If you’re like me, you have at least a dozen online passwords to keep track of.
For work alone there are five I need almost daily. IT security pros following best practices insist employees use different ones for the best protection. But how much can a person remember?
Some enterprises use an IT-managed password management solution, but deploying it across several hundred users could be expensive.
One solution is a Web-based password manager, offered by a number of sites like LastPass, My1login, RoboForm, PasswordBox and NeedMyPassword.
However, Ars Technica has got hold of a research paper to be presented at an upcoming conference that says four out of the five solutions tested had severe vulnerabilities through which an attacker could learn a user’s credentials.
Problems ranged from logic and authorization mistakes to misunderstandings of the Web security model.
And remember, if an attacker gains access it means theft of all of that user’s passwords.
“Our study suggests that it remains to be a challenge for the password managers to be secure,” say the four authors, researchers from the University of California at Berkeley.
Unfortunately, Web vulnerabilities (such as sharing authentication tokens across applications) have to be understood and addressed by the password manager creators. Then there are bookmarklet, authorization and user interface vulnerabilities to be dealt with.
In one way or another, the authors say, the developers of the five solutions studied haven’t done so.
One can’t help but agree that their paper is, as they say, a wake-up call to such services. Their developers need to take a systematic approach to dealing with the vulnerabilities of each solution.
Until then it looks like IT pros can’t recommend them to staff.