Password Prompt

If you’re like me, you have at least a dozen online passwords to keep track of.

For work alone there are five I need almost daily. IT security pros following best practices insist employees use different ones for the best protection. But how much can a person remember?

Some enterprises use an IT-managed password management solution, but deploying it across several hundred users could be expensive.

One solution is a Web-based password manager, offered by a number of sites like LastPass, My1login, RoboForm, PasswordBox and NeedMyPassword.

However, Ars Technica has got hold of a research paper to be presented at an upcoming conference that says four out of five solutions tested had severe vulnerabilities where an attacker could learn a user’s credentials.

Problems ranged from logic and authorization mistakes to misunderstandings of the Web security model.

And remember, if an attacker gains access it means theft of all of that user’s passwords.

“Our study suggests that it remains to be a challenge for the password managers to be secure,” say the four authors, researchers from the University of California at Berkeley.

Here’s a link to the paper.

Some IT pros might groan at the idea of a browser-based system being secure (although some use JavaScript bookmarklets and not browser extensions), but as the paper points out they provide some protection against phishing attacks, and cloud-based synchronization across devices promises tremendous security and usability with low deployability costs.

Unfortunately, Web vulnerabilities (such as sharing authentication tokens across applications) have to be understood and addressed by the password manager creators. Then there are bookmarklet, authorization and user interface vulnerabilities to be dealt with.

In one way or another, the authors say, the developers of the five solutions studied haven’t done so.

One can’t help but agree that their paper is, as they say, a wake-up call to such services. Their developers need to take a systematic approach to dealing with the vulnerabilities of each solution.

Until then it looks like IT pros can’t recommend them to staff.