Password management

from Wikipedia, the free encyclopedia

A password manager (also called a password management program or password safe) is a computer program that lets a computer user store and manage passwords and PIN codes in encrypted form, and usually also generate strong passwords. Programs are available for desktop computers and laptops as well as for smartphones.

Need

These programs arose from the problem that users need user names with secure passwords on their systems and on many Internet sites. Using the same user names and passwords for different services is a high security risk, since a single stolen password would give access to all services. Many different passwords are therefore required. Secure passwords are long and consist of hard-to-remember combinations of letters, numbers and special characters (see "Choosing secure passwords"). A password management system protects these many long passwords from unauthorized access while keeping them easy to use.

System administrators in particular need many different and very strong passwords, as these are still the weakest link in the chain for protecting a network.

Functions

In a password manager the user can store and organize user names, the associated passwords and other information. This database, whose content is encrypted, is secured by a correspondingly strong main password. During setup, the user enters all passwords, user names and other associated access data into the database and later, when needed, copies the access data into the corresponding logon fields. The entire input process can also be automated.

Main password

The user can save this main password as a key file on a USB stick or a similar medium; it must be stored carefully, because it grants access to the password database. This technique can be combined with an additional password to increase security.

Encryption

As a rule, the programs encrypt not only the passwords but the entire database. Ideally, strong encryption algorithms are used.

Password generator

Figure: Password generator user interface (KeePass)

A password generator is usually also integrated, with which passwords of different strengths can be generated. Based on random input from the user via mouse or keyboard, it generates passwords of any length from different character sets. Passwords with 100 or more bits can easily be created. In practice, such strong passwords with 15 or more characters can only be used with a password management system. Example: D`k+oGw(^#"mPoO
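The relationship between length, character set and bits described above can be made concrete. The following is an added example, not code from KeePass or the original article; it draws from the operating system's CSPRNG (Python's `secrets`) instead of mouse or keyboard input, and the class names and function names are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes the generator may draw from (assumed defaults for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "special": string.punctuation,
}

def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def min_length(target_bits, alphabet_size):
    """Shortest password length whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def generate(length, classes=("lower", "upper", "digits", "special")):
    """Draw a password from the CSPRNG and redraw until every class appears.

    Redrawing discards a fraction of candidates, so the real entropy is
    slightly below entropy_bits(); for long passwords the loss is small.
    """
    if length < len(classes):
        raise ValueError("length too short to include every requested class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in pw) for c in classes):
            return pw

if __name__ == "__main__":
    size = sum(len(v) for v in CLASSES.values())  # 94 printable ASCII symbols
    print(f"15 chars: {entropy_bits(15, size):.1f} bits")
    print(f"length needed for 100 bits: {min_length(100, size)}")
    print("sample:", generate(min_length(100, size)))
```

With the full 94-symbol set, 15 characters give about 98 bits, so 16 characters are needed to pass 100 bits; restricting the set to letters and digits raises that to 17.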

Backup

Backing up a password database is easier than backing up a mixture of special browser password files, other program files and slips of paper or, in the worst case, unprotected files on the computer that contain passwords.

Password management collects the passwords centrally, so only one file has to be backed up for all passwords. The database can usually be exported as a CSV file, which is supported by all common password management programs and text editors. Flexible XML export or simple printing is also possible. The disadvantage of these formats is that they store the passwords unencrypted, so only the program's own encrypted format is suitable for backup. The formats above are used for data exchange and data processing.

The normal password management of the web browsers Mozilla Firefox, Google Chrome and Internet Explorer saves the passwords unencrypted. Mozilla Firefox optionally encrypts the passwords with a so-called master password. Without entering this master password, the user cannot use the saved passwords.

If the main password for the password database is saved in a file, e.g. a 512-bit key, that file must additionally be backed up to guard against loss of the storage medium.

Disadvantages

Password manager users are dependent on their password database. Since individual passwords are no longer memorized, the user needs permanent access to it. Backup copies should therefore be made regularly and kept safe in case of damage.

Passwords stored unencrypted in the browser can easily be stolen if a data thief has access to the user's computer, and they represent a security gap. The standard protection in modern web browsers has so far been inadequate. Passwords can be adequately protected with additional password management software or by using a master password in the browser.

Defects

Investigations have shown that passwords in popular password managers remain in memory longer than necessary, even when the manager is locked.

Alternatives

With passwords created using formulas, users remain independent of external providers. The user remembers one formula that applies to all passwords and that, combined with a variable factor, yields a different password each time. Examples of such variable factors are an Internet address or a company name. Certain characters are taken from this character string and combined with numbers and special characters according to a fixed scheme. The user only has to remember the encryption code required to create the passwords and thus obtains individual and secure passwords at the same time. However, if this encryption code becomes known, all passwords created by the user are also insecure. Another shortcoming is that services such as Internet forums, shops, etc. impose different requirements on passwords. These may prevent the use of a self-devised algorithm.

The disadvantages listed so far can be avoided by dividing the password in two. This requires a further tool (a so-called passcoder), which appends the second part of the password (the "salt") and, if necessary, special characters or the like in order to comply with the rules of the page. So that the second part of the password is not revealed if a page is spied on, the result itself has to be encrypted (password from password manager + "salt" + encryption = password for login).
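The formula approach and the two-part variant can be sketched together. This is an added example, not a scheme from the original article or from any named tool: it substitutes PBKDF2-HMAC-SHA256 for the article's unspecified "fixed scheme" and "encryption", and the function name `site_password` and its parameters are assumptions.

```python
import hashlib
import string

def site_password(secret, site, length=16, specials=True, salt=""):
    """Derive a per-site password from one secret and a variable factor.

    secret:   the remembered formula input, or the part kept in a manager
    site:     the variable factor, e.g. an Internet address
    salt:     optional second part kept separately (two-part scheme)
    specials: set False for services that reject special characters
    """
    alphabet = string.ascii_letters + string.digits
    required = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if specials:
        alphabet += string.punctuation
        required.append(string.punctuation)
    if not len(required) <= length <= 64:
        raise ValueError("length must be between the class count and 64")
    # A NUL separator keeps ("ab", "c") distinct from ("a", "bc").
    key = secret.encode() + b"\x00" + salt.encode()
    counter = 0
    while True:
        # The counter advances only when a candidate misses a required class,
        # so the same inputs always reproduce the same password.
        factor = f"{site}\x00{counter}".encode()
        raw = hashlib.pbkdf2_hmac("sha256", key, factor, 100_000, dklen=64)
        n = int.from_bytes(raw, "big")
        chars = []
        for _ in range(length):
            n, idx = divmod(n, len(alphabet))
            chars.append(alphabet[idx])
        pw = "".join(chars)
        if all(any(c in cls for c in pw) for cls in required):
            return pw
        counter += 1

if __name__ == "__main__":
    # Constructed sample inputs.
    print(site_password("formula secret", "forum.example"))
    print(site_password("formula secret", "shop.example", length=12, specials=False))
    print(site_password("stored part", "forum.example", salt="second part"))
```

Every output is a function of the secret alone plus public factors, which is the single point of failure the text describes; the `salt` argument models splitting that secret across two places.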

Tools

  • KeePass - open-source password management for Windows, Linux and Mac operating systems
  • LastPass - browser add-on
