Using a complex and unique password for each login is obviously important, however this can cause remembering all of your passwords to become very difficult and often leads to a compromise on password quality, as well as repeated uses of the same password. Using passwords that are uncommon but easily memorable also has the potential to be an issue, as such passwords may still be easily cracked using Markov chains; this paper outlines the use of Markov chains in password cracking, and claims that 67.6% of passwords from a real-world sample were able to be cracked using the technique.
Password managers attempt to offer a solution. You only have to remember one password, which means that you can easily make this password very secure, and you will have access to all of your accounts. On top of this, most password managers will generate random passwords for you, allowing the use of highly secure and unique passwords for each of your logins. There are a lot of very good password managers available (as well as some not so good ones), and it largely comes down to personal preference, however there are some things to bear in mind when choosing which password manager to use.
Generated Password Quality
For most password managers that have an option to generate passwords for the user this is a non-issue – they allow for the length of the generated passwords to be set higher than most login forms will even allow, and have options on which character sets to use. However it is always worth checking the quality of the generated passwords before committing to using a password manager, and it is also important to be aware of the options available to you when generating a password. Check that it is possible to include a wide range of characters, including symbols, numbers, and capital letters, and that these can be randomly combined to form a password of suitable length. It is also important for the generation to be customisable, as different login forms have different requirements for passwords – you don’t want to be unable to use your password manager for a particular login.
Some password managers allow for the generation of ‘memorable passwords’; while this will usually be fine, I would recommend avoiding it. Most of the time it is unnecessary as you will be relying on your password manager to supply your password to a login form, and when you do need to remember a password it is better to think of one using the usual guidelines. The passwords that I have seen generated by this mode often do not contain numbers and symbols (which are easy to include in a memorable password when generated by a human) and may well be easy to crack when using Markov chains as mentioned above due to the way in which they are generated. The way around this is to create long passwords with the memorable mode, however this makes them difficult to remember, defeating the point of using this mode in the first place.
Online vs. Offline
Password managers come in two different flavours – online and offline. Online password managers come with many advantages – they can allow for easy use across multiple devices, and often use bookmarklets to allow for “no install” as well as wider support including moble browsers that do not allow extensions. However, as discussed in this paper published last year they can be rather insecure. If you do not wish to read the whole paper, then just read the following paragraph from the introduction:
“Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites. We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords. The root-causes of the vulnerabilities are also diverse: ranging from logic and authorization mistakes to misunderstandings about the web security model, in addition to vulnerabilities like CSRF and XSS”
Offline password managers are generally considered to be more secure as the data is stored locally, causing less data transfer and authentication which may potentially be exploitable by an attacker. While they are not quite as convenient as online password managers, the portability can often be recreated through the use of USB sticks (though this is rarely an option for mobile devices).
Autofill and Phishing Protection
An advantage of password managers is that they can help protect the user against phishing attacks as they will only fill in the credentials on the correct page, preventing the user from entering their password into a fake site. This is certainly good, however the autofill feature of many password managers, when poorly implemented or misconfigured, can allow for an attacker to obtain peoples’ passwords with relative ease. A great discussion of the issues associated with autofill features in password managers, as well as examples of attacks to exploit these features, can be found here. The researchers from the previous paper were able to extract around ten passwords a second from a password manager using an invisible iFrame on the landing page of a WiFi hotspot (among other methods), without the knowledge of the victim. If you wish to use autofill, it is recommended that you set a your password manager to prompt you before entering credentials into a form to avoid such attacks.
Using a password manager is a good idea, so long as the password manager chosen is well made. You should choose which password manager to use based on the previously mentioned criteria, as well personal preference for things such as the UI, additional features, and method of browser integration.