Password manager

Bitwarden is an example of a password manager.

A password manager is a software program to prevent password fatigue by automatically generating, autofilling and storing passwords.[1][2] It can do this for local applications or web applications such as online shops or social media.[3] Web browsers tend to have a built-in password manager. Password managers typically require a user to create and remember a single password to unlock to access the stored passwords. Password managers can integrate multi-factor authentication.

History

The first password manager software designed to securely store passwords was Password Safe created by Bruce Schneier, which was released as a free utility on September 5, 1997.[4] Designed for Microsoft Windows 95, Password Safe used Schneier's Blowfish algorithm to encrypt passwords and other sensitive data. Although Password Safe was released as a free utility, due to export restrictions on cryptography from the United States, only U.S. and Canadian citizens and permanent residents were initially allowed to download it.[4]

As of October 2024, the built-in Google Password Manager in Google Chrome became the most used password manager.[5]

Types

Browser-based

These are built directly into web browsers like Chrome, Safari, Firefox, and Edge. They offer convenient access for basic password management on the device where the browser is used. However, some may lack features like secure syncing across devices or strong encryption.

Local

These are standalone applications installed on a user's device. They offer strong security as passwords are stored locally, but access may be limited to that specific device. Popular open-source options include KeepassXC, KeePass and Password Safe.

Cloud-based

These store passwords in encrypted form on remote servers, allowing access from supported internet-connected devices. They typically offer features like automatic syncing, secure sharing, and strong encryption. Examples include 1Password, Bitwarden, and Dashlane.

Enterprise

Designed for businesses, these cater to managing access credentials within an organization. They integrate with existing directory services and access control systems, often offering advanced features like role-based permissions and privileged access management.

Hardware

These physical devices, often USB keys, provide an extra layer of security for password management. Some function as secure tokens for account/database access, such as Yubikey and OnlyKey, while others also offer offline storage for passwords, such as OnlyKey.

Vulnerabilities

Weak vault storage

Some applications store passwords as an unencrypted file, leaving the passwords easily accessible to malware or people attempted to steal personal information.

Master password as single point failure

Some password managers require a user-selected master password or passphrase to form the key used to encrypt passwords stored for the application to read. The security of this approach depends on the strength of the chosen password (which may be guessed through malware), and also that the passphrase itself is never stored locally where a malicious program or individual could read it. A compromised master password may render all of the protected passwords vulnerable, meaning that a single point of entry can compromise the confidentiality of sensitive information. This is known as a single point of failure.

Device security dependency

While password managers offer robust security for credentials, their effectiveness hinges on the user's device security. If a device is compromised by malware like Raccoon, which excels at stealing data, the password manager's protections can be nullified. Malware like keyloggers can steal the master password used to access the password manager, granting full access to all stored credentials. Clipboard sniffers can capture sensitive information copied from the manager, and some malware might even steal the encrypted password vault file itself. In essence, a compromised device with password-stealing malware can bypass the security measures of the password manager, leaving the stored credentials vulnerable.[6]

As with password authentication techniques, key logging or acoustic cryptanalysis may be used to guess or copy the "master password". Some password managers attempt to use virtual keyboards to reduce this risk - though this is still vulnerable to key loggers. [7] that take the keystrokes and send what key was pressed to the person/people trying to access confidential information.

Cloud-based storage

Cloud-based password managers offer a centralized location for storing login credentials. However, this approach raises security concerns. One potential vulnerability is a data breach at the password manager itself. If such an event were to occur, attackers could potentially gain access to a large number of user credentials. A 2022 security incident involving LastPass exemplifies this risk.[6]

Password generator security

Some password managers may include a password generator. Generated passwords may be guessable if the password manager uses a weak method of randomly generating a "seed" for all passwords generated by this program. There are documented cases, like the one with Kaspersky Password Manager in 2021, where a flaw in the password generation method resulted in predictable passwords.[8][9]

Others

A 2014 paper by researchers at Carnegie Mellon University found that while browsers refuse to autofill passwords if the login page protocol differs from when the password was saved (HTTP vs. HTTPS), some password managers insecurely filled passwords for the unencrypted (HTTP) version of saved passwords for encrypted (HTTPS) sites. Additionally, most managers lacked protection against iframe and redirection-based attacks, potentially exposing additional passwords when password synchronization was used across multiple devices.[10]

Blockage

Various high-profile websites have attempted to block password managers, often backing down when publicly challenged.[11][12][13] Reasons cited have included protecting against automated attacks, protecting against phishing, blocking malware, or simply denying compatibility. The Trusteer client security software from IBM features explicit options to block password managers.[14][15]

Such blocking has been criticized by information security professionals as making users less secure.[13][15] The typical blocking implementation involves setting autocomplete='off' on the relevant password web form. This option is now consequently ignored on encrypted sites,[10] such as Firefox 38,[16] Chrome 34,[17] and Safari from about 7.0.2.[18]

In recent years, some websites have made it harder for users to rely on password managers by disabling features like password autofill or blocking the ability to paste into password fields. Companies like T-Mobile, Barclaycard, and Western Union have implemented these restrictions, often citing security concerns such as malware prevention, phishing protection, or reducing automated attacks. However, cybersecurity experts have criticized these measures, arguing they can backfire by encouraging users to reuse weak passwords or rely on memory alone—ultimately making accounts more vulnerable. Some organizations, such as British Gas, have reversed these restrictions after public feedback, but the practice still persists on many websites.[19]

See also

References

  1. ^ Waschke, Marvin (2017). Personal cybersecurity : how to avoid and recover from cybercrime. Bellingham, Washington: Apress. p. 198. doi:10.1007/978-1-4842-2430-4. ISBN 978-1-4842-2430-4. OCLC 968706017.
  2. ^ "Password Managers - Information Security Office - Computing Services". Carnegie Mellon University. Retrieved 2024-07-07.
  3. ^ "What is a Password Manager? - Definition from Techopedia". Techopedia.com. Retrieved 2022-12-14.
  4. ^ a b "Counterpane Systems Brings the Security of Blowfish to a Password Database". Counterpane Systems. Archived from the original on 1998-01-19. Retrieved June 24, 2023.
  5. ^ "U.S.: top password managers 2023 | Statista". Statista. Archived from the original on 2024-07-18. Retrieved 2025-02-23.
  6. ^ a b Valiaugaitė, Inga (2022-07-13). "Are Password Managers Safe to Use in 2024?". Cybernews. Archived from the original on 2024-03-24. Retrieved 2024-03-31.
  7. ^ Nadkarni, Tanusha S.; Mohandas, Radhesh; Pais, Alwyn R. (2011). "A Novel Technique for Defeating Virtual Keyboards - Exploiting Insecure Features of Modern Browsers". Advances in Computing and Communications. 191. Springer: 680–689. doi:10.1007/978-3-642-22714-1_71. Retrieved April 11, 2025.
  8. ^ Claburn, Thomas (2021-07-06). "Kaspersky Password Manager's random password generator was about as random as your wall clock". The Register. Archived from the original on 2024-03-07. Retrieved 2024-03-31.
  9. ^ Arghire, Ionut (2021-07-07). "Kaspersky Password Manager Generated Passwords That Could Quickly Be Brute-Forced". SecurityWeek. Archived from the original on 2023-06-02. Retrieved 2024-03-31.
  10. ^ a b "Password Managers: Attacks and Defenses" (PDF). Retrieved 26 July 2015.
  11. ^ Wright, Mic (16 July 2015). "British Gas deliberately breaks password managers and security experts are appalled". TNW. Retrieved 7 July 2024.
  12. ^ Reeve, Tom (15 July 2015). "British Gas bows to criticism over blocking password managers". Retrieved 26 July 2015.
  13. ^ a b Cox, Joseph (26 July 2015). "Websites, Please Stop Blocking Password Managers. It's 2015". Retrieved 26 July 2015.
  14. ^ "Password Manager". Retrieved 26 July 2015.
  15. ^ a b Hunt, Troy (15 May 2014). "The "Cobra Effect" that is disabling paste on password fields". Retrieved 26 July 2015.
  16. ^ "Firefox on windows 8.1 is autofilling a password field when autocomplete is off". Retrieved 26 July 2015.
  17. ^ Sharwood, Simon (9 April 2014). "Chrome makes new password grab in version 34". Retrieved 26 July 2015.
  18. ^ "Re: 7.0.2: Autocomplete="off" still busted". Retrieved 26 July 2015.
  19. ^ Zetter, Kim (July 8, 2015). "Websites, Please Stop Blocking Password Managers". Wired. Retrieved April 11, 2025.
Index: pl ar de en es fr it arz nl ja pt ceb sv uk vi war zh ru af ast az bg zh-min-nan bn be ca cs cy da et el eo eu fa gl ko hi hr id he ka la lv lt hu mk ms min no nn ce uz kk ro simple sk sl sr sh fi ta tt th tg azb tr ur zh-yue hy my ace als am an hyw ban bjn map-bms ba be-tarask bcl bpy bar bs br cv nv eml hif fo fy ga gd gu hak ha hsb io ig ilo ia ie os is jv kn ht ku ckb ky mrj lb lij li lmo mai mg ml zh-classical mr xmf mzn cdo mn nap new ne frr oc mhr or as pa pnb ps pms nds crh qu sa sah sco sq scn si sd szl su sw tl shn te bug vec vo wa wuu yi yo diq bat-smg zu lad kbd ang smn ab roa-rup frp arc gn av ay bh bi bo bxr cbk-zam co za dag ary se pdc dv dsb myv ext fur gv gag inh ki glk gan guw xal haw rw kbp pam csb kw km kv koi kg gom ks gcr lo lbe ltg lez nia ln jbo lg mt mi tw mwl mdf mnw nqo fj nah na nds-nl nrm nov om pi pag pap pfl pcd krc kaa ksh rm rue sm sat sc trv stq nso sn cu so srn kab roa-tara tet tpi to chr tum tk tyv udm ug vep fiu-vro vls wo xh zea ty ak bm ch ny ee ff got iu ik kl mad cr pih ami pwn pnt dz rmy rn sg st tn ss ti din chy ts kcg ve
Prefix: a b c d e f g h i j k l m n o p q r s t u v w x y z 0 1 2 3 4 5 6 7 8 9

Portal di Ensiklopedia Dunia

Portal : Agama
Agama
Portal : Bahasa
Bahasa
Portal : Biografi
Biografi
Portal : Budaya
Budaya
Portal : Ekonomi
Ekonomi
Portal : Elektronika
Elektronika
Portal : Film
Film
Portal : Filsafat
Filsafat
Portal : Geografi
Geografi
Portal : Indonesia
Indonesia
Portal : Ilmu
Ilmu
Portal : Lingkungan
Lingkungan
Portal : Masyarakat
Masyarakat
Portal : Matematika
Matematika
Portal : Militer
Militer
Portal : Mitologi
Mitologi
Portal : Musik
Musik
Portal : Olahraga
Olahraga
Portal : Pendidikan
Pendidikan
Portal : Politik
Politik
Portal : Sastra
Sastra
Portal : Sejarah
Sejarah
Portal : Seni
Seni
Portal : Teknologi
Teknologi

Kembali kehalaman sebelumnya