Demystifying Cyber: Password Managers

In this video series, we’re here to peel back the curtain and show how the “tricks” in cyber are done so we can all have a better understanding.

Tom Pioreck, CyberMaxx’s CISO, will be diving into all things password managers. In this episode of “Demystifying Cyber,” we’ll unlock the mystery and clear the confusion surrounding password managers.

For your convenience, we’ve included a transcript of the 16-minute episode below. Feel free to watch the video on YouTube.

Transcript

Password managers, or password vaults, are regularly mentioned by security professionals as a critical tool for securing our accounts. But what are they? How do they ease the burden and confusion for managing our accounts? How do they help us follow current “best practices” for our passwords? And is a digital vault really the only “secure” method? Hello, I’m Thomas Pioreck, cybersecurity professional with close to 20 years in the industry and self-professed most paranoid person in the room. On this episode, we’ll unlock the mystery and clear the confusion around Password Managers.

The famed author Arthur C. Clarke had three laws when it came to science fiction; the third law is, “any sufficiently advanced technology is indistinguishable from magic.” We’re here to peel back the curtain and show how the “tricks” in cyber are done, so we can all have a better understanding. This is “Demystifying Cyber.”

It’s probably no surprise to anyone that the average person is responsible for managing over 100 accounts, when we consider what we manage and maintain for work and home. That’s an awful lot of identities to remember, enough to make Jason Bourne confused. Add to that the latest and greatest “best practice” recommendations for credential creation. Create a unique password per account, with each password having a not so insignificant number of characters, at least 15 but better to get into the 20s, usually requiring a complexity component, that’s when we’re told the password needs to contain uppercase, lowercase, numbers, symbols, but not all symbols, only these six or seven, which change depending on the platform. Oh, and don’t use passwords, use passphrases, but make sure those are random words too, nothing personal, like “I like turtles” or anything. Random, everything completely random. Then, don’t forget a single one. It’s total chaos, anarchy, dogs and cats living together- mass hysteria! And some security practices even recommend varying your username per platform, not just going with the same email address as an account name. That one email address that you’ve used to sign up for almost all those accounts. None of this takes into account that human brains aren’t designed to function this way.

And a lot of those accounts, they want us to set up “security questions,” questions that only we should know the answer to, in order to verify our identity to gain access to the account when, inevitably, we forget which of the hundreds of variations of “YankeesRule2010” we used, or act as some kind of weak MFA process (check out our episode on MFA, multifactor authentication, not so shameless plug). The solution to that, according to privacy paranoid security wonks such as yours truly, is to vary those answers too. Make ’em up. Lie. See, the bank, credit card company, gambling site, gamer site, whatever, doesn’t actually know your mother’s maiden name, or the street you grew up on, or who your favorite elementary school teacher was, they just want to have a question to verify you against, so they’ll accept whatever answer you give them. (Let’s put aside the fact that most of the real answers are so easily discoverable thanks to social media, it’s trivial to bypass them.)

So, with all that going on, how is one person supposed to keep all that straight in their head? It’s not like you don’t have a great variety of info rattling around the ol’ gray matter and there’s only so much capacity. If you’re going to remember more, then something is likely to get pushed out. I don’t know about you, but I don’t think I could get away with forgetting an anniversary or birthday with the explanation, “Look, I needed a login for the LEGO site to open an account and get VIP points, once that went in the old cranium, something less critical had to go.” Luckily, there is a solution that covers almost the entire conundrum in its entirety. Password managers.

Password managers, also known as password vaults, allow you to manage all the login and account information and data we just covered, in a single location. In fact, given that there’s more than passwords, sorry, passphrases, that they help you with, I argue that we should really refer to them as credential managers or identity managers. But I also didn’t hate New Coke as a kid, so take that idea with the requisite grain of salt. To keep things simple, we’ll just refer to them as password managers in this episode, but remember, they can do a lot more than help you just manage the passwords.

Sounds great, dude, so what is it? I’m glad you asked. Password managers are applications that allow you to generate random passwords or passphrases, on demand, and save them to what is typically called your vault. The random generator component can also simply be copied and pasted, which is where we’re able to utilize them to generate random answers to those ridiculous security questions. We all know those, you enter username and password, and you get the computer version of, “none can pass by me, unless you answer my questions three.” You can use the same random generator utility to create those unique usernames, provided that the account you’re signing up for isn’t forcing you to use an email address (and seriously, if your company has decided to force email addresses as usernames, stop it. Like eating other people’s lunches, stop it.) There’s also usually a notes field, which means you could save the security question and your random answer to the same entry as the account itself, we’ll cover all the eggs in one basket thing later. What’s more, the password manager will connect the URL, that’s the web address, for the site where you’re connecting the account as being associated with that account, and only prompt to fill it in automatically, oh, yeah, a lot of them will do that with a nice browser plug-in, so you don’t even really need to know if you’ve already created an account for said site, the password manager will just offer to enter the proper username and password combo. So, if you encounter a malicious, imposter site that looks like the web site you have an account on, the password manager wouldn’t find a match to the URL and wouldn’t offer to input your real credentials, thus adding a layer of protection when it comes to a component of many phishing attacks. Something I know everyone in my company is going to receive at some point. And as a business, that extra layer of defense boosts security without impacting productivity. You’re now adding a layer of protection with URL recognition that mitigates when someone clicks on a malicious link and takes them to a login impersonation site.

But wait, there’s more! Do you have personal Wi-Fi at home or at the office? Sure, you do, we all do. Did you know you should create a custom name for the wireless network and change its password as a best practice? But again, you don’t want to create something simple? That’s right, the password manager and its random generator can help you here too!! And many password managers have a simple “sharing” feature, where you can select certain individuals to share specific accounts with (yes, you should do this sparingly) and you can just provide access to that folder to the others living in your house. This is usually part of their family plans. For a business? I can have the Wi-Fi for the office changed whenever necessary, simply updating it in a company-wide share and just send a message to everyone that the password is updated in the folder. Personally, I prefer to enter the creds into each device or just share the password one-time verbally, but my family already knows I’m paranoid and nuts, but they love me, so they humor me. (There’s a lot of nodding to me, then I’m pretty sure I’ve detected a lot of shared eye rolling when I look away, but again, I’m a paranoid kind of guy.) But to take that same one-to-one communication of the password change within a company? Yeah, no thanks.

That’s a lot of good for one solution to provide, isn’t it? Granted, a lot of that convenience comes from it being a technology-based solution, and yes, there are risks which we’ll get to later, but let’s talk “digital.” There was a time, quite a few years ago, when a lot of security folks, and I’ll admit that I was one of them, would see physical password diary books for sale in a bookstore (I know, right, I go to actual, physical bookstores, just to look around, and sometimes, crazy as it sounds, buy physical books. God, I feel old.) We were equating writing something into a physical record book with leaving your password on a Post-It note at your desk in the office. Both were about writing something down in a physical location, so both had to be bad, right? We were wrong and close-minded. Yes, leaving passwords written down around your desk at work is a bad idea. There’s too much uncontrolled and random access there for you to presume that no one is ever going to see that handwritten note. But these password diaries were sold as something for you to keep at home or carry with you in a bag (though I don’t like that part). Do they have the random generator? No, of course not.

However, you can still create random passphrases when you’re at home and using a physical notebook. Just pick up a couple of random books or magazines you have lying around the house, really anything with text, pick no less than one word from three of them at least, and string them together in your little notebook. Bingo, bango, you’ve got a random passphrase. Same for creating a random answer to a security question, Wi-Fi password, security phrase for your alarm company.

What you don’t get with the physical notebook that you do get with its digital counterpart is that URL recognition, so you need to be more mindful when going to websites and entering in the credentials from your book. So why did so many of us acknowledge the error of our ways and come to appreciate the Prequels- sorry, I meant, physical password books? It’s all about threat modeling (which is a whole topic on its own). Basically, you need to look at the entirety of what the threat is that will realize the risk you’re protecting against. The people who prefer the physical notebooks are likely not technically inclined, which also likely means they’re only using their passwords on their home computer at their home. So, the only way for their written passwords to be discovered is if someone breaks into their home, rummages through the desk, and finds the notebook. Not an impossible scenario, but I argue if that were to occur, you’d have a lot more concerns than just that one notebook. It’s the same reasoning I don’t cover my webcam. *gasp*

I know! Sacrilege. But here’s why. If a threat actor is watching me through that webcam, in my view, I have bigger problems. That means they’ve somehow compromised my computer to gain control and access the webcam. That’s a much bigger issue for me than someone seeing my regularly confused face as I look at my screen.

The long and the short of it is that the paper version of these managers got a bad rap, and a lot of security folks are to blame. Now, leaving passwords written down around your desk is still a very bad practice but it’s not the same as a book at your home, locked away in your desk. Having a spreadsheet saved with our credentials also isn’t good because once the computer is compromised, our passwords are gone too.

Now, for all of you yelling at the device you’re seeing or hearing this through, let’s address the “all your eggs in one basket” question. Yes. Yes, if you do this, yes, you are putting all of your eggs in one basket. And given today’s prices, we’re hesitant to risk all of them in one location. I get it. How’s it any different than ye olde spreadsheet? Well, the password manager will sync across devices. It’ll also identify the right URL according to what you’ve set for the account. It is more likely for your computer to be compromised than the vendor’s vault system, though, if we’re being transparent, there have been a couple of hiccups over the years. But we have MFA to apply to the account. And it allows us to quickly change our master password, then go account by account to change those. Or you can get a little creative.

Let’s say you don’t want to put your faith and trust entirely in the credential vault, what are some things you can do additionally? Two quick examples of practices that I know a few people follow.

One, have a custom suffix you add to the generated password saved in your vault that only you know. It’s not the same as using the same password across all accounts, we’re just manually adding a few characters at the end of that randomly generated password. The other method is having two password managers and using them in tandem. Huh? Yup, two of them. You have Vault A and Vault B. They don’t know about each other, but you do. As far as the vaults are concerned, they’re the only one. A strong method for improving password security, lousy method for managing personal relationships. You store the first half of a password in Vault A and the second half in Vault B. Sure, it’s double the copying for when it’s time to log in but this method does provide that extra layer some folks are looking to have. Again, the level of complexity and extreme all comes down to your personal threat model.

I think we can all agree that the number of accounts we’re going to need to manage is only going to increase and not insignificantly. The generations after us are only going to have it worse. I think password managers are a great tool and they’re relatively simple. There are more than a few “normies” that I’ve shown them to, helped them set up and use them, and they haven’t looked back since. And the younger generation are extremely tech-inclined, so starting them early shouldn’t be an issue at all. Let them learn and remember safe browsing habits, how to maintain privacy online, and not have to keep all those ridiculous passwords in their heads like so many of us struggled with.

Are passwords the best solution for securing accounts? Almost all signs point to “no,” but they are the most prevalent. So, we’re not doing ourselves justice by scoffing at them, and telling folks to move on to passwordless, passkeys, or whatever the new hotness is, that’s even more technical.

So, in the meantime, for ease and convenience, we have password managers. They’re simple and effective. And hopefully today, we’ve “unlocked” their secrets for you. See what I did there?

Until next time.
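Two mechanics from the episode are worth seeing in working code: the random generator that fills a vault entry (password, made-up security-question answer kept in the notes field), and the URL recognition that makes a manager refuse to offer your real credentials on an impostor login page. The Python below is an added example, not code from CyberMaxx or from any password-manager vendor. It assumes a small constructed word list (a real manager ships thousands of words) and a simplified matching rule: fill only over https, and only when the visited host is the saved host or a subdomain of it. The vault, the sample site and the impostor hostnames are all constructed for the demo.

```python
import secrets
from urllib.parse import urlsplit

# Constructed sample word list for the demo; a real manager ships a list of
# thousands of words, which is what makes a passphrase hard to guess.
WORDLIST = [
    "turtle", "granite", "lantern", "orbit", "velvet", "cactus", "meadow",
    "anchor", "pepper", "glacier", "puzzle", "harbor", "saddle", "thimble",
]

# Alphabet for generated answers to "security questions": letters and digits
# only, because many sites reject symbols in those fields.
ANSWER_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def random_passphrase(words: int = 4, sep: str = "-") -> str:
    """Pick `words` random words using the cryptographic RNG (`secrets`)."""
    return sep.join(secrets.choice(WORDLIST) for _ in range(words))


def random_answer(length: int = 16) -> str:
    """A made-up answer for a security question, to be stored in the entry's notes."""
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


def normalize_host(url: str) -> str:
    """Lower-case hostname with a leading 'www.' dropped; empty string if no host."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def should_autofill(saved_url: str, visited_url: str) -> bool:
    """True only when the visited page belongs to the site the entry was saved for.

    Matching rule (an assumption for this demo, not any vendor's exact logic):
    - the page must be served over https;
    - the visited host must equal the saved host or be a subdomain of it.
    Look-alikes such as example.com.evil.net or examp1e.com fail the host test,
    so the manager simply finds no entry and offers nothing.
    """
    if urlsplit(visited_url).scheme != "https":
        return False
    saved, visited = normalize_host(saved_url), normalize_host(visited_url)
    if not saved or not visited:
        return False
    return visited == saved or visited.endswith("." + saved)


def credentials_for(vault: list, visited_url: str):
    """Return the vault entry whose saved URL matches the visited page, else None."""
    for entry in vault:
        if should_autofill(entry["url"], visited_url):
            return entry
    return None


def new_entry(site_url: str, username: str) -> dict:
    """Build a vault entry as the episode describes: random passphrase, a
    made-up security answer in the notes field, and the site's URL."""
    return {
        "url": site_url,
        "username": username,
        "password": random_passphrase(),
        "notes": "Security question (mother's maiden name): " + random_answer(),
    }


if __name__ == "__main__":
    vault = [new_entry("https://www.example.com/login", "alice")]  # constructed
    for page in (
        "https://www.example.com/account",
        "https://accounts.example.com/signin",
        "https://www.example.com.evil.net/login",  # constructed impostor host
        "http://www.example.com/login",            # right host, no TLS
    ):
        print(page, "->", "fill" if credentials_for(vault, page) else "no match")
```

The important design choice is that the generator uses `secrets`, not `random`, and that the fill decision is made entirely from the saved URL, never from how the page looks. That is exactly why the manager stays quiet on a convincing clone: the clone can copy the logo, but it cannot be served from the saved host.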