Password Management Security Review

Elsewhere on this site, we have compared commercial password managers for their ease of use and for their effectiveness as replacements for browser-based password managers such as Chrome and Firefox. We have also suggested why certain options are better for small businesses, where the skills may not exist to manage API integrations, directory synchronizations, and complex configurations.

In this article, we'll be looking at password management security in respect of the mechanisms provided by commercial password managers to secure account access, and the tools provided for system administrators to ensure the mechanisms are used effectively. First, we'll start with an overview of some security features all commercial password managers have in common.

Encryption, Encryption, Encryption!

All the leading commercial password managers operate a “zero-knowledge” model in which encrypted, hashed, and salted master passwords prevent vendors and their employees accessing users' vaults. The data inside users' vaults is also protected by 256-bit encryption, while data in transit – for example, when passwords are shared between users – is protected by TLS encryption.

In layman's terms, this level of encryption not only means vendors and their employees cannot access vaults and the data within them, but it is almost impossible for a cybercriminal to crack a user's master password using brute-force tactics. The only way an unauthorized third party can access a user's vault is if they obtain the user's login credentials via a phishing attack.

Beyond Encryption, Further Mechanisms Exist

Further security features all commercial password managers have in common include Single Sign-On (SSO), Multi-Factor Authentication (MFA), and Event Logs/Audit Trails for integration with SIEM solutions. It's important to note some features are subject to the type of business plan subscribed to. It may also be the case that some plans place limits on which authenticator apps can be used.

Possibly the most important mechanism for enhancing security is the policy engine. The policies created by system administrators control factors such as password strength, whether SSO or MFA is required, and how many groups or teams an individual can belong to. The application and enforcement of password policies can impact the effectiveness of password management security.

Additional Security Features by Vendor

Despite most commercial password managers sharing similar security features, a few have additional features that enhance the security of their products. These features can have an influence on which password manager is implemented because of business concerns, experiences, or potential vulnerabilities identified by a risk assessment.

Bitwarden

Bitwarden offers two additional security features. The first is a self-host option in which data is stored on-premises rather than in the Azure Cloud. This option should only be taken advantage of if the business is subject to industry regulations relating to the whereabouts of protected personal information and has the internal IT skills to deploy and manage the password manager on-premises.

The second additional feature is that Bitwarden is an open source password manager. This means the source code is published and constantly checked for vulnerabilities by the security community. The code repositories are publicly available, as is the Bitwarden Security Whitepaper, which contains an overview of the Bitwarden Security and Compliance Program.

1Password

1Password's “Secret Key” enhances the level of protection provided by the master password by increasing the amount of entropy. 1Password claims that a strong master password has between 40 and 60 bits of entropy; but, with the 34-character Secret Key (which only users have access to), the entropy increases beyond 128 bits.

To eliminate the need for users to enter the master password and the Secret Key on every login, the Secret Key can be saved locally on trusted devices. If a trusted device is lost or stolen, attackers will still be unable to access the user's vault because they do not have the master password. You can read more about Secret Key security in 1Password's Security Design Whitepaper.
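To make the entropy arithmetic and the "salted and hashed master password" mechanism concrete, here is an added, simplified model of a two-secret vault key derivation. It is illustration code written for this review, not 1Password's (or any vendor's) actual algorithm; the 32-symbol alphabet, the 26-symbol key length, the PBKDF2 work factor and all function names are assumptions.

```python
import hashlib
import hmac
import math
import secrets

# Constructed, simplified model of a two-secret vault key derivation. This is
# NOT 1Password's (or any vendor's) actual algorithm; it only shows why a
# salted, slow-hashed master password mixed with a device-held Secret Key
# defeats offline guessing against stolen server-side data. Constants assumed.
SECRET_KEY_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols (assumed)
SECRET_KEY_LENGTH = 26                                   # assumed
PBKDF2_ROUNDS = 50_000                                   # assumed work factor


def new_salt() -> bytes:
    """Per-account random salt; stored server-side, not secret."""
    return secrets.token_bytes(16)

def generate_secret_key() -> str:
    """Random Secret Key held only on the user's trusted devices."""
    return "".join(secrets.choice(SECRET_KEY_ALPHABET) for _ in range(SECRET_KEY_LENGTH))

def secret_key_entropy_bits() -> float:
    """Entropy of a uniformly random Secret Key: length * log2(alphabet size)."""
    return SECRET_KEY_LENGTH * math.log2(len(SECRET_KEY_ALPHABET))

def offline_guess_space_bits(master_password_bits: float, with_secret_key: bool) -> float:
    """Search space for an attacker holding salt and verifier but not the Secret Key."""
    return master_password_bits + (secret_key_entropy_bits() if with_secret_key else 0.0)

def derive_vault_key(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """Client-side: salted PBKDF2 of the password, XORed with an HMAC of the Secret Key."""
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS)
    sk_part = hmac.new(secret_key.encode(), salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))

def make_verifier(master_password: str, secret_key: str, salt: bytes) -> bytes:
    """What the server stores: a hash of the vault key, never the key or password."""
    return hashlib.sha256(derive_vault_key(master_password, secret_key, salt)).digest()

def unlock(candidate_password: str, candidate_secret_key: str, salt: bytes, verifier: bytes) -> bool:
    """Both secrets are needed; a phished password alone does not reproduce the key."""
    candidate = hashlib.sha256(derive_vault_key(candidate_password, candidate_secret_key, salt)).digest()
    return hmac.compare_digest(candidate, verifier)
```

With these assumptions a 40-bit master password alone leaves a 2^40 offline search, while adding the Secret Key raises it to 2^170, which is why the device-held secret matters more than a few extra password characters.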

Dashlane

Dashlane recently added Intel SGX (Software Guard Extensions) support to its Windows app – an application isolation technology that protects data while it is in use. This means data is protected not only at rest and in transit, but also at the time it is being used – preventing spyware and keylogging malware from recording login credentials and other confidential information.

It is not known at the time of publication whether this feature will be extended to other apps in the Dashlane portfolio; and, as it is quite a new technology, it is likely the innovation will be copied by other commercial password managers. However, you can read more about Intel SGX and password management security in Dashlane's Security Whitepaper.

Conclusion: Take Advantage of Free Trials

Technology is constantly evolving – especially in the world of IT security – so while this password management security review and the additional security features by vendor are current at the time of publication, they could quickly fall out of date. If your business has concerns about the security of password managers, the recommended course of action is to speak with the vendors and take advantage of free trials whenever possible to test the security mechanisms on each password manager.

Author: Maria Perez