Individuals and companies rely on a virtual alphabet soup of usernames and passwords to protect their assets and personal information online. But it can be difficult to keep track of login information for a multitude of sites and networks, especially when security standards dictate that users maintain a different complex password for every site and reset passwords regularly.
Enter the password management system – a software application or service that helps users keep track of all of their logins, usually by securing them under a single master password. Some password managers can generate unique, strong passwords for the user, and others even log into websites automatically, eliminating the need to remember or enter the passwords in the future.
“There’s always a tradeoff between security and convenience, but password managers are one of those rare tools that makes you more secure and makes life easier,” says password security expert Jeremi Gosney, CEO of Sagitta HPC, a firm offering password-cracking services. Gosney is also a co-founder of the hacker conference PasswordsCon.
Though there’s been talk about the death of passwords, password management companies maintain that the age-old method continues to be the principal form of authentication for both individuals and enterprises, even as multi-factor authentication gains acceptance.
“The reality is that it will take decades to see the end of passwords. Companies need to be proactive now,” says Joe Siegrist, CEO and co-founder of LastPass, a password management tool.
Despite their drawbacks, passwords remain because they are simple for an enterprise to set up as an authenticator, and they’re easy to maintain as well. Not every institution has the resources to incorporate biometric authentication or a two-factor system. “Passwords are still the most cost-effective security solution on the market,” says Amber Gott, marketing manager for LastPass.
Data storage methods vary
There are a number of companies offering password management systems, and for the most part there’s very little to separate them. Typically these companies employ one of three different approaches to how they store data.
The systems can be cloud-based, PC-based or built into a Web browser with an encrypted database on a PC. Most password management systems offer a free version and a paid version, as well as a distinct system for consumers and another for enterprises.
Cloud-based password managers have become more prevalent in recent years, with the notable advantage being the added convenience that the cloud offers. “You don’t have to do anything to sync devices,” Gosney says. A user could log in to a cloud-based system from any location using the device of choice, and all of the password information would be right there.
“Say your computer crashes. You don’t have to worry about it because everything is stored in the cloud, so it’s automatically backed up for you,” Gosney says.
The advantage of local, or PC-based, password managers is that the security of that database is completely in the user’s control. Some are hesitant to allow this treasure trove of login data to leave their possession. That control, however, could be a disadvantage for someone who isn’t very security conscious, says Gosney.
Local solutions tend to be less feature-rich than cloud alternatives. “It’s the bare-bones functionality that you would expect from password management. And some people like that,” Gosney says.
Another drawback of PC-based systems is that they don’t readily sync with other devices. Although some platforms offer a plugin that does enable syncing, modern users who access services from multiple devices and locations are likely to find this added step burdensome.
With the browser-based password manager, the advantage is that there is no software to install. A pop-up appears asking whether the user wants to save the password. The downside, Gosney says, is that if the operating system is running, the password database is open for anyone at that computer to see. “It’s very convenient, but it’s not secure,” he says.
Many password managers come equipped with a number of features such as two-factor authentication, the ability to fill out online ordering forms with personal data, and a security checkup option that can see if any accounts have been compromised or if duplicate or weak passwords are being used.