Security of Password Managers
At USENIX Security this year, there were two papers studying the security of password managers:
- David Silver, Suman Jana, and Dan Boneh, “Password Managers: Attacks and Defenses.”
- Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song, “The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers.”
It’s interesting work, especially because it looks at security problems in something that is supposed to improve security.
I’ve long recommended a password manager to solve the very real problem that any password that can be easily remembered is vulnerable to a dictionary attack. The world got a visceral reminder of this earlier this week, when hackers posted iCloud photos from celebrity accounts. The attack didn’t exploit a flaw in iCloud; the attack exploited weak passwords.
Security is often a trade-off with convenience, and most password managers automatically fill in passwords on browser pages. This turns out to be a difficult thing to do securely, and opens up password managers to attack.
My own password manager, Password Safe, wasn’t mentioned in either of these papers. I specifically designed it not to automatically fill. I specifically designed it to be a standalone application. The fast way to transfer a password from Password Safe to a browser page is by using the operating system’s cut and paste commands.
I still recommend using a password manager, simply because it allows you to choose longer and stronger passwords. And for the few passwords you should remember, my scheme for generating them is here.
EDITED TO ADD (9/12): The second paper was updated to include PasswordSafe. And this 2012 paper on password managers does include PasswordSafe.
Robert Oe • September 5, 2014 5:39 AM
One advantage with password manager that automatically fills in username/passwords is that it makes phishing so much more difficult since the password manager see the real URL and will not fill in anything on the fake page.