Is it safe to use a password manager?

The information portal for safe cell phone use

There are two important rules for good passwords. First, never use the same password more than once; otherwise the theft of a single database is enough to log in to many other services on behalf of the victim.

In addition, passwords should be at least twelve characters long and consist of random strings such as "fSL * JF @ uA3Vn". Then they are difficult to crack.

Anyone who wants to follow these two rules quickly realises that a password manager is necessary, because nobody can remember many such strings, let alone one for each online account.
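The two rules above (no reuse, and long random strings) are easy to check mechanically. The following is an added example, not code from the original article or from any of the products it mentions: it draws passwords from the operating system's cryptographic random source, reports their entropy, and flags passwords shared between accounts. The sample vault contents and the 94-character alphabet are constructed for the illustration.

```python
import math
import secrets
import string
from collections import defaultdict

# Alphabet for generated passwords: 52 letters, 10 digits, 32 special characters (94 in total).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 12) -> str:
    """Return a password of `length` characters chosen uniformly with a CSPRNG.

    The `secrets` module, unlike `random`, is intended for security-sensitive use.
    """
    if length < 12:
        raise ValueError("passwords should be at least twelve characters long")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def find_reused(credentials: dict) -> dict:
    """Map every password that is used for more than one account to those accounts.

    `credentials` is {account_name: password}; the result is {password: [accounts]}.
    """
    by_password = defaultdict(list)
    for account, password in credentials.items():
        by_password[password].append(account)
    return {pw: accounts for pw, accounts in by_password.items() if len(accounts) > 1}


if __name__ == "__main__":
    # Constructed sample vault contents (not real credentials): two accounts share a password.
    sample_vault = {
        "mail": "Summer2017!",
        "shop": "Summer2017!",
        "bank": generate_password(16),
    }
    for password, accounts in find_reused(sample_vault).items():
        print(f"password reused across {accounts}: replace it with a unique one")
    fresh = generate_password(12)
    print(f"generated: {fresh} ({entropy_bits(len(fresh)):.1f} bits of entropy)")
```

Twelve characters from this alphabet give about 78.7 bits of entropy; every additional character adds roughly 6.6 bits, which is why length matters more than any particular special character.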

How does a password manager work?

Password managers are programs that relieve the user of two important tasks: they generate strings of randomly chosen characters and store them immediately.

The database in which the passwords are stored is also called the password safe. The passwords are stored there in encrypted form. The next time you log in, the program fetches the username and the secure password from the safe and fills them in automatically.

Password managers have been around for a long time. They used to work mainly as web browser extensions and could accordingly only complete the login process for websites.

On a mobile device you log in not only to websites in the browser but also in many apps. It is therefore advisable to use a mobile password manager that can enter login data in other apps as well as in the browser.

Which password managers are there?

There are a few solutions that can do this under the Android operating system. The best-known include LastPass from the US manufacturer LogMeIn Inc. (basic version free of charge) and 1Password from the Canadian manufacturer AgileBits Inc. (paid subscription model). But there are many others.

With Apple's iOS operating system, such extensive access to other apps is not easily possible. Here, app developers have to integrate the login process with the password manager so that it can insert passwords into compatible apps.

Numerous popular providers such as Twitter, Zalando and Dropbox have set up such an adaptation for the iOS version of LastPass. The widespread manager 1Password is also compatible with many apps on iOS.

KeePass: Open source and non-commercial

Among the open source solutions, the password manager KeePass is the most widespread. KeePass is a collaborative project that the German programmer Dominik Reichl started in 2003. There are numerous versions of the program: for Android, for example, KeePassDroid or Keepass2Android, and for iOS the MiniKeePass app. All KeePass derivatives are free.

Is an open source product safer?

In general, it is desirable that the program code is freely accessible for review by independent experts (open source). Only in this way can experts convince themselves that the software has no back doors and that the encryption methods used have been implemented without errors.

Of course, this many-eyes principle only works if qualified experts actually examine the code for errors. The EU Commission financed a thorough investigation, also known as an "audit", of KeePass. It was completed in late 2016 and did not find any critical security holes. However, only version 1.31 was tested and not the more recent version 2.34, which has fundamentally new functions.

Master password: It has to be secure

The "safe", i.e. the database in which all passwords are stored, is always stored in encrypted form. The master password serves as the key to this safe. If a thief gets hold of the database, for example by stealing the device, he still cannot read the passwords in it.

But he can try to crack the master password. Its quality determines how easy that is: if it is too short or, from the cracking software's point of view, too simple, it may hold out for only minutes. The master password should therefore be at least twelve characters long and consist of random special characters, letters and numbers.

More factors, more security

The protection of the safe can be further increased by using two-factor authentication. In addition to the well-known "master password" factor, a second factor must then be entered to unlock the safe.

This second factor can be an object, for example a so-called YubiKey, a kind of key in the form of a USB stick. As long as the data thief does not have it, even a cracked master password does not give him access. Good password managers offer methods for two-factor authentication.

Local or in the cloud?

The password manager can either save the safe locally on the user's smartphone or computer or in the cloud, i.e. on a server on the Internet.

At first glance, it may seem reckless to save your entire password collection on a server on the Internet. However, this is exactly what is necessary in order to have the current passwords available on all end devices.

The master password should never leave the user's device; LastPass, for example, works this way. Then the cloud service provider itself cannot read the passwords, and the master password cannot be stolen from the server. A nice touch: with KeePass you can choose whether to store your key file locally or in a cloud of your choice.

How secure are password managers?

Of course, such a password vault is an attractive target for data thieves. Reputable password manager providers are aware of this. The hurdles they put in the way of a data thief are correspondingly high.

The safes are, depending on the provider, encrypted several times over with procedures that slow even professional password crackers to a crawl. At present, with the default settings of LastPass, a normal PC needs about ten years to crack an eight-character password (four lowercase letters, two digits and two special characters). The picture is similar for KeePass.
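The three ideas in the sections above (the master password as the key to the safe, a second factor such as a key file that must be combined with it, and deliberately slow encryption that makes each guess expensive) can be shown together in one small model. This is an added example and not the code of KeePass, LastPass or any other product: the iteration count, the way the second factor is mixed in, and the verifier construction are assumptions chosen for the illustration, and the hash rate used in the estimate is a constructed figure, not a measurement.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters (assumption): real products pick their own values.
ITERATIONS = 100_000   # PBKDF2 rounds; every guess at the master password costs this many hashes
KEY_LEN = 32           # bytes of derived key
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def composite_secret(master_password: str, key_file: Optional[bytes] = None) -> bytes:
    """Combine the master password with an optional second factor (a key file).

    Both parts are hashed together, so neither the password alone nor the key file
    alone reproduces the vault key (construction assumed for this example).
    """
    parts = hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file is not None:
        parts += hashlib.sha256(key_file).digest()
    return hashlib.sha256(parts).digest()


def derive_vault_key(master_password: str, salt: bytes, key_file: Optional[bytes] = None,
                     iterations: int = ITERATIONS) -> bytes:
    """Stretch the secret with PBKDF2-HMAC-SHA256 so each guess costs `iterations` hashes."""
    secret = composite_secret(master_password, key_file)
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=KEY_LEN)


def make_verifier(key: bytes) -> bytes:
    """Value stored beside the safe to check a candidate key without storing the key itself."""
    return hmac.new(key, b"vault-key-verifier", hashlib.sha256).digest()


def unlock(master_password: str, salt: bytes, verifier: bytes, key_file: Optional[bytes] = None,
           iterations: int = ITERATIONS) -> Optional[bytes]:
    """Return the vault key if password (and key file, if used) are right, else None."""
    key = derive_vault_key(master_password, salt, key_file, iterations)
    return key if hmac.compare_digest(make_verifier(key), verifier) else None


def guess_rate(hashes_per_second: float, iterations: int) -> float:
    """Master-password guesses per second when each guess costs `iterations` hashes."""
    return hashes_per_second / iterations


def years_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Years needed to try every password of `length` characters over `alphabet_size` symbols."""
    return alphabet_size ** length / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed demo: create a safe, then open it with and without the second factor.
    salt = os.urandom(16)
    key_file = os.urandom(64)                       # stands in for the contents of a key file
    key = derive_vault_key("correct horse battery", salt, key_file)
    verifier = make_verifier(key)                   # only salt and verifier are stored on disk
    print("password only :", unlock("correct horse battery", salt, verifier) is not None)
    print("with key file :", unlock("correct horse battery", salt, verifier, key_file) is not None)

    # Constructed hash rate: how iteration count changes the brute-force picture for 8 characters.
    raw_rate = 1e9                                  # assumed raw SHA-256 rate of one machine
    for rounds in (1, ITERATIONS):
        years = years_to_exhaust(8, 94, guess_rate(raw_rate, rounds))
        print(f"{rounds:>7} rounds: ~{years:,.1f} years to exhaust 94^8 passwords")
```

The point of the iteration count is visible in the last loop: the same machine that would exhaust all eight-character passwords in a fraction of a year with a single hash per guess needs on the order of ten thousand years when each guess costs 100,000 hashes. A longer master password multiplies that figure by 94 for every extra character, and a key file makes the search pointless unless the thief also has the file.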

These figures come from Jens Steube, the developer of the well-known password cracking software hashcat, who regularly tests the security of passwords in various programs.

Nevertheless, security vulnerabilities in popular password managers have repeatedly been discovered in the past, most recently in March 2017 in a study by Fraunhofer SIT.

The researchers found serious implementation errors in nine password managers for Android, including several in LastPass and 1Password. The bugs have since been fixed. Whether the apps contain further errors cannot be established with certainty, since their program code is not openly accessible.

However, no case is known in which these vulnerabilities were actually exploited. In this respect: a password manager is definitely better than standard passwords or the same password for all accounts.

More on the topic at mobilsicherheit.de
