that exploits sounds emitted by computers or other devices. Most of the modern acoustic cryptanalysis focuses on the sounds produced by computer keyboards and internal computer components, bu ...
. Some password managers attempt to use
virtual keyboard A virtual keyboard is a software component that allows the Input device, input of characters without the need for physical keys. The interaction with the virtual Computer keyboard, keyboard happens mostly via a touchscreen interface, but can also ...
s to reduce this risk – though this is still vulnerable to key loggers that take screenshots as data is entered. This risk can be mitigated with the use of a multi-factor verification device. Some password managers include a
password generator A random password generator is software program or hardware device that takes input from a random or pseudo-random number generator and automatically generates a password. Random passwords can be generated manually, using simple sources of random ...
. Generated passwords may be guessable if the password manager uses a weak
random number generator Random number generation is a process by which, often by means of a random number generator (RNG), a sequence of numbers or symbols that cannot be reasonably predicted better than by random chance is generated. This means that the particular out ...
instead of a cryptographically secure one. A strong password manager will include a limited number of false authentication entries allowed before the password manager is locked down and requires IT services to re-activate. This is the best way to protect against the brute-force attack. Password managers that do not prevent swapping their memory to hard drive make it possible to extract unencrypted passwords from the computer’s hard drive. Turning off swap can prevent this risk. Web-based password managers, which run inside the browser of the user, are particularly fraught with pitfalls. A detailed study using several password managers uncovered the following possible flaws inside web-based password managers: * Authorization flaws: Another possible problem is mistaking
authentication Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicati ...
with
authorization Authorization or authorisation (see spelling differences) is the function of specifying access rights/privileges to resources, which is related to general information security and computer security, and to access control in particular. More for ...
. The researcherWho? Ref neededfound that several web-based password managers had, at one point in time, such flaws. These issues were in particular present in password managers which allowed users to share credentials with other users. * Bookmarklet flaws: Web-based password managers commonly rely on
Bookmarklet A bookmarklet is a bookmark stored in a web browser that contains JavaScript commands that add new features to the browser. They are stored as the URL of a bookmark in a web browser or as a hyperlink on a web page. Bookmarklets are usually small ...
s for signing in users. However, if improperly implemented, a malicious website can abuse this to steal a user's password. The main cause of such vulnerabilities is that the
JavaScript JavaScript (), often abbreviated as JS, is a programming language that is one of the core technologies of the World Wide Web, alongside HTML and CSS. As of 2022, 98% of Website, websites use JavaScript on the Client (computing), client side ...
environment of a malicious website cannot be trusted. * User Interface flaws: Some password managers will ask the user to log in through an iframe. This can present a security risk because it trains the user to fill in their password while the URL displayed by the browser is not the one of the password manager. A phisher can abuse this by creating a fake iframe and capturing the user's credentials. A more secure approach may be to open a new tab where users can login to the password manager. * Web flaws: Classic web vulnerabilities can also be present in web-based password managers. In particular, XSS and
CSRF Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF (sometimes pronounced ''sea-surf'') or XSRF, is a type of malicious exploit of a website or web application where unauthorized commands are submitt ...
vulnerabilities may be exploited by hackers to obtain a user's password. Furthermore, password managers have the disadvantage that any potential hacker or malware just need to know one password to gain access to all of a user's passwords and that such managers have standardized locations and ways of storing passwords which can be exploited by malware.


Blocking of password managers

Various high-profile websites have attempted to block password managers, often backing down when publicly challenged. Reasons cited have included protecting against automated attacks, protecting against
phishing Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious softwar ...
, blocking
malware Malware (a portmanteau for ''malicious software'') is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, depri ...
, or simply denying compatibility. The
Trusteer Trusteer is a Boston-based computer security division of IBM, responsible for a suite of security software. Founded by Mickey Boodaei and Rakesh K. Loonkar, in Israel in 2006, Trusteer was acquired in September 2013 by IBM for $1 billion. Trust ...
client security software from IBM features explicit options to block password managers. Such blocking has been criticized by
information security Information security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management. It typically involves preventing or reducing the probability of unauthorize ...
professionals as making users less secure. The typical blocking implementation involves setting autocomplete='off' on the relevant password
web form A webform, web form or HTML form on a web page allows a user to enter data that is sent to a server for processing. Forms can resemble paper or database forms because web users fill out the forms using checkboxes, radio buttons, or text fields. ...
. Consequently, this option is now ignored from
Internet Explorer 11 Internet Explorer 11 (IE11) is the eleventh, final, and now deprecated version of the Internet Explorer web browser. It was initially included in the release of Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2 on October 17, 2013, and was ...
on

sites,
Firefox Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements current and ...
38, Chrome 34, and in
Safari A safari (; ) is an overland journey to observe wild animals, especially in eastern or southern Africa. The so-called "Big Five" game animals of Africa – lion, leopard, rhinoceros, elephant, and Cape buffalo – particularly form an importa ...
from about 7.0.2. A 2014 paper from researcher at the
Carnegie Mellon University Carnegie Mellon University (CMU) is a private research university in Pittsburgh, Pennsylvania. One of its predecessors was established in 1900 by Andrew Carnegie as the Carnegie Technical Schools; it became the Carnegie Institute of Technology ...
found that whilst browsers refuse to autofill if the protocol on the current login page is different from the protocol at the time the password was saved, some password managers would insecurely fill in passwords for the http version of https-saved passwords. Most managers did not protect against iframe and redirection based attacks and exposed additional passwords where
password synchronization Password synchronization is a process, usually supported by software such as password managers, through which a user maintains a single password across multiple IT systems. Provided that all the systems enforce mutually-compatible password standa ...
had been used between multiple devices.


See also

*
List of password managers The list below includes the names of notable password managers with dedicated Wikipedia articles. Summary information Features See also * Password manager * Password fatigue Password fatigue is the feeling experienced by many people who ...
*
Password fatigue Password fatigue is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to log in to a computer at work, undo a bicycle lock or conduct banking from an automat ...
*
Password management There are several forms of software used to help users or organizations better manage passwords: * Intended for use by a single user: ** Password manager software is used by individuals to organize and encrypt many personal passwords using a singl ...
*
Security token A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to or in place of a password. It acts like an electronic key to access something. Examples of security tokens incl ...
*
Smart card A smart card, chip card, or integrated circuit card (ICC or IC card) is a physical electronic authentication device, used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit (IC) c ...
*
Cryptography Cryptography, or cryptology (from grc, , translit=kryptós "hidden, secret"; and ''graphein'', "to write", or ''-logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adver ...


References


External links

* {{Password managers Password authentication Identity management