Blog post

What does the NCSC think of password managers?

Created:  24 Jan 2017
Updated:  24 Jan 2017
Author:  Emma W
Android password screen

People keep asking the NCSC if it's OK for them to use password managers (sometimes called password vaults). If so, which ones? Who should use them - private citizens, small businesses, massive enterprises? And how should people use them? Is it safe to put all your crucial passwords into a password manager, and forget trying to remember any at all?

This is a big topic, so we're chunking it up. This blog explains what I think about password managers in general, and how I use them myself. This might be helpful if you're an individual deciding whether and how to use a password manager for your personal use. If you're looking for business use, this blog post won't hold all the answers you need (look out for more from the NCSC on this soon).


Should I use a password manager?

Yes. Password managers are a good thing.

They give you huge advantages in a world where there are far too many passwords for anyone to remember. For example:

  • they make it easy for you to use long, complex, unique passwords across different sites and services, with no memory burden
  • they are better than humans at spotting fake websites, so they can help prevent you falling for phishing attacks
  • they can generate new passwords when you need them and automatically paste them into the right places
  • they can sync your passwords across all your devices, so you’ll have them with you whether you’re on your laptop, phone or tablet

All these things are full of win. They reduce security friction - making security easier and more convenient. If security is difficult, tedious, appears to add no value or gets in the way of the main task we're trying to do, then we tend to find (insecure) ways around it. And then we end up less protected.

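The phishing point in the list above comes down to a mechanical check a human rarely makes: a password manager only offers a credential when the page's origin (scheme, host and port) is exactly the one the credential was saved under, so a lookalike or a page that merely contains the real name in its address gets nothing. The following is an added example, not code from the NCSC post or from any particular product, showing that origin check in Python; the vault contents and the host names are made up for the illustration.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample vault (not from the post): credentials are keyed by the
# exact origin (scheme://host[:port]) they were saved under.
VAULT = {
    "https://accounts.example-bank.com": ("alice", "correct horse battery staple"),
    "https://shop.example.com": ("alice@example.org", "q7Tz!p4Lm9Vx"),
}


def origin_of(url: str) -> Optional[str]:
    """Return the normalised origin of an http(s) URL, or None.

    Normalisation: lower-case the host, convert any non-ASCII host to its
    IDNA (punycode) form so homograph domains compare as what they really
    are, and drop the port when it is the scheme default. Anything that is
    not a well-formed http(s) URL yields None.
    """
    try:
        parts = urlsplit(url)
        scheme = parts.scheme.lower()
        host = parts.hostname   # any user:pass@ prefix is already stripped here
        port = parts.port       # raises ValueError on a malformed port
    except ValueError:
        return None
    if scheme not in ("http", "https") or not host:
        return None
    try:
        host = host.lower().encode("idna").decode("ascii")
    except UnicodeError:
        return None
    default = 443 if scheme == "https" else 80
    if port is None or port == default:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def credential_for(url: str) -> Optional[Tuple[str, str]]:
    """Offer a credential only on an exact origin match.

    A lookalike host, an attacker domain whose sub-domain merely *contains*
    the real name, a user@host trick, a non-default port or a downgrade from
    https to http all produce a different origin and therefore get nothing.
    """
    origin = origin_of(url)
    if origin is None:
        return None
    return VAULT.get(origin)


if __name__ == "__main__":
    # Constructed URLs: the first two are the real site, the rest are lures.
    for u in [
        "https://accounts.example-bank.com/login?next=/home",
        "https://ACCOUNTS.example-bank.com:443/login",
        "http://accounts.example-bank.com/login",
        "https://accounts.example-bank.com.evil.example/login",
        "https://accounts.example-bank.com@evil.example/login",
        "https://accounts.examp1e-bank.com/login",
    ]:
        print(f"{u:58} -> {credential_for(u)}")
```

The design point is that the decision never looks at the page content, the logo or the wording, only at the origin string, which is exactly what a phishing page cannot forge. A real manager also has to guard the other direction (not letting a page pull credentials out of the store), which this example does not cover.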

Well, that all sounds great. Where's the catch?

You might be thinking "If password managers are this good, why haven't you recommended them before now?"

Well, they do have some drawbacks:

  • Password managers are attractive targets in themselves. They've been successfully attacked in the past, and realistically they will be again. So all your passwords could get stolen in one go.
  • If you forget the master password for your password manager, you will not be able to get back in. You will have to try and access all your accounts individually, or recreate/reset them from scratch. This will hurt.
  • You can't use them for everything. Some service providers (such as certain banks) don’t support the use of password managers. If you tell them you’ve put your banking passwords into one (or written them down in any way at all) they might not give you your money back if you are the victim of cyber crime. If your bank is one that takes this stance, you'll need to think about how you’re going to manage critical passwords without writing them down. On the brighter side, this is much easier to do once you've got most of your passwords out of your head and into the password manager.


Should I use a browser-based password manager?

Many web browsers now come with password managers built in, and they can be a very good choice. They are very convenient to use, as they are fully integrated with the web browser - so they know when you're on a website that needs a password, and they just pop up and do their thing. You don't even have to remember a separate master password. So feel free to use the built-in password manager, provided that:

  1. You keep your web browser up-to-date.
  2. You have some kind of access control on your device such as a PIN/password/biometric

    ...two things you should be doing anyway!


One drawback with browser-based password managers is that your passwords may not automatically sync between all your devices if these use different operating systems. So, if you have a Windows laptop, an iPad and an Android smartphone, your passwords may not follow you around everywhere - unless you use the same web-browser on all your devices and log into it. Also, if more than one person uses a device on the same user profile, they would all have access to the same password-protected content. You may not want that.


Should I use a standalone password manager?

Compared to browser-based managers, standalone password managers tend to do a better job of keeping your passwords available to you on all your different devices, no matter what platform they're on. They give you a little more control over when and where you use your passwords, as you get to press a button to say 'I want to use the password please', rather than the web page in the browser requesting one when it feels like it.

Importantly, with a standalone password manager you do have to create and remember a long master passphrase (unlike with a browser-based one). Standalone password managers may also include more advanced features, such as:

  • notifications about compromised websites
  • flagging up reused or weak passwords
  • prompting you to change old passwords*
  • helping you change passwords for some websites, by integrating with your browser
  • multi-factor authentication


How do I do this, then?

As with many things, there are lots of different ways of going about this. This is what I do myself:

  1. First, try and cut down the number of passwords in your life, and reduce how much you rely on those passwords to prove who you are. Use multi-factor authentication or single sign-on where available. For infrequently-used passwords, use a password reset mechanism when you need to log in (instead of making any attempt to recall or store the password). But take really good care of the email account that the password reset emails are sent to.
  2. Consider biometrics. Fingerprint readers on smartphones are generally good enough to protect your phone and the data on it, and they are very usable. So feel free to use them. Turn on encryption (if it's not already on) for extra protection.
  3. Decide whether to use a browser-based or a standalone password manager. Personally, I use both, for different things.
  4. If you use a standalone password manager, make its master passphrase the best you possibly can. We suggest a passphrase rather than a password as it's much easier to make it really long, and adding length gives much more protection than adding complexity. Make it hard for someone who knows you to guess in 20 attempts, and make it totally different from any password or passphrase you’ve ever used anywhere else.
  5. Memorise your passphrase. Yes, you really do have to, sorry! If it helps, write it on a piece of paper until it’s firmly lodged in your memory. Keep the piece of paper very safe, and destroy it when you’ve memorised the password.
  6. Don’t put any work passwords into your personal password manager unless you’ve got permission from your employer.
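Step 4 rests on the claim that length buys more protection than complexity. As an added illustration, not code from the post, the Python below puts numbers on that for a few schemes and generates a passphrase the way a password manager does, by drawing words at random from a list. The word list, the schemes compared and the guessing rate are assumptions chosen for the illustration; the one real figure is the 7776-word size of the EFF long word list.

```python
import math
import secrets
from typing import Dict, List

# Constructed stand-in for a real word list. Only the list *size* feeds the
# entropy figure; a real list such as the EFF long list has 7776 words.
SAMPLE_WORDS: List[str] = [
    "apple", "bridge", "candle", "dragon", "engine", "forest",
    "garden", "harbor", "island", "jungle", "kettle", "lantern",
]
EFF_LONG_LIST_SIZE = 7776

# Illustrative offline guessing rate against a fast hash (an assumption, not a
# measurement). Against the slow key-derivation a password manager applies to
# its master passphrase the real rate is orders of magnitude lower.
ASSUMED_GUESSES_PER_SECOND = 1e10


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` symbols each drawn uniformly and independently
    from `choices` alternatives: length * log2(choices).

    This only holds for *random* choice. A phrase a person makes up, or one
    that a friend could guess in 20 attempts, has far fewer bits than its
    length suggests, which is why step 4 asks for something nobody could
    predict rather than merely something long.
    """
    if choices < 2 or length < 1:
        raise ValueError("need at least two choices and one symbol")
    return length * math.log2(choices)


def years_to_search_half(bits: float, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Expected time in years to hit the secret by brute force at `rate`
    guesses per second (on average half the space must be searched)."""
    return (2.0 ** bits) / 2.0 / rate / (365.25 * 24 * 3600)


def compare_schemes() -> Dict[str, float]:
    """Entropy in bits for a few schemes. Twenty lowercase letters or six
    random words comfortably beat an 8-character 'complex' password."""
    return {
        "8 chars, any printable ASCII (95 symbols)": entropy_bits(95, 8),
        "12 chars, letters and digits (62 symbols)": entropy_bits(62, 12),
        "20 chars, lowercase only (26 symbols)": entropy_bits(26, 20),
        "4 random words, 7776-word list": entropy_bits(EFF_LONG_LIST_SIZE, 4),
        "6 random words, 7776-word list": entropy_bits(EFF_LONG_LIST_SIZE, 6),
    }


def generate_passphrase(n_words: int, words: List[str] = SAMPLE_WORDS, sep: str = " ") -> str:
    """Draw `n_words` words uniformly with the OS CSPRNG via `secrets`, not
    the `random` module, whose generator is not cryptographically secure."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{name:44} {bits:6.1f} bits  ~{years_to_search_half(bits):9.2e} years")
    print("example passphrase:", generate_passphrase(6))
```

Four random words from a 7776-word list come out roughly level with eight fully random printable characters (about 52 bits either way), and every extra word adds almost 13 bits; that is the sense in which length is cheaper than complexity. The figures say nothing about a phrase you chose yourself, so if you want the number to mean anything, let the manager or a dice roll pick the words.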


Finally, think about how important each password is to you for each account. If someone discovered this password, would it result in

  • your life being ruined?
  • your bank refusing to refund any losses?

If the answer to either is 'yes', then I wouldn’t put it in a password manager. For these cases, a password shouldn't be the only thing that the security of your account rests on. So look at extra defences such as multi-factor authentication.

For other, less important accounts, having the password stolen might be massively inconvenient, but there would be no real permanent damage done. Passwords for these accounts should be OK to go into your password manager.

Some accounts have very low value. For instance, an online forum that requires a password, but doesn’t actually hold any personal information you care about. These passwords can be stored in a password manager without a second thought.


A future without passwords?

Long-term, I think the success of password managers shows - yet again - that password-based authentication has outstayed its welcome. Passwords are supposed to be 'something you know', but now we’re saying the best way to manage them is not to know them (because your password manager knows them all for you). Passwords have taken us a long way, but now it's really time to move on.

The NCSC is working to help us all reduce our reliance on passwords, and to move towards a future where we make greater use of better, more secure, more usable authentication mechanisms instead. In the meantime, we're also working on some guidance on how best to use password managers in organisations - look out for this soon. 

Password managers are a good thing - for now. But we hope not forever.


*  We normally recommend against regularly changing passwords where there is no indication or suspicion of compromise - if you are trying to memorise them. The costs are greater than the benefits. However, remembering new passwords that are very different from the previous one isn't a problem for a password manager.

31 comments

Mark T - 25 Jan 2017
Great article. It follows the advice I have been providing to the members of my organisation, <145,000 globally.
Lennox M - 25 Jan 2017
Using password managers is a bad idea. There is no such thing as 100% security and it will only be a matter of time before the services are compromised.
Matt - 14 Feb 2017
Utter rubbish - my password manager is stored on an encrypted drive and not pushed up to the "cloud" (aka someone else's computers!).

It's secured by a complex password. And because it's local, crack all the services you like, you're not getting near it. The volume it's on is mounted when I need it and unmounted when I don't.

Don't spread misinformation when you are ill-informed.
Ian F - 21 Mar 2017
Both of these comments make for sad reading.

No-one (least of all the author) said password managers were foolproof. The article states that they are useful in low-risk scenarios, and help to make remembering your important passwords easier. They are also designed to be accessible - if your password manager is on a volume that needs to be mounted every time it needs to be used, then it doesn't tick the accessibility box.

I think the article is spot on: Are they good? Yes. Should you exercise caution? Yes.
Peter o - 05 May 2017
The comment of Lennox appeared to me to be plain stupid, all the more because no practical alternative was suggested.
Then Matt suggests a complex approach that you can almost guarantee only he will ever use.
For heaven's sake, we need easy-to-implement procedures that ordinary people can use.
Personally, although I have been "keyboarding" (can't call it typing), I have difficulty even typing in "difficult" passwords successfully. I frequently copy and paste, especially when LastPass fails to make the necessary entries automatically. Even password managers don't function reliably!
I could go on but what's the point?
Chris B - 19 Aug 2017
I wholeheartedly disagree with you here. You are much more likely to reuse passwords, or at least have patterns in your passwords, if you aren't using a password manager. The security of all your other accounts could boil down to some forum that a kid made in their spare time... not very secure. At least with a proper password management service their entire business is built around security, so they will be investing heavily in it.
Robin ottawa - 26 Jan 2017
Over the years of accumulating passwords I have changed phones and laptops many times. Many of these changes don't allow the migration of the passwords or the manager. But it sounds like you can do it now. Hopefully we won't have to put up with this Mickey Mouse situation much longer.
Jorge - 28 Jan 2017
I was on board with this until it said "full of win", then you lost me.
Matthew Ravden - 01 Feb 2017
I'm looking forward to your interpretation of this subject for business. Businesses seem to think that password vaults prevent data breaches, but in fact (as you said) they simply become the target. If a hacker 'owns' a system administrator's workstation, then no password management system will prevent a breach. We need to look WAY beyond passwords when it comes to breach prevention in the corporate world.
Emma W - 07 Feb 2017
You're absolutely right - password managers will never be a one-shot solution to all password-related problems, but we do think they can help organisations manage some significant password-related risks. As always, we'll say what we think about the advantages and drawbacks and then it will be up to customers to decide the most appropriate solution for their particular circumstances.
Brian E - 14 Feb 2017
I wonder about browser storage of password information. I use Chrome and let it sync bookmarks between devices. But it also stores passwords and log-in details and, as this information is also synced between devices, it must be transmitted over the internet. Is that data safe? If not, does that mean that we should never let a browser store a password?
Bill - 14 Feb 2017
Good article thanks...

I'm thinking of changing my codes and a phrase is the way to go!

For companies, in my opinion, they need more security questions to choose from.
The answers should be able to ignore upper or lower case errors and spaces... so many times I have had to reset for that reason.
Matt - 14 Feb 2017
"If your bank is one that takes this stance, you'll need to think about how you’re going to manage critical passwords without writing them down"

Or change banks. It's also very annoying when organisations enforce poor password strength requirements limited to 12 characters max..... come on we can do better than this!
John A - 20 Feb 2017
It occurs to me that a useful service the NCSC could provide would be a certification process for password managers (and perhaps other security software). In the case of password managers, I suppose that would be a combination of approving their technical quality (i.e. they don't commit any known security boo-boos), and also ensuring that they are not themselves malware (e.g. secretly uploading all passwords to dodgy.org).
Emma W - 22 Feb 2017
Hi John. We are hoping to produce some more detailed guidance on things to look for when considering password managers, and depending on the feedback we get for this, we would definitely consider incorporating password management as a category into one of our assurance schemes in the future.
Richard Bartlett - 16 Mar 2017
It looks like Tavis has made your job just that little bit harder this morning! (He's publishing a vulnerability in LastPass Mozilla Addon current v3.3.2, which is for some reason the latest version available on addons.mozilla.org, despite the latest LastPass addon from their site being 4.1.35).
Jez - 23 Mar 2017
Good idea to use a password manager, simply because it allows you to use longer/stronger passwords. I keep my database offline; only loading it temporarily, as and when I need it.

I now use a PM for all of my passwords - After all, I want the strongest passwords possible for my most important (financial) accounts and do not want to have to memorise them.
Alex - 18 May 2017
Not all password managers are attractive targets for hackers. Bluink Key (bluink.ca) is an offline password manager that encrypts passwords on your smartphone and logs you in to anything automatically. Nothing is stored in the cloud (unlike other large password managers).
Emma W - 13 Jun 2017
It’s true that password managers that use cloud services to store/synchronise your credentials have additional attack surface. But a password manager is always an attractive target, regardless of which features it supports. Ones like Bluink Key that integrate with web browsers still have to accurately validate a website’s identity and ensure they don’t expose any unintended functionality- such as allowing a malicious or compromised website to extract credentials from the password store.

All in all, we believe password managers are a worthwhile addition to the cyber security toolbox – but like any other tool, they can’t be guaranteed risk-free.
Alex - 13 Jun 2017
You're right that no tool is guaranteed risk-free. However, online password managers are much more attractive for hackers to target than offline password managers.

Online password managers are attractive targets because they store the passwords of millions of people in one location in the cloud, which can be attacked remotely. In contrast, offline password managers locally store passwords on each individual user's device, which can only be attacked if the hacker has physical control over the device. Therefore, targeting online password managers is more feasible and profitable than hacking offline password managers, which I think makes online password managers attractive targets and offline password managers unattractive targets in comparison.

Bluink Key does not integrate with web browsers. It locally encrypts and stores login credentials offline in the smartphone app and sends them over an encrypted Bluetooth connection to the Bluink Key USB device, which uses keyboard automation to log in on the computer. It also includes FIDO Universal Second Factor authentication and one time passwords to increase security. While it isn't guaranteed risk-free, I do strongly believe that it has serious advantages over other password managers.
Ishaan P - 22 Aug 2017
Many online managers (such as LastPass) send passwords to the cloud AFTER encrypting them locally, so I don't see any different risk level if it's the risk of password compromise we are talking about. Other than that, the main app (extension, thick client etc.) still needs to be hard enough to withstand different types of attacks - which we know is only a matter of time.
Peter H - 07 Sep 2017
Re: A future without passwords? Has the NCSC looked at the SQRL protocol at grc.com ~ sqrl ~ sqrl.htm yet?
John Hayes - 18 Oct 2017
hello Peter, that is pretty cool. thanks for sharing.
Carl Connor - 18 Sep 2017
Fantastic article. Password managers are great for applications and browsers, such as LastPass (Secured with my Iris scanner would be ideal). Those with a few more pennies can always invest in privileged access management tools such as C.A or CyberArk but they won't cover your browsers. Personally, I don't keep the crown jewels in my shed, if you catch my drift
Stuart Smiles - 20 Sep 2017
What about credentials/encryption recovery keys for Windows and phones, and guides to make it easy to store such important details?

- lots of people don't know what they don't know till they're presented with "can't get in" and all their data is gone because the keys weren't kept from setup, or the phone isn't backed up automatically;
whilst probably less secure, at least there is a way to get to stuff, rather than being so secure you can't get the info you need when you want it, or lose a device and everything is gone forever.

Backup solutions for critical data, use of OneDrive, Google Docs or other online services for maintaining access to information across devices.
Dan Shephard - 20 Sep 2017
Password managers are great for most applications and are even more secure when two factor authentication is enabled. I'd rather have a simpler password/phrase and have to provide a code from a phone/usb 2FA key.
pj - 22 Sep 2017
I would rather create my own password. I feel more secure and sure, and can be sure I am the only one who knows it. It will be stored in my head and not in the cloud or on the internet.
Stephen Humphreys - 04 Oct 2017
you need passwords
stephen thorogood - 04 Oct 2017
Thanks, I found this information useful.
graham - 09 Oct 2017
Looking forward to the business guidance and further discussion of web based vs standalone, and treatment of privileged accounts at reasonable cost.
sue shinton - 17 Oct 2017
Yes, very helpful.
