Why Not All Password Managers are Secure and What to Do About It
With over 30 million monthly brute force attacks, it’s crucial to use strong passwords everywhere. But creating and remembering unique strong passwords across all your accounts can feel like an impossible task. A password manager can help… or can it?
While using and enforcing strong passwords is strongly recommended especially on your WordPress website, not all password managers are created equal.
They come with potential security vulnerabilities that can lead a hacker straight into your WordPress website to steal your identity through brute force attacks.
Fortunately, there are ways you can protect your website and there are secure password managers you can use.
Today, I’ll share more detail on password managers, their potential security holes and how to protect your WordPress website as well as provide you with a couple of the top secure password manager apps.
What’s a Password Manager?
A password manager is an app, browser extension or tool that can securely store all the passwords you want to save.
That way, you don’t have to remember the numerous strong passwords you create for the tens (or hundreds!) of sites you sign up for from email, Amazon and YouTube to your ISP, phone company, and all the rest.
Your passwords are safeguarded in the app, that’s locked with a different password you create. The idea is, you only need to remember this one password. With it, you can access all your other login credentials, then copy and paste them when they’re needed.
Some password managers also have additional options such as two-factor authentication or auto-fill so the login fields of a website are automatically populated with your username and password.
The Problem with Password Managers
While password management apps are incredibly convenient, there are potential security risks involved with using them. This is particularly a problem when you use a browser extension that’s made available by the password manager app you choose to use.
If you visit a website that includes malware, is vulnerable to a Cross-Site Request Forgery (CSRF) or a Cross-Site Scripting (XSS) attack and you use a password manager’s browser extension, all your passwords can be stolen without you knowing.
There are countless ways this could occur.
For example, in the case of a past LastPass security exploit, the vulnerable website could be injected with a script that checks a visitor’s browser for the extension.
If the user has it enabled while they’re visiting the site, the script displays a notification at the top of the page that looks identical to one that LastPass would often display, which tells the user they need to log in again due to an expired session.
The user would then click the link and a phishing site would load that looks identical to the LastPass login page.
The user would log in and the malicious site would check the LastPass API to confirm the details. If the credentials are correct, the phishing site would then request a two-factor authentication token, which the user would enter in.
The phishing site would check the LastPass API again and if the details check out, the login credentials would be automatically sent to the hacker’s server for immediate use.
In the event that a user entered the wrong username or password, the script would check the LastPass API and once it confirmed the details are incorrect, the script loads an error message asking the user to try again.
There are other past LastPass security issues that would give complete access to internal privileged LastPass RPC commands and access to execute code. There has also been issues which would let a hacker override legitimate messages with their own to create a similar phishing attack to the one described above.
Welcome to the (Insecure) Party
LastPass isn’t the only browser-based password manager that has experienced countless vulnerabilities, according to Network World.
For example, Keeper had a security vulnerability where the extension would inject its trusted UI into an untrusted site, leaving it open to CSRF, XSS and other similar attacks.
Dashlane experienced a universal XSS security hole. The vulnerability would let any site attack another with an XSS exploit, which would compromise cookies and user data including login credentials for any site.
A 1Password bug also reported that “There are a number of problems with the security model of 1Password that results in the local security model being disabled, as well as a number of security, sandboxing and virtualization features.”
Except for the phishing security vulnerability in LastPass, all these issues have since been patched. But, more similar security issues pop up all the time in password managers – especially in ones that rely on a browser extension to work.
Here We Go Again and Again
As previously mentioned, many password managers include an auto-fill feature that automatically populates the login form of a website with the correct, previously saved credentials. This auto-fill feature is a particular source for security vulnerabilities, according to Wired.
Princeton’s Center for Information Technology Policy reported that there is a long-standing vulnerability in browsers with built-in password managers that’s starting to be exploited.
Hackers have created scripts that can track the password manager’s auto-fill feature to directly steal login credentials without you even knowing about it.
While only one thousand sites have been tracked to date, this vulnerability is only just getting started so gear up.
The Hits Just Keep on Comin’
All these security vulnerabilities aside, password managers can’t protect you once your login credentials or your identity have been stolen.
If you find out about a security breach, you can quickly change your password, but the vulnerabilities mentioned above can steal your user details without you or the website even knowing.
If this happens to you, there’s no way a password manager can save you from these kinds of threats after the fact.
If you’re thinking, “That’s fine. If I use a website that gets hacked, they would let me know.”
Unfortunately, there have been several instances where user information has been stolen from a website and users haven’t been notified. For years. We’re talking major companies like Yahoo!, Uber and Equifax just to name a few.
So even if you use a secure password manager, it still can’t save you from websites and companies who don’t properly secure their sites enough to avoid getting hacked.
Protecting Your Passwords and WordPress Website
Fortunately, there are several ways you can protect your login credentials while you’re online as well as protect your WordPress site from the potential security risks of some types of password managers.
There are also ways you can protect your passwords while having the convenience of a password manager even if one of your accounts get hacked.
1.6 million WordPress Superheroes read and trust our blog. Join them and get daily posts delivered to your inbox - free!
Should You Use a Password Manager?
With all the security vulnerabilities lurking around various password managers, does that mean you shouldn’t use one at all?
No, you should use one that’s secure. It’s far better than not using one at all. Especially if you’re guilty of using the same password across all your accounts… yikes!
If you don’t use one, you’re way more vulnerable to the exploits out there since you won’t have an extra layer of security readily available.
It may be unnerving to use a password manager if it has had security vulnerabilities in the past, but that doesn’t necessarily mean it’s not secure.
If you use a password manager that’s properly supported and frequently updated for security, those vulnerabilities will be a thing of the past, and you can rest easy knowing your passwords are safe from the latest tricks that hackers try out.
Using a secure password manager can help you use strong passwords that are less likely to get hacked through brute force attacks. You won’t have to remember them all and you can securely store them all in one place for your convenience.
There are secure password managers out there that are listed later on and that you can use to help protect you as much as possible if one of your accounts does happen to get hacked. You can quickly change your password and often before the hacker has a chance to use your credentials.
But, you should avoid using browser extension and built-in browser password managers such as the one that comes with Chrome.
Instead, use a desktop-based app option since they are the most secure. Just be sure not to use the auto-fill feature if the app you use has that option.
Additionally, you can store your passwords in an encrypted file as backup option that compliments the secure password manager you use. That way, if you forget your master password, you still have another way to recover your login details.
Further Ways to Safeguard Your Passwords
Beyond using a secure password manager, there are several ways you can further protect your passwords online:
- Use different strong passwords for every site where you sign up.
- Don’t use a password you have used in the past.
- Change your passwords at least every 90 days.
- Don’t register on a site that doesn’t have a valid SSL certificate.
- Update your browser regularly as security updates roll out.
- Be mindful of the browser extensions you use. Research them before you install them to avoid malware.
- Comb through your browser extensions often to weed out any that have been hacked with malware, that could infect your browser and computer as a result.
- Don’t use an auto-fill feature. Ever.
- Use a strong anti-virus and malware software on your computer and mobile devices.
- Schedule regular anti-virus scans.
- Be cautious about the sites you visit and don’t go to any without a valid SSL certificate.
- Don’t log into any website on a public WiFi connection.
- Don’t use an auto login feature if your browser supports that option.
This is especially prudent if you develop WordPress sites locally since malware you accidentally or unknowingly download online or through email can infect your computer.
Protecting Your WordPress Website
There are also several ways you can help protect your WordPress site’s users from being exploited by the security vulnerabilities that often come with using insecure password managers.
Securing your WordPress site can help do just that:
- Use an SSL certificate on your website such as a free one from Let’s Encrypt.
- Enable two-factor authentication such as with Defender.
- Enforce all users to login using two-factor authentication with Defender.
- Use and enforce strong passwords for all users.
- Use a security plugin.
- Do what you can to step up your site’s overall security.
For details, check out The Ultimate Guide to WordPress Security, WordPress Security: The Ultimate 32-Step Checklist, Ultimate Guide to the 60 Best Security Resources for WordPress and Give Brute Force Attacks the Boot with Defender’s New IP Lockout Features.
The Best Password Managers
These are the two password manager desktop apps that are stable and updated regularly to ensure they’re secure. Each have different features and user experiences so you can try them out and use the one that works for you.
There was a vulnerability in 1Password that was mentioned above, but it’s worth noting that it has been fully patched. 1Password is also updated vigorously to ensure that any other vulnerabilities and bugs are squashed before a hacker even has a chance to try an exploit.
It’s also a premium desktop password manager that doesn’t have an auto-fill feature for greater security and includes extra features such as a secret key to use alongside your master password and an emergency kit you can fill out in case you forget your master password later on.
You can also store more than just passwords such as your Social Security Number, passport details and more. There’s also an option for syncing the desktop app to your mobile devices for increased convenience.
KeePass is a free, open source and OSI-certified desktop password manager. It’s UI is a bit trickier to use, but it’s a secure option since it’s not maintained by a company with limited security staff. It’s maintained and frequently audited by a large volunteer community of security experts to ensure the best possible security practises are used at all times.
While it has strong, basic features that get the job done, it doesn’t include mobile syncing capabilities. Although, there are free community-developed, unofficial mobile extensions available.
The internet can be a scary place from hackers exploiting software meant to keep you safe, to websites invading your privacy, getting hacked and your identity stolen.
Fortunately, the secure password managers and tips outlined above should give you a good kickstart and also help keep you safe while you browse online.