
Five features of a good password manager

Password managers, like any type of software, are not all created equal. What are the key security features that you should consider when selecting a password manager?

Given the number of different sets of login credentials we need, especially online, maintaining a strong password policy across your entire computing life may feel like an insurmountable challenge. There are some tips and tricks that can ease the procedures of secure password management, however. A rough approach that many use involves nothing more than maintaining a text file full of passwords that is kept encrypted, so that none of the passwords stored in the file ever really needs to be memorized. They are all accessible by way of a single password, which is used to decrypt the file's contents when a password is needed.

Such an approach is a bit clunky for many, however. Smoother methods of managing passwords securely exist, most commonly in the form of a type of program known as a "password manager." Numerous examples of such tools exist, of varying quality and effectiveness. Different people have different needs, and the plethora of options ensures that something "close enough" to one's needs is almost certainly available. Even failing that, there is always the option of just using an encrypted file.

Unfortunately, many people are unaware of the importance of using strong passwords that are unique in each context where a password is needed. Even if they are aware of these measures to protect their private data and login credentials, many of them do not see much value in further protecting such passwords when storing them locally. Finally, even among those who are aware of all the above considerations, many people do not consciously think through all the implications of the design and feature set of a given password manager when they select it, beyond the basics of ensuring that it encrypts stored passwords.

A number of key characteristics of a password manager are very important for securely managing passwords:

  • Encryption: Stored login credentials should always be stored in an encrypted form, using peer-reviewed, heavily tested, strong encryption, so that even if the device used to store the passwords is stolen, the thief is unlikely to be able to recover passwords.
  • Secure resource usage: A number of vulnerabilities involving unsecured resource usage are possible. For instance, using secure memory that will not be written to a pagefile or swap partition on disk guards against the danger of a decrypted password being dumped onto the disk, where it can be recovered later by a malicious security cracker.
  • Self-contained functionality: A lot of software is not written with absolute data security in mind, and it often should not be written that way if the intended functionality of the application presents no need for such security. This does mean, however, that any password management software should not trust the security of outside applications. What good is using secure memory if the decrypted passwords will just be passed directly through another application that stores everything in tempfiles that may never be explicitly deleted?
  • Usability: Quick, simple, and easy use of the day-to-day functionality of the password manager is important for ensuring that the password manager actually gets used regularly. If it is not at least nearly as easy to use for all of a user's common password needs, it may get neglected in favor of less secure options.
  • Verifiable design: Just as encryption that does not trust the user is not trustworthy, the same is true of software that handles any part of one's secure data management needs. This is especially true of something like a password manager, which manages the data used to access other applications that also need to manage data securely. To ensure that the software is trustworthy, it should be verifiable -- which means that the source code is not only available for scrutiny, but verifiably the same as the source code used to produce the actual executable program itself. Security through visibility requires open source software. Ideally, security software should use copyfree licensing policy.
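As an added example (not code from the article or any particular password manager), here is what the "secure resource usage" point looks like in practice on a POSIX system: a small buffer type that pins a decrypted secret in RAM with mlock(2), so the kernel never writes it to swap, and scrubs the bytes before the memory is released. It assumes a POSIX libc; in restricted environments mlock may be refused, which the code reports rather than hides.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

/* Holds a decrypted secret (e.g. a password pulled out of the vault).
 * The pages are locked with mlock(2) so the kernel will not write them
 * to swap, and the bytes are scrubbed before the memory is released. */
typedef struct {
    unsigned char *data;
    size_t len;
    int locked;        /* 1 if mlock succeeded, 0 if it was refused */
} secret_buf;

/* Zeroing that the optimiser cannot drop as a "dead store" before free(). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

/* Returns 0 on success, 1 if memory was obtained but could not be locked
 * (common under a low RLIMIT_MEMLOCK), -1 on allocation failure.
 * A manager should treat 1 as a warning: the secret may reach the pagefile. */
int secret_alloc(secret_buf *s, size_t len) {
    s->data = calloc(1, len);
    s->len = len; s->locked = 0;
    if (s->data == NULL) return -1;
    if (mlock(s->data, len) == 0) s->locked = 1;
    return s->locked ? 0 : 1;
}

/* Copies a secret into the locked buffer; returns the bytes copied. */
size_t secret_set(secret_buf *s, const char *src) {
    size_t n = strlen(src);
    if (s->len == 0) return 0;
    if (n >= s->len) n = s->len - 1;   /* keep room for the terminator */
    memcpy(s->data, src, n);
    s->data[n] = '\0';
    return n;
}

/* Scrubs, unlocks and frees. Returns 1 if every byte read back as zero. */
int secret_free(secret_buf *s) {
    int clean = 1; size_t i;
    if (s->data == NULL) return 1;
    secure_zero(s->data, s->len);
    for (i = 0; i < s->len; i++) clean &= (s->data[i] == 0);
    if (s->locked) munlock(s->data, s->len);
    free(s->data);
    s->data = NULL; s->len = 0; s->locked = 0;
    return clean;
}
```

This only covers the manager's own process; the "self-contained functionality" point above is about the copy of the secret that leaves this buffer for the clipboard or another application, which no mlock call can protect.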

These five criteria are of fairly universal value for a general purpose password manager, and should probably be considered by everyone designing a password manager or selecting one for personal use. Other features may also be desirable, many of which involve suitability for a particular user's workflow, and the specific uses to which a password manager may be put, as contrasted with the specific uses to which another person might put a password manager. For your particular needs, this short list of considerations will surely not be the only things worth considering, but it should offer a good start.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

18 comments
oldcobolguy

Interesting, but there are easier ways, to wit: I use a Java program to generate random 10-position passwords from ~70 ASCII characters. I store those passwords with the logon ID and other data, like the personal questions, in a password-protected Excel file on a USB drive. I NEVER check the Remember Me box on any logon website. I copy the ID and password from my Excel file into the ID and Password fields of the logon webpage. So, my password file is password protected, I only have to 'remember' ONE password so the remaining passwords can be as complex as random will make them, no logon or password is stored ANYWHERE else on the WWW, and when I go remote my USB file simply goes with me! No passwords are stored on any computer that I use, even at the library. This easily implemented technique really works well for me...

Zwort

I use MirekW's PINs. It's OSI Certified Open Source Software, standalone/runs from portable storage (including a floppy if you like that sort of thing), uses 448 bit Blowfish algorithm, and has a lot of other powerful features, including a function to generate very complex and long passwords (sometimes I am appalled at the maximum password length some sites impose). It has a tree/grouping function that makes it easier to store passwords in memorable categories, and has a basic search function. There are internal security functions; hide passwords from view unless viewing an entry; empty clipboard on minimise to tray/closure; lock database on minimise; date password/site initiated; expiry date and function; system sounds to alert user to status[...] I've been using it for approaching 10 years, possibly longer... According to Properties Plus my current file was created on 22 July 2002 19:01:43.640! Before that I used Oubliette. Like AT Notes and TrueCrypt it's one of those now taken for granted things, without which I'd be uncomfortable. It won't look very Vista/Windows 7, but I chose it for functionality not beauty. http://www.mirekw.com/winfreeware/pins.html

bboyd

Good ideas? How about suggestions for PWM software. Maybe a list of the common contenders.

Ed-M

A multi-function password manager not only stores your logins with industrial-grade encryption, but also simultaneously does the random password generation and assignment for you, does auto-logins for you instead of copying and pasting and has other time-saving functions (all in a single interface). Your method sounds harder and more time-consuming, not easier. Not to mention pretty unsecure as well. If you ever lost, or lost control of, that USB, cracking an Excel password is a pretty trivial matter these days. There are several free tools available to do it. I have the impression you've not checked out good password manager apps in a while. I think you'll be surprised how easy and feature-rich they are.

Neon Samurai

Excel may leave remnants of your login credentials in memory. There may be something available through the swap file or a cold ram attack. Excel may not be using protected methods for copying your name and password into the login fields. Any existing sniffers on the system will easily capture your login and password during the copy/paste. Excel password protection may be breakable. Even if not easily broken, the file may not be encrypted meaning that data can be sucked out of it though it may not open through Excel without the password. Better to trust your information to an encryption application rather than MS Excel password protection. Otherwise, you seem to be getting the functions and benefits of a password manager like Keepass. Portable Keepass on your USB may be a nice upgrade to your approach.

Ed-M

I've done some extensive testing and use of several products over the years. (Password Corral, Oubliette, Robo, Lastpass, PassPack (online) and KeePass.) We were looking in our case for the solution with the most mobile, cross-platform potential as well as pretty much all the other criteria mentioned. KeePass rather amazed us, especially the newer pro version (http://keepass.info/news/n090912_2.09.html). Of course, cost was not outside the scope of consideration either, although most products are free. KeePass has the added dimension of keylogger protection, a raft of extensions and plugins, including one for FireFox that makes it into a decent form-filler as well. It is scriptable and can work from a master hotkey for any kind of login for any kind of application, online or off. I keep my encrypted KeePass database in a private Dropbox folder and have it shared and synchronized between four computers as well as my PortableApps version on my thumb drive and my Ubuntu VM. It's configured on all the computers to automatically generate a local backup. No problem when switching from another product. It imports databases from a long list of them, including your Firefox password store. One interesting thing I accidentally noticed in the pro version was that after I defined which password pattern I wanted for a long list of logins I was creating, its preview returned to me 30 different passwords that conformed to the pattern on a single screen. That saved me some time. I'd say its uniqueness from other products is that it can be a production tool for security techs as well as a very worthy personal password manager. I hope that came across as an objective review. I have a soft spot in my heart after long use of a couple of the other products, but I finally had to say goodbye. Ed

203T

KeePass FAQ says: "Is the Auto-Type feature resistant to keyloggers? By default: no. The Auto-Type method ... and consequently is not keylogger-safe. ...KeePass features ... TCATO, which renders keyloggers completely useless" (edited for brevity). Further reading says you have to enable TCATO for each entry. So, while it's possible, it isn't practical.

edwill4500

I've used eWallet for almost five years now and it's a great product! eWallet is highly configurable and supports password management for my Windows XP and Win-Mobile devices. On the two occasions where I needed support for some questions, illium support responded in a timely and very helpful manner. eWallet is compatible with a number of O.S. and hardware platforms. Typically, I don't make product suggestions but, in the case of eWallet, I've been very pleased with the product and support.

jrpettit

Been using this program since 2005.

Michael Kassner

I have admired Mr. Schneier forever. He recommended an application called Password Safe. I have been using it since beta. I would love to learn what others thought about it. After reading Chad's list of requirements, it seems to meet most. Yet, I am by no means an expert. http://passwordsafe.sourceforge.net/

apotheon

"It does all of the mentioned suggested requirements and so much more." Really? I was under the impression it was proprietary closed source software that was tightly integrated with browsers -- thus violating the "verifiable design" and "self-contained functionality" requirements.

gothkittykiss

I've also been using Roboform for many years now, back when it was known as "Gator". I'm extremely happy with the program. It does all of the mentioned suggested requirements and so much more. The amount and type of data able to be stored in the program gets better with every release. The updates always add super new features, and keep up with the ever-changing O/S's, Internet browsers, etc. I was using Win98 when I first started using Roboform, and it's come right along the operating systems with me to where I am now, using Vista64 SP2. Not only does it maintain and generate passwords for me, it's a great form-filling application and holds all of my family's sensitive info (such as banking) and it's so versatile that it crosses over a multitude of applications. It has a great feature for off-site back-up and synchronization so data loss on my local machines is not a completely terrifying experience! It's extremely user friendly, and I believe that is what prompted me to use it in the first place. Customer service is fantastic, too. What always amazes me is when I come across a website that I haven't visited in 6 years, and Roboform still has my log-in information for it. I love that! No tedious and needless re-creation of the wheel (user profiles and log-ins, in this case) for sites that haven't been visited in years. I absolutely love Roboform, recommend it, and would be so very upset if the company discontinued the product any time soon.

LarryBoy2

Cross platform support is probably the one drawback to Password Safe. That isn't an issue for me, at least yet, but for those who need it, I can understand where it would be a problem.

LarryBoy2

For a year or two I have been using Password Safe, as well, for similar reasons. If Bruce Schneier recommends it, I figure it has to be worth its salt. http://www.schneier.com/passsafe.html I've found it to be fairly easy to use, and it seems to meet all the stated criteria. But a comparison would still be interesting.

Neon Samurai

Password Safe was my first unless one can consider Locknote in the same software class. My only complaint about Password Safe is cross platform support. The Maemo version did not support the same data file format as the Windows and general desktop versions. Maemo's Password Safe build may have been updated finally but the delay drove me to look at Keepass and I've not looked back since.