What Journalists Need to Know About Password Managers

June 13, 2018

Despite its relatively low rate of adoption, there’s still a big market for password management software, and there’s no shortage of companies wanting to throw their hat into the ring. (Image by “ComMkt” via Pixabay, CCO Creative Commons)

Password managers are an incredibly valuable tool for generating and storing complex passwords. They allow users to create unique words, phrases, or combinations of letters, numbers, and symbols, for each of their password-protected accounts. Some of the more popular, time-tested password managers include 1Password, LastPass, Dashlane, and KeePass.

Even in this age of security breaches, people tend to reuse easily guessed passwords for multiple accounts, which can put their other accounts at risk after a password from a single account is dumped. According to the Pew Research Center, 84 percent of survey respondents indicated that they primarily keep track of their passwords by memorizing them, or by writing them down. This typically limits the complexity of those passwords and makes them much easier to crack.

Even those who have experienced a personal data theft or breach themselves tend to avoid password managers—only 15 percent said they use password management software for some of their passwords, and just 4 percent said they rely on password managers the most.

Despite its relatively low rate of adoption, there’s still a big market for password management software, and there’s no shortage of companies wanting to throw their hat into the ring. Many of these technologies boast that they plan on “killing passwords,” but that’s typically a bit of a misnomer. The majority of these companies don’t plan on getting rid of passwords, but rather generating, storing, and even automatically entering passwords to help manage them for users.

Many companies that claim to want to eliminate passwords are, in fact, planning on bolstering passwords rather than eliminating them altogether. Typically, this involves asking users for multiple forms of authentication—not just something they know (like a master password) but also something they have (like a FIDO/U2F key or a specially generated code through an app like Google Authenticator) and something they are (think fingerprints, iris scans or other types of biometrics).

Some companies might be hoping to replace passwords entirely with biometrics, but biometrics do have their share of limitations. Usability is one of them: users of fingerprint readers on mobile devices, for example, will point out that the readers are easily defeated by sweat, water, or gloves.

In addition to the user experience and relative convenience or inconvenience of a tool, journalists may want to dig into false match rates and false reject rates for insight and context on new technologies. Security researchers have managed to bypass iris-based authentication in certain smartphones, and to copy fingerprints from photographs, one of several reasons to be skeptical of the theory that biometric-dependent tools will render passwords obsolete.

That said, the WebAuthn (web authentication) standard, which allows browsers to expose USB, Bluetooth or NFC hardware authentication devices to websites, recently reached the “Candidate Recommendation” stage in the web standards process. Adoption rates remain to be seen.

Web authentication could prevent common types of attacks, and it’s worth noting that passwords themselves suffer security breaches quite regularly. As mentioned, easy passwords can be quickly cracked, and password managers have battled bugs, too. (Several even offer rewards to ethical hackers who find bugs before attackers do.)

Compromised usernames and passwords that are dumped online often create a ripple effect as hackers try the leaked username and password pairs against other services to check for password reuse on accounts that weren’t even breached. This is where multi-factor authentication comes in, since attackers need to access both passwords and, say, hardware or software tokens, which often thwarts their attempts. But while multi-factor authentication can make things more difficult for attackers, it’s not an entirely foolproof solution either. A lot of websites still rely on SMS codes for two-factor authentication, in spite of the fact that this puts the messages at risk of re-routing and other problems.

In general, password cracking is constantly evolving. Reporters should view password management software and tools marketing themselves as next-generation solutions with skepticism, and dig in deeper to see how these new technologies will address any drawbacks that have been documented and exposed.