The Why and the What of Password Manager
Have you ever faced the issue of setting complex password adhering to some password policy (like, password should have upper case, special symbol, digit etc) and then when try to login a week later from another device (e.g., your mobile) you can’t remember it? Even worse, some of our passwords are so sensitive that we don’t want browsers to remember and a week later or so we have to again reset it. Remembering 2–3 difficult password is Ok, but you can’t do for a dozen of passwords. Especially, if you need to keep on changing them — which is the right way.
The workaround here is to keep 2–3 passwords and use them on all different websites. With underlying assumption that your password is not stored at website as plain text rather Hashed/Salted/Encrypted using some sophisticated algorithm. So that even if the website gets hacked, plain text password won’t be revealed. And getting plain text from Hashed/Salted/Encrypted version is impossible.
Well, unless you are sure what kind of passwords hiding is used by website, please be aware it’s not that difficult of get plain text from either hashed password or even encrypted password. Let’s just see how:
A lot of developers still thinks MD5 is good enough to generate the hash. Even though the Wikipedia calls is “Broken” https://en.wikipedia.org/wiki/MD5 too.
When a website gets hacked the username and password of its users are exposed. Basically, the hashed value of your password is now with hacker. Should you be worried, considering the fact that it’s impossible to generate the plain text password from the hash. Well, the short answer is yes if hash is generated using algo like MD5. Let me show you why. Let’s just say you keep simple password with any 7-letter word. The total combination for someone to guess in worst case would be:
26*26*26*26*26*26*26 = apx 8 Billion
The way hacker gets your plain text password is by doing reverse engineering. So, they would use combinations, generate its hash value and compare against yours password hash stored in Database of website whose security is compromised. When there a match they would know the plain text.
There are utilities like “Hashcat” which does this automatically. And when you run it on machine which has high end GPUs it can literally attempt Billions of combination/sec. Meaning the 7 character (all either lower case or Upper case) will be cracked in a second.
So even with the most naïve approach (brute-force), your password will be revealed. Sophisticated, hackers use dictionary attack, and other advanced methods which increases the probability of getting plain text from hashed value.
How about you are getting smarted and using mix of upper and lower case. Well, most people use first character as upper case. Alright, let’s add some digits. Most people add digits at last like 3 or 4. You see, ultimately is not that difficult to crack the password if you have the hash.
The problem with encryption is that commonly used password from different users will have same encrypted values, as website uses same encryption key to encrypt. A hacker can then look at the hint field (remember a lot of website ask u password hint) of same encrypted password and with like 4–5 hints he can guess the password
The way to avoid above is to use what they call Salting. But let’s not go into that. The point is your precious password’s secrecy directly depends on kind of password you put and the way its stored in DB of given website
a) The developer used code which combines Salting with Hashing/Encryption.
b) You really create a complex password, having many special characters, upper lower case — meaning something you can’t remember easily and sticking to protocol of keeping separate password for different websites.
We can’t really guarantee a), therefore taking things in own hand, let’s focus on b). The problem with b) is you can’t remember many such password and you really can’t generate such random passwords because we are humans who were taught dictionary words and not random words made of special characters — and that’s exactly what password managers are built for.
They keep your username, passwords, card details etc encrypted with sophisticated algorithms that are literally impenetrable and can also generate passwords for you which are both complex and unique.
The most important part is to have a strong Masterkey for password Manager. The way it works is, Password manager stores all your passwords, username, card details etc with AES-256 (Or Similar) encryption to both on serve and local client. It also depends upon which kind of Password Manager you choose — the one which only keeps your data at your local drive or the cloud based solution.
The encryptions key is drive from your Masterkey salted hash at the server side. AES-256 is what they call military grade encryption standard. Meaning it’s computationally infeasible to decode information you store in password manager even if someone get’s it’s DB. Or even for the employees of Password Manager. Unless they get you master key and user-id.
How about man in the middle attack? Well, the Client always encrypts and/or hashes your data on your local device before anything is sent to cloud servers for storage. The servers are only used for storing encrypted data, where it’s hashed again and stored in Database. So essentially it works on zero knowledge. Meaning even if the password Manager’s DB gets hacked it’s computationally infeasible to get your username password to Password Manager and same for all you encrypted data (i.e., your username, password which you stored at Password Manager).
In conclusion I can say, password managers is something one should consider to use. There are numerous videos and documentation which you can watch/read to understand how to use given password Manager. The purpose of this article is to spread the awareness.