Security of Password Managers
Schneier on Security 2014-09-05
At USENIX Security this year there were two papers studying the security of password managers:
- David Silver, Suman Jana, and Dan Boneh, "Password Managers: Attacks and Defenses."
- Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song, "The Emperor's New Password Manager: Security Analysis of Web-based Password Managers."
It's interesting work, especially because it looks at security problems in something that is supposed to improve security.
I've long recommended a password manager to solve the very real problem that any password that can be easily remembered is vulnerable to a dictionary attack. The world got a visceral reminder of this earlier this week, when hackers posted iCloud photos from celebrity accounts. The attack didn't exploit a flaw in iCloud; the attack exploited weak passwords.
Security is often a trade-off with convenience, and most password managers automatically fill in passwords on browser pages. This turns out to be a difficult thing to do securely, and opens up the password managers to attack.
My own password manager, PasswordSafe, wasn't mentioned in either of these papers. I specifically designed it not to automatically fill. I specifically designed it to be stand-alone. The fastest way to transfer a password from PasswordSafe to a browser page is using the operating system's cut-and-paste commands.
I still recommend using a password manager, simply because it allows you to choose longer and stronger passwords. And for the few passwords you should remember, my scheme for generating them is here.