Why do we use a password manager?
Quite a few people argue that they already have a well-established password of more than 16 characters, with lowercase letters, uppercase letters and even special characters. They use it everywhere, so they don’t need a password manager…
Okay, I usually say, let’s suppose we ordered a gift for our partner from the “Glitch Webshop” page. As with almost every webshop today, registering an account was mandatory (sic!), which we did with our super-safe password. Then it turns out (if we are lucky enough to even find out) that the site was hacked and the user passwords were compromised; they weren’t even stored encrypted (sic)… So at how many places do we now have to change our super-secure password!? Did we keep a record of them at all!?
The usual answer is: I have another, simpler password for the “non-important places”…
On the one hand, fine, but then at how many “non-important places” do we have to change the password?
On the other hand, there have already been incidents at “important” places too…
Thirdly, our password can also leak through a successful phishing attack, from a compromised device, and so on…
In the end, the last-resort argument usually comes: well, I have two-factor authentication!
Indeed, that is already a big step forward, congratulations! But some thought-provoking questions arise here too:
- What did you use as the second factor?
  - E-mail?
    - Is there 2FA there too?
    - Is your password the same there too!?
  - Authy, to have 2FA on multiple devices?
    - Is your Authy password the same one as well?
- What alternative login do you have if the primary 2FA is unavailable?
  - Isn’t it a problem there too if your password is revealed?
  - If your password was compromised, is it still two-factor?
  - Is that fallback e-mail again?
Of course, the list could go on, but I hope it is already clear that in today’s world we need some kind of password manager.
Ok, password manager, so what?
The first idea is usually the password manager built into the browser, since we use some kind of web interface almost everywhere anyway. This is already a big step forward, but these solutions were typically designed with convenience as the primary consideration, not IT security.
On the one hand, passwords stored in the browser can typically be recovered relatively easily: they are protected only by the operating system user’s login session, so malware running as that user can usually read them. On the other hand, there are ways to synchronise them to our other devices, but the implementation and usability are not necessarily smooth…
Solutions integrated into the operating system are also available. IT security gets more attention here, but they are typically tied to the given platform, and they often lack things like shared (group) password management, which is useful not only at work but also in the family, or reports about our passwords, etc.
There are “offline” password managers available for several platforms; one of the most popular is KeePass, and there are various KeePass implementations, some of which support cloud storage too. Here the passwords are stored in an encrypted file, which we can share with others, and whoever knows the file’s password can read the passwords stored in it.
Passwords typically reach the browser through the clipboard (which other applications can read as well), it is fiddlier to use on a mobile device, and if the file is compromised there is no automation to replace the passwords stored in it.
LastPass
One of the largest platforms designed specifically for password management. I used it myself for many, many years, and not just me but the whole family, with the Family subscription. In practice, when I was looking for a password management solution, I didn’t really find an alternative, and in 2015 the Hungarian-founded LogMeIn (now GoTo) bought it, which only made it more sympathetic to me.
Then in December 2021 it became independent again, the reasoning being that this way they could develop even more effectively. Maybe something went wrong here, I don’t know exactly; in any case, incidents involving LastPass have slowly become leading news recently.
In itself this would not necessarily be a problem, since it can be assumed that a leading supplier specialising in password management is a prime target for attackers. But the information that came out, the details of the incidents and the way they were handled made my hair stand on end, so 2023 brought a change for me.
Bitwarden
It’s no secret: that’s what I switched to, and the fact that it is open source really impressed me. Not only because I’m in favour of open source, but also because I think it adds to security.
I know many people think that open source software is much less secure, but I say the exact opposite. Because it is. 🙂
In my opinion that is a banal mistake; in general, an open source system can indeed be much safer!
Without going into too much detail (maybe I’ll write a post about it one day), my reasoning is this: yes, if someone writes a program and publishes its code, it is easier to find bugs from the source than without it. But with a large, widely used system this turns into the exact opposite: many more people look at the source code, vulnerabilities are revealed sooner, problems cannot really be hidden, and so on… (provided, of course, that somebody actually reads and audits the code).
Returning to Bitwarden, the other candidate when I switched was 1Password. At the time of the switch, the security features tipped the scales towards 1Password, but in the end Bitwarden’s open source nature and its pricing (together with my hope that the security aspects I considered weaker at the time would soon improve) led me to Bitwarden, with the stipulation that if that hope didn’t come true, I would move on…
That’s fine, but what do I mean by perceived weaker security when I’m preaching about security? I mean the key derivation Bitwarden uses, more precisely the password hashing settings.
PBKDF2
PBKDF2 stands for Password-Based Key Derivation Function 2. Still have questions? 🙂
Don’t be afraid, the basic principle is simple.
Let’s start from the fact that when a password is checked, it is not compared in plain text: it is run through a hash function and the result is compared with the stored value. A hash function is a mathematical procedure that is practically one-way, so from the result we cannot (at least not in the foreseeable future) recover the input.
However, if we have the stored hash, we can test candidate passwords: hash each guess and see whether it produces the same value. This is the brute-force (or dictionary) method.
With the development of technology, especially the rise of GPUs, i.e. video cards (partly thanks to video games and bitcoin mining), these attempts can be carried out very quickly, because plain hash functions such as SHA-256 were designed to be fast.
Therefore the hash function is applied many times over, in iterations, so that the time required for each attempt increases accordingly. A per-user random salt is also mixed in, so that the same password does not produce the same result for two users and precomputed tables are useless.
PBKDF2 is one of the most common procedures for this. With an adequate iteration count, each guess costs the attacker as many hash computations as the iteration count, so a rate of, say, hundreds of thousands of attempts per second drops to tens of thousands or even fewer. In practice, if the password is long enough, this makes brute-force attempts hopeless. The legitimate check of a known password, on the other hand, runs the iterations only once, which still takes a fraction of a second.
If you want to see in dollar terms how much it would cost to try to crack a password, you can check it at https://support.1password.com/pbkdf2/.
The reason I wrote that Bitwarden was weaker than 1Password at the time of my switch is, on the one hand, that 1Password performs 650,000 iterations, and on the other hand, that it combines the password with a Secret Key that exists only on the client devices. (So if an encrypted vault leaks, the master password alone is not enough to decrypt it.)
In contrast, Bitwarden used “only” 200,001 iterations. The quotation marks are because LastPass used 100,100, so even this was an improvement.
For the sake of completeness, there was a bit of “mischief” here too: the 200,001 came from 100,000 server-side iterations plus 100,001 client-side ones. Only the client-side iterations stand between an attacker and a leaked vault, because whoever has a copy of the encrypted vault derives the key directly from the master password and never goes through the server. So the effective stretching of the master password was 100,001, practically the same as with LastPass. (sic)
Another non-negligible problem is that the OWASP (Open Worldwide Application Security Project) recommendation today is 600,000 iterations for PBKDF2-HMAC-SHA256…
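To make the “mischief” tangible, here is an added example (my own simplified model, not Bitwarden’s code) of the client-side plus server-side PBKDF2 split and of what an attacker holding a leaked vault actually has to do. The salts, the HMAC “verifier” standing in for the encrypted vault, the e-mail address and the wordlist are all constructed for illustration; the iteration counts are parameters so that the demo runs in a fraction of a second, while the real defaults discussed above were 100,001 client-side and 100,000 server-side.

```python
"""Simplified model of client-side + server-side PBKDF2 (added example, not Bitwarden's code).

Assumptions chosen for illustration: PBKDF2-HMAC-SHA256 everywhere, the lower-cased
e-mail address as the client-side salt, a fixed server-side salt, and an HMAC over a
constant standing in for the encrypted vault payload.
"""
import hashlib
import hmac


def derive_master_key(password: str, email: str, client_iterations: int) -> bytes:
    """Client side: the key that protects the vault. An attacker holding a copy of the
    vault re-runs exactly this function for every guess, and nothing else."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(),
                               client_iterations, dklen=32)


def login_hash(master_key: bytes, password: str) -> bytes:
    """Client side: one extra PBKDF2 round so the server never sees the master key
    (this is the '+1' in 100,001)."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1, dklen=32)


def server_stored_hash(login_hash_value: bytes, server_salt: bytes, server_iterations: int) -> bytes:
    """Server side: the server stretches the login hash again before storing it. This protects
    the server's own database, not a vault copied from a device or from a backup."""
    return hashlib.pbkdf2_hmac("sha256", login_hash_value, server_salt, server_iterations, dklen=32)


def vault_verifier(master_key: bytes) -> bytes:
    """Stand-in for the encrypted vault: with the right key the check passes (constructed)."""
    return hmac.new(master_key, b"constructed vault payload", hashlib.sha256).digest()


def crack_leaked_vault(verifier: bytes, email: str, candidates, client_iterations: int):
    """Offline attack on a leaked vault. Returns (recovered_password, pbkdf2_iterations_spent).
    server_iterations does not appear anywhere: the attacker never talks to the server."""
    spent = 0
    for guess in candidates:
        key = derive_master_key(guess, email, client_iterations)
        spent += client_iterations
        if hmac.compare_digest(vault_verifier(key), verifier):
            return guess, spent
    return None, spent


def demo(client_iterations: int = 1_001, server_iterations: int = 1_000) -> dict:
    email = "user@example.com"          # constructed
    master_password = "correct horse"   # constructed, deliberately weak
    key = derive_master_key(master_password, email, client_iterations)
    stored = server_stored_hash(login_hash(key, master_password), b"server-salt", server_iterations)

    # Attacker's view: the leaked vault (verifier) and a small wordlist; the stored hash is irrelevant.
    wordlist = ["password", "letmein", "correct horse", "hunter2"]
    recovered, spent = crack_leaked_vault(vault_verifier(key), email, wordlist, client_iterations)
    return {
        "recovered": recovered,
        "iterations_spent": spent,                                  # guesses tried * client iterations
        "iterations_per_guess": client_iterations,                  # what the attacker actually pays
        "advertised_total": client_iterations + server_iterations,  # what the '200,001' figure added up
        "stored_hash_len": len(stored),
    }


if __name__ == "__main__":
    print(demo())
```

Run with the real numbers (`demo(100_001, 100_000)`) and the “advertised_total” is 200,001, but every guess against the vault costs only 100,001 iterations; raising `server_iterations` changes nothing in the attacker’s loop.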
Fortunately, since mid-February 2023 Bitwarden has raised this too: it now uses 600,001 iterations by default and also lets us set how many client-side iterations we want. So we can set 650,000 like 1Password, or go even higher. Obviously this affects performance, but unless we are on old hardware we won’t notice much. (Within reasonable limits, of course. 🙂 )
Importantly, if we created our account before February 2023, the iteration count is not raised automatically; we have to do it ourselves after logging in on the web interface!
(Account Settings / Security / Keys)
What’s more, Bitwarden also made the Argon2id algorithm available at the same time!
Argon2
Argon2 won the 2015 Password Hashing Competition; Argon2id is a hybrid version of it that combines data-dependent and data-independent memory accesses.
Argon2i is more resistant to cache-timing side-channel attacks, while Argon2d is more resistant to GPU-based attacks; Argon2id takes the first pass from the former and the rest from the latter.
Unlike PBKDF2, which is tuned with a single iteration count, Argon2 has three parameters: memory size (m), number of iterations or passes (t), and degree of parallelism (p). The memory requirement is what makes GPU and ASIC cracking expensive, since every guess computed in parallel needs its own m bytes.
Bitwarden’s default is above the current OWASP recommendation:
64 MiB memory, 3 iterations, 4 threads (parallelism).
(More about encryption used by Bitwarden: https://bitwarden.com/help/what-encryption-is-used/ )
So now PBKDF2 or Argon2? And with what parameters?
The current OWASP recommendation can be found here: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
The current Bitwarden defaults all meet or exceed the recommendation.
It is worth looking at the recommendation and our own settings from time to time.
If we want to comply with the NIST recommendation, or if operating according to FIPS 140 matters, we can stay on PBKDF2 with an appropriate iteration count.
If we want to move with the times, we can use Argon2id now, also taking the recommended settings into account.
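As an added example (my own code, not from the post, OWASP or Bitwarden), here is a small checker that compares a KDF configuration against the minimums in the OWASP Password Storage Cheat Sheet as they stood in early 2023; the numbers are copied from the cheat sheet linked above and should be re-checked there before relying on them. The configurations at the bottom are constructed dicts with the figures quoted in this post, not values read from any product.

```python
"""Check KDF settings against the OWASP Password Storage Cheat Sheet minimums (early 2023).
Added example; memory is handled in KiB because that is the unit Argon2 itself uses."""

OWASP_PBKDF2_MIN_ITERATIONS = {
    "sha1": 1_300_000,
    "sha256": 600_000,
    "sha512": 210_000,
}

# OWASP lists these Argon2id settings (p=1) as roughly equivalent: more passes, less memory.
OWASP_ARGON2ID_EQUIVALENTS = [
    (1, 47_104),  # t=1, 46 MiB
    (2, 19_456),  # t=2, 19 MiB (the headline recommendation)
    (3, 12_288),  # t=3, 12 MiB
    (4, 9_216),   # t=4, 9 MiB
    (5, 7_168),   # t=5, 7 MiB
]


def check_pbkdf2(hash_name: str, iterations: int) -> tuple[bool, str]:
    """True if the iteration count reaches the OWASP minimum for the given HMAC hash."""
    name = hash_name.lower().replace("-", "")
    if name not in OWASP_PBKDF2_MIN_ITERATIONS:
        return False, f"no OWASP figure for PBKDF2-HMAC-{hash_name}"
    needed = OWASP_PBKDF2_MIN_ITERATIONS[name]
    if iterations >= needed:
        return True, f"PBKDF2-HMAC-{name.upper()}: {iterations:,} iterations >= {needed:,}"
    return False, f"PBKDF2-HMAC-{name.upper()}: {iterations:,} iterations is below {needed:,}"


def check_argon2id(memory_kib: int, iterations: int, parallelism: int) -> tuple[bool, str]:
    """True if the settings dominate one of the listed equivalents: at least as many passes
    and at least as much memory as that entry (so 16 MiB passes at t=3 but fails at t=2)."""
    if parallelism < 1 or iterations < 1:
        return False, "Argon2id needs t >= 1 and p >= 1"
    for t_req, m_req in OWASP_ARGON2ID_EQUIVALENTS:
        if iterations >= t_req and memory_kib >= m_req:
            return True, (f"Argon2id m={memory_kib} KiB, t={iterations}, p={parallelism} "
                          f">= OWASP (m={m_req} KiB, t={t_req})")
    return False, (f"Argon2id m={memory_kib} KiB, t={iterations}, p={parallelism} "
                   f"is below every listed OWASP configuration")


def assess(settings: dict) -> tuple[bool, str]:
    """Dispatch on the KDF name; Argon2 memory is given in MiB, as in Bitwarden's settings page."""
    kdf = settings["kdf"].lower()
    if kdf == "pbkdf2":
        return check_pbkdf2(settings.get("hash", "sha256"), settings["iterations"])
    if kdf == "argon2id":
        return check_argon2id(settings["memory_mib"] * 1024, settings["iterations"], settings["parallelism"])
    return False, f"unknown KDF {settings['kdf']!r}"


# Settings quoted in the post (constructed, not read from any product).
CONFIGS = {
    "LastPass (100,100)":             {"kdf": "pbkdf2", "iterations": 100_100},
    "Bitwarden old client (100,001)": {"kdf": "pbkdf2", "iterations": 100_001},
    "Bitwarden 2023 default":         {"kdf": "pbkdf2", "iterations": 600_001},
    "1Password":                      {"kdf": "pbkdf2", "iterations": 650_000},
    "Bitwarden Argon2id default":     {"kdf": "argon2id", "memory_mib": 64, "iterations": 3, "parallelism": 4},
}

if __name__ == "__main__":
    for label, cfg in CONFIGS.items():
        ok, why = assess(cfg)
        print(f"{'OK  ' if ok else 'WEAK'} {label}: {why}")
```

The Argon2id rule is the interesting part: the cheat sheet treats memory and passes as a trade-off, so a configuration is accepted if it is at least as strong as any one of the listed equivalents on both axes, rather than by comparing against a single magic number.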
Ok, I switched to Bitwarden (or another password manager), so now I’m safe, can I sit back?
Of course not! 🙂
On the one hand, it is important to change the super-secure master password, which we use only and exclusively in our password manager, from time to time. Why? As you saw with the hash algorithms, the recommendation changes over time: as technology develops, algorithms become obsolete and their parameters need to be raised.
If an old backup leaks and the algorithm used in it is already weak, or the password we used back then leaks, then all our passwords have been compromised!
So is it all for nothing now?
No! It just means that we have to keep looking after our passwords.
All of these password management systems support automatic password changes (although I have to say LastPass was stronger here than Bitwarden), they can report whether one of our passwords appears in a public breach database, and we can also see which of our passwords was changed when (although I didn’t find this in Bitwarden; I hope I just didn’t search hard enough). They can also list our weak passwords and the websites declared unsafe where we have an account.
Recommendations for secure password management
- Change the master password of our password manager at least once a year!
- The master password must be sufficiently long: at least 16 characters, with uppercase and lowercase letters as well as special characters.
- Make 2FA mandatory, at least for our password manager.
- Group your passwords into folders according to their criticality, work through them in that order and generate new passwords.
- Use a different password everywhere; if for no other reason, generate your passwords: at least 16 characters long, with uppercase and lowercase letters as well as special characters.
- At least once a year, download the reports available in the password manager and take the necessary steps depending on the results.
- Make a backup at least once a year, or after mass password changes!
- Store the backup in a safe place, using reliable encryption! After the new backup, destroy the old one! (Remember what I wrote earlier: the encryption used for that old backup may no longer be reliable…)