Heartbleed: A Password Manager Reality Check
(Click image for larger view and slideshow.)
Should the OpenSSL Heartbleed bug serve as a wake-up call for people not using a password management application or service to manage their passwords? Consider who are at the greatest risk of having their passwords stolen by Heartbleed-targeting hackers: People who reuse their passwords across multiple sites. That’s because an attacker only needs to hack into one site — say, a social network — to obtain a password that works across multiple sites, such as your banking website.
Faced with that reality, some users have opted to tap a purpose-built security tool for generating and storing strong passwords. “If you don’t use a password manager, you will end up using the same password on multiple sites. That password, becomes a ‘basket’ in which your security for all of the sites you use it for are stored,” said David Chartier at AgileBits, which develops 1Password, via email. “So if you use the same password on Amazon, eBay, Facebook, MyCatPictures, and others, then all of those sites are in the same basket. And that basket is extremely fragile. A breach of one of those sites is a breach for all.”
[Looking to supplement your security defenses? Read How A Little Obscurity Can Bolster Security.]
Here are some facts to consider if you’re wondering whether one of the many different password managers that are available is right for you or your organization:
1. Your own “password manager” might be lacking
When weighing password managers, the first question should be: What are you doing now? How many people have a Word document — perhaps named “passwords.docx” — tracking all of their passwords? If so, watch out for malware infections. Harvesting files with interesting-sounding words is child’s play for hackers.
2. Security experts swear by password managers
Consider leading information security experts’ opinions about password managers. For example, to manage the challenge of safely storing strong, long, and unique passwords, while keeping them easily at hand, Bruce Schneier long ago built and released his own password management application, which is now an ongoing, open-source Windows — and soon, Linux — project. Like other password managers, it requires users to enter a master password, which then unlocks the password safe.
One of the upsides of using password managers is practicality: Many different passwords can be securely stored in one place. Some password management tools, furthermore, will even store website URLs and automatically populate website username and password fields, thus creating both a more secure and more automated log-in process.
“I can’t imagine life without a password manager,” said Sean Sullivan, security advisor at F-Secure Labs, via email. “I have far too many sites to manage otherwise.”
3. A password manager: single point of password failure?
On the other hand, some would-be users worry about gathering all of their passwords in a single place, even if that repository itself gets encrypted and protected by a master password. “I’ve started using two-step authentication, but was avoiding the password generator/keeper programs because those seem like they could be a huge problem if they get hacked,” one DarkReading reader recently emailed. “Do you have an expert opinion?”
“This is a great question,” AgileBits’ Chartier says. “Regarding two-step authentication, let me ask in return how many different sites and services do you plan to use it for? Two, three, one hundred? My guess is that you will
Mathew Schwartz is a freelance writer, editor, and photographer, as well the InformationWeek information security reporter.
View Full Bio
Article source: http://www.darkreading.com/endpoint/heartbleed-a-password-manager-reality-check/d/d-id/1204549?_mc=RSS_DR_EDT