Tuesday, July 17, 2018

What is a "Password Manager" and How They Differ

Security, particularly online, is a high priority for everybody. To be secure on the Internet, every user should employ a strong, unique password for each website. Consider—according to this blog, by 2020 the average number of accounts per Internet user will be 207!

While a computer user could keep all the passwords they need in some secret notebook, the best approach is to utilize a software solution. A password manager keeps passwords and other private data, such as credit card information, on a computer or mobile device. These managers store data in encrypted form, requiring only a single secret key to decipher the database. Password managers maintain the login information of a user's various online accounts and, if desired, auto-enter data into login forms. By using a password manager, a user protects each of his online accounts with its own unique password, which limits the damage if a website with weak security is hacked. Password managers oversee a list of site credentials so a user won't need to remember multiple passwords.

A cursory search online reveals a multitude of password managers with a variety of capabilities. They differ by how they encrypt data, how they store data and the features offered.

Password managers can be categorized by how they offer the user access to a password vault.

Below are three methods:
  1. Master password requirement (a criterion required by most password managers for a high level of security). These password managers require the user to enter a master password whenever a password for an online account is requested. This password serves to encrypt the password database. While secure, most find this method a nuisance; after all, it's annoying to type out a master password each time access is needed. Also, most people tend to shorten and simplify a master password, making the task of hackers easier when they attempt to break into a database.
  2. Master password (almost) never required—a method implemented in most web browsers. These are the easiest to use since these password managers remember and enter passwords automatically without an additional command from the user. While simple and easy, this type of password manager is not secure. Anybody who gains access to a user's computer can easily reach all auto-saved passwords stored by the browser. For this reason, most (if not all) financial websites block the use of browser password managers. Some external password managers (LastPass, for one) default to this mode without regard to the password settings of financial websites.
  3. Two-factor authentication password managers, which require users to enter both a password AND a confirmation sent to a smartphone via email/SMS or with the use of a hardware authentication device such as YubiKey. This approach makes passwords more secure, but as usage of these password managers has proliferated, the complexity of using two-factor authentication managers has increased as well.

A better alternative for Mac users — KeyReel Password Manager! This unique application offers both high security and convenience, securing a password database with up to three factors of authentication. But it doesn't require the user to enter a master password.

The three factors of authentication are:
  1. Phone proximity via Bluetooth 4.0. The localized wireless range of Bluetooth (and its secure transmission protocol) means that access to a user's passwords is limited to the space around the user and his smartphone.
  2. Phone confirmation—access to the KeyReel site occurs only after the user unlocks his phone and confirms the release of a password to the website.
  3. An additional six-digit PIN code is also available. It is easy to enter, yet when applied in conjunction with the other layers of KeyReel security, it makes hacking even more difficult and costly.

The application of all three of these factors in various combinations offers outstanding password security, yet provides an unparalleled simplicity of use. Ergo, the KeyReel password manager is an optimal pairing of high security and convenience.

Password managers can also be defined by how they store data:

  1. Cloud password managers; this type can access passwords all over the world on different devices. But here's the rub—all passwords are stored online on the password manager company's server(s), given to them by their subscribers to safeguard. Don't get the wrong idea; these companies are cybersecurity experts and use best practices to handle passwords. However, just remember that perfect security doesn't exist. Since these companies store the passwords of millions of subscribers, their data centers are frequently attacked by hackers. (See this.) Cloud services have been compromised a number of times in the past. Note that encrypted data on cloud servers may be subpoenaed by a court of law. Hence, if a user's master password isn't virtually impregnable, government intelligence services may crack the code through sheer brute computational force. One should keep that in mind when choosing a password.
  2. Local storage password managers, which utilize a user's computer as storage for passwords. Here, the user retains passwords on a single device. Sharing the service between separate computers can be problematic. One solution to this conundrum is the use of USB storage such as a flash drive, or again, cloud file storage like Dropbox. Yet usually a flash drive is inconvenient to use with a smartphone and users fret over misplacing the device or the hassle of backing up data.
  3. Portable password managers store data on devices (e.g., USB sticks, key chains, bracelets, etc.) carried on the person of the user. These also include password manager apps that administer passwords on smartphones and smartwatches. Often, these are the most convenient password managers, as storage on such devices is akin to having a specially encrypted password notebook. However, most of these specifically designed devices must be purchased separately at no small expense and the user is required to learn how to use and keep them along with a gaggle of other tech gadgets.

Phone-based password managers no doubt are handy contrivances, as most people keep their smartphones on their person virtually at all times. Hence, passwords are always accessible. The user has absolute control over his phone, assuring ownership of the data. Nowadays, next-gen smartphones are highly secure, with encrypted storage for secrets. Thus, losing phone data is much harder than losing a password notebook. However, with most such applications the user lacks the ability to share passwords between various devices. The user also needs to find storage somewhere for a backup of the data. Conventional choices include cloud storage or synchronizing a password manager service with a computer.
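
The master-password points made earlier (the password encrypts the database, a shortened password eases a break-in, and a stolen or subpoenaed vault can be attacked by brute force) can be made concrete with a short sketch. This is an added example, not code from this post or from any product it names; the PBKDF2 settings, the key-check label, the sample passwords and the attacker hash rate are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import math

def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

def key_check_tag(key: bytes) -> bytes:
    """Tag stored beside the vault so a wrong password is detected on unlock."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()

def unlock(master_password: str, salt: bytes, iterations: int, stored_tag: bytes):
    """Return the vault key if the password is right, otherwise None."""
    key = derive_vault_key(master_password, salt, iterations)
    return key if hmac.compare_digest(key_check_tag(key), stored_tag) else None

def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)

def seconds_to_exhaust(length: int, alphabet_size: int,
                       hashes_per_second: float, iterations: int) -> float:
    """Worst-case time to try every password; each guess costs `iterations` hashes."""
    guesses_per_second = hashes_per_second / iterations
    return alphabet_size ** length / guesses_per_second

if __name__ == "__main__":
    salt = bytes(range(16))   # constructed; a real vault uses a random salt
    iterations = 600_000      # assumed KDF cost setting
    tag = key_check_tag(derive_vault_key("example master password", salt, iterations))
    print("right password unlocks:",
          unlock("example master password", salt, iterations, tag) is not None)
    print("wrong password unlocks:", unlock("guess", salt, iterations, tag) is not None)

    rate = 1e10               # assumed attacker speed, in raw hashes per second
    year = 365 * 24 * 3600
    for label, length, alphabet in [("8 lowercase letters", 8, 26),
                                    ("16 printable characters", 16, 94)]:
        years = seconds_to_exhaust(length, alphabet, rate, iterations) / year
        print(f"{label}: {keyspace_bits(length, alphabet):.1f} bits, "
              f"about {years:.3g} years to exhaust")
```

The KDF cost multiplies the attacker's work by the iteration count, but only password length and alphabet size change the exponent, which is why a shortened master password undoes most of the protection.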

Consider this convenient choice that's easy to use and offers a high level of security: the KeyReel password manager. This unique solution allows the user to access passwords on a computer from a paired phone via an encrypted Bluetooth channel, transforming the phone into a wireless access key (not unlike a building access card). This strategy allows the user to access the same password vault from any computer. It also permits the user to automatically store a backup, encrypted with a strong key, on the computer or on a USB stick attached to it. Since your passwords do not traverse the Internet and are not stored in the cloud, you are in charge of your online identity.
