Password managers are utilities for safeguarding your passwords. By entering a single master password, you can gain access to all your securely stored passwords. This allows you to have a unique, complex password for every website and application you use while only having to remember a single master password. Sounds great, right?
Unfortunately, attackers have begun to target some popular password managers. If your computer has been infected by malware, the malware can use keylogger software to record your keystrokes when you type in your master password, stealing it. This allows the malware to gain access to your stored passwords. In this case, a password manager can actually decrease security because all the passwords can be compromised by stealing just one.
The best practice, of course, is to keep your computer free of malware. But you actually have several other options for improving the security of your password manager so that it’s less vulnerable, should your computer be infected by malware.
Some password managers, such as Password Safe and LastPass, offer virtual keyboards. Instead of entering your master password with the keyboard, you enter it with a graphic keyboard displayed on the screen. Password Safe has a little keyboard icon to the right of where you would normally type in a password, and LastPass has a hyperlink that says Screen Keyboard.
When the virtual keyboard is displayed, you click on the letters, numbers, and symbols that make up your master password. The idea of using a virtual keyboard is that keyloggers can track keystrokes, but most can’t track the screen location of mouse clicks. So when you enter a master password using a virtual keyboard, the keylogger probably won’t be able to steal it. Be careful, though, because some forms of malware can monitor screen activity and still reveal your password through observation.
A virtual keyboard provides a stronger authentication solution than typing in a password, but stronger solutions are available. A one-time password is, as the name implies, a password that you can only use one time. Some password managers, such as LastPass and Intuitive Password, support the use of one-time passwords. Because a one-time password is only good the first time it’s used, an attacker who captures it while you are using it can’t reuse it.
The list below presents computer-generated one-time passwords from LastPass. Note that there is a Print option; it is a common practice to print out these passwords and store them in your wallet for safekeeping. It may be tempting to save them in a file on your computer, then copy and paste them into your password manager as needed, but this is a poor security practice. Assuming that your computer gets infected by malware, the malware is likely to seek out text files containing passwords, and if anyone gets physical access to your computer, they could copy and paste the password and immediately gain access to everything stored in your password manager.
Another option for one-time passwords is to get a randomly generated number from a special one-time password application. A notable example of this is the Google Authenticator mobile app. Password managers such as DashLane and LastPass can leverage Google Authenticator. When you want to unlock your passwords, you go to your mobile device and generate a new one-time password using Google Authenticator. Then you type this password (typically six digits) into your password manager.
There are also password managers such as Intuitive Password that can be configured to send you a one-time password through a text message.
Another option for some people is the use of biometric readers, such as fingerprint scanners. The Premium version of LastPass and the RoboForm utility both support use of biometrics in lieu of a master password. Some computers, especially laptops, have fingerprint scanners built in, and some computers (desktops and laptops) have external fingerprint scanners.
If your device already has a fingerprint scanner, you might want to consider acquiring a password manager that can use that scanner. If you don’t have a scanner, one of the other options (virtual keyboard or one-time password) is probably a better fit for you.
A final option is multifactor authentication. So far we’ve only talked about single-factor authentication, which means using a single authentication method, typically a password. For stronger security, you can adopt multifactor authentication, which refers to using multiple authentication methods at the same time, such as a password (something you know) and a fingerprint (something you are).
For example, the password manager KeePass can use a cryptographic key file that it sets up on a USB flash drive, along with a password. If an attacker gets your password, they would still need to get your flash drive, and vice versa. But if your computer is infected with malware, it’s likely that a determined attacker could grab a copy of your key file from your flash drive as well as your password. So in this situation, multifactor authentication may not be stronger than single-factor authentication.
Most people will find multifactor authentication unnecessarily complicated for their password manager. Ultimately, if your computer is infected with malware, your passwords are at risk. And no matter how strong your password manager’s authentication method is, at some point you’ll be unlocking that secure vault of stored passwords and malware will be able to access it. Strengthening your authentication method is a deterrent, not an absolute preventative.
Recommendations for Password Manager Authentication
Using a regular password to protect your password manager is becoming increasingly risky because of malware. Consider using a virtual keyboard, or even better, a one-time password in place of a master password to thwart the possibility of malware grabbing your master password and accessing your stored passwords.
And don’t forget to follow all the recommended practices for keeping malware off your computer, such as foiling social engineering attacks, using antivirus software, and promptly installing patches and updates for your computer’s operating system, web browser, and other important applications. If your computer doesn’t get infected in the first place, the strength of your password manager authentication won’t be so important.
Are you prepared to handle the threats against your password manager? What precautions are you taking?
Image credits: Phone security by Ervins Strauhmanis via Flickr