In our last article we briefly discussed password manager apps. We are frequently asked to help reset a client's password because they have forgotten the login for one account or another. This month we will compare browser-saved passwords with dedicated password managers. We will cover the basics and the vulnerabilities you should know about if you are considering a password manager.
A password manager is a service that helps you generate and store long, unique passwords for your online accounts. It can also store PINs, credit card numbers, CVV codes and answers to security questions. The best password managers can also generate and store passkeys for all your accounts. They will let you know if your existing passwords are weak, reused or have shown up in a data breach. All of them use some form of encryption to protect your information in one secure place: your data is scrambled into unreadable ciphertext that can only be unlocked with your master password. Service names include NordPass, LastPass, Proton Pass, RoboForm, Keeper, 1Password, Dashlane and Bitwarden. There are free options, but expect to pay a subscription fee for extra security features.
Most major web browsers (Chrome, Safari, Firefox and Edge) include built-in password managers, found under settings, that let users save and autofill passwords for their accounts. The features and security levels vary significantly from browser to browser. When the feature is turned on, your browser will ask whether you want to save your password the first time you enter login details on a particular website. If you choose to save it, the browser records the password and automatically fills in the credentials when you return to the same page. Web browsers typically store passwords locally on your device, although some offer a sync feature that uploads them to the cloud for access across multiple devices. Browser-integrated password managers are convenient and free of charge. Their biggest disadvantage is a lack of flexibility: if you switch between browsers, the password database saved in one is not available in another. Saving passwords in the browser is convenient, but it can be risky without proper security and backup precautions.
Makers of dedicated password managers offer extensions for all major browsers from a single program. The data is synchronized so that it is up to date everywhere, provided you have an Internet connection. Password managers are generally considered reliable and secure, but there is always the potential risk of a data breach. Recent reports also warn of a class of vulnerability called clickjacking, in which attackers hijack a user's clicks for malicious purposes. Major password managers have issued patches to address clickjacking flaws, but not all of them have. Criminals use various techniques to trick you into visiting a counterfeit web page that looks legitimate, or to tempt you into clicking a malicious pop-up login prompt. Malicious infostealer software can steal files from a device and decrypt them easily, and this includes data from password managers.
Not all security experts believe you should use a password manager. The skeptics go on to suggest that passwords for financial accounts should be kept offline for maximum safety. LastPass suffered a breach back in 2022 in which both encrypted and unencrypted data was stolen. LastPass employees were also targeted by deepfake audio calls impersonating the company's CEO, and hackers launched waves of malicious messages impersonating this password manager. Proceed with caution: there are fake apps pretending to be legitimate password providers!
The Bottom Line: Look for well-known, vetted applications. If you use your web browser's password manager, don't share your devices: anyone who shares your laptop, tablet or smartphone can open a browser and see the stored passwords, or open a service and find your account automatically logged in. Always turn on 2FA and keep your software up to date. Do not use a password manager on a public computer. Use caution with unknown or unexpected links, even if they appear to lead to a legitimate website.

Two Techs – your locally owned computer support company. Find us on the web at www.twotechs.com, email us at support@twotechs.com or call 352-200-2365. USF, MIS, MCP, A+, Network+ & CISSP. (References used: PCWorld, Consumer Reports, Wikipedia, ZDNet, LastPass, TechRadar, FBI)
