2.3 Password managers
This section is part of the amber and green pathways.
While it is possible to create your own strong passwords, it can sometimes be difficult to remember each one, especially if you use a number of online services.
A password manager is an application running on your computer, smartphone or tablet that stores passwords for you. Very simple password managers allow stored passwords to be copied and pasted into login boxes. More sophisticated managers let users launch and log in to an application or website by clicking on their entry in the manager itself, while some password managers include browser ‘plug-ins’ so that you can complete a login on a web page simply by pressing a button.
The majority of password managers also offer password generation facilities. Since computers can remember arbitrarily long pieces of nonsense text, say MHpKQCvpYoouTAaPiiWuFKjpNe7qnsbwkrvq3s3cX, password managers have no problem creating passwords that are highly resistant to both brute force and dictionary attacks.
Since a password manager contains a great deal of extremely valuable information, it represents an attractive target for an attacker. Before choosing a manager you should check that:
- The password manager itself requires a password to use it. This prevents an attacker simply starting the password manager and accessing your passwords.
- The password manager should lock itself after a period of inactivity. This stops an attacker accessing the passwords if you have previously used the password manager and then left your machine unattended.
- The passwords themselves should be encrypted on your computer. This prevents an attacker reading your passwords without needing to open the password manager.
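The password generation described above can be illustrated with a short sketch. This is an added example, not code from any particular password manager; the function names and the rate of one trillion guesses per second are assumptions chosen for illustration. It generates a password of the same shape as the 41-character sample and estimates how long a brute force search would take.

```python
import math
import secrets
import string

# Upper case, lower case and digits: the 62 symbols used in the sample password.
ALPHABET = string.ascii_letters + string.digits


def generate_password(length=41, alphabet=ALPHABET):
    """Pick every character independently using the operating system's
    cryptographic random source (not the predictable `random` module)."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a password whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def years_to_brute_force(bits, guesses_per_second=1e12):
    """Average time to find the password: half of the 2**bits candidates.
    The guess rate is an assumed figure, not a measured one."""
    seconds = 2 ** (bits - 1) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def in_dictionary(password, wordlist):
    """A dictionary attack only succeeds if the password is on the list."""
    return password.lower() in wordlist


if __name__ == "__main__":
    # Constructed sample wordlist; real attack lists hold millions of entries.
    wordlist = {"password", "letmein", "sunshine", "dragon"}
    generated = generate_password()
    for label, pw, bits in [
        ("8 lower-case letters", "sunshine", entropy_bits(8, 26)),
        ("41 generated characters", generated, entropy_bits(41, 62)),
    ]:
        print(f"{label}: {bits:.0f} bits, "
              f"about {years_to_brute_force(bits):.3g} years to brute force, "
              f"in dictionary: {in_dictionary(pw, wordlist)}")
```

The eight-letter figure is a best case that assumes the letters were chosen at random; a real word such as "sunshine" falls to a dictionary attack long before a brute force search would reach it.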
Most modern web browsers offer to remember passwords when you enter them into web forms, providing password management for websites you visit using the browser. This can be very convenient for frequently visited sites where you regularly have to enter details. The security of this password storage is strong and your data will not be visible to casual inspection, but you should be extremely careful about using it on any computer that you do not own or have sole control of, since your data will be stored on the machine and could be misused by another user or an administrator.
You should only consider using a browser’s password storage on a machine that you are the sole user of, or one where you entirely trust the other users. Under no circumstances should you store passwords in the browsers of public machines in places such as cafes, libraries and workplaces.
When using a password manager, check that its security functionality has been evaluated by a reputable independent organisation. Additionally, make sure you select a very strong password for controlling access to the password store. This will minimise the risk of attackers having access to your passwords, even if they do manage to steal the encrypted password store, either from your machine or from online storage provided by the password manager software.