
In January, we published a blog explaining why it is important to have strong passwords, and provided some advice to increase their robustness. Little did we know that this blog’s writing would create a commotion among the research team as different opinions on password managers emerged. The next two blog posts will cover password managers. The first one aims to explain why it might not be as popular as the InfoSec community wishes, while the second one attempts to nuance that anything is better than the status quo.

 

The password-management tool

Weak passwords are quick and effortless for malicious hackers to crack. One solution to avoid weak passwords is to use randomly generated strong passwords, but those are hard to remember. Plus, malicious actors will use the passwords revealed in data breaches to try to access other accounts. This is why having a different password for each account is important. However, people have 100 accounts on average that are protected by passwords. It is impossible to remember a strong password for each of them. For some, the solution is simple: use a password manager! A password manager is a tool designed to store and manage online credentials. It also generates strong random passwords. Usually, these passwords are stored in an encrypted database that you protect with a master password. Password managers have tons of advantages! They allow you to store a great quantity of strong passwords while remembering only one master password. They can also store more than just passwords, such as your passport number and expiry date or your social insurance number.

However, previous studies have shown that password managers (particularly stand-alone applications) suffer from low adoption rates, especially among non-experts. Let’s devote this post to understanding why.

Awareness 

Researchers have suggested that many users are not aware of what password managers are, how to use them, and/or whether they are trustworthy. Therefore, basic awareness of password-management tools is the primary adoption barrier for some users. Another important awareness problem is that users think they do not have enough accounts to justify a password manager, or that their accounts are not valuable enough to require a secure password-management tool. People tend to cite security concerns, no perceived need for this solution, and a lack of motivation. Other reasons noted are the time needed for installation, the lack of a sense of urgency, or the lack of awareness of how password managers work. Some users are simply unwilling to hand over control to a third party.

It is yet ANOTHER tool 

Researchers identify the rationing of effort as a central theme in users’ password-management choices, meaning that using this tool or not is a tradeoff between security and convenience. For some users, it seems like yet another extra effort added to their long list of things they have to do to protect themselves. Plus, when you think about it, the password is supposed to be protecting my information already. So, this extra effort on the user’s part is meant to compensate for a system that shows weaknesses in protecting them. I am getting carried away, let’s refocus.

The password manager solution does not answer all problems. Even if a user decides to use it, the effort does not stop after downloading it. It does not lift the weight of creating strong passwords for every account. It does not erase the fact that some websites (even though NIST advises against it) will ask you to change your passwords after a certain period of time. It also does not avoid the use of two-factor authentication, which already robs us of our time (although MFA is a necessary protection in this immediate urgency of increasing account security). Even after the installation, you must spare time to make sure that all passwords are strong, then store them in the right place, and then retrieve them when you need them.

Not costly… or user-friendly

Free password managers are not user-friendly. You still have to open your password manager EACH time you need a password. If you are like me, it takes 30 seconds to access the vault (and that’s only when I enter my very-hard-to-guess master password correctly on the first try), and I must access it around 23 times a day. This represents more than 10 minutes of my time every day, and, needless to say, I consider my time precious.

The password manager embedded in browsers is much more user-friendly. It remembers your password and enters your credentials for you as soon as you reach the website. However, this tool has been proven to be unsafe, as the entire list of your credentials can be stolen via cross-site scripting. Plus, this practice presents another immediate threat: if someone has physical access to your computer, this person automatically has access to every account stored in the browser.

Two features are necessary to make password managers user-friendly: 1) auto-filling credentials when accessing a website; 2) accessing your vault from different devices. However, most (if not all) password managers that offer those features come at a significant cost.

The single point of failure problem 

The recent LastPass data breach has proven that the password-manager-as-a-service model is not immune to cyber-attacks. It is a fact that using a password manager controlled by a third party presents security risks. This is because all passwords are now stored in one place: if the vault is decrypted, all the password information, instead of a single password, is compromised. Plus, there is always the risk of losing access to the vault because you forgot your master password. In both cases, you will have to recreate passwords for 100 accounts all at once.

Don’t get me wrong: a password manager is an adequate (or tolerable?) solution

In an ideal world, people would adopt password managers and have a different strong password for each website they use. This way, data breaches would be less effective for two reasons: it would prevent credential stuffing and the effortless cracking of credentials. Users’ information getting compromised would have a much smaller impact on the individual users. The point of this blog post was to expose the different reasons why password managers are not so easily adopted by non-experts, who are the very people we are trying to protect with misguided advice.
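To make the model discussed above concrete (one master password, an encrypted vault, random password generation, the single-point-of-failure risk, and why unique passwords blunt credential stuffing), here is an added toy vault written for this post. It is constructed teaching code, not GoSecure’s code and not any real password manager’s format. It uses only the Python standard library: the vault key is derived from the master password with scrypt, entries are encrypted with an HMAC-SHA256 keystream and protected by an encrypt-then-MAC tag (a real manager would use a vetted AEAD such as AES-GCM instead), and an `audit()` method flags the reused and weak passwords that make a breach at one site dangerous at every other site. The `WEAK_BITS` threshold and the sample sites are assumptions for the example.

```python
"""Toy password vault illustrating the post's model (constructed example)."""
import hashlib, hmac, json, math, os, secrets, string
from typing import Optional

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
WEAK_BITS = 60  # assumed audit policy: below this, flag the password as weak


def generate_password(length: int = 20) -> str:
    # secrets (not random): a CSPRNG-backed choice per character
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def estimate_bits(password: str) -> float:
    # Crude entropy estimate: length * log2(size of the character classes present).
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    size = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(size) if size else 0.0


def derive_key(master_password: str, salt: bytes) -> bytes:
    # scrypt is memory-hard, so offline guessing of the master password is slow.
    return hashlib.scrypt(master_password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # CTR-style keystream from a PRF: HMAC(key, nonce || counter)
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = key[:32], key[32:]  # distinct keys for cipher and MAC
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        # A wrong master password and a tampered vault look identical: no recovery path.
        raise ValueError("authentication failed: wrong master password or corrupted vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Vault:
    def __init__(self, master_password: str, salt: Optional[bytes] = None):
        self.salt = salt or os.urandom(16)
        self._key = derive_key(master_password, self.salt)
        self._entries: dict = {}  # site -> [username, password]

    def add(self, site: str, username: str, password: Optional[str] = None) -> str:
        password = password or generate_password()  # generate when none supplied
        self._entries[site] = [username, password]
        return password

    def get(self, site: str) -> tuple:
        return tuple(self._entries[site])

    def export(self) -> bytes:
        # Everything lives in one blob: the single point of failure the post describes.
        return self.salt + encrypt(self._key, json.dumps(self._entries).encode())

    @classmethod
    def open(cls, master_password: str, blob: bytes) -> "Vault":
        vault = cls(master_password, blob[:16])
        vault._entries = json.loads(decrypt(vault._key, blob[16:]).decode())
        return vault

    def audit(self) -> dict:
        # Reused passwords enable credential stuffing; short ones are cheap to crack.
        by_password: dict = {}
        for site, (_, pw) in self._entries.items():
            by_password.setdefault(pw, []).append(site)
        reused = sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)
        weak = sorted(site for site, (_, pw) in self._entries.items()
                      if estimate_bits(pw) < WEAK_BITS)
        return {"reused": reused, "weak": weak}
```

Opening the exported blob with the wrong master password raises `ValueError` from the tag check: the vault cannot tell a forgotten master password from tampering, which is exactly the lockout scenario the post warns about. The audit shows the other side of the same design: once every entry lives in one place, the manager can at least find the reused or short passwords that would let one breach cascade into others.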


The solution is a world without passwords. After all, even the inventor of the computer password, Fernando Corbató, said that “passwords have become kind of a nightmare with the World Wide Web”.  
