Increasingly, one of the most essential steps any individual can take to protect their devices and keep their accounts and networks out of the wrong hands is to use a password manager.
Password managers are invaluable tools that can substantially improve an organization's security posture and promote a culture of awareness when every user is required to make them part of their daily routine.
Essentially, a password manager stores all of your passwords in an encrypted vault and autofills them on sites that require a login. Most managers can also generate long, random passwords, which makes it much harder for criminals to guess or crack your credentials and cuts down on the dreaded "password" password.
These tools also remove the need to keep passwords written on notes lying around the office or saved in unencrypted Word documents.
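As an added example (not code from the original article or from any of the products it names), the Python below shows the two mechanics just described in miniature: a CSPRNG-based generator that guarantees every character class is present, and a master password stretched through PBKDF2 into a vault key, with a stored verifier so the application can check an unlock attempt without ever keeping the password itself. The iteration count, salt size and verifier label are assumptions chosen for illustration; real products use their own KDF parameters and an authenticated cipher for the vault contents, which is omitted here.

```python
import hashlib
import hmac
import math
import secrets
import string

# Character classes the generator guarantees are represented at least once.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters


def generate_password(length: int = 20) -> str:
    """Draw characters from the OS CSPRNG (secrets, never random) and
    resample until every class is present, so a site's complexity rule
    cannot reject the result."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random password: 20 characters from
    a 94-symbol alphabet is about 131 bits."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password: bytes, salt: bytes,
                     iterations: int = 600_000) -> bytes:
    """Stretch the human-remembered master password into a 256-bit vault key.
    Every guess against a stolen vault costs the attacker `iterations`
    HMAC-SHA256 computations, which is what buys a modest master password
    some breathing room. (Parameters here are illustrative assumptions.)"""
    return hashlib.pbkdf2_hmac("sha256", master_password, salt, iterations, dklen=32)


def create_vault(master_password: bytes, iterations: int = 600_000) -> dict:
    """Return the non-secret metadata a manager keeps on disk. The master
    password is never stored; only a random salt, the KDF cost and a
    verifier derived from the key. (Simplification: a real design derives
    separate encryption and verification keys from the KDF output.)"""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, salt, iterations)
    verifier = hmac.new(key, b"vault-key-verifier", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock_vault(vault: dict, attempt: bytes):
    """Re-derive the key from an unlock attempt and compare verifiers in
    constant time. Returns the key on success, None on a wrong password."""
    key = derive_vault_key(attempt, vault["salt"], vault["iterations"])
    check = hmac.new(key, b"vault-key-verifier", "sha256").digest()
    return key if hmac.compare_digest(check, vault["verifier"]) else None


if __name__ == "__main__":
    pw = generate_password()
    print(f"generated: {pw}  (~{entropy_bits(len(pw)):.0f} bits)")
    vault = create_vault(b"correct horse battery staple")
    print("right password unlocks:",
          unlock_vault(vault, b"correct horse battery staple") is not None)
    print("wrong password unlocks:",
          unlock_vault(vault, b"Correct horse battery staple") is not None)
```

The verifier pattern is the reason a manager can tell you the master password is wrong without ever having stored it: only the salt, cost and a value derived from the key sit on disk, and comparing them with `hmac.compare_digest` avoids leaking timing information.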
But as recent news shows, flaws have been found even in top-rated password managers, raising an unsettling question: are password managers really safe?
Here’s what you need to know.
The Effectiveness of Password Managers
To begin with, it's worth noting that password managers have an excellent safety record and have made a measurable difference for organizations in a wide range of fields.
The LastPass study cited below rates an organization's password hygiene on a 0-100 security score, banded as follows:
- 0-39 security score: Poor
- 40-64 security score: Fair
- 65-89 security score: Good
- 90-100 security score: Exceptional
The study's chart shows the average security score of LastPass users broken down by company size.
You'll notice that all of these fall into the "fair" category regardless of size, which is not exactly a ringing endorsement for password managers.
However, if you look at the average score of all companies using LastPass and track how it changed over time, from the month they adopted it through two years of use, the results are much more impressive:
The average growth shown above is significant for an organization of any size. With cybersecurity threats at an all-time high, bumping that score up by 18 points is a notable improvement.
While the LastPass study notes that far too many users still share passwords with colleagues (on average, each employee shares six passwords), password managers still go a long way toward creating a more secure environment in organizations.
At least, that’s how it appeared until recently.
Recent Issues and Looming Threats
As previously mentioned, one of the main benefits of password managers is the encryption of your password data, which should protect your organization’s sensitive information from attackers.
And while it is important to note that there is currently no immediate security risk to any password manager you might be using, a recently discovered design flaw points to a future in which these programs could be less effective at protecting your data.
Here’s what happened.
A security company auditing the Windows versions of several notable password managers (LastPass, KeePass, Dashlane and 1Password) found that these applications failed to completely scrub sensitive data from process memory, most notably the master password used to log in to each manager.
This means that an attacker who had access to the machine, either by stealing the device outright or by momentarily getting hold of it, could read the master password out of memory and, with it, unlock all of the encrypted passwords. In practice, reading another program's memory means running code on the machine or dumping its memory, so the attacker already has to be on the box.
It's important to note that none of these applications can be exploited remotely through this flaw. What is concerning, however, is that password managers protect the whole vault with a single master password that grants the user access to every saved credential.
Those master passwords are often not very complex, since the user has to remember them without help from the manager, which makes them easier to crack. Offline cracking can still be slow work, but this flaw removed the need for it: the master password was sitting in memory in readable form, waiting to be found.
The researchers who uncovered the flaw stressed that these managers are still far safer than going without, and that an attacker who did find a master password in memory could not simply use it right away. Even so, this is not great news.
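To make the memory issue concrete, here is an added Python illustration (not the auditors' code and not taken from any of the products named): the master password is held in a mutable bytearray, used once to derive the key, and overwritten in place before the function returns, while a session object wipes the key again on lock(). The salt, iteration count and all names are assumptions. The comments mark the two places where the language itself defeats the wipe, which is the same class of residue the audit found: an immutable copy (a str or bytes) cannot be cleared from Python, and the hashlib call returns one.

```python
import hashlib


def wipe(buf: bytearray) -> None:
    """Overwrite a secret in place. Same-length slice assignment keeps the
    same object and the same underlying buffer, so the old bytes are gone.
    Only mutable buffers can be wiped: a str or bytes holding the same
    secret is immutable, stays in memory until the interpreter frees it,
    and is not zeroed even then."""
    buf[:] = bytes(len(buf))


def is_wiped(buf) -> bool:
    """True if every byte of the buffer is zero."""
    return all(b == 0 for b in buf)


def unlock_and_forget(master: bytearray, salt: bytes,
                      iterations: int = 600_000) -> bytes:
    """Derive the vault key and wipe the master password before returning,
    whether or not the derivation succeeded. hashlib can read the bytearray
    directly through the buffer protocol, but any copies the underlying
    crypto library makes are out of our hands: that is the kind of gap the
    audit exposed."""
    try:
        return hashlib.pbkdf2_hmac("sha256", master, salt, iterations, dklen=32)
    finally:
        wipe(master)


class VaultSession:
    """Holds the derived key only while unlocked; lock() wipes it in place."""

    def __init__(self) -> None:
        self._key = bytearray()

    def unlock(self, master: bytearray, salt: bytes,
               iterations: int = 600_000) -> None:
        # pbkdf2_hmac returns immutable bytes, so copying it into a bytearray
        # leaves one unwipeable intermediate behind. A manager that wants no
        # residue has to keep the key in a buffer it controls end to end.
        self._key = bytearray(unlock_and_forget(master, salt, iterations))

    def is_unlocked(self) -> bool:
        return len(self._key) == 32 and not is_wiped(self._key)

    def lock(self) -> None:
        wipe(self._key)
        self._key = bytearray()


if __name__ == "__main__":
    salt = b"\x00" * 16                  # constructed for the demo; real salts are random
    master = bytearray(b"correct horse battery staple")
    leaked_copy = bytes(master)          # any copy taken before the wipe survives it
    session = VaultSession()
    session.unlock(master, salt)
    print("master wiped after unlock:", is_wiped(master))
    print("earlier copy still readable:", leaked_copy.decode())
    session.lock()
    print("still unlocked after lock():", session.is_unlocked())
```

The lesson the demo makes visible is that wiping only helps when the secret has never been copied: one stray `bytes(master)`, one `str`, or one library-internal buffer is enough to leave the master password recoverable, which is why memory hygiene is hard even for well-built managers and why keeping the machine itself free of malware matters as much as the vault's encryption.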
A Culture of Cybersecurity
While experts foresee no looming threat to the most popular password managers, it’s hard to set this aside and ignore how much cyber threats have evolved in recent years.
So, should you still use and encourage employees to install a password manager?
These programs are still much safer than the alternative and as shown can really help your organization’s security score, especially when you are using a paid version of a password manager. These are designed for business use, and can give you more control over password management accounts, levels of access and the ability to audit password usage.
But they are not an end in themselves.
A password manager is just one step toward a more consistent and meaningful culture of cybersecurity. Cyber threats will continue to evolve, and your organization needs to keep up.
The improved security scores outlined in the LastPass study above are a step in the right direction, but there’s still so much room for improvement.
Trust your password manager, but don’t rely on it alone to keep your organization safe.