Storing a password has always been a problem that involved other problems. Today everyone has a digital life made by different accounts for each activity, from online banking to email, from different forums to social networks, so it’s crucial to find a way to remember all the credentials, possibly avoiding password stealing. If you search on the web you’ll find a lot of articles about tools that help you to store your passwords securely but what these articles usually do, is present a list of useful tools. I’d personally prefer to make you reflect on the implications of using one or another storage system, helping you to find your favourite solution.

LOCAL VS ONLINE

Reading on the web, you’ll encounter tools that allow you to store your passwords online, and other tools that store them locally, on your pc. The difference between these two different approaches, depends only by which system you can trust more. OneLogin, the provider and developer of single sign on, has been hacked recently.

The company said that “the threat actor was able to access database tables that contain information about users, apps, and various types of keys” .

In an update the company stated: “our review has shown that a threat actor obtained access to a set of [Amazon Web Services, or AWS] keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US”.

With this example, certainly I don’t want to blame all the cloud based password managers but I want to warn you that if you choose an online password manager, your credentials can be stolen by hackers targeting your provider.

In a similar way, if you store your credentials in a password manager that keeps the data locally on your machine, you can’t exclude the possibility to be hacked.

To conclude, your credentials are safe as well as your storing system is safe.

PLAINTEXT VS ENCRYPTED

This part shouldn’t be hard to understand for you. Storing your passwords unencrypted is just stupid. Use encryption. Most of the available tools use AES-256 bit encryption.

FREE VS PAID

In my opinion paid password managers don’t offer features that justify their prices. Just search for free software and you’ll find a plenty of good tools without spending a fortune.

STANDALONE VS BROWSER EXTENSION

Every browser offers a password manager. You can find a password manager in chrome going to “Settings”, “Advanced”, “Passwords and forms”, “Manage passwords”. In Firefox you can go in “Preferences”, “Security” and you can set a “Master Key” to manage all your credentials. There are also third party tools that are developed as browser extensions; anyway even if they could be useful allowing you to autofill every form without effort, you should remember that browsers can be affected by malwares, spywares and every sort of virus that you can imagine. Again, in the same way as the “local vs online” case, if you think that your machine is secure, you should prefer a standalone software running on it.

AVOID AUTOFILL

All the tools you can find on the web offer you the autofill feature. So you don’t have to type your passwords anymore, because the software will do it for you. For what concerns security, you shouldn’t see this feature as a convenience, you should see it as a risk instead. In fact, the autofill function can be easily exploited by hackers in a phishing attack, resulting in your browser giving away your bank credentials, your Facebook password and so on.

Viljami Kuosmanen, a well known web developer and hacker, discovered a serious vulnerability in the most important browsers including Chrome, Opera and Safari and in many plugins (LastPass to cite one example) that can exploit their behaviour in order to steal credentials.

When a user fills a form with, for example, his email, the browser fills all the other forms with all the users’ other credentials even if these forms are not displayed on the screen.

You can change the autofill feature in your browser’s settings.

CONCLUSIONS

If you keep in mind the simple distinctions explained in this article, it should be easy for you to choose your favourite password manager from those proposed on the web. Anyway, I don’t see the necessity to use a software when you can simply use an encrypted text file choosing a strong password. Maybe in this case the simplest way is also the best way…