Password Managers

The number one recommendation from security professionals above all else is the use of a password manager.

There are four main items to consider in selecting a password management solution.

  1. There is a correlated property of security vs convenience. The more security you have the less convenience and vice-versa.
  2. What type of password database do you need (local, browser-based, or a combination)?
  3. Cross-platform compatibility (ability to use on Linux, Mac, Windows, iOS, and Android).
  4. Cost

Database type

  • A local (the database storing your passwords) solution is kept only on the computer where the software is installed. Local installations are typically designed for use by a single individual.
  • A browser-based solution is locally stored on the device and typically offsite on the provider’s servers as well.
  • A combination of the two could be using a local based solution for yourself and your team while using a browser based solution to share passwords with clients.

A typical browser-based password manager that most users would be familiar with is when entering information in an online form and the web browser asks if you would like to store the password for autofill later. With a local database the user takes the extra step to open the software from their device, enter the master password to unlock the database, and copy/paste the password into the form fields. The local database may appear like more of a hassle and that’s because it is; BUT it also provides much more security. Both local and browser-based applications should have their databases encrypted at all times with proven cryptographic algorithms. Period. If a solution says they have created their own custom crypto or algorithms run as far away as fast as you can.

Pros and Cons

  • A browser-based solution must have consistent access to the master password in order to transparently (to the user) decrypt the database, search for the correct content, and enter it into the autofill field(s). In the event of a breach, the attacker having control of the browser and master password would compromise the entirety of a user’s password database. When a device with a local database is compromised, all of the passwords should remain encrypted and unreadable. The local manager should prompt for the master password upon every use to decrypt the database meaning even if the password database is stolen it is not necessarily compromised if the master password wasn’t compromised as well and contains enough entropy (password strength).
  • Since a local password manager does not have direct access to the browser it isn’t vulnerable to attacks originating from the browser. An attack that uses a browser escape and gains access to your entire computer will obviously have access to the local password manager but still not the passwords themselves.
  • With a local manager the user must be concerned solely with their own security (attack surface, updates, et cetera). With a browser-based manager it’s possible for the company to become breached and have its customer’s password databases stolen (and has happened). A good company will keep strongly encrypted copies of its customer’s databases as opposed to in plain text so in the event of a breach the attacker only gains access to the encrypted databases. This however does not reduce the increased risk of the database being stolen in the first place.
  • Most local managers are designed for use with a single user and hence do not scale well for larger teams or use in an enterprise environment.
  • Many browser-based solutions offer the ability to easily share passwords with other individuals.

Recommendations

  • Local password manager – KeePass
    • Free and Open Source
    • Cross-platform
    • Cost is $0 and you will never pay unless you choose to donate
    • Can enable Two-Factor Authentication via plugins
    • Increased security due to being a local only database (it can be enhanced with browser functionality via plugins but if that is the main desire I would recommend another solution).
  • Browser-based password manager – LastPass (affiliate link)
    • Can enable Two-Factor Authentication
    • Easy to share passwords with others
    • Private keys used for encryption are on the local device only meaning LastPass cannot decrypt the data stored on its severs.
    • The company has demonstrated numerous times it is extremely diligent about fixing reported vulnerabilities and security flaws in the fastest manner possible.
    • Cost varies with a free tier for a single user and paid tiers ranging from $3-8/user/month for family, small business, and enterprises with additional features.
1-3 users with new passwords added somewhat infrequently
  • I recommend a local KeePass installation with a combined syncing/backup solution such as an Rsync script, Syncthing or Sync.
  • This type of solution allows easy versioning in case of a mistake/corruption somewhere along the way and can quickly provide a complete restorable database of your passwords.
  • This solution is 100% FREE
  • Cross-platform
4+ users and business/enterprise WITH EXCEPTION for small teams
  • Although the above solution will work for larger teams, it’s much more likely to run into conflicts.
  • For this category, LastPass or another browser-based manager is really the optimal solution. I’ve listed some of the reasons why above so I won’t repeat them here.
  • The ability to easily share passwords with your team and others, Multi-Factor Auth, and a slew of other features are what make these solutions the business and enterprise pick.
Small teams
  • For small teams I recommend combining both a local and browser-based solution.
  • Let’s take the example of a small 3 person marketing company who builds and maintains websites for others.
    • The 3 people on the team should utilize a local manager such as KeePass that is automatically shared and updated between them. This database should be used to store the passwords vital to the business itself and ONLY the passwords for its clients that would be needed for recovery.
    • For all work regarding a client that may need to be shared such as website logins, social media, and so on should be utilized with the browser-based manager.
  • There are two main reasons for creating a solution this solution that are extremely simple.
    1. The local database and syncing solution provides a local redundant copy of the business’ vital passwords on each device in addition to any other backup solutions in place. If a device experiences critical failure, the ability to retrieve the database from another device to get back up and running becomes minimal.
    2. In the event of when (not IF, WHEN) a breach occurs at either the marketing company or the browser-based password management company, the other party remains minimally affected. When the browser-based company is breached and the databases stolen, the marketing company’s clients could potentially be compromised but the marketing company itself is protected since its passwords were never stored in that database. On the reverse side, the clients are mostly protected if the marketing company’s local database is stolen. This could be averted entirely by not having any client’s critical passwords in the company’s local database but the reason I recommend storing critical client passwords is in the event of a browser-based company going out of business, becoming the target of a Dedicated Denial of Service (DDoS), or some another issue preventing the retrieval of a client’s most valuable passwords.