Master password security
Many password manager applications combine two features that make for strong protection – namely, the ability to generate random and complex password strings, and the ability to automatically log the user into the service or site using those passwords.
Since you don’t have to remember each random string, each password can be as long and complex as you like, which adds greatly to the security of your access. And if the login process is being handled by the application then you don’t even have to know what the password is in the first place.
The one password that needs to be long, strong and complex, but very much known to you, is the master password; it acts as the encryption key to lock away all the others. A password manager is only ever as secure as this master password, so it needs to be a good one.
The idea of having to memorise a complex password that’s at least 12 characters long, mixing upper and lower case, letters and numbers, and a few special keyboard characters for good measure, sounds much worse than the reality. I use a master passphrase of more than 15 characters and change it every three months, yet have never once forgotten it.
The key, if you’ll excuse the pun, is to abandon the truly random approach here and go for something you’ll remember – but in a format that makes it difficult for a human to make a guess or a machine to use brute force. You can combine words, with mixed cases and special characters in-between, throw in a few numbers and still have something that’s memorable but almost uncrackable. For example, the easily recalled phrase “my car is a pocket rocket” could be turned into a strong passphrase with the use of some misspelling and capitalisation, the addition of the numerals from your number plate and a couple of question marks to make it “?myKar13isaPokitRokit?”.
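As an added illustration (not part of the original article), the short Python script below checks a candidate master passphrase against the policy described above (at least 12 characters, both cases, digits and special characters) and estimates the brute-force search space an attacker faces, in bits, assuming they know which character classes are in use. The character classes and the 12-character minimum are taken from the text; the candidate passphrases other than the article’s own example are constructed here. The bit count is an upper bound for pure brute force: a guesser that tries dictionary words and common substitutions will do better against a phrase built from real words, which is exactly why the article recommends misspelling them.

```python
import math
import string

# Policy from the article: at least 12 characters, mixed case, letters
# and numbers, plus some special keyboard characters.
MIN_LENGTH = 12

# Character classes an attacker must cover once the policy is known:
# 26 + 26 + 10 + 32 = 94 printable characters in total.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}


def missing_classes(password: str) -> list[str]:
    """Return the policy classes the candidate does not use at all."""
    return [name for name, chars in CLASSES.items()
            if not any(c in chars for c in password)]


def meets_policy(password: str) -> bool:
    """True when the candidate is long enough and uses every class."""
    return len(password) >= MIN_LENGTH and not missing_classes(password)


def search_space_bits(password: str) -> float:
    """Brute-force search space in bits: length * log2(alphabet size).

    The alphabet is the union of the classes actually used, plus any
    characters outside those classes (for example spaces), each counted
    once. This is an upper bound; it says nothing about how guessable
    the underlying words are.
    """
    missing = missing_classes(password)
    used = [chars for name, chars in CLASSES.items() if name not in missing]
    other = {c for c in password if not any(c in chars for chars in used)}
    alphabet = sum(len(chars) for chars in used) + len(other)
    if alphabet == 0 or not password:
        return 0.0
    return len(password) * math.log2(alphabet)


def assess(password: str) -> dict:
    """Summarise one candidate for a report or a test."""
    return {
        "length": len(password),
        "meets_policy": meets_policy(password),
        "missing": missing_classes(password),
        "bits": round(search_space_bits(password), 1),
    }


if __name__ == "__main__":
    candidates = [
        "my car is a pocket rocket",  # the plain phrase from the article
        "?myKar13isaPokitRokit?",     # the article's strengthened version
        "Tr0ub4dor&3",                # constructed: 11 chars, fails on length
        "aB3$xY9!qW2#",               # constructed: 12-char random minimum
    ]
    for pw in candidates:
        print(f"{pw!r:32} {assess(pw)}")
```

Running the script shows that the article’s 22-character example sits around 144 bits of raw search space, whereas a 12-character password drawn from the same 94-character alphabet sits around 79 bits; length contributes far more than swapping in one more symbol class does. The plain five-word phrase scores well on length alone, which is precisely the number an attacker does not have to beat if they guess whole dictionary words instead of characters.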
If the master password is your key to password file security, then encryption is the lock that protects that file. LastPass and 1Password, for example, encrypt your data locally on your device using the master password, so that any data that you store online in the cloud is already encrypted before it arrives.
It’s a given when choosing a secure password manager that it should use a high level of data encryption. In practical terms, this means a minimum of 256-bit Advanced Encryption Standard (AES) or equivalent algorithm. One common myth, which we touched on earlier, is that your passwords become vulnerable as soon as they’re stored in the cloud. The truth is that as long as your password data files are encrypted and protected by a secure master password – one that isn’t written down or reused elsewhere – then your passwords are safe even when stored online. In order to compromise them, an attacker would first have to compromise the password service, then crack the encryption protecting your password file. It really isn’t any more risky than if the password file were stored locally, as your laptop or USB drive could always be stolen; it’s the encryption that’s important.
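The two paragraphs above describe the master password as the key and encryption as the lock, with the key derived on the device before anything reaches the cloud. The Python below is an added example (not code from the article, LastPass, 1Password or any other product) of the piece that sits between the two: stretching the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256, which is in the Python standard library. A random per-vault salt stops two users with the same master password from getting the same key, and the iteration count multiplies the cost of every guess an attacker makes after stealing the encrypted file. The iteration count, the check-value construction and the sample search space are constructed for illustration; real products choose their own parameters.

```python
import hashlib
import hmac
import os
import time

KEY_LEN = 32            # 256 bits: the AES-256 key size the article cites
ITERATIONS = 600_000    # constructed value for illustration; products pick their own
SALT_LEN = 16


def new_vault_salt() -> bytes:
    """Fresh random salt, stored alongside the encrypted vault (not secret)."""
    return os.urandom(SALT_LEN)


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = ITERATIONS) -> bytes:
    """Stretch the master password into the vault encryption key.

    PBKDF2-HMAC-SHA256 runs `iterations` HMAC computations per derivation,
    so an attacker holding the encrypted file pays that cost per guess.
    The key never leaves the device; only ciphertext is uploaded.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def make_key_check(key: bytes) -> bytes:
    """Constructed design: a keyed check value stored with the vault so a
    wrong master password is detected before attempting decryption."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()


def unlock(master_password: str, salt: bytes, key_check: bytes,
           iterations: int = ITERATIONS):
    """Re-derive the key and compare in constant time; None on mismatch."""
    key = derive_vault_key(master_password, salt, iterations)
    if hmac.compare_digest(make_key_check(key), key_check):
        return key
    return None


def brute_force_work(search_space: int, iterations: int) -> int:
    """Total HMAC evaluations to exhaust a search space of the given size."""
    return search_space * iterations


if __name__ == "__main__":
    salt = new_vault_salt()
    start = time.perf_counter()
    key = derive_vault_key("?myKar13isaPokitRokit?", salt)
    per_guess = time.perf_counter() - start
    check = make_key_check(key)
    print(f"one derivation took {per_guess * 1000:.0f} ms on this machine")
    print("correct password unlocks:", unlock("?myKar13isaPokitRokit?", salt, check) == key)
    print("wrong password unlocks:  ", unlock("?mykar13isapokitrokit?", salt, check) is not None)
    # Constructed figure: a 12-character password over a 94-symbol alphabet.
    space = 94 ** 12
    print(f"exhausting that space costs {brute_force_work(space, ITERATIONS):.2e} HMACs")
```

The `unlock` path shows the practical reason the master password must not be reused elsewhere: the salt and the check value are not secret, so anyone who obtains the vault file can test guesses offline at whatever rate their hardware allows, and the iteration count is the only thing that slows each guess down. Everything else the attacker would need is the one secret the article says to keep in your head.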
For the truly paranoid it’s possible to strengthen your password vault further. Some password managers – RoboForm and LastPass Premium, for example – allow for the use of biometrics, by way of a fingerprint reader, to replace the master password for access. Both LastPass (Premium) and KeePass support the use of YubiKey hardware two-factor authentication tokens. These can be purchased cheaply online and, by acting as a USB keyboard, type a time-variant secure login code when the button on the USB stick is pressed. This 128-bit code is unique every time the device is used and, as such, can’t be copied and reused. It is basic security logic that adding a requirement for something you physically have (the YubiKey token) to something you know (your master password) considerably strengthens the access security to your password vault.
Password managers aren’t a magic bullet against those who would steal your data, and shouldn’t be regarded as a replacement for other essentials such as security software and large doses of common sense. The autofill function of a password manager can make it harder for malware to capture live login data (a keylogger will fail, since no keystrokes are being made), but it doesn’t make it impossible; a man-in-the-middle attack could still compromise your security once you’ve logged in.
All the same, software that makes it practical to use regularly changed, truly random and complex passwords is an incredibly powerful security tool – and one that’s increasingly becoming essential.