Why you should use a password vault

Passwords are an annoying necessity in today's world, so should you use a password vault to ease the burden? Recent attacks like the one on Gawker Media have also got people thinking about stronger passwords. Here are some of the pros and cons of password vaults:

  • Great balance of convenience and security - people tend to choose simple passwords and then reuse the same password (or base) because there are so many of them and you have to enter them so often. With 1Password or LastPass you can generate a truly strong password (at least for your critical accounts) but still have the convenience of having it auto-filled, or at least available written down on your phone. A real benefit is also in things like secret questions; this is commonly a weak point, where a really strong password sits next to a 5-letter dictionary word as the secret question answer. You can now generate strong secret question answers as well
  • Portability - the problem with using your browser's save password function is that unless you combine it with something like Google or Firefox Sync it is not portable. Even then it is currently not available on your phone (at least not the iPhone; I'm not sure whether the Android browser has Google Sync)
  • Secure storage - your sensitive information is encrypted in storage and protected by a master password. This is a lot better than just writing it down somewhere or storing it in a note or an unencrypted spreadsheet
  • Not just for passwords - you can store bank details, insurance numbers, credit cards, passport numbers, etc., which saves you time entering these details and gives you secure access to them on the move. You can also store files like scans of your documents or your private keys
  • Improve your memory - on sites I hardly ever use, and government sites with those complicated usernames, I can never remember these details. Launch 1Password on the iPhone and everything is to hand with easy search
People also add anti-phishing / anti-malware to this list, but that one I don't agree with. You still have to enter your master password, which malware can capture; if you have the vault on your phone and enter the password there, it can be captured again. If you launch websites from the tool I guess it could count as anti-phishing, but that's the same as typing the address in directly or using your bookmarks. Now the cons:

  • Single point of failure, keys to the kingdom - if you sync your keychain to your phone or have it on your desktop or laptop, someone could get access to that. If your master password is weak then you lose everything in one go. As far as I'm aware 1Password does not offer a hardware-based two-factor authentication option for the master password, which would reduce this risk significantly. LastPass does offer using a YubiKey as a two-factor mechanism, but because LastPass has a web application it can suffer from web application vulnerabilities (e.g. XSS), which could leave your account details and, in the worst case, your passwords exposed.
  • Terms and conditions - it is still technically 'writing a password down'. This may be against the terms and conditions of things like your Internet banking site, and may reduce or remove any protection you get in case of fraud. You can always check this and not store the password for those sites
  • Trust in the cloud - it is supposed to be encrypted in storage, but if you do synchronize the data some people will never trust that 1Password or LastPass does not have a backdoor, potentially allowing a malicious or disgruntled employee access. All software has vulnerabilities; again, a serious one could allow an attacker access to your data

Another option is to use a password vault stored on a hardware-encrypted device like an IronKey. Versions come with a password manager loaded in. This mitigates some of the risks highlighted above: it is hardware encrypted and only stored on your device. Also, if it's on your key ring you are far less likely to lose it than your phone or laptop. You can remotely destroy it if you do manage to lose it, and you can set it to self-destruct after 10 failed master password attempts. It is a little less convenient, as you have to plug it into a USB port and have read access to it, but it is definitely more secure.


Overall I believe the pros outweigh the cons. If you have no option for two-factor authentication then having a strong password is your only defence. Using a password vault just makes this a lot more practical and convenient.


In an enterprise setting password vaults can be even more useful. There are service accounts and private SSH keys that multiple users need access to, so storing these securely while providing individual accountability each time they are accessed is a challenge. A password vault can provide this. There is also the problem that once someone knows a password, they know it until it is changed. Enterprise password vault software can also automatically change the password once it has been "checked back in". It is also useful for automatically changing large numbers of service account passwords that would otherwise be difficult and expensive to change manually, e.g. Windows local administrator passwords.
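To make the check-out / check-in and rotate-on-check-in behaviour concrete, here is a small toy model written for this post (it is not the code of any vault product). The `EnterpriseVault` class, the account name `svc-backup` and the users are all constructed for illustration; the point it shows is how rotation on check-in shrinks the set of people who still know the password in force.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length=24):
    """Vault-generated credential: CSPRNG characters, never human-chosen."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

class EnterpriseVault:
    """Toy model of an enterprise vault (constructed for illustration, not a real product).

    Shared credentials are checked out exclusively, every access is logged to a named
    user, and the secret is rotated on check-in so knowledge of the old value expires.
    """
    def __init__(self, rotate_on_checkin=True):
        self.rotate_on_checkin = rotate_on_checkin
        self._secrets = {}   # account -> current password
        self._holder = {}    # account -> user who has it checked out right now
        self._knowers = {}   # account -> users who have seen the CURRENT password
        self.audit = []      # (event, account, actor): individual accountability

    def add_account(self, account):
        self._secrets[account] = generate_password()
        self._knowers[account] = set()
        self.audit.append(("created", account, "vault"))

    def check_out(self, account, user):
        """Exclusive check-out: a second user must wait until the holder checks in."""
        holder = self._holder.get(account)
        if holder is not None:
            raise PermissionError(f"{account} is checked out by {holder}")
        self._holder[account] = user
        self._knowers[account].add(user)
        self.audit.append(("checkout", account, user))
        return self._secrets[account]

    def check_in(self, account, user):
        if self._holder.get(account) != user:
            raise PermissionError(f"{user} does not hold {account}")
        del self._holder[account]
        self.audit.append(("checkin", account, user))
        if self.rotate_on_checkin:
            self._secrets[account] = generate_password()
            self._knowers[account] = set()  # the value they saw is now useless
            self.audit.append(("rotated", account, "vault"))

    def who_knows(self, account):
        return set(self._knowers[account])
```

With `rotate_on_checkin=False` the model behaves like a plain shared spreadsheet: every user who ever checked the account out still knows the live password.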
