Password Managers: Devil's In The Details


How Can Giving All Your Passwords to a Password Manager Be Safe?

August 2018

Passwords are dead; long live the password! Passwords are unequivocally the most used entry point to anything online, and the most insecure. Users know this. Companies know this. And hackers certainly know this. Creating complex passwords is important, but managing them – remembering them, updating them, etc. – is cumbersome. Password managers help, but are they secure? Given the rampant data breaches that seem to occur every few weeks – and those are only the ones we hear about – how can giving all your passwords to a password manager be smart? Forsaking security for convenience: is there a better way?

Let us dissect why passwords aren't going anywhere – at least not yet – along with a novel solution for solving the problem of password management while still maintaining security.

Biometrics Are Different from Passwords

It's important to point out first that a password is something that is created by the user. This sounds simplistic, but consider it. A password is something that, when created properly, is associated directly with the user, and only the user and the system know it. Now, if we introduce alternatives, namely biometrics such as fingerprint readings or facial recognition, it's supposed to be data that represents only you. Why is this different? When a system uses biometrics for authentication, the system must rely on third-party software to provide accurate information to indicate whether the fingerprint is a match or not. The software itself could be buggy or contain hard-coded logic to provide false positives.

Even if open-source biometric matching software is used, which would facilitate the discovery of bugs and incorrect logic, what is used to produce the "match" is not the open-source code but the binaries after that code has been compiled. Therefore, the compiler could be compromised, and this poses a security risk.

And the biggest as-yet-unsolved problem with biometrics is that they are not renewable. In the rush to build accurate biometric analyzers, they are based on the premise that your face, fingerprints, heart rate, gait, voice, etc. are uniquely yours, which currently they are. Until they're not. When your personal biometrics are stolen – which they will be – how do you replace them? Grow new fingertips, alter your voice or buy new retinas? The black market of body part replacement à la the movie Minority Report will be a real thing.

How to Use Passwords to Reduce Security Risks

When a user thinks up a password, there is no need to rely on any third-party software; thus, it's a direct connection between the system and the user. Using third-party software to provide accurate information poses security risks. Therefore, using a password for authentication decreases security risks, when used correctly.

How does one improperly use a password? Here is where the crux of the problem resides. There are enough vendor-neutral reports today that show that most people, sites, and companies are using or require the use of passwords the wrong ways, posing imminent security risks. The main issues with passwords are well known. A password must be long and complex enough to be secure, should not be comprised of known words, sequences or repetitions, and should not be reused. For all of these reasons, a complex password should be long and random, which means that it's difficult to remember and takes a long time to type in using a keyboard. Thus, a properly created and utilized password has become less convenient to use.

For convenience reasons, people understandably like to use the same passwords that they've memorized over and over. Some people have been using the same set or variations of the same passwords for all their logins for years because it's easy to log in using that same password they can remember. Sometimes people add a few characters to it when a system forces them to change a password. It's done for convenience. Unfortunately, because that same password could have been compromised from a system that failed to report it to anyone, security risks increase every time it's used.

To improve security, systems create minimum password requirement rules, making it harder to memorize passwords. These are usually some combination of upper- and lower-case characters, numerics and/or symbols. Users may find themselves trying to remember if it was Citibank or their 401k savings account that doesn't allow special characters. Out of frustration, many of us just never change them once we get in, with a weary shrug and an "If it ain't broke, don't fix it" attitude.

Website Security

Let's talk a little more about these websites that we log into so gullibly, giving them our credit cards, bank information, logins, mother's maiden names, dates of birth, and so much more. First, many sites are still using plain HTTP for authentication, ignoring industry best practices, which have standardized HTTPS/SSL to cover logins. Every user is responsible for taking note of such systems and avoiding using them, or else they are exposing their passwords for anyone to grab. There is at long last momentum in the industry to report such systems and force sites to use HTTPS. This is all good news, and this issue has almost been eliminated by now, even though using them across unsecured wifis remains a big problem. But the other issue is that many sites are not encrypting passwords inside their systems, going against all best practices. If hacked, your password will be compromised. We've all heard enough reports of companies being hacked and passwords being exposed, and those are just the ones that are known. Due to the bad publicity, of course, some companies fail to report hacks to their users. This is one of the main reasons you see policy rules in companies that care about security that force you to change your passwords regularly.

These challenges are the reasons why password managers were created, but not all password managers are secure. Using third-party tools could increase security risks, so it's imperative that you use a secure password manager.

Sharing Passwords

Sometimes we have to share passwords with other people. It's not a best practice, but it happens all the time – consultants, colleagues, family members. If you are the user who creates a password and uses various versions of that password over and over again ("JaneDoe1", "JaneDoe11", "Jan3Do3", etc.), you don't want to share that with anyone lest they figure out that you use variations of "JaneDoe" for everything. Therefore, you have to come up with a new one. It's harder to remember another one. How many can you handle?

And how do you share a password? You can send an email to your colleagues containing the password, but it will expose your password to anyone who can see that email. Plus, is your email even encrypted? Most systems aren't. You can simply write it down on a piece of paper or have a conversation over the phone. You call that convenient? If you must modify it because it has been compromised, then you need to do the same steps over again. That's also frustrating.

Why You Need a Password Manager

The longer a password is, the safer it is, but with each character added for safety, it's equally less convenient to memorize it as well as to enter it using a keyboard.

Some of the benefits you should expect from using a trusted password manager include:

- Ability to generate long and complex passwords.
- Ability to reconstruct existing passwords, not storing them in their database waiting to be exposed.
- Ability to share a password with other people safely.
- No need to remember any passwords.
- Convenient enough so that only a few clicks and keyboard keys are used to enter a password. For example, a password of 32 characters would take less than three clicks to enter into a site, whereas entering it one by one would take a while and inevitably be error-prone.
- Encrypted and using HTTPS/SSL, following best practices.
- Does not force you to reveal your passwords. This is easy to say but not easy to do, since most existing password managers require users to reveal their passwords, and by doing that, the passwords are already compromised.

What Makes the PasswordWrench Approach Different?

Now, we're going to dig into our system, as we've taken a novel approach as a solution: PasswordWrench. Our solution is intriguing because the system does not record passwords and does not ask users to reveal their passwords, already leapfrogging it ahead to be one of the more secure password managers. But you want to know how it works, if it is easy to use, and whether the balance of convenience vs. security is met.

The basis of the system uses an innovative approach, mixing what is termed a "Password Card" alongside a "Password Hint." The Password Card is a grid of random characters, as seen in Illustration 1. The Password Hint is a hint that is recorded in the database in order for users to "reconstruct" their password when needed. Let's show some examples of how this system meets the needs of convenience while still eliminating potential security threats.

Illustration 1: Example of a Password Card

The application allows you to generate a password automatically using different shapes such as a line, a Z shape, an L shape and so on. You can pick any shape you like. In this example, here we show a "Z" shape.

Illustration 2: Example of an automatically generated password, Z shape.

In Illustration 2, you can see the Password Card and a Z shape of selected characters which represent the password that it auto-generated. What PasswordWrench is recording in our database is the "Password Hint" generated (i.e. L3-S3-L10-S10), and not the actual password. All the information recorded is encrypted, like any good password manager does, but in this case, if hacked, like many other good password managers have been, the hacker will obtain only an encrypted Password Hint. Without the Password Card, it's useless. The Password Card is generated on the fly and does not reside in the database, so a hacker won't be able to generate the Password Card. It's also convenient to use in this mode, since only two clicks were necessary to generate a 22-random-character password.

In general, as security experts, we don't like auto-generated anything, especially not when it comes to our passwords. The attraction is clear for most users, but automated mode is not a high enough priority for people who care about security standards. So, even if it's one of the most secure existing password managers, there are still very real potential security threats that a user might want to eliminate. Let's talk about them and see if and how they can be addressed.

As mentioned above, using the automated feature of PasswordWrench, even if the Password Hint is the only thing recorded (such as L3-S3-L10-S10), there remains the extremely unlikely scenario where someone gained access to the database AND knew the system's always-changing algorithm. You, as a user, can simply eliminate that threat completely by creating a Password Hint yourself manually. Using the same Password Card above, instead of generating an automatic password, we can enter a hint in the Hint field. In this example, we could write something like "Row 1", which would mean the characters on the Password Card in row 1. Now, we obviously want to come up with a Password Hint that is not that easy to reverse engineer, so it's up to you to come up with something strong enough for a reminder, but that would not reveal everything to a possible insider. In our example, if we write "row 1," that could mean all the characters in row 1, but we can do easy things, such as excluding the last character. That way, the threat is eliminated, and even if anyone captures your Password Hint, they would not be able to easily reverse engineer it, which sustains a very high level of security.

Illustration 3: Example of a manual Password Hint.

In our example above, when it's time to reconstruct the password, you can click on the row 1 header, and it will select the characters

B [(myaqPs {3c m{C5M7VFD5n\Y1vn QA

with 1 click. Then you enable the "Eraser" and select the last character of the row, which is located at h1, removing the character "Z." The password obtained is then

B [(myaqPs {3c m{C5M7VFD5n\Y1vn Q

Another convenient way that would still eliminate threats is to use the PasswordWrench tools to mix the auto-generated password with a few characters that you add after it has been constructed. Those extra characters that you add manually could be from a pattern on the Password Card. If you use a pattern on the Password Card, and you use a different Password Card for every site you log into, then even if you use the same pattern, the characters will be different. A very simple pattern example would be to use the character in position A1. If you use two different Password Cards, the character at position A1 is different.

Illustration 4: Example of 2 different Password Cards side by side with character A1 selected.

So, in this example, we were able to generate a password of 32 characters with one click; then, by adding one character using position A1, which is easy to remember, we were able to obtain a password of 33 characters with one click and one keyboard key press. This is very convenient and eliminates the security threat. Additionally, you could add your own characters to every password at the beginning or end, such as initials or a special number or date.

How PasswordWrench Protects Against Other Threats

Illustration 5: Example of a Password Card without characters.

There are of course also other threats. What if you are somewhere and a camera, hidden or not, can record everything you see on your monitor? Eliminating that threat is possible. There are actually a few ways to do this. The most convenient way would be to disabl
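As an added example (not PasswordWrench's own code), here is a minimal model of the Password Card and a waypoint-style Password Hint in the page's "L3-S3-L10-S10" notation, covering both the auto-generated Z shape from Illustration 2 and the manual row hint with the Eraser step from Illustration 3. The card dimensions (26 columns A..Z, 10 rows), the straight-segment reading of a hint and the erase syntax are assumptions; what it shows is that the stored hint only says where to read, so the card (or whatever regenerates it) is the actual secret.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
COLS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # assumed card width: columns A..Z
ROWS = 10                            # assumed card height: rows 1..10


def generate_card(rng=secrets):
    """Fresh grid of random characters: made per use, never stored server-side."""
    return [[rng.choice(ALPHABET) for _ in COLS] for _ in range(ROWS)]


def parse_waypoint(token):
    """'L10' -> (column index, row index), zero-based; rejects off-card cells."""
    col, row = token[0].upper(), int(token[1:])
    if col not in COLS or not 1 <= row <= ROWS:
        raise ValueError(f"waypoint off the card: {token}")
    return COLS.index(col), row - 1


def hint_path(hint):
    """Expand a hint such as 'L3-S3-L10-S10' into every cell along the straight
    segments joining consecutive waypoints (horizontal, vertical or 45-degree)."""
    points = [parse_waypoint(t) for t in hint.split("-")]
    cells = [points[0]]
    for (c0, r0), (c1, r1) in zip(points, points[1:]):
        dc, dr = c1 - c0, r1 - r0
        if dc and dr and abs(dc) != abs(dr):
            raise ValueError(f"segment {c0},{r0}->{c1},{r1} is not a straight line")
        sc, sr = (dc > 0) - (dc < 0), (dr > 0) - (dr < 0)
        for i in range(1, max(abs(dc), abs(dr)) + 1):
            cells.append((c0 + sc * i, r0 + sr * i))
    return cells


def reconstruct(card, hint, erase=()):
    """Read the card along the hint's path; 'erase' lists cells removed with the
    Eraser, e.g. erase=("Z1",) drops the last character of 'A1-Z1' (row 1)."""
    skip = {parse_waypoint(t) for t in erase}
    return "".join(card[r][c] for c, r in hint_path(hint) if (c, r) not in skip)


if __name__ == "__main__":
    # Same stored hint, two freshly generated cards: two unrelated passwords,
    # which is why a leaked hint is useless without the card.
    hint = "L3-S3-L10-S10"  # the page's Z shape: 8 + 6 + 8 = 22 characters
    for card in (generate_card(), generate_card()):
        print(reconstruct(card, hint))
```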
