Password managers might not be at the top of your business toolkit wishlist, but when you consider the facts of how many data breaches start with weak, recycled passwords, you might begin to change your mind. I caught up with Jay Lloyd, Lead Evangelist and Data Protection Officer at Trustpage to discuss password managers, the future of passwords, and what goes into finding the right solution for your business.
Q: Why is a password manager important, and why should everyone have one (individuals and companies)?
A: Over 80% of data breaches are caused by weak passwords, most often through a phishing attack or an employee having it written down. Even big tech companies face this danger. Recently at Ubiquiti, for example, a publicly-traded company that builds routers and security cameras, an employee's password was written down, which led to hackers gaining access to company servers. In many cases, people use the same password for multiple accounts, opening the door for hackers to get into multiple areas of a company. All of this is to say that good password security can help prevent public embarrassment and any clean-up costs associated with recovering from attacks. On a personal level, it's not all that different. We may not all be CEOs of major companies, but many of us work for major companies. When we use the same passwords across personal and work accounts, we start to put everyone's security at risk. Using a password manager can minimize that risk by making it easier to use more complex passwords that you don't need to remember, and using different passwords for each account. We love to compromise as humans, but our security deserves better.
Q: Even some password managers have been hacked over the years. Why are they worth trusting?
A: It's important, in this case, to understand how a password manager is actually storing your information. One of the best methods is a "zero-knowledge" environment, which prevents the password manager from seeing the data you've stored with them. Your password generated by the manager is stored locally on your device (laptop or phone) in these situations. Then, encrypted keys used to validate your passwords are stored on the servers of the password manager. In a zero-knowledge environment, if your password manager falls victim to a data breach, all hackers would get would be encrypted keys, with no way of knowing what the password is, or which account it's even for.
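The zero-knowledge design described above, as an added example that is not part of the interview or of any product's code: the vault key is derived on the client from the master password, and the sync server holds only ciphertext plus public parameters (salt, nonce, KDF cost). It uses only the Python standard library, so the AES-256-GCM that real products use is replaced by an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag; the cipher is a stand-in, the architecture is the point. Entry names, the master passphrase and the iteration count are constructed demo values.

```python
"""Zero-knowledge vault sketch (added example, stdlib only).

The client derives the vault keys from the master password; the server stores
only the blob returned by encrypt_vault(), which contains no key material.
Real products use AES-256-GCM; the HMAC-SHA256 counter-mode stream plus HMAC
tag below is a stand-in so this runs without third-party packages.
"""
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 200_000  # demo value; choose per your threat model and hardware


def derive_keys(master_password: str, salt: bytes, iterations: int):
    """Client-side only. Returns (encryption key, MAC key); neither leaves the device."""
    master_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, iterations, dklen=32
    )
    enc_key = hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"vault-authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from a PRF (HMAC-SHA256); a stand-in for AES-CTR."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_vault(master_password: str, entries: dict) -> dict:
    """Produce the blob the sync server stores: KDF cost, salt, nonce, ciphertext, tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, KDF_ITERATIONS)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    # Encrypt-then-MAC over the public header too, so the KDF cost cannot be downgraded.
    header = salt + KDF_ITERATIONS.to_bytes(4, "big")
    tag = hmac.new(mac_key, header + nonce + ciphertext, hashlib.sha256).digest()
    return {
        "kdf_iterations": KDF_ITERATIONS,
        "salt": salt.hex(),
        "nonce": nonce.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": tag.hex(),
    }


def decrypt_vault(master_password: str, blob: dict) -> dict:
    """Verify the tag before touching the ciphertext; a wrong master password fails here."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ciphertext"]), bytes.fromhex(blob["tag"])
    iterations = int(blob["kdf_iterations"])
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    header = salt + iterations.to_bytes(4, "big")
    expected = hmac.new(mac_key, header + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def server_view_leaks(blob: dict, secret: str) -> bool:
    """What a breached sync server could learn: does any stored field contain the secret?"""
    return any(secret in str(value) for value in blob.values())


if __name__ == "__main__":
    # Constructed demo data.
    master = "correct horse battery staple"
    blob = encrypt_vault(master, {"github.com": "Tr0ub4dor&3", "bank.example": "9zQ!pL2#"})
    print("server stores:", {k: (v[:16] + "...") if isinstance(v, str) else v for k, v in blob.items()})
    print("client decrypts:", decrypt_vault(master, blob))
```

Note what the breached-server case looks like here: the attacker gets salt, nonce, ciphertext and tag, and the only way forward is an offline guess of the master password through the KDF, which is exactly why the master password must be strong and the KDF cost high.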
Q: Not all password managers are made in the same way. What are some of the ways they differ, and how can consumers find those details for themselves?
A: There certainly are a lot of similarities these days. AES-256 is a commonly-used encryption method and one that is pretty strong. Aside from that, much of picking a password manager comes down to trust: Which one has the most transparency regarding how their business and technology operate? Which one has the strongest track record of not being hacked themselves? It's important to understand not only what a business is offering as its product, but how the business itself operates behind the scenes. One of many ways that Trustpage would help in this particular example is by outlining the full scope of a password manager's security posture, from whether they're GDPR compliant, to which types of servers they use, and so much more that ultimately tells the full story of how trustworthy a company can be.
Q: Is there a password manager that stands out for Trustpage so far? Why?
A: For me, it's Keeper. One of the things that sets them apart is the emphasis their website and product places on their security features instead of on marketing language or product features. They're very thorough with their explanations of how they go about securely managing user data, which I find very reassuring. It's not always about flashy branding, especially in a situation like this.
Q: Did you use Trustpage to research password managers?
A: Yes. I used a product comparison tool we're working on to compare Keeper, LastPass, and 1Password. We're designing it as a way for consumers to find the most secure software for their particular needs. The interesting thing about that comparison is that they were all essentially identical in terms of their security posture. And so that's how trust works its way into so many purchasing decisions: use a tool like Trustpage to perform your diligence, then couple that with your own research to make a decision.
Q: What do you think comes next? No passwords?
A: Long term, it will be about getting to a passwordless environment, which uses SSO and SAML to authenticate users across different services. Many of us already use this today when we choose to "Sign in with Google" or other companies that offer such functionality. A major benefit of this is that all data flows through to one endpoint, instead of having countless credentials to countless websites with questionable security. Furthermore, by pairing SSO with biometric authentication that we all now have with things like Face ID, we may never have to come up with passwords again. That might be a bold claim, but only time will tell. Now, there are some present-day adoption challenges of SSO and SAML. For example, Heroku and GitHub, both services we use at Trustpage, require premium tier plans for SAML and SSO functionality, making increased security a financial decision for some users of those platforms. We did opt to use those plans for our accounts as we feel it's a necessity. At Trustpage, we believe trust and security should be available to everyone, which is why we've committed to always offering a free plan of our product that comes with SSO for every user.
Q: Which password manager do you use for your personal logins?
A: Personally, it's the Apple Keychain. But I will say that I'm looking into a few different options for myself. I've been thinking about how to best share logins with my wife or other family members in the event that I'm unable to access them myself, and they need them in an emergency. Of course, many of our financial accounts allow for the naming of beneficiaries. Still, beyond that, and even in that case, it would make sense to easily share accounts using a password manager. Some password managers do have sharing functionality today, but it requires lots of proactive effort. So a really seamless sharing interface is something I'd consider when transitioning to a different platform.
Q: What about 2FA? Use it or not?
A: It's always in your best interest to enable two-factor authentication (2FA). That's your first line of defense in the event your login credentials are exposed. I would also stress that you choose a 2FA method that is not SMS-based, as SMS has proven itself time and again, especially more recently, to be rather weak. Use an on-device token-based authenticator app like Duo or Authy that links your account to the device where that authenticator app was installed. Of course, this method has a few issues of its own too, particularly when you switch to a new phone as you'll have to migrate your authentication codes to that new device. Going back to the original issue of easy, recycled passwords being compromises: SMS-based authentication is a compromise. It's easier than authenticator apps, but it isn't too safe.
Q: Weak passwords aside, what's the next biggest threat?
A: With 135 million attempts made every day, phishing is definitely the next biggest threat, which is almost always designed to get someone's password from them. It usually takes the form of an email or text message that looks to be from a legitimate or familiar source when it is in fact not. A victim would click on a link and be directed to a website that looks trustworthy, then enter their information to follow the instructions in the phishing email or text, and then suddenly their credentials are in the wrong hands. Of course, the first thing to do if you think you may have been the victim of a phishing attack is to change your password, especially if the one that was leaked is used for multiple accounts on different websites. Many password managers are now beginning to alert their users of passwords being leaked, whether through phishing or other means, making it easier for users to know which passwords need immediate changing. Phishing attacks can seek information other than passwords too, so it's always important to be mindful of the authenticity of whichever website you're interacting with, or of whomever you choose to provide your information to.
Q: Do you have the same passwords on any sites?
A: I do—I think we're all bad at this to an extent. It's hard to manage it all. That's a given. If you find yourself using the same passwords across multiple sites, my first recommendation would be to decide which websites are the highest priority or most valuable and change those passwords first. Though, ideally, any password manager should be able to alert you of all the duplicate passwords you're using, and which accounts they're being used for. It can take a lot to get back on track when we realize how many websites we've signed up for, but it's well worth it in the end.
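The two alerts mentioned in the last two answers, leaked passwords and reused passwords, as one added example written for this page (it is not any password manager's code). The reuse report is a plain grouping; the leak check is the k-anonymity range lookup used by the Have I Been Pwned "Pwned Passwords" API, which the interview does not name: the client sends only the first five hex characters of the SHA-1 and matches the remaining 35 locally, so neither the password nor a hash that identifies it leaves the device. The network call is replaced by a constructed fixture (made-up breach counts) so the audit runs offline; the vault entries are constructed too.

```python
"""Vault audit: reused-password report plus a breach check that never sends the
password off the device (added example, stdlib only)."""
import hashlib
from collections import defaultdict


def find_reused(vault: dict) -> dict:
    """Map each password that appears more than once to the accounts sharing it."""
    accounts_by_password = defaultdict(list)
    for account, password in vault.items():
        accounts_by_password[password].append(account)
    return {pw: sorted(accts) for pw, accts in accounts_by_password.items() if len(accts) > 1}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


def breach_count(password: str, fetch_range) -> int:
    """k-anonymity lookup: send the 5-char SHA-1 prefix, match the 35-char suffix locally.

    `fetch_range(prefix)` returns the bucket as text, one "<suffix>:<count>" per line,
    which is the shape of GET https://api.pwnedpasswords.com/range/<prefix>.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# Constructed fixture standing in for the remote range service. The counts are
# made up; the real service returns hundreds of suffixes per bucket.
_LEAKED_FIXTURE = {"password": 9_000_000, "hunter2": 25_000}


def fake_fetch_range(prefix: str) -> str:
    lines = [f"{sha1_hex(pw)[5:]}:{n}" for pw, n in _LEAKED_FIXTURE.items()
             if sha1_hex(pw)[:5] == prefix]
    lines.append("0" * 34 + "A:1")  # unrelated entry, as every real bucket has
    return "\r\n".join(lines)


def audit(vault: dict, fetch_range=fake_fetch_range) -> dict:
    """Prioritised change list: anything breached first, then anything merely reused."""
    reused = find_reused(vault)
    counts = {pw: breach_count(pw, fetch_range) for pw in set(vault.values())}
    breached = {acct: counts[pw] for acct, pw in vault.items() if counts[pw] > 0}
    return {"breached": breached, "reused": reused}


if __name__ == "__main__":
    # Constructed vault: account -> password.
    demo_vault = {
        "bank.example": "hunter2",
        "forum.example": "hunter2",
        "mail.example": "4n-unguessable-pass-phrase-XyZ",
    }
    report = audit(demo_vault)
    for acct, n in report["breached"].items():
        print(f"CHANGE NOW  {acct}: password seen {n} times in breaches")
    for pw, accts in report["reused"].items():
        print(f"REUSED      {', '.join(accts)}")
```

To go live, replace `fake_fetch_range` with an HTTPS GET of the range URL; the function signature keeps the privacy property, because the only thing the caller can hand it is the five-character prefix.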
Q: Password managers aside, what else goes into your ideal toolkit?
A: For software environments, I would say that configuration is key. What I mean by that is when your company uses a multitude of different platforms, passwords come into play for accessing those different platforms. There will often be multiple accounts for the many employees within your company. We're starting to see many other tools being designed for this exact use case, namely HashiCorp Vault, which focuses on access control for software developers, handling more than just passwords alone, but also things like APIs and tokens.
Q: Any final words of wisdom?
A: I would say that just because you use a password manager doesn't mean you are fully protected. Things can happen, and even your password manager needs a master password for your account. Where do you store that? Passwords are a messy thing. The best things we can do are to be smart about managing them and constantly think of new ways to improve the process.