.

Password Managers?

<<

SephStorm

User avatar

Hero Member
Hero Member

Posts: 569

Joined: Sat Apr 17, 2010 12:12 pm

Post Mon Feb 06, 2012 7:30 pm

Password Managers?

I was reading an article today and at the end the author noted the well know issues with password security (specifically email passwords, and by default the keys to the kingdom). And he said the same thing that I have always seen, it is the users fault blah blah.... simple passwords... and then he said something interesting.

Yes, he realizes that users have a lot of passwords to remember, but his suggestion was that PW managers voided that argument. Now I have never been a fan of PW managers. My perhaps unreasonable suspicion was that someone would include callback functionality in at least one of these programs that would send all of your passwords happily home. Or that this archive is a good thing an attacker would go after.

Am I just being paranoid? Are PW managers really that secure and trustworthy? Should they be deployed in the enterprise?
sectestanalysis.blogspot.com/‎
<<

dynamik

Recruiters
Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Feb 07, 2012 8:33 am

Re: Password Managers?

It obviously depends on the scenario, but there are many reasons to go with an enterprise-class password management product (i.e. shared accounts, service accounts, etc.). This is an example of a product (there are many others) that does auditing, check-in/out, integrates with RSA for two-factor authentication, and so on: http://www.manageengine.com/products/pa ... index.html

Personally, I use 1Password on my iPhone, iPad, and desktop. As long as you're getting your software from a reputable company, you should be fine. There will always be exceptions, and even a trusted company may have a rogue employee slip some extra code in. It's up to you to make that determination based on your risk appetite. If you're not comfortable with a commercial product, you can get by with a spreadsheet in a TrueCrypt archive. If you're extremely paranoid, use open-source password managers and review each line of code, or write your own ;)
The day you stop learning is the day you start becoming obsolete.
<<

Triban

User avatar

Hero Member
Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Tue Feb 07, 2012 9:24 am

Re: Password Managers?

Nothing is ever full proof and there is always risk involved.  Like Dynamik mentioned, if you go with an enterprise class product from a proven/trusted vendor then you lower your risk significantly compared to using less costly products.  Personally I like password safe. 

To the point though, I would rather have my clients using complex long passwords that differ from each account/website than one simple password.  I would simply instruct them to just use the auto-generator for all new site/app accounts.  They can then set an easily remembered passphrase on the safe and another passphrase to log onto their system, or utilize smartcards or other two-factor process for logging into their desktops.

I think educated the users of the "Why" rather than just telling them to do it will probably have longer lasting effects.  "If you use a simple password or right them down and hide them in your keyboard, it will be your fault that the company gets breached and hundreds of people are now without a job..." :D
Certs: GCWN
(@)Dewser
<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Wed Feb 08, 2012 8:51 am

Re: Password Managers?

For me it comes down to a basic risk decision once you can get your brain past the psychology of risk (Our brains are fundamentally flawed when it comes to calculating risk).

Online password manager like lastpass which on the surface sounds like a really bad idea

Impact is high for compromise since they have all my credentials mitigated somewhat by their use of encryption. I also use a robust 2 factor auth with the service so credential harvesting attacks for my lastpass account would be somewhat ineffective.

Likelihood is fairly low given their effective security posture and excellent incident response


vs

Password reuse for all sites


impact is very high since a single compromise means all my sites are compromised

Likelihood is very high since any one of the sites I frequent can lead to compromise.

vs

Use different password for each site and manage myself in Truecrypt protected datafile

Definitely the most secure option, but yeah that's too much work especially given the wide variety of platforms I utilize. Lastpass works on every platform I commonly use.  Afterall, I'm a user too. Guess which option I choose? Is it perfect? No, but I think it's the best combination of security + usability.

I think we could probably diverge the discussion on how usable security solutions that are technically less secure are in actuality more secure than the more rigorous and less usable counterparts because users will comply and not seek to subvert the controls due to complexity or inconvenience. Generally speaking of course, swiss cheese is still swiss cheese.

BTW I'm not advocating this for enterprise usage, I still think an internally managed product like Cyber-Ark or something similar is a good fit but that's out of my personal budget. For $12/year, Last Pass Premium service fits the bill nicely for my personal stuff.
Last edited by tturner on Wed Feb 08, 2012 8:57 am, edited 1 time in total.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org

Return to Other

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software