
Powerful Password Manager Advantages and Disadvantages to Watch Out For

BY UNTETHERED LABS

A password manager is a digital tool that securely stores and manages login credentials (username, password, and more) and other details. Features a password manager may offer include the following:

  • store passwords for various websites
  • detect websites in a browser and automatically fill in saved passwords in form fields
  • capture and save passwords entered into new websites
  • auto-fill passwords so users don’t have to remember them
  • random secure password generator
  • password strength and/or complexity reports
  • multi-factor authentication (MFA)
  • credential backups
  • password encryption / obfuscation
  • single sign-on (SSO)
  • role-based permissions for elevated authorization levels
  • password management such as password synchronization
  • password change scheduler
  • username and password import / export capability

Password managers come in multiple forms, including web-based, desktop-based, and token-based. These password management mechanisms have different advantages and disadvantages with regard to convenience and security. For many IT managers, choosing the right password manager depends on knowing the risk factors and features offered by each.

Web-Based Password Manager

Web-based password managers are the most mobile, but may also be the most vulnerable.

The advantages of web-based password managers over others are primarily portability (they can generally be used on any computer with an Internet connection) and a reduced risk of losing passwords through theft of or damage to a single PC. That same risk does, however, still apply to the server on which users’ passwords are stored. Additionally, most commercial web-based password solutions offer integration with multiple browsers – Chrome, Firefox, Opera, Edge, and others. This lets the same web-based password manager be used according to the user’s browser preferences.

The major risk consideration of online password managers is the security mechanisms in place at the hosting site. With the rapid increase in the use of web-based password management tools, the companies offering these solutions are routinely targets of cyber attacks themselves. Another risk factor is the master password each user sets up to log in to the password manager itself. A simple master password increases the risk for the user, since all of their stored passwords could be exposed if the master password is compromised. Some web-based password managers also offer multi-factor authentication in addition to the master password to increase the security of a user’s stored passwords. Organizations utilizing web-based password managers should enforce multi-factor authentication in place of a master password for all users.

Desktop-Based Password Manager

Passwords aren’t sent over the Internet so this method is the most secure.

With password managers implemented as desktop applications, the risk of losing passwords because the solution provider’s servers are compromised is eliminated. Passwords are stored on individuals’ computers instead of on a common server, thereby reducing the threat footprint significantly. Additionally, these password managers can be used even when the computer is not connected to the Internet – a big advantage for professionals in industries where an Internet connection is not always available.

The downside to using desktop-based password managers is that the passwords are not shared across the computers the employee uses. Furthermore, the desktop password management software has to be installed on each computer (more setup required for IT). Passwords may not be available when you try to log in from a new computer or location for the first time. But once set up, these password managers can be very effective for logging in with reduced effort.

Token-Based Password Manager

Users don’t have to worry about remembering any passwords, just carry another key.

Physical tokens like USB keys, key fobs, smart cards, and phone apps can also be used as password managers. Passwords are encrypted and stored on the physical electronic device instead of on a computer or a server. The biggest advantage is that physical tokens are not directly exposed to the Internet, so the probability of their being hacked is greatly reduced. To protect against unauthorized reading or exposure of the data, the stored credential data is normally encrypted. This method may still require software installation on each workstation.

One of the leading risks with a token-based password management system is that the password is on the token device itself. Tokens that store the password are at additional risk of credential theft through man-in-the-middle attacks, spoofing attacks, and million message attacks.

OTP and MFA (multi-factor authentication) are usually offered as features along with the token. The other factors could be something you know (password/passphrase/PIN), something you are (biometric fingerprint, facial/voice recognition, retinal/vein/hand scan), and/or something you do (walking signature, signing signature).

Hybrid Password Manager

A combination of web, desktop, and token-based password managers.

Hybrid password managers combine web, desktop, and token-based password managers, utilizing the benefits of each to meet the various needs of IT managers and their users. Offerings can include a password manager that utilizes a token as a factor but stores the secure password on the computer itself, so that there is no over-the-air transfer at risk of being spoofed. Software will need to be installed on each computer, but this can easily be done by the IT admin from a central admin console.

Combining the various types of password managers into a unified solution allows the IT admin to reduce the risks associated with each type while taking advantage of the inherent security enhancements of each. For example, using a token to authenticate the user to a password manager frees the end user from depending on a master password. And by not storing the passwords on the token itself, it reduces the risk of losing passwords if the token is lost. By combining desktop and web-based password managers, a hybrid solution can allow passwords to be accessed even when the network is not available, while still making passwords available on every computer the user logs into by synchronizing them through the common password server.

Summary

Regardless of the type of password manager, most are designed to provide several fundamental benefits to their users. Some password vaults work across multiple platforms, while others are best suited to those who use a single platform for most of their needs. To recap, password managers generally offer the following advantages for an organization.

  • Fewer helpdesk calls for forgotten passwords
  • Less downtime from being locked out
  • Fewer passwords to memorize and manage
  • Relief from password fatigue / stress (“password chaos”)
  • More easily manageable credentials
  • Lower overall risk of credential exposure

Every type of password manager has its advantages and is built for particular needs. Choosing the password manager that best fits the organization’s workflow requires careful consideration of new viruses and malware, security posture, macro-risk factors, compliance mandates, and more. When used properly, password managers are a great tool for building and maintaining a secure digital posture.

About GateKeeper Proximity

Automating security culture across the world, the GateKeeper password manager enhances compliance and cybersecurity through mass automated authentication. Through efficient wireless authentication, GateKeeper protects networks from internal breaches and confidential data exposure with patented solutions that include two-factor authentication, centralized password management, and comprehensive auditing, all designed to reduce support time and costs while enhancing security and compliance. Passwordless proximity passwords. For more information, please visit gkaccess.com or email info@gkaccess.com.
