We’ve all got a long list of credentials to remember: work email, personal email, social media accounts, online banking information… the list of different usernames and passwords goes on. Where do you keep your passwords – locally or in the cloud? And which is safer? With all the password management applications out there, this is an important issue to consider. After all, what good is a highly secure password program if you aren’t able to access your data where and when you require? This article takes a look at password management locally as well as in the cloud.
Password Managers: Local vs. Cloud
Password management applications enable users to automatically log into websites, as they secure and manage all user IDs and passwords across various accounts. This can be incredibly convenient in organizing your digital life. However, local password managers just save user data in an encrypted file and store that on one computer.
The reality is that most of us have a desktop at work, another machine at home, perhaps a tablet in the living room, and a smartphone in our coat pocket. Every single one of these devices requires secure access, no matter if it’s online or offline.
Most password managers store your login information and include a password generation feature that will churn out long strings of gibberish for you to use and store. This information is encrypted and only accessible through a master password that you set.
New password managers are able to offer secure online access to passwords in the cloud, offering a single synchronized local copy of your password database on each and every computer and mobile device, despite differences in operating systems, browsers or mobile platforms. This means that you don’t have to manually update several work, home or mobile databases each time you want to change the credentials of an account. It also means that you won’t need to fret if the cloud-based password database goes down, or if the vendor disappears.
Dangers of using a password manager…
While using password managing applications appears to be a convenient and easy way to securely access your various accounts and services, there are a number of things to consider. First off, a master password may seem like a great way to organize everything, but protecting a number of accounts through a single set of credentials can be very risky. If you do decide to use a password manager, be sure to set a long, highly secure master password.
Another issue is the storage location of your password database. If you store your passwords on your local computer, you can be sure you have complete control over the encryption of login data. Should you decide to make a hundred nested TrueCrypt volumes, with three layers of 256-bit AES encryption each, and save your passwords inside, it would be totally possible! Unreasonable and inconvenient, sure, but possible.
The majority of cloud-based password managers use a single layer of 256-bit AES encryption. This means that if someone stole your data from the servers, it would take a very long time (we’re talking in the thousands of years) to crack the encryption. If someone really wants to access your data, it’d be better for them to try to get the master password itself.
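A minimal local vault of the kind described above (the master password stretched into an AES-256 key, the password database encrypted under it, and a wrong master password rejected outright), written as an added example in Go; this is not code from the original post or from any password manager product, and the PBKDF2 iteration count and the salt/nonce layout are assumptions chosen for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Vault: KDF salt, AES-GCM nonce and ciphertext+tag (constructed layout, not a vendor's).
type Vault struct{ Salt, Nonce, Ciphertext []byte }
// deriveKey stretches the master password into a 32-byte AES-256 key using
// PBKDF2-HMAC-SHA256 (one output block, spelled out to stay stdlib-only).
func deriveKey(master, salt []byte) []byte {
	mac := hmac.New(sha256.New, master)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < 100000; i++ { // assumed work factor, not any product's setting
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}
// aead builds AES-256-GCM from the derived key; with a 32-byte key neither call can fail.
func aead(master string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(deriveKey([]byte(master), salt))
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// Seal encrypts the serialized credential list under a fresh salt and nonce.
func Seal(master string, plain []byte) (Vault, error) {
	buf := make([]byte, 28) // 16-byte salt followed by 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Vault{}, err
	}
	salt, nonce := buf[:16], buf[16:]
	return Vault{salt, nonce, aead(master, salt).Seal(nil, nonce, plain, nil)}, nil
}
// Open decrypts; a wrong master password derives a different key, so the GCM
// tag check fails and no plaintext (not even garbage) is released.
func Open(master string, v Vault) ([]byte, error) {
	return aead(master, v.Salt).Open(nil, v.Nonce, v.Ciphertext, nil)
}
```

Because the only secret input is the master password, the cost of guessing it, not the cost of breaking AES, is what bounds an attacker who has stolen the file; that is why a long master password matters more than stacking encryption layers.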
Recently, there have been some impressive secondary features offered in cloud-based password managers. For instance, LastPass offers grid multifactor authentication, requiring users to print out a physical chart of numbers and letters and then enter the corresponding digits along with the master password at login. Without referencing the physical chart, no one can log in.
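The grid-card scheme described above, written out as an added example in Go (not LastPass's code): the server keeps its own copy of the card the user printed, issues a few random cell coordinates once the master password checks out, and compares the typed symbols with its own reading in constant time. The 5x5 card, the three-cell challenge and the symbol alphabet are constructed sizes for the example, not the real product's.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"math/big"
)
const (
	rows, cols, challengeLen = 5, 5, 3                               // constructed sizes, not any vendor's
	symbols                  = "ABCDEFGHJKMNPQRSTUVWXYZ23456789" // no 0/O or 1/I/L lookalikes
)
// GridCard is what the server stores and the user prints out once.
type GridCard [rows][cols]byte
type Coord [2]int // {row, col}, 0-based
func randInt(n int) int {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err) // CSPRNG unavailable: refuse to issue a card or challenge
	}
	return int(v.Int64())
}
// NewGridCard fills every cell with a random symbol.
func NewGridCard() GridCard {
	var g GridCard
	for i := 0; i < rows*cols; i++ {
		g[i/cols][i%cols] = symbols[randInt(len(symbols))]
	}
	return g
}
// NewChallenge picks the cells to ask for once the master password checks out.
func NewChallenge() []Coord {
	ch := make([]Coord, challengeLen)
	for i := range ch {
		ch[i] = Coord{randInt(rows), randInt(cols)}
	}
	return ch
}
// Answer is what the user reads off the printed card for a challenge.
func (g GridCard) Answer(ch []Coord) string {
	out := make([]byte, len(ch))
	for i, c := range ch {
		out[i] = g[c[0]][c[1]]
	}
	return string(out)
}

// Verify compares the typed response with the server's reading of the card in
// constant time (a length mismatch also fails); no card, no valid response.
func Verify(g GridCard, ch []Coord, response string) bool {
	return subtle.ConstantTimeCompare([]byte(response), []byte(g.Answer(ch))) == 1
}
```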
Criteria for selecting a password manager
Whether you’re using a local password manager, or a cloud-based application, it’s important to consider the following criteria:
- Security must be unquestionable (i.e. master password, AES).
- It should be as simple as possible to start using the password manager, without having to compromise on security.
- It must be easy to securely auto-fill usernames and passwords in the more popular browsers.
- It must be easy to capture new login information and associate it with a specific site.
- Passwords should be synced and easily accessible on all the desktop and mobile platforms that you use. Storing your passwords on a phone is more secure than carrying around a printed list of your passwords, as long as it is protected by a master password.
Depending on your specific requirements, you may also want to consider looking for additional features, including automatic form filling, secure notes, multiple identities, easy import/export, password generation and USB key support. There are also extra security features to think about, such as virtual keyboards, two-factor authentication and one-time passwords.
Password manager applications secure and manage all user IDs and passwords across various accounts, enabling users to automatically log into websites. Most password managers store your login information and include a password generation feature that will churn out long strings of gibberish passwords. These management applications can store your password database on your local machine, or in the cloud. This article takes a look at the security risks inherent to password management applications and recommends criteria for anyone looking to use a password manager in the future.
CCSK Exam Preparation
In preparation for the Certificate of Cloud Security Knowledge (CCSK), a security professional should be comfortable with topics related to this post, including:
- Encryption practices (Domain 11)
- Identity federation and authorization (Domain 12)