In KnowBe4’s new Password Policy ebook, What Your Password Policy Should Be, we recommend that all users use a password manager to create and use perfectly random passwords. A perfectly random 12-character or longer password is impervious to all known password guessing and cracking attacks. A human-created password has to be 20 characters or longer to get the same protection. Humans do not like creating or using very long (and sometimes also complex) passwords, so we recommend using a trusted password manager program instead.
A common question is if password managers are worth the risk of using them.
The answer, in our opinion, is yes. We believe that the increase in risks a person will get from using a password manager is offset by all the advantages, which decrease and thoroughly offset the risks from the disadvantages.
Let’s look at the risks and advantages of using a password manager. They can be summed up as:
- User must obtain and install password manager
- User must learn how to use password manager
- It may take a user longer to create or input a password using a password manager (but not always true)
- Subject to attacks
- Password managers do not work with all programs or devices
- If access to the password manager cannot be done (e.g., corruption, lost login access, etc.), the user loses all access to all login information contained therein at once
- If attacker compromises the password manager, the attacker can possibly access and obtain all of the user’s passwords (and sites they belong to) at once
It is the last issue that presents the biggest risk in most concerned user’s minds -- single point of failure.
- Creates and allows the use of perfectly random passwords
- Creates and allows the far easier use of different passwords for every site and service
- Can be used to prevent password phishing
- Can be used to simulate some MFA solutions so users do not need separate MFA programs or tokens
- Can be shared among devices so passwords are where the user needs to use them
- Passwords can be more easily and securely backed up
- All passwords may be protected by MFA login requirement to password manager
- May warn user of compromised passwords that the user was not otherwise aware of
- Will warn user of identical passwords used between different sites and services
- Can be shared with trusted person(s) in times of need, when original user is temporarily or permanently incapacitated or unavailable
It is a very real risk that someone’s password manager could get compromised, and from that compromise, all of the user’s passwords to all stored sites and services are stolen very quickly at once. That is a huge risk that must be measured and weighed by the admins or users who are using password managers.
Weighing the Risks
Here are the offsetting issues in my mind against that risk. First, in order to compromise a user’s password manager program, MOST of the time, the attacker has to gain access to the user’s device that has the password manager running and access it while open or manipulate its configuration so that they can easily steal all the passwords. If the attacker has access to the user’s device, it is pretty much game over already. The hacker (or their malware program) can get some or all of the passwords using a variety of other methods, including simply keylogging them as the user types them in or uses them.
There are also attacks which attempt to exploit software vulnerabilities in the password manager program, but as long as the vendor quickly patches known flaws and the user applies those patches quickly (most password manager programs self-update), it is a fleeting, more minor problem. Sometimes the user’s passwords are also stored in the password manager vendor’s cloud network, and if compromised, an attacker can get access to all passwords stored there. Again, it is a risk, but most password manager vendors attempt to keep their customer “password vaults” in a highly secure part of their network.
So, to me, the main risk is that of an attacker gaining access to a user’s device, getting access to the password manager, and then stealing all the passwords. It is a real risk. I have heard of it happening, but right now, it is not a super popular attack. In the future, if password managers become super popular and everyone is using them, it might become a popular attack. But even if it were a popular attack, I think any time an attacker or their malware creation has access to a user’s desktop, it is pretty much game over. They can do anything. The fact that they decided to attack your password manager and steal your passwords is only one of your big problems.
Note: Using separate phishing-resistant MFA can help avoid that situation, or using “split keys” where the user must type in some knowledge-based secret that is not stored in the password manager may be a possible solution.
Why Everyone Should Use a Password Manager for Their Passwords
Despite this big risk, I think everyone should use a password manager for their passwords (if phishing-resistant MFA cannot be used). This is because the two biggest risks to passwords (after social engineering theft) is from passwords stolen from a site or service that the user uses and weak passwords that can be guessed and hacked. According to the National Institute of Standards and Technology (NIST) and other password authorities, the biggest risk of passwords is password reuse across non-related websites and services and users creating “password patterns”, which can be predicted by hackers.
The average user has four to seven passwords that they use across over a 170 sites and services. Those are a lot of identical passwords being used where they should not be. The problem is that once a hacker compromises one or a few of your websites (which you often are not even aware of), the hacker gets your password and then uses them across your other sites and services. One or a few compromises leads quickly to a whole bunch of more compromises. This is considered they major password risk after social engineering your password. And password managers get rid of this risk.
Password managers help users to more easily create and use different, completely unrelated passwords for every site and service. When you use a password manager, you may not even know the password that is used. This gets rid of one of the biggest password risks, and for this alone, password managers should be used. But there is more.
Password managers create perfectly random passwords. A perfectly random 12-character or longer password cannot be guessed at or hash cracked by any known method. And those perfectly random, secure passwords can be different for every website and service.
Social Engineering is the Biggest Risk
The biggest risk of any password is the user being social engineered out of it. Password theft from social engineering is involved in about half of all successful password attacks. Most password managers allow you to log into your site or service from within the password manager and the password manager will only take you to the true, legitimate site or service. This prevents the most common type of password social engineering attack, where the attacker sends you a social engineering email containing a rogue URL link, which tries to trick you into revealing your legitimate credentials to a bogus, fake website.
So, in review on the benefits of password managers, they mitigate the biggest password attacks (e.g., social engineering, guessing/cracking and reuse). Any password expert would tell you those three types of password attacks present the majority of password risks. And for that reason, everyone should use a password manager, or at least strongly weigh it against the big risk of a single-point-of-failure.
It is up to you whether you put your faith, or the faith of your users, into a password manager. Try to get them moved over to phishing-resistant MFA, if you can, first. But if the site or service will not work with phishing-resistant MFA, consider using a password manager. They are becoming more recommended by more password experts every day, including KnowBe4’s password attack expert defenders.