Password manager pro training
8/5/2023

In KnowBe4’s new Password Policy ebook, What Your Password Policy Should Be, we recommend that all users use a password manager to create and use perfectly random passwords. A perfectly random 12-character or longer password is impervious to all known password guessing and cracking attacks. A human-created password has to be 20 characters or longer to get the same protection. Humans do not like creating or using very long (and sometimes also complex) passwords, so we recommend using a trusted password manager program instead.

A common question is whether password managers are worth the risk of using them. We believe that the increase in risks a person will get from using a password manager is offset by all the advantages, which decrease and thoroughly offset the risks from the disadvantages.

Let’s look at the risks and advantages of using a password manager.

- User must obtain and install password manager.
- User must learn how to use password manager.
- It may take a user longer to create or input a password using a password manager (but not always true).
- Password managers do not work with all programs or devices.
- If access to the password manager cannot be done (e.g., corruption, lost login access, etc.), the user loses all access to all login information contained therein at once.
- If attacker compromises the password manager, the attacker can possibly access and obtain all of the user’s passwords (and sites they belong to) at once.

It is the last issue that presents the biggest risk in most concerned users’ minds: single point of failure.

- Creates and allows the use of perfectly random passwords.
- Creates and allows the far easier use of different passwords for every site and service.
- Can be used to prevent password phishing.
- Can be used to simulate some MFA solutions so users do not need separate MFA programs or tokens.
- Can be shared among devices so passwords are where the user needs to use them.
- Passwords can be more easily and securely backed up.
- All passwords may be protected by MFA login requirement to password manager.
- May warn user of compromised passwords that the user was not otherwise aware of.
- Will warn user of identical passwords used between different sites and services.
- Can be shared with trusted person(s) in times of need, when original user is temporarily or permanently incapacitated or unavailable.

It is a very real risk that someone’s password manager could get compromised, and from that compromise, all of the user’s passwords to all stored sites and services are stolen very quickly at once. That is a huge risk that must be measured and weighed by the admins or users who are using password managers.

Here are the offsetting issues in my mind against that risk. First, in order to compromise a user’s password manager program, MOST of the time, the attacker has to gain access to the user’s device that has the password manager running and access it while open or manipulate its configuration so that they can easily steal all the passwords. If the attacker has access to the user’s device, it is pretty much game over already. The hacker (or their malware program) can get some or all of the passwords using a variety of other methods, including simply keylogging them as the user types them in or uses them.

There are also attacks which attempt to exploit software vulnerabilities in the password manager program, but as long as the vendor quickly patches known flaws and the user applies those patches quickly (most password manager programs self-update), it is a fleeting, more minor problem. Sometimes the user’s passwords are also stored in the password manager vendor’s cloud network, and if compromised, an attacker can get access to all passwords stored there. Again, it is a risk, but most password manager vendors attempt to keep their customer “password vaults” in a highly secure part of their network.

So, to me, the main risk is that of an attacker gaining access to a user’s device, getting access to the password manager, and then stealing all the passwords.