Password Manager? Is it really secure?

TimeI$MoneyTimeI$Money Member Posts: 15 ■□□□□□□□□□
I`m looking for security professionals perspectives on password manager topic. There are many solutions out there offering the ability to generate, store, mobility, integration with phone/computer etc are these solutions really reliable? Some of them are cloud based solutions and some hardware based. The idea of keeping the key to your sites and tools externally doesnt sound very secure to me. I`d appreciate to hear from you all. Thanks

Comments

  • cyberguyprcyberguypr Senior Member Mod Posts: 6,911 Mod
    Password managers are absolutely fantastic. Every single security professional in my circle uses some sort of KeePass, LastPass, Dashlane, etc. At my $dayjob we do massive awareness efforts demoing these for our users and explaining the value that they bring.  

    You have to ask yourself what is the problem you are trying to solve. What is your threat model? My main problem is solving the password reuse issue while at the same time ensuring availability of my secrets at the tip of my fingers. A cloud-based password manager solves both problems. You control the decryption key so the vendor does not have access to your secrets. Before I forget, another fear of mine is losing my data in a house fire. That is another reason why I want my stuff stored and protected outside my perimeter. Same reason why I encrypt my backups on a weekly basis and send them to the cloud. More on online password managers here: https://nakedsecurity.sophos.com/2016/07/19/why-you-should-use-a-password-manager/

    Others are set on zero cloud. For those use cases KeePass is a good compromise. More on this here: https://nakedsecurity.sophos.com/2017/11/17/keepass-a-password-manager-thats-cloud-less-but-complex/
     
    Haters try to say that methods like using "unique" passwords like #$54google%^ and #$54dropbox%^ are more secure and what not. That's just ridiculous.

    The key takeaway here is that you need to decide what you can live with. 
  • iBrokeITiBrokeIT GICSP, GCIP, GXPN, GPEN, GWAPT, GCFE, GCIA, GCIH, GSEC, CySA+, Sec+, eJPT Member Posts: 1,303 ■■■■■■■■■□
    This "it's in the cloud therefore it's insecure" trope is really getting old and needs to be stamped out.  It all comes down to the proper implementation of the solution, not the location.
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA | eCPPT | eWPT | eCTHP

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security
  • DZA_DZA_ Untitled. Member Posts: 438 ■■■■■■□□□□
    We've used Thycotic Secret Server at my last job. It did a pretty decent job of managing admin credentials, service accounts, etc. It was very descriptive when you were classifying what type of credentials e.g. Windows OS, Linux, SSH and so on. I am not sure from an architecture standpoint (HA/Fail-over) how it scaled out to between the different data centers but overall it wasn't a bad product. Something that you can take a quick glance at it. 

    Correction: I did a quick look on their website and only the Professional and Platinum support HA/DR.
  • JDMurrayJDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USAAdmin Posts: 11,900 Admin
    Whatever your password manager, it only takes one password to get all your passwords. Therefore MFA on your password manager is a must.
  • LonerVampLonerVamp OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK Member Posts: 515 ■■■■■■■■□□
    This isn't a question that can be answered. The "security" of your password manager depends on what threats and issues you're solving with the solution. It depends on how you use the solution, and how the solution operates.

    I dislike railing on the trope of "if it's in the cloud it's insecure." It's a way of making the point that, depending on how you use it and how it is set up, *you* have no way to assure that it *is* secure. You have to trust the provider. There are situations ti mitigate this, like whether you encrypt a file and then send it up and they have no way to decrypt it, but at some point there is a level of trust handed over to an entity you cannot 100% vouch for (even up to trusting your own platform like your Android phone and that mystery app you gave lots of permissions to). I mean, try doing that with LastPass 5 years ago, and you'd have been wrong.

    Sometimes you do what you can to match your level of need. And that is always going to be a personal decision.

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2020 goals: AWS Security Specialty, maybe AWAE or SLAE, CISSP-ISSAP?
  • shochanshochan Member Posts: 936 ■■■■■■■□□□
    This one is a decent password mgr

    https://safe-in-cloud.com
    2021 Goal ~ OSCP

    Urban Achiever~ A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+
  • iBrokeITiBrokeIT GICSP, GCIP, GXPN, GPEN, GWAPT, GCFE, GCIA, GCIH, GSEC, CySA+, Sec+, eJPT Member Posts: 1,303 ■■■■■■■■■□
    edited January 2019
    LonerVamp said:
    I dislike railing on the trope of "if it's in the cloud it's insecure." It's a way of making the point that, depending on how you use it and how it is set up, *you* have no way to assure that it *is* secure. You have to trust the provider. 

     You completely missed the point the of my second sentence. Having to trust the provider of your software is NOT a unique circumstance to cloud solutions.  You have also trust the provider of any on-prem software that you install.  You should be applying the same level of rigor during your assessment of solutions, regardless of location, and not blindly dismissing something just because "it's in the cloud therefore it's insecure". 

    You can fail at your on-prem implementation just as badly as your cloud implementation which is why I said " It all comes down to the proper implementation of the solution, not the location."
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA | eCPPT | eWPT | eCTHP

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security
  • Jon_CiscoJon_Cisco Member Posts: 1,775 ■■■■■■■■□□
    I have used a password manager for years. I don't know if the information is always secure but I am not using it for anything overly sensitive so I did not worry to much about the specifics.

    The one thing I am confident about is that I am more secure by using a different random generated password for every login which the manager tracks for me. Currently I have 400+ logins saved. So as long as my password manager is not compromised I am doing OK. This seems like a better risk then reusing a common password or storing everything on a piece of paper that can't be accessed away from my safe.
  • cyberguyprcyberguypr Senior Member Mod Posts: 6,911 Mod
    One more super fresh article worth the read to understand the value of password managers: https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/
  • jdrobinsonjdrobinson A+, CISSP Registered Users Posts: 2 ■□□□□□□□□□
    I'll probably reiterate what many of the guys said here, but password managers serve a very specific purpose and for that specific purpose they work excellent. Cloud should indeed be treated in a zero-trust type manner, but that's for the security professionals to administrate and ensure that only those who should be accessing resources, are accessing resources. When the two are put together the same requirements need to be met. The solution is only as secure as the implementation.

    For additional security most cloud-based solutions use multi-factor authentication which is a much better solution then just a single password. Remember that multi-factor is at least two of the following: Something you Know (Password), Something you Have(RSA Key, Phone), or Something you Are (Bio-metrics). I'd recommend Google Authenticator if you're looking for a key generator for your phone. Most multi-factor solutions support it. I also have DUO for work stuff.
Sign In or Register to comment.