This from The Verge. Not for nothing, I urge the use of a password manager, but I have never been an advocate of the built-in version from your browser. Even if this method is new, unfortunately browsers are generally under siege:
The researchers examined two different scripts — AdThink and OnAudience — both of which are designed to get identifiable information out of browser-based password managers. The scripts work by injecting invisible login forms in the background of the webpage and scooping up whatever the browsers autofill into the available slots. That information can then be used as a persistent ID to track users from page to page, a potentially valuable tool in targeting advertising.
If you ever need to convince somebody to use a password manager, try playing them The Russian Passenger on Reply All. The episode covers a service called Have I Been Pwned, which keeps a record of known data breaches that users can search to see if their credentials have ever been exposed. Try searching the email addresses of friends, family and colleagues on the site. It won't take you long to find somebody you know.
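The Have I Been Pwned service also exposes its Pwned Passwords data through a range endpoint that lets a client check a password without ever sending it: the client hashes the password with SHA-1, sends only the first five hex characters, receives every known hash suffix sharing that prefix, and finishes the match locally (the k-anonymity scheme password managers use for their own "pwned" checks). The following is an added example written for this post, not code from the original article, from 1Password or from Have I Been Pwned; the endpoint URL and the `SUFFIX:COUNT` response format are as documented by the service, the `User-Agent` string and the sample response body are constructed here, and the breach count in that sample is made up for the test rather than taken from the live service.

```python
"""k-anonymity check against Have I Been Pwned's Pwned Passwords range API.

Only the first 5 hex characters of the SHA-1 hash leave the machine; the
service answers with every suffix it knows for that prefix and the client
completes the comparison locally, so neither the password nor its full hash
is disclosed. Added example, not code from the post or from the service.
"""
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what the range endpoint returns for prefix "5BAA6":
# one real suffix (the SHA-1 of "password") plus made-up filler suffixes.
# The counts are invented for this example, not taken from the live service.
SAMPLE_RANGE_BODY = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
2A0C3F5E2B1D4C7A9E8F6B5D4C3A2B1E0F9:0
7B9C2D4E6F8A1B3C5D7E9F0A2B4C6D8E1F3:12
"""


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 of the password into (prefix, suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} map.

    Padded responses (Add-Padding: true) contain filler entries with count 0;
    they are kept here and simply never match a real lookup.
    """
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of times the password appears in breaches, given a range body.

    Pure function: the caller supplies the response text, so this can be
    exercised offline against SAMPLE_RANGE_BODY.
    """
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Fetch the suffix list for a 5-character prefix (network call)."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={
            # The service requires a User-Agent; this value is constructed.
            "User-Agent": "hibp-range-example",
            # Ask the service to pad the reply so response size leaks less.
            "Add-Padding": "true",
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_pwned(password: str) -> int:
    """Live check: returns the breach count (0 when the password is unknown)."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample body.
    print("prefix/suffix:", sha1_prefix_suffix("password"))
    print("count in sample:", breach_count("password", SAMPLE_RANGE_BODY))
```

`is_pwned` is the only function that touches the network; everything else is pure so the matching logic can be tested against a captured or constructed response, which is also how you would verify that a client never sends more than five hex characters of the hash.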
A good password manager is easy to use and simple to learn, and yet convincing people to use one can be difficult. My sense is that most people either don’t realise how insecure their recycled credentials are, or they think ‘that will never happen to me, I have nothing worth stealing’. I can only hope that wouldn’t apply to experienced researchers and academics, but students too need to be aware of how vulnerable university networks are. There are numerous reasons for hackers to target universities, gaining access to thousands of usernames and passwords chief among them. Because of all this, I believe it is critical for anyone working within the walls of a university – virtual or otherwise – to have a secure means for managing their credentials. To my mind, a password manager is the best solution – it is certainly the easiest.
Which Password Manager?
As for which password manager, for sheer user-friendliness, ease of use, and excellent design, I still feel that 1Password is the best choice for most people. It actually has the Pwned functionality inside the app itself. A lot has been written lately about changes to 1Password. The concern from security experts has to do with the company’s move to a subscription service, and in turn the service itself being moved to a priority cloud-based architecture. The concerns are not around the business model, but with certain technical decisions; specifically with the status of where the default user vaults are stored – i.e. on the Agile Bits encrypted servers. It should go without saying that the vaults are mega-encrypted, so worthless to anyone without the user’s key, but to end the debate there drastically oversimplifies the matter.
I’m not going to dive any further into the debate itself, as I believe a lot of what is doing the rounds is either based on a combination of misunderstanding, miscommunication, and the wants and needs of edge-case users who aren’t representative of most people. Moreover, some people seem to be conflating the Mac and Windows versions, and the functionality under debate remains very much a part of 1Password. I would argue that regardless of the validity to concerns around cloud-storage, 1Password is still the best password manager for most people. In fact, some of the features that make it so are only available because of the cloud-based architecture. My take is this:
The vast majority of people are ludicrously vulnerable at the moment, simply because they have next to nothing in place to manage their online security. For most people, not only are obscure security threats not a huge concern, but there is much more to be gained by using a password manager than maintaining the status quo.
In the absence of a clever password scheme – which, let’s face it, most people will never use – even if you do generate strong passwords, you still need an absolutely unique one for every site and service you use. Most people who have taken this half measure are using paper notebooks, or some form of plain text or spreadsheet to store the credentials. Ironically, this is a half measure that will make you doubly vulnerable.
A Password manager does all the work once you get used to using it. Not only have I found 1Password to have the best user experience in this regard, anybody I have ever got to use it in earnest has taken to it immediately. The browser extension on the Mac, and iOS Safari automatically generates and stores credentials for new registrations, and automatically populates forms and logins. It can also populate payment forms with one click, making it even more useful than Safari’s own Auto-Fill features.
Take travelling researchers: with the new 1Password travel mode one can remove the entire app from a device and then reinstate it once any overly officious border police have done with their perusal of any given device.
There are further benefits to having secure information in such a vault if you were ever to lose your mobile device and other valuables. I use 1Password to store my bank cards and encrypted copies of documents.
1Password’s subscription model is one of the more advantageous memberships of its kind. The Families plan gives you 5 licenses for US$5 a month. You can manage vaults for your less technically inclined, younger or older family members. It also means shared vaults for credentials you all need access to, Netflix anybody?
The concerns around the cloud-storage model are moot for anyone wanting to sync a password vault and doing it via Dropbox.
I could go on, but I fear I have lost enough of you already.
Perhaps Agile Bits could have handled this situation better than they have, but to be clear, they are keeping intact the functionality that security boffins most value, i.e. local vaults. Unfortunately, it seems people will seize upon anything to reinforce their own reluctance to address their security issues. So controversy like this tends to feed the fear and doubt. My concern is that people use something other than recycled passwords, instead of becoming so blasé about resetting them that they are easy targets for phishing attacks – attacks that nowadays can easily include the capture of two-factor authentication. A password manager mitigates most of the risks. And without labouring the point, using one will provide a huge improvement to most people’s security.
Lastpass – I have been a user of Lastpass in the past. I have never found it to be as user-friendly as 1Password, but it has a lot of fans. The biggest selling point is its free tier, which is a good start for anyone balking at paying for security – and the upgrade price is only US$12 a year. You will need to upgrade to use things like two-factor authentication and device syncing.
Dashlane – I prefer the user interface of Dashlane to Lastpass. It has a similar ‘freemium’ model, with similar limitations before upgrading.