Published: 2 May 2019, Rémon Verkerk
Online news outlets and leading security bloggers report daily on yet another data breach in which personal data and login credentials end up in the open. Last month, for example, researchers came across several online databases containing data from some 60 million LinkedIn profiles. Such breaches frequently include usernames and passwords, with the passwords often stored in readable form (‘plaintext’). Stolen credential sets are then traded on the Internet, so other cyber criminals can easily get at your data.
Numerous marketplaces on the Dark Web offer login credentials for sale.
The diversity of software platforms and applications is overwhelming, and so is the amount of personal data these systems process and store. Such systems therefore have to meet strict security requirements. To keep the user from becoming the weakest link in that security, the user is asked to choose a strong, unique password for each system. In practice this expectation is rarely met: the human brain cannot remember hundreds of complex passwords, let alone change them periodically.
It is essential to manage login credentials, such as usernames, passwords and security questions, properly. This may sound obvious, but in practice many organisations have not arranged it well and run the risk of becoming the next data breach scandal.

The password manager offers a solution
In short, a password manager is a software vault in which you store your passwords. It makes it easy to generate complex passwords and store them securely, so you no longer need to remember complex passwords; in fact, it is preferable not to. The only password you still have to remember is the master password that unlocks the vault. It is advisable to keep a ‘spare key’ (a copy of the master password) safely elsewhere, for example in a safe at the notary’s office.
Risks when using password managers
Using a password manager is not entirely risk-free. While the application is running and the vault is unlocked, anyone with access to your system has all your passwords at their fingertips. This applies not only to physical access to the system, but also to (un)authorised persons who have gained access over the network. In some cases it has also been shown that the master password that unlocks the vault could be extracted from the computer’s working memory (RAM). It is therefore recommended to lock the vault, or close the application, immediately after use; and on a machine an attacker already controls, the vault should no longer be considered safe at all.
Password storage in the browser
Modern browsers also offer to store login names and passwords. We strongly advise against using this. Not only is the integration limited to browser use, but the stored data can be viewed with just a few clicks. Convenient for the user, but equally convenient for an unauthorised person who glances at your passwords in an unguarded moment or copies them to a USB stick. In addition, browsers, present on every platform, have been a favourite attack vector of cyber criminals in recent years, with extraction of the passwords they store high on the shopping list.
Is Single Sign-On (SSO) the same as password management?
Single Sign-On software (abbreviated SSO) allows end users to log in once, after which they are automatically given access to multiple applications and resources on the network. An SSO solution (e.g. Kerberos, SAML or OpenID Connect) bears some resemblance to password management, but takes a different approach: SSO does not focus on passwords as such, but on establishing trust between users and resources, with the applications relying on a central identity provider to vouch for the user.
A username and password provide authentication of the user. Where password management is in order and it is not plausible that third parties possess these credentials, there is also accountability: the user can be held responsible for actions performed under that account.
Single Sign-On goes a step further: the single authentication is propagated to the connected resources, and the SSO solution can also convey which of those resources the user is authorised to use.
Summary
Password management is of great importance and is easy to put in order. A password manager also saves money, because employees no longer need to have their password reset over and over after forgetting it for the umpteenth time. In addition, it becomes straightforward to enforce complex passwords, spot passwords reused across multiple resources, and keep track of where multifactor authentication (MFA) is applied. Single Sign-On is a good next step in the further professionalisation of your identity management.