Research into the risks and benefits of password managers

Passwords, one of the earliest forms of online security, are crucial to securing accounts, applications, devices, and data. Despite the various challenges they pose, they are unlikely to become obsolete any time soon. The main problem with passwords is their number and frequency of use. Because people access many different websites and apps every day, they often have to remember dozens of passwords, which leads to password fatigue.

To overcome these challenges, password managers have proven to be a viable solution. These software applications create complex passwords and store them in an encrypted database that can be accessed through a single master password. Leading password managers come in different forms: some are standalone applications, while others are integrated with operating systems or are browser-based. In the Bitwarden Password Decisions 2023 Survey, 84% of respondents recognized them as the solution for managing passwords at work.

The dual sides of password managers

Password managers are advanced applications designed to store an extensive database of a user’s passwords, making the challenging task of remembering complex login details a thing of the past. The key to this vault is a single master password. Once it is entered, users gain access to all the passwords held in the manager.

Many of these tools include password generators that produce complex login credentials on request. They also offer autofill, which eliminates the manual chore of entering login credentials – a benefit that is especially valuable to mobile device users.

However, given the potential vulnerabilities of the hosting servers, using online password managers comes with its own risks. In short, these tools significantly raise security standards, but they do not provide absolute invulnerability.

Pedro Fortuna

CTO and co-founder, Jscrambler

The pitfalls of automatic autofill

Although designed to increase security, password managers’ autofill functionalities can inadvertently place login credentials on questionable or malicious websites.

Cybercriminals trick these managers by manipulating website components or by building convincing phishing sites. This becomes a bigger problem when users do not do the due diligence to verify the site’s authenticity and instead rely too heavily on the autofill feature. Such negligence can inadvertently hand their credentials to adversaries, leading to potential account breaches.

Additionally, Google’s January advisory revealed that several password managers were prone to accidentally autofilling login credentials on untrusted pages, posing a tangible risk of account compromise to users.

Specifically, Safari and browser extensions such as Bitwarden and Dashlane were identified as potentially autofilling credentials into forms embedded in sandboxed iframes. Fortunately, these shortcomings had been resolved by the time the advisory was published.

Understanding password managers

In light of these revelations, our security research team conducted extensive testing on common browsers and password managers, evaluating how they respond to same-origin and cross-origin iframes, especially those without a sandbox.

Our observations highlighted the robust security policies of Chrome and Firefox: neither autofilled login credentials into such frames, nor offered to. In contrast, the Edge browser automatically filled in the username or email address field, although the password field was left untouched.

Among password managers, Passbolt and 1Password emerged as the security leaders: they do not autofill on their own and instead leave the choice to the user. Bitwarden and LastPass take a different approach: they show the user a precautionary notification when login credentials may be sent to a different domain. This prompt lets users accept or decline the autofill, even in cross-origin iframes without a sandbox.
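To make the behaviours compared above concrete, here is an added example (not Jscrambler's code and not any password manager's implementation) of an autofill decision that denies fills into sandboxed or off-site frames, prompts for cross-origin iframes the way the notification described above does, and fills silently only for a same-origin form on the credential's own site. The registrable-domain helper and the input shape are assumptions for this example.

```javascript
// Added example: a defensive autofill decision modelled on the behaviour described in the article.
// Inputs are plain strings so the logic runs in Node without a browser.

// Registrable domain, simplified to the last two labels of the host.
// Assumption for this example; real extensions use the Public Suffix List.
function siteOf(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

/**
 * Decide whether a password manager should fill a login form.
 *   topOrigin   - origin of the top-level page the user is looking at
 *   frameOrigin - origin of the document that contains the form (equals topOrigin if not framed)
 *   formAction  - URL the form submits to (defaults to the frame's own origin)
 *   savedSite   - hostname the credential was saved for
 *   sandboxed   - true when the frame carries a sandbox attribute
 * Returns "fill", "prompt" or "deny".
 */
function autofillDecision({ topOrigin, frameOrigin, formAction, savedSite, sandboxed = false }) {
  const top = new URL(topOrigin);
  const frame = new URL(frameOrigin);
  const action = new URL(formAction || frameOrigin, frameOrigin);

  // Never fill over plain HTTP: the credentials would travel in cleartext.
  if (frame.protocol !== "https:" || action.protocol !== "https:") return "deny";
  // A sandboxed frame has an opaque origin (the case behind Google's advisory): never fill.
  if (sandboxed) return "deny";
  // The document that can script the fields belongs to a different site than the credential.
  if (siteOf(frame.hostname) !== siteOf(savedSite)) return "deny";
  // The form would submit the credentials to a different site.
  if (siteOf(action.hostname) !== siteOf(savedSite)) return "deny";
  // Cross-origin iframe: the form is the right site's, but the embedding page is not.
  // This is where a precautionary notification lets the user accept or decline.
  if (frame.origin !== top.origin) return "prompt";
  return "fill";
}
```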

Secure password management depends not only on users choosing strong passwords, but also on choosing a password manager carefully and using its features with care. We strongly recommend that users disable all automatic autofill features and trigger autofill manually only when they are confident that the presented form is legitimate and needs to be completed.

Best practices for a robust password

Password security is of paramount importance, not only for individual users, but also for the broader integrity of databases. While protection mechanisms can mitigate some user errors, individuals remain particularly vulnerable when they use weak passwords. What is a robust password?

1. Use alphanumeric characters: While recent studies suggest that simply mixing upper and lower case letters won’t dramatically increase password strength, including them still strengthens defenses, if only marginally.

2. Embrace length: One of the most effective strategies is to lengthen your password. A longer password substantially increases the effort needed to recover it. Familiarize yourself with the latest guidance, which favors extended passwords.

3. Integrate symbols: Current research underlines the effectiveness of symbols. Including them turns out to be more powerful than switching between uppercase and lowercase letters.

4. Prioritize unpredictability: Coming up with unconventional passwords is key. Avoid the temptation of dictionary words or predictable sequences. Strive for originality and frustrate potential attackers.
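As an added example (not from the article), the four guidelines above written as a checkable policy of the kind a business password manager enforces, together with a search-space estimate that shows why length outweighs character classes. The minimum length, the tiny word list and the sequence length are assumptions for this example.

```javascript
// Added example: a policy check encoding the four guidelines, plus a brute-force search-space estimate.
const MIN_LENGTH = 14;                                                     // assumed policy minimum
const COMMON_WORDS = ["password", "welcome", "letmein", "qwerty", "admin"]; // constructed sample list

// True if any run of `runLength` characters ascends, descends or repeats (e.g. "abcd", "4321", "aaaa").
function hasSequence(pw, runLength = 4) {
  const s = pw.toLowerCase();
  for (let i = 0; i + runLength <= s.length; i++) {
    let up = true, down = true, same = true;
    for (let j = 1; j < runLength; j++) {
      const d = s.charCodeAt(i + j) - s.charCodeAt(i + j - 1);
      up = up && d === 1; down = down && d === -1; same = same && d === 0;
    }
    if (up || down || same) return true;
  }
  return false;
}

// Brute-force search space in bits: log2(alphabet^length), where the alphabet is the
// union of the character classes actually present. Each extra character adds a full
// log2(alphabet) bits, which is why length dominates over adding a class.
function searchSpaceBits(pw) {
  let alphabet = 0;
  if (/[a-z]/.test(pw)) alphabet += 26;
  if (/[A-Z]/.test(pw)) alphabet += 26;
  if (/[0-9]/.test(pw)) alphabet += 10;
  if (/[^A-Za-z0-9]/.test(pw)) alphabet += 33;   // printable ASCII symbols
  return alphabet ? pw.length * Math.log2(alphabet) : 0;
}

// Returns the list of violated rules; an empty list means the password passes the policy.
function checkPolicy(pw) {
  const problems = [];
  if (pw.length < MIN_LENGTH) problems.push("length");                                              // rule 2
  if (!/[a-z]/.test(pw) || !/[A-Z]/.test(pw) || !/[0-9]/.test(pw)) problems.push("alphanumeric");   // rule 1
  if (!/[^A-Za-z0-9]/.test(pw)) problems.push("symbol");                                            // rule 3
  const lower = pw.toLowerCase();
  if (COMMON_WORDS.some(w => lower.includes(w)) || hasSequence(pw)) problems.push("predictable");   // rule 4
  return problems;
}
```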

What should you look for in a business password manager?

When security administrators evaluate password management solutions for their business, there are a few key aspects to consider, and the right choice can be crucial for companies of all sizes. Unlike consumer versions, business password managers allow setting and enforcing password policies (length, complexity, change frequency, etc.). Additionally, they often include a feature that analyzes stored passwords for weaknesses in light of current security trends.

While MFA and strong encryption are no longer solely the domain of enterprise password managers, they remain the key elements to analyze before making a choice. A growing trend is the integration of behavioral analytics, powered by machine learning, which allows administrators to identify and address risky user behavior.

Today’s enterprise password managers are becoming increasingly sophisticated, but many still lack the tools to develop effective password compliance programs. However, this functionality is expected to become more common, increasing the ability of security teams to effectively enforce and manage password security.

By adhering to these principles, users can significantly reduce their vulnerability in the digital sphere. Password management services require a two-way relationship. It is important that we do not rely solely on this advanced technology, but instead remain judicious and proactive in our online behavior. Despite being formidable allies in online security, they are not without their intricacies. Understanding the nuances and potential dangers associated with autofill features is critical to protecting users. We advocate a more cautious approach: disable the automatic autofill feature and opt for a manual trigger instead. Users should activate autofill only if they are confident in the authenticity of the form.

