Password Managers

The current mainstream method of authenticating to applications and systems remains a difficult prospect for most people. Password re-use is not a good idea but remembering a separate password for each system is not feasible. Biometrics and 2-factor-authentication are great solutions but not available in all circumstances, and typically the 1st factor is still a password.

My suggestion is to use a password manager. But which one?

PMs are split into 2 primary types: online/cloud and offline/local.

The online type is basically a web service/app that provides a password database along with various features like browser-assisted ( eg. via plugin ) form filling, 2FA, random password generator and more.  Examples include LastPass, Dashlane and Encryptr.

The offline type is a discrete application that you run on your device to provide these services. Examples include KeePass ( and the X variant ), 1Password, Gnome Keyring and KDE Wallet ).

My personal preference is the offline type because even if online apps indicate special protection of your data, no one has to date displayed perfect security. At least with an offline app ( and one that is audited for security issues ), your data is stored locally and protected by you.

Most recently, security flaws have been found in the LastPass browser extensions – although these flaws were patched quickly, the risk remains.

On the whole though, password managers significantly increase overall security, by allowing users to use strong passwords for internet and other services, without having to remember those strong passwords. And that is a win for everyone.

UPDATE:

So my words were barely penned when another LastPass issue came to light:

“on Saturday, Ormandy came up with a new way to perform code execution in LastPass for Chrome 4.1.43 (the current latest version of the extension). He sent the working exploit and bug report immediately to LastPass, and the company acknowledged it.”

“This attack is unique and highly sophisticated. We don’t want to disclose anything specific about the vulnerability or our fix that could reveal anything to less sophisticated but nefarious parties. So you can expect a more detailed post mortem once this work is complete.”

So it’s quite clear that online password managers are subject to the same vulnerabilities as other software and it’s probably a good idea to stay with discrete apps.