Here at Naked Security, we’ve been banging the drum for password managers for a long while now, and there are a number of strong examples out there in the marketplace.
For people who care deeply about privacy and security, deciding which password manager to use means making decisions about password storage, reputation, browser integration, credential sharing options, whether you want cloud-based or local password vaults, and cost.
For many though, it’s still a question of why bother at all?
Convincing people who aren’t as security-focussed as you to use any kind of password manager at all can be difficult because it adds extra complexity to something many already regard as a hassle.
That said, two juggernauts have recently entered the scene, and they will likely help password managers become more mainstream: Apple’s iCloud Keychain and Google’s Smart Lock.
Both are built-in and on by default, which could make it easier for users to make the switch to using a password manager.
Integrated password managers
The whole point of password managers is to remove the burden of having to remember umpteen passwords. Ideally, with that burden taken from us, we’ll be more likely to use different passwords for each of the websites and apps we use instead of reusing the same one (I’m looking at you passw0rd1
) or making weak iterations of the same password (passw0rd2
,passw0rd3
…).
In their current state, these password managers do exactly what you’d expect. They capture passwords that you enter on one device or website, store them in an encrypted form in the cloud and then automatically fill in your credentials the next time you need them, so you don’t have to remember them.
Your stored credentials are tied to a central identifying account with each service. If you’re logged in to your Google or iCloud account on multiple devices or browsers, any of those devices can access your credentials, no matter where you first entered them.
So an iPhone or Android user can enter their credentials into a web form on their smartphone, and then log in to that same website using the Safari or Chrome browser on their laptop, without having to remember the password, if they’re logged in to the same iCloud or Google account on both devices.
It should be noted that Apple’s iCloud Keychain can also store credit card information, and many third-party password managers do as well.
Both iCloud Keychain and Smart Lock are turned on automatically, helpfully prompting users to save their username and password for later in much the same way that browsers have been offering to do for us years, only now these credentials aren’t just stored locally, or in plain text. (No more getting stuck with an old password on a browser you haven’t used in a while, as credentials will sync to use the latest version.)
Where 3rd party managers win
Smart Lock and iCloud Keychain still have room to grow, of course. They are mostly without bells and whistles at the moment – they encrypt, transmit, and then store your passwords centrally in the cloud and allow you to lock down your password manager account with a master password and/or biometric security. Pretty standard.
Smart Lock doesn’t generate passwords for you – though iCloud can – so, Google users, the burden is still on you to think up a strong password, and undoubtedly this means a lot of people won’t. Smart Lock will just fill up with multiple copies of passw0rd1
instead of a collection of strong, rare passwords.
Where 3rd party managers lose
One area where both Google and Apple have a number of third-party password managers beat is storing credentials for smartphone apps – there are third-party password managers that do support storing app credentials, but not all of them do just yet. As of Apple iOS 11, iCloud Keychain supports app sign-ins with AutoFill.
iOS 11 users can save credentials not just for web-based forms, but even for stand-alone apps. These credentials are saved to the iCloud Keychain, and when the user logs back into the app in the future, they’ll be presented with the option to have AutoFill automatically enter their credentials and log in.
Similarly, Google notes that Smart Lock can fill in credentials for some apps, but not all.
Those of us who use third-party password managers have a few more steps to take if the app doesn’t already support grabbing credentials from password managers (switch apps, log in to password manager, copy/paste the credentials).
It remains to be seen if Apple or Google will make pulling credentials from third-party password managers easier, or if they will leave that up to individual app developers to support as they do now.
How do I enable or disable these password managers?
If you’re using a recently updated Apple or Google smartphone, unless you’ve taken steps to disable your password manager it’s likely already active and working for you. But if you want to make sure the service is enabled, or if you want to disable it, here’s how:
- Google’s Password Vault: go to passwords.google.com, sign in and disable Google Smart Lock.
- Apple’s iCloud Keychain: log in to your iCloud account on a Mac or iPhone, and check the iCloud options in Settings and select the “Keychain” option.
As these services come with your phone they’ll be an easy choice for many who may have bristled at the idea of using a password manager previously. And for those of us who want to see more people moving to password managers, no matter how imperfect, this is absolutely a good thing.
Peta
If you are using apple products personally and pc products at work would you recommend google password vault ?
Laurence Marks
> or making weak iterations of the same password (passw0rd2,passw0rd3…).
The typical process seems to be to acquire a list of email addresses/passwords that were stored in plain text or easily cracked (Adobe, for example) and then write scripts to see which ones work on other sites that use email addresses as user-names (Woot, for example). A minor change like passw0rd1–>passw0rd2 foils this attack.
Now, if it were a public figure like Sarah Palin or Donald Trump, it would be worthwhile to analyze the way the password was formed and to start trying alternatives. But for an unknown the script drops the address/password and makes no further attempts. They are only looking for the really low-hanging fruit.
Paul Ducklin
Password crackers generally have built-in features to “try common variants of the initial string”. In other words, they turn a pure dictionary attack into what you might call a “selective brute force” attack. Since this sort of attack can be automated, it doesn’t really matter whether you are John Q Citizen or Donald J Trump.
Nobody_Holme
However, where passwords from a mass breach are concerned, only a very basic set of variations will ever get tested (avoiding getting the target account locked for flooding is important, after all). While password1 won’t help, p@sswerd159 on one site and pAssworm160 on another is plenty of entropy.
For the average person’s non-critical accounts, PassWordSophostry or PassWordAmerzun would be damn close to bulletproof, and child’s play to remember without a password manager.
I do recognize the weakness of this approach, but it evades at least part of the single point failure a password manager creates.
I’m not getting started on sites who enforce maximum password lengths however… (looking at you, Virgin Media)
WaltFrench
It is SMART to understand where risks are more and less, and this comment appears to match the known exploits.
It is *NOT* smart to assume that once a black hat type has your userid & password, maybe some address or other info such as security questions, that they will stop when they don’t get an exact match. If your scheme is something like HD1234HD for Home Depot and LI1234LI for your LinkedIn account (both of those sites’ user databases have been hacked & published), it’s not that big a leap to try FB1234FB for your Facebook.com account. And GM1234GM for the Gmail account that, once guessed, can be used to RESET passwords for your financial accounts.
I’ve been online a long time. Fully a dozen sites that had my primary email & a unique password have now been compromised. You shouldn’t presume that hackers, who were both devious & clever enough to compromise databases with hundreds of millions of IDs, won’t ever learn to put 2+2 together and cause you grief.
Wilbur
I am not a Cloud fan so I keep iCloud disabled on my iPhone, but it is my understanding user data stored on iCloud is encrypted using Apple’s key, not the user’s key. So are the Keychain passwords stored on iCloud stored encrypted with Apple’s key, and are therefore accessible by the government with the proper judicial rubber-stamp?
Paul Ducklin
As far as I can see you are incorrect. According to Apple, data stored in iCloud (including passwords) is encrypted with key material that comes from you and your device, and so “…only you can access your information, and only on devices where you’re signed in to iCloud. No one else, not even Apple, can access end-to-end encrypted information.”
https://support.apple.com/en-gb/HT202303
Bob Stromberg
I use macOS, iOS, and Windows devices, and I use the Chrome, Firefox, and Safari browsers. Do Apple’s Keychain and Google’s Smart Lock work in all these environments?
El. Mich.
Storing _my_ credentials somewhere “in the cloud” and not only on devices completely controlled by myself surely seems to be one the most stupid decisions one can decide on. At least after all the revelations regarding IT security of the last years and all we know after Mr. Edward Snowdens disclosures … OMG! How can anyone only slightly having to do with IT security on any kind of professional level recommend something that dangerous like giving away all your credentials. If they are ever hacked there’s absolutely no way You can get them “back”: Once “in the cloud”, always in the cloud!
Paul Ducklin
It is possible to store data on someone else’s computer securely (in the same way that it is possible to store backup disks securely at a friend’s house) if you get the cryptography correct. Simply put, you can arrange the system so that the person storing the data has no way to decrypt it, because they never receive copies of the decryption keys.
Indeed, it’s in the interests of the company offering in-cloud storage to run things that way – it means that they can simply shrug when faced with a search warrant, because they can show technically that decryption is out of their hands. Here’s a famous (or perhaps infamous) story along those very lines:
https://nakedsecurity.sophos.com/2013/01/24/kim-dotcoms-coders-hacking-on-megas-cryptography-even-as-we-speak/
El. Mich.
Dear Mr. Ducklin!
_If_ one can really get cryptography right! At the present moment _and_ also for an (indefinite) future. And that is very often a very big problem! Because once Your data is out of Your hand there is absolutely no way to be really sure that no NSA, GCHQ, KGB, BND and so on has not got a copy of Your data which _perhaps_ they cannot decrypt at the moment but perhaps anytime in the (near) future. Cryptography algorithms have evolved constantly and surely will do that in the future. And who’s to say that AES for example really has been implemented well? Even with Open-Source-solutions very often a difficult problem but completely unsolvable with closed-source-solutions.
You really dare to state You know what for example the NSA has in store to crack most and even “strong” cryptography? What’s the purpose of NSA’s Utah Data Center? Perhaps we cannot crack it at the moment so why not store the data for future usage?
Once upon a time it was common knowledge that DES is secure … Or 1.024 assymetric keys … and so on and so forth …
Of course You are right that one can in principle, at least to common knowledge, implement really strong cryptography. But how often do we have to learn that passwords really have been stored in cleartext or without any real salting? Sorry, but the numbers are (nearly) legion …! :-(
And PFS for example is also not used very often
But the good news is: At least at the moment one is not forced to use “the cloud”.
Cheers, thanks and so long! :-)
Mahhn
One password to rule them all, is to big of a single point of failure to me.
I’m a firm believer pen and paper and my home safe over any cloud service. Even then I only write hints.
I can see how it would be convenient, and maybe for some people secure-ish, but, google has a looooooong way to go to gain my trust.
Bill G
@Bob Stromberg There ARE password managers which will work on all those devices. iCloud or Smart Lock are not one of those. Many password managers have many more features as well.