Password Manager Security Practices

Consumers and professionals have several passwords that they need to keep track of. If you try to apply good password hygiene practices, you should be doing the following:

• Using long passwords or passphrases that are complex and combine upper and lower characters, numbers, and special characters. The longer, the better.
• Don’t reuse passwords. Every login should have a unique password.

The challenge with this is remembering all those long, complex passwords. Recording passwords in a document or note that you have hidden on your computer or phone or in the cloud somewhere is a very, very bad idea, even if you have applied some sort of “manual encryption” by obfuscating the passwords by mixing them up with some word or phrase or method that only you know. Don’t kid yourself if you think you can outsmart cybercriminals with manual obfuscation.

You can always write down your passwords in a physical notebook; but how secure is that notebook? Are you sure you wrote down 0 and not O, 1 and not l, S and not 5? Is that an upper-cased J or a lower-cased j? What if the notebook is lost, damaged by fire or water, or stolen? Recovering lost passwords is frustrating, time-consuming, and may sometimes be impossible. Not to mention that manually typing in a long complex password using a physical notepad is frustrating.

Enter the password manager: Software developed from the ground up to securely store all your passwords. Several provide a method of automatically filling in usernames and passwords on web applications, which is convenient. All you need to remember is a master password. Sounds great, right?

Initially, password managers were understandably met with considerable skepticism. Eventually, however, the security community accepted that using a reputable password manager enabled users to have long, unique, complex passwords, and mitigates the need to record passwords insecurely, which reduces risk overall when the password manager is used properly. However, using a password manager introduces risks. It would be very concerning if your password manager “vault” was compromised by an attacker. Security practices should be considered to mitigate the risks introduced by using a password manager:

• Use a complex password manager master password. This master password may be used for more than just securing access to your password manager dashboard. The password manager password may also be used to encrypt the password vault itself. If an attacker gains access to an encrypted password vault (say, the password manager developer is breached), the attacker may be able to use a compromised password manager password as a tool to decrypt an offline copy of the password vault and gain access to all passwords in the password vault. Again, a longer, more complex password is better, but you really cannot forget the master password. Don’t record the password manager master password electronically anywhere, just memorize this one password, or print it and lock it somewhere secure like a lockbox or a safe).
• Enabling multi-factor authentication (MFA) for your password manager master password is an absolute must. Now, enabling MFA for your password manager only protects access to your password manager dashboard; it does not strengthen the encryption of the password vault. I highly recommend having two secure methods of MFA, in case your primary MFA method is unavailable (e.g., your phone dies or your primary MFA app is uninstalled or corrupted). If you are presented with recovery codes when setting up MFA, store those codes somewhere secure, but not in the password manager (e.g., print them and keep them locked up). It may be impossible or nearly impossible to try to convince a software company to disable MFA if you lost your MFA method.
• For every password in your password manager, enable MFA where possible. Carefully consider whether you want to add any passwords for accounts that do not have MFA enabled. What if the password manager developer is breached? (Side note: Cisco Duo offers a free tier for up to 10 personal users.)

Let’s say your read or hear in the news that your password manager developer is breached. You should consider doing the following as quickly as possible. Be warned that these steps will likely not be pleasant to do, but may be necessary to protect the accounts in your password manager:

• Change your password manager master password. Again, make the password manager master password long and complex, don’t record it, and don’t forget it. Be sure of your typing accuracy when you change the password manager master password. This step alone is not necessarily sufficient if an attacker has gained access to your password vault, since (as mentioned above) your previous master password may have been used to encrypt the password vault. What changing the master password does do is control access to the password manager user interface, which is very important!
• Change the password of every account in your password manager. Yes, this can be a very long, tedious, and nerve-wracking task, and may take several days to complete. Triage, and change the password for critical accounts first. Be very careful, keep track of your old password until you test the new password for every account in the password manager. Add a note to every entry that states the date when you changed the password.
• Be extra vigilant of unexpected MFA notifications for any application, including the password manager. This could very well indicate that the password was compromised. If you get an MFA notification for an application when you did not log into that application, you should immediately change the password for that application.

Think twice before leveraging browser-based password managers. Stand-alone password managers are developed from the ground up to secure passwords. Browser-based passwords often lack the security practices that stand-alone password managers offer. When it comes to passwords, lean towards security rather than convenience.

Network Solutions, Inc does not endorse a particular password manager software. Using a password manager means accepting the risks that it poses. If you choose to use a password manager, choose one with a good reputation. If you currently have a password manager, consider its reputation before continuing to use it. Switching password managers is often not as difficult as it seems. Most password managers offer a free tier. Paid tiers are frequently very affordable. Consider the features that a paid tier offers. Also, consider that a paid tier supports the developer’s efforts to maintain a secure solution.