Why your password manager is vulnerable
By Patrick Tardif, Founder, PasswordWrench Inc.
According to 87% of 517 IT security professionals who attended the RSA Conference 2019, the world is currently in the middle of a cyber war. (Source)
With all the endless cybersecurity concerns out there today, employees remain the weakest link in the cybersecurity chain when it comes to poor password security behavior and management. The normal user asks regularly – can I get away using my current set of passwords? How many passwords should I remember to keep the threshold crossed? Is it important to remember my passwords through memorization or is it really safe to let a third party system do it for me? Is it better to use something else and eliminate passwords altogether? For IT and cybersecurity management, this tussle between convenience and security is endless.
As a best practice, all users should use a different password for every system. For the average user, this is not an easy practice to realize, but it’s worth explaining the reasons and probability behind this recommendation.
If you use the same password for 2 different sites, there is a risk that one of these two sites gets hacked and hackers gain access to the database where the passwords reside. In this situation, your password has now been compromised, and bad actors can try to authenticate to your second website using the compromised password. And they are too-often successful. The hackers continue to get better, and the size and number of databases of compromised passwords that are sold and shared keep increasing.
When any site you’ve used is compromised, it’s obviously recommended that you replace your passwords – although many people still do not. Users frequently dismiss this, thinking that they can just replace it after a breach, and thus don’t worry much until then. But understandably, breaches of trust aren’t news items that most companies willingly want to share, as has been witnessed by how long it takes many breached companies to come clean about being hacked. And of course many never let anyone outside the company know. Realistically, the chances that you are even made aware of a breach are low. So the bottom line remains – use a different password for every system.
But using a different password for every system is challenging. In average, a user has approximately thirty major passwords to manage and it’s not easy to remember that many, let alone try any sort of updating. And every site is rule-happy now and has its own password requirements. Some require a lower case, upper-case alpha characters, some require symbols while others don’t allow certain or any symbols. That raises the difficulty-level of remembering any passwords to nearly impossible.
You can write down all your passwords on a piece of paper – and we have met many cybersecurity experts who do just this – or maintain them in a spreadsheet or other digital file, but then you have to figure out a way to bring that piece of paper or that spreadsheet everywhere you go. If you lose that sheet of paper or forget it somewhere, you are potentially exposing all your passwords and then would be forced to reset all of them. If you use an electronic file, you have to synchronize that document with your smartphone, laptop, and desktop, and they’re not necessarily even secured.
All this trouble is only for managing your own passwords. Factor into these equations, as real life is bound to, more problems that arise when you need to, for example, share a password. Then when someone on your team or a family wants to modify that shared password, how do you maintain that password? Or how do you share the new one – across unencrypted networks such as SMS or email? That’s no easy to do this in a way that is safe and secure.
So why bother even using passwords? What about eliminating them completely? The great rush to find new technologies and attempts to eliminate passwords is upon us. While many of these technologies are potentially good 2-Factor Authenticator options, to completely eliminate passwords is ludicrous for the foreseeable future. First, there are over 300 billion passwords that need to be managed today. Second, there are important reasons why passwords are key and should not go away. The first and most important reason is that a password is something that establishes a direct relationship between the user and a system. Anything else including a 2FA or MFA requires reliance on a third-party system outside the realm of this intimate, direct relationship. When you introduce a third party into the equation, new risks exponentially arise. These include but are not limited to the well-documented error pronation of false positives or false negatives that can cause you to lose control of your own authentication process. A good 2FA is there as a supporting method to help protect against passwords being compromised.
With all these difficulties and the prevalent need to manage passwords properly and safely, it’s important for any users and organizations to use a tool that helps do so. If you are a risk assessor or a Chief Information Security Officer, you are all too aware of the risks of using a password manager. The convenience of having end users entering their login credentials into a password manager and thus by knowing the users’ passwords auto-logging them into systems is just that – convenient. But it’s hardly safe because, in order to do that, password managers must know your passwords. That goes against the bottom line principle of cyber security – the moment that anyone or any other system or tool knows your passwords, your passwords are already compromised. The main reason to use a tool is to help you secure your passwords, and the tools that exist are in fact doing the opposite, as we have seen time and again through security breaches of password managers, which are always prime targets for hackers.
At least this was all true until now. Today, there is at least one password manager that exists to help people manage passwords safely without compromising passwords – PasswordWrench.
PasswordWrench is not a conventional password manager that stores your login and passwords but instead provides easy to use tools to help users re-construct passwords using hints. The only data recorded into the PasswordWrench database is the hint, not the password. The system provides a Password Card to the user wherein a random grid of characters are displayed. The user simply decides the pattern or the location of their passwords on the Password Card. A user can decide to pick the row 1 of characters on the card, for example, and write down the hint to be “row 1”(Note: we do not recommend this as a best practice but even this is more reliable than storing your login and password directly). When the user returns to the system and reconstructs the password, the hint is presented in a password builder toolbox where the user can easily re-build the password with a simple click.
Depending on the security level that the user wants to achieve, the password can be rebuilt, or the user can opt to use the grid as only a reference, as if the password was written on a piece of paper, only much safer. The password can be then entered separately from the password manager. There are plenty of other security bells & whistles provided for convenience, including the ability to create sophisticated passwords that meet any site requirements. This tool is ideal for security professionals and enterprises that want to provide an easy way to manage passwords across their company while keeping security at the forefront.
That’s the reason why we founded PasswordWrench. There is a need for a serious but easy-to-use tool that helps enterprises manage passwords without forcing any user to compromise their passwords.
About the Author
Patrick Tardif is the founder of PasswordWrench. He is a software developer and architect with more than 20 years’ experience. The past decade he has focused on the cybersecurity sector, implementing authentication and authorization frameworks for mid-size and large companies alike. He is a long-time proponent of Zero Trust Policy being applied across all things technical and knew existing password management systems were prioritizing convenience over security. He founded PasswordWrench to remove password management vulnerabilities, so users retain full control over their passwords without losing convenience. Patrick Tardif can be reached online at (firstname.lastname@example.org, https://twitter.com/passwordwrench , https://www.linkedin.com/company/passwordwrench/) and at our company website https://www.passwordwrench.com