In November of last year, Loricca posted an article titled Lock the Doors: 3 Keys to Superior Password Management, which discussed the specific anatomy of a secure password. Creating a strong and secure password is critical to maintaining both the confidentiality and the integrity of your data. Unfortunately, creating and maintaining multiple lengthy, complex passwords can be a daunting task, especially when you are trying to memorize so many of them. You need to protect your password information and still have it readily available when you need it. Keeping this sensitive information written down on a list or in a single spreadsheet may help you keep track of multiple passwords, but it poses a serious security risk: it would not be difficult for prying eyes to obtain that list and use it to access your accounts. All of your hard work in creating strong and secure passwords can be completely negated by the way you manage them. As a follow-up to Loricca’s article on creating an effective password, we now offer information on managing and storing this critical information.
With today’s technology, cloud computing and mobile devices, there are multiple options available to assist with password management. While each of the options listed below offers convenience, each also carries risk. Let’s take a look at some of the password management alternatives available today.
Cloud or Web Based
A huge benefit of a web-based service is the ability to access your information from any location or device. There are several web-based options on the market today for password management; one of the most popular is LastPass. While the encrypted database of passwords and sensitive information is stored on LastPass cloud servers, all encryption and decryption happens locally on your machine and only you have the key. As with any data stored in the cloud, there is an increased risk of exposure. In 2011 LastPass suffered what they called a “traffic anomaly.” Unable to determine what was actually compromised, LastPass immediately required users to change their master password. Those attempting to log in from an IP address not recognized by their LastPass account were subject to further security requirements. LastPass responded quickly to the breach and assured customers they were protected as long as they were using a strong and secure master password. Subsequently, there were no reports of any password information exposed from this breach, but the risk is always a factor with web-based services.
Additionally, LastPass offers the option to add further authentication measures, such as a biometric fingerprint scanner or the YubiKey (a small USB device that emits a one-time password on demand), to access your encrypted database, so that the master password alone is no longer enough.
The two main deterrents to using a web-based service are the greater risk of exposure in the cloud and the possibility of the service being temporarily inaccessible or even going out of business. To mitigate these risks, if you do choose a web-based password management option, Loricca suggests using an additional authentication measure as well as backing up your database and encrypting the backup locally with strong encryption such as TrueCrypt.
Most people working in technology today use some sort of portable device, such as a smartphone or a tablet. There are some very compelling reasons why managing your password information on your mobile device can be extremely convenient, but it can also be extremely detrimental to your data security.
On one hand, the mobility of your smartphone is beyond compare. The ability to reach into your pocket and immediately have access to all of your important data is something most of us have grown accustomed to. Unfortunately, without the proper precautions, this can be almost as risky as carrying your information around on a piece of paper in your pocket.
RoboForm Everywhere and LastPass offer cross-platform and mobile options that work just like their cloud-based desktop services, so the same risks apply, with the added risk of your mobile device being stolen or misplaced. There is a small silver lining if your device is stolen with your passwords stored on it: aside from the encryption offered by the management software, most mobile devices now offer the option to wipe all personal information remotely.
Security Tip: When you upgrade to a different mobile device or are no longer using one, do not forget to wipe all data and restore it to factory defaults.
Loricca offers Tips on Managing, Controlling and Securing Mobile Devices.
The auto-save feature is a method by which you, the user, can choose to save your passwords in your browser once you log into a particular site. The first time you log in to any website, your browser asks whether you would like to save your login information, prompting you to click yes or no. While this seems like a very convenient option, it is also about as secure as leaving your password scribbled on a sticky note attached to your monitor. In Google Chrome, you can simply view your saved passwords in plain text within the browser’s settings. Firefox allows the same, unless you have set up a master password to encrypt your saved passwords; however, this feature is not turned on by default. Internet Explorer and Safari prompt you to authenticate with your system password before allowing access to the saved password information. Those browsers that do use encryption to store your data (by means of a master password or system authentication) offer a false sense of security, as all of these basic encryption technologies have already been breached through software (malware) designed by nefarious hackers and can be decrypted in a matter of moments.
Password management options such as Kaspersky Password Manager, RoboForm Desktop and KeePass Password Safe are all commonly used local storage options. KeePass is an open source project that has the benefit of being completely portable: it can run from a USB device without being installed. Unfortunately, that portability also increases the risk of the information being lost or stolen. However, KeePass does support AES encryption as well as the ability to create a key file to be used in combination with the master password, adding a second authentication factor that is required to access the encrypted database.
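As an added illustration (not LastPass’s or KeePass’s own code), the following Go program shows the two ideas discussed above in working form: the vault is encrypted on the local machine, so only ciphertext ever reaches cloud storage or a backup, and the encryption key is derived from the master password combined with an optional key file, so the password alone cannot open it. The key derivation scheme, the function names and the sample values are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// compositeKey: AES-256 key from master password + optional key file (hypothetical, not KeePass's KDF).
func compositeKey(master, keyFile []byte) []byte {
	h := sha256.New()
	h.Write(master)
	h.Write(append([]byte{0}, keyFile...)) // separator, then key file bytes (empty if none)
	key := h.Sum(nil)
	for i := 0; i < 100000; i++ { // iterate so each offline guess costs many more hashes
		k := sha256.Sum256(key)
		key = k[:]
	}
	return key
}

func vaultAEAD(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // cannot fail: compositeKey always yields 32 bytes
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block size
	return gcm
}

func sealVault(key, plaintext []byte) ([]byte, error) { // encrypts locally; only the blob leaves the machine
	gcm := vaultAEAD(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

func openVault(key, blob []byte) ([]byte, error) { // fails closed: wrong key or tampering breaks the tag check
	gcm := vaultAEAD(key)
	if len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("vault blob too short: %d bytes", len(blob))
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func main() { // constructed sample values; the key file acts as a second factor
	master, keyFile := []byte("correct horse battery staple"), []byte("constructed key file")
	blob, _ := sealVault(compositeKey(master, keyFile), []byte("example.com: alice / s3cret"))
	fmt.Println(openVault(compositeKey(master, nil), blob)) // right password, no key file: nil plus an auth error
}
```

Opening with the right password but without the key file fails the GCM authentication check rather than returning garbage, which is exactly the property the second factor provides.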
RoboForm Desktop is very similar to its cloud-based alternative in features, with the exception of storing the encrypted database on the web; RoboForm Desktop, as the name suggests, stores all information on your local hard drive. RoboForm Desktop does have fingerprint authentication available; however, the USB portable edition is a separate purchase. RoboForm also offers an ‘Everywhere’ version that is similar to LastPass. LastPass is currently offered for Windows, Mac OS, Linux, BlackBerry, iOS, Android and Microsoft Surface, while RoboForm is currently available for Windows, Mac OS, Android and iOS.
RoboForm also offers an enterprise edition that is a client-based alternative to Single Sign On (SSO). In this case, the AES-encrypted passwords are stored on each user’s hard drive. RoboForm Enterprise also offers keylogging mitigation, as users log in using a virtual keyboard, and has the potential to reduce helpdesk calls because password management is handled on each computer rather than on a central SSO server.
Choosing a strong and effective password management system is a decision that needs to be made with close attention to the pros and cons of each option in relation to your needs.
To ensure your password strength and management practices are in line with corporate policy, procedure and compliance contact us for more information.