This past year we saw a flurry of news reports about leaks of personal data from various online services and even from popular password managers. If you use a digital vault, when you read about such a data leak, you’ll probably start imagining a nightmare scenario: attackers have accessed all your accounts whose passwords are stored in your password manager.
How justified are these fears? Using the example of Kaspersky Password Manager, we’ll tell you how the multiple layers of defense of password managers work, and what you can do to make them stronger.
To start, let’s review why password managers are a good idea. The number of internet services we use is constantly growing, and that means that we’re entering a lot of usernames and passwords. It’s hard to remember them, but writing them down in random places is risky. The obvious solution is to save all your login credentials in one secure place, and then lock that vault with a single key. Then you’ll only need to remember one main password.
When you first activate Kaspersky Password Manager, it prompts you to create a main password that you’ll use to open your digital vault. Then you can enter in this vault the data for each internet service you use: URL, username and password. You can do this manually, or you can set up a password manager browser extension and use a special command to transfer all the passwords saved in the browser to the vault. Besides passwords, you may add other personal documents to the vault, e.g., ID scan, insurance data, bank card data and important photos.
When you need to visit a website, you open the vault, and then you can either manually copy the data you need into the login form, or allow the password manager to autofill the saved login credentials for the website. After that, all you need do is lock the vault.
Digital vault and self-locking
Now let’s look at the protection mechanisms. The vault file is encrypted using a symmetric key algorithm based on the Advanced Encryption Standard (AES-256), which is commonly used around the world to protect confidential data. To access the vault, you use a key based on your main password. If the password is strong, attackers would need a lot of time to crack the cipher without the key.
Also, our password manager automatically locks the vault after the user is inactive for a certain length of time. If an attacker happens to get hold of your device and manages to bypass the operating system’s protection and reach the vault file, they won’t be able to read what’s in it if they don’t have the main password.
But it’s up to you to configure the self-locker. The default setting in the app might not lock the vault until after a rather long period of inactivity. But if you’re in the habit of using a laptop or smartphone in a location that may not be completely safe, you can configure the self-locking to kick in after a minute.
There’s another potential loophole though: if an attacker has planted a Trojan or used another method to install a remote-access protocol on your computer, they may try to extract passwords from the vault while you’re logged in to it. In 2015, such a hacker tool was created for the KeePass Password manager. It decrypted and stored as a separate file an entire archive with passwords that was running on a computer with an open instance of KeePass.
The encrypted file with passwords can be saved not only on your device but also in Kaspersky’s cloud infrastructure — this allows you to use the vault from different devices, including home computers and mobile phones. A special option in the settings enables data syncing across all your devices with the installed Kaspersky Password Manager. You can also use the web version of the password manager from any device through the My Kaspersky website.
How likely is a data leak if you’re using cloud storage? First, it’s important to understand that we’re operating on the zero-knowledge principle. This means that your password vault is as encrypted for Kaspersky as it is for everyone else. Kaspersky developers won’t be able to read the file — only someone who knows the main password can open it.
Many — but not all — of today’s services that store passwords and other secrets adhere to a similar principle. So, if you see a news report about a data leak from a cloud storage service, don’t panic immediately: it doesn’t necessarily mean that the attackers were able to decrypt the stolen data. This sort of breach is like stealing an armed safe from a bank without having the combination to the lock.
In this case, the combination is your main password. Here’s another important security principle: Kaspersky Password Manager doesn’t save your main password on your devices or in the cloud. Even if a hacker accesses your computer or the cloud storage service, they won’t be able to steal your main password from the product itself. Only you know this password.
A strong main password
However, a leak of an encrypted file with passwords can also create problems. Once attackers swipe a vault, they may try to hack it.
There are two principal attack methods. The first is brute force. In general, this is very time consuming. If your password is made up of a dozen random characters and includes both lowercase and capital letters, numbers and special characters, brute forcing all the combinations takes more than a sextillion operations — that’s… a whole number with 21 figures folks!
But if you had decided to make your life easier and used a weak password — such as a single word or a simple combination of numbers like “123456” — the automatic scanner will pick it out in less than a second because in this case the brute forcing is based not on individual symbols but on a dictionary of popular combinations. Despite this, to this day many users pick dictionary passwords (combinations of symbols that have long been in the dictionaries of hackers’ scanners).
Users of the password manager LastPass were warned about this potential problem in December 2022. When the account of a LastPass developer was hacked, the attackers gained access to the cloud-hosting the company uses. Among other data, the attackers got hold of backups of users’ vault passwords. The company told users that if they followed all the recommendations to create a strong and unique main password, they wouldn’t have anything to worry about because “it would take millions of years” to brute force such a password. People who used weaker passwords were advised to change them immediately.
Fortunately, many password managers, including Kaspersky Password Manager, now automatically check the strength of your main password. If it’s weak or only of medium strength, the password manager gives you a warning and you sure should heed it.
Unique main password
The second hacking method counts on the fact that people often use the same login credentials for different internet services. If one of the services is breached, attackers will automatically brute force the username and password combinations in other services in an attack known as “credential stuffing”. This kind of attack is often successful.
Users of Norton Password Manager were warned about this kind of attack in the first weeks of this year. The company NortonLifeLock (formerly known as Symantec) announced that there were no breaches of its infrastructure. But in early December 2022, mass attempts to enter Norton Password Manager accounts using passwords that hackers had stolen because of a breach on another service were documented. Investigations by NortonLifeLock found that the hackers were able to use this attack to access the accounts of some of its customers.
The obvious lesson from this story is that you shouldn’t use the same password for different accounts. As for technical ways to protect yourself from these kinds of attacks, Kaspersky Password Manager can perform two important checks of your password database…
First, it checks for uniqueness: the app warns you if one of your saved passwords is being used in multiple accounts.
Second, our password manager checks whether your passwords are in a database of breaches. To perform this password-check securely, it uses the SHA-256 cryptographic hash algorithm. This means that the app doesn’t send the passwords themselves to be checked; rather, it calculates a checksum for each password and compares these hashes to the checksums in the database of compromised passwords. If the checksums match, the app warns you that the password is compromised, and you should change it.
But remember that these checks are done only with passwords you are saving in the vault. It’s up to you to make sure that the main password is unique: you’re the only one who knows it and it should be different from your other passwords.
Memorable main password
There are other ways to leak main passwords — and this is where the dreaded human factor comes into play. For example, some people note their main password in a place where it can be stolen, such as in an unencrypted file on their desktop or on a Post-It they stick on their office wall.
Instead of writing it down, try to remember it. It’s true that security rules say that a password should be long and complicated — sometimes we’re even prompted to generate a random combination of 12 to 16 characters. It’s hard to remember a password like that. That’s why many people try to use simpler passwords, and then they become targets of hacks.
So how do you make your main password both strong and memorable? A good strategy is to come up with a password based on three or four secret words. For example, you can take the name of the city where you had the best vacation of your life, tack on the name of the best bar you went to on that vacation, and then add the name and number of cocktails you drank. A password like that will be long and unique, as well as easy to remember — that is, of course, if you didn’t have too many cocktails and still remember all those facts separately.