{"id":20634,"date":"2023-01-31T19:51:38","date_gmt":"2023-01-31T15:51:38","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/how-secure-is-your-password-manager\/20634\/"},"modified":"2023-01-31T19:51:38","modified_gmt":"2023-01-31T15:51:38","slug":"how-secure-is-your-password-manager","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/how-secure-is-your-password-manager\/20634\/","title":{"rendered":"How secure is your password manager?"},"content":{"rendered":"<p>This past year we saw a flurry of news reports about leaks of personal data from various online services and even from popular password managers. If you use a digital vault, when you read about such a data leak, you\u2019ll probably start imagining a nightmare scenario: attackers have accessed all your accounts whose passwords are stored in your password manager.<\/p>\n<p>How justified are these fears? Using the example of <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">Kaspersky Password Manager<\/a>, we\u2019ll tell you how the multiple layers of defense of password managers work, and what you can do to make them stronger.<\/p>\n<h2>General principles<\/h2>\n<p>To start, let\u2019s review why password managers are a good idea. The number of internet services we use is constantly growing, and that means that we\u2019re entering a lot of usernames and passwords. It\u2019s hard to remember them, but writing them down in random places is risky. The obvious solution is to save all your login credentials in one secure place, and then lock that vault with a single key. 
Then you\u2019ll only need to remember one main password.<\/p>\n<p>When you first activate <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">Kaspersky Password Manager<\/a>, it prompts you to create a main password that you\u2019ll use to open your digital vault. Then you can enter into this vault the data for each internet service you use: URL, username and password. You can do this manually, or you can set up a password manager browser extension and use a special command to transfer all the passwords saved in the browser to the vault. Besides passwords, you may add other personal documents to the vault, e.g., ID scan, insurance data, bank card data and important photos.<\/p>\n<p>When you need to visit a website, you open the vault, and then you can either manually copy the data you need into the login form, or allow the password manager to autofill the saved login credentials for the website. After that, all you need to do is lock the vault.<\/p>\n<h2>Digital vault and self-locking<\/h2>\n<p>Now let\u2019s look at the protection mechanisms. The vault file is encrypted using a symmetric-key algorithm based on the Advanced Encryption Standard (AES-256), which is commonly used around the world to protect confidential data. To access the vault, you use a key derived from your main password. If the password is strong, attackers would need a lot of time to crack the cipher without the key.<\/p>\n<p>Also, <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">our password manager<\/a> automatically locks the vault after the user is inactive for a certain length of time. 
If an attacker happens to get hold of your device and manages to bypass the operating system\u2019s protection and reach the vault file, they won\u2019t be able to read what\u2019s in it if they don\u2019t have the main password.<\/p>\n<p>But it\u2019s up to you to configure self-locking. The default setting in the app might not lock the vault until after a rather long period of inactivity. But if you\u2019re in the habit of using a laptop or smartphone in a location that may not be completely safe, you can configure the self-locking to kick in after a minute.<\/p>\n<p>There\u2019s another potential loophole though: if an attacker has planted a Trojan or used another method to install a remote-access tool on your computer, they may try to extract passwords from the vault while you\u2019re logged in to it. In 2015, such a hacker tool was created for the <a href=\"https:\/\/arstechnica.com\/information-technology\/2015\/11\/hacking-tool-swipes-encrypted-credentials-from-password-manager\/\" target=\"_blank\" rel=\"nofollow noopener\">KeePass<\/a> password manager. 
When run on a computer with an open instance of KeePass, it decrypted the entire password archive and saved it as a separate file.<\/p>\n<p>However, <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">Kaspersky Password Manager<\/a> is typically used along with the <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">antivirus solutions by Kaspersky<\/a>, and that makes it much less likely that a password manager will run on an infected computer.<\/p>\n<h2>Zero knowledge<\/h2>\n<p>The encrypted file with passwords can be saved not only on your device but also in Kaspersky\u2019s cloud infrastructure \u2014 this allows you to use the vault from different devices, including home computers and mobile phones. A special option in the settings enables data syncing across all your devices with the installed <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">Kaspersky Password Manager<\/a>. You can also use the web version of the password manager from any device through the <a href=\"https:\/\/my.kaspersky.com\/\" target=\"_blank\" rel=\"noopener nofollow\">My Kaspersky<\/a> website.<\/p>\n<p>How likely is a data leak if you\u2019re using cloud storage? First, it\u2019s important to understand that we\u2019re operating on the zero-knowledge principle. This means that your password vault is as encrypted for Kaspersky as it is for everyone else. 
Kaspersky developers won\u2019t be able to read the file \u2014 only someone who knows the main password can open it.<\/p>\n<p>Many \u2014 but not all \u2014 of today\u2019s services that store passwords and other secrets adhere to a similar principle. So, if you see a news report about a data leak from a cloud storage service, don\u2019t panic immediately: it doesn\u2019t necessarily mean that the attackers were able to decrypt the stolen data. This sort of breach is like stealing an armored safe from a bank without having the combination to the lock.<\/p>\n<p>In this case, the combination is your main password. Here\u2019s another important security principle: <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">Kaspersky Password Manager<\/a> doesn\u2019t save your main password on your devices or in the cloud. Even if a hacker accesses your computer or the cloud storage service, they won\u2019t be able to steal your main password from the product itself. Only you know this password.<\/p>\n<h2>A strong main password<\/h2>\n<p>However, a leak of an encrypted file with passwords can also create problems. Once attackers swipe a vault, they may try to hack it.<\/p>\n<p>There are <strong>two principal attack methods<\/strong>. The <strong>first<\/strong> is brute force. In general, this is very time-consuming. 
If your password is made up of a dozen random characters and includes both lowercase and capital letters, numbers and special characters, brute-forcing all the combinations takes more than a sextillion operations \u2014 that\u2019s\u2026 a whole number with 21 figures, folks!<\/p>\n<p>But if you decided to make your life easier and used a weak password \u2014 such as a single word or a simple combination of numbers like \u201c123456\u201d \u2014 an automated cracking tool will pick it out in less than a second, because in this case the brute-forcing is based not on individual symbols but on a dictionary of popular combinations. Despite this, to this day many users pick dictionary passwords (combinations of symbols that have long been in the dictionaries of hackers\u2019 cracking tools).<\/p>\n<p>Users of the password manager <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/lastpass-hackers-stole-customer-vault-data-in-cloud-storage-breach\/\" target=\"_blank\" rel=\"nofollow noopener\">LastPass<\/a> were warned about this potential problem in December 2022. When the account of a LastPass developer was hacked, the attackers gained access to the cloud hosting the company uses. Among other data, the attackers got hold of backups of users\u2019 password vaults. The company told users that if they followed all the recommendations to create a strong and unique main password, they wouldn\u2019t have anything to worry about because \u201cit would take millions of years\u201d to brute-force such a password. People who used weaker passwords were advised to change them immediately.<\/p>\n<p>Fortunately, many password managers, including <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">Kaspersky Password Manager<\/a>, now automatically check the strength of your main password. 
If it\u2019s weak or only of medium strength, the password manager gives you a warning, and you should certainly heed it.<\/p>\n<h2>Unique main password<\/h2>\n<p>The <strong>second hacking method<\/strong> counts on the fact that people often use the same login credentials for different internet services. If one of the services is breached, attackers automatically try the leaked username and password combinations on other services in an attack known as \u201ccredential stuffing\u201d. This kind of attack is often successful.<\/p>\n<p>Users of <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/nortonlifelock-warns-that-hackers-breached-password-manager-accounts\/\" target=\"_blank\" rel=\"nofollow noopener\">Norton Password Manager<\/a> were warned about this kind of attack in the first weeks of this year. The company NortonLifeLock (formerly known as Symantec) announced that there were no breaches of its infrastructure. But in early December 2022, mass attempts to log in to Norton Password Manager accounts were documented, using passwords that hackers had stolen in a breach of another service. Investigations by NortonLifeLock found that the hackers were able to use this attack to access the accounts of some of its customers.<\/p>\n<p>The obvious lesson from this story is that you shouldn\u2019t use the same password for different accounts. As for technical ways to protect yourself from these kinds of attacks, <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">Kaspersky Password Manager<\/a> can perform two important checks of your password database\u2026<\/p>\n<p>First, it checks for uniqueness: the app warns you if one of your saved passwords is being used in multiple accounts.<\/p>\n<p>Second, our password manager checks whether your passwords are in a database of breaches. 
To perform this password check securely, it uses the SHA-256 cryptographic hash algorithm. This means that the app doesn\u2019t send the passwords themselves to be checked; rather, it calculates a SHA-256 hash for each password and compares these hashes to the hashes in the database of compromised passwords. If the hashes match, the app warns you that the password is compromised, and you should change it.<\/p>\n<p>But remember that these checks are done only with passwords you save in the vault. It\u2019s up to you to make sure that the main password is unique: you\u2019re the only one who knows it, and it should be different from your other passwords.<\/p>\n<h2>Memorable main password<\/h2>\n<p>There are other ways to leak main passwords \u2014 and this is where the dreaded human factor comes into play. For example, some people write their main password down in a place where it can be stolen, such as in an unencrypted file on their desktop or on a Post-it note they stick on their office wall.<\/p>\n<p>Instead of writing it down, try to remember it. It\u2019s true that security rules say that a password should be long and complicated \u2014 sometimes we\u2019re even prompted to generate a random combination of 12 to 16 characters. It\u2019s hard to remember a password like that. That\u2019s why many people try to use simpler passwords, and then they become targets of hacks.<\/p>\n<p>So how do you make your main password both strong and memorable? A good strategy is to come up with a password based on three or four secret words. For example, you can take the name of the city where you had the best vacation of your life, tack on the name of the best bar you went to on that vacation, and then add the name and number of cocktails you drank. 
A password like that will be long and unique, as well as easy to remember \u2014 that is, of course, if you <span style=\"text-decoration: line-through\">didn\u2019t have too many cocktails and<\/span> still remember all those facts separately.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We look at how secure password managers are against hacks, and how to protect your passwords as much as possible.<\/p>\n","protected":false},"author":2497,"featured_media":20635,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1225,7,1226,9],"tags":[1021,405,187,43],"class_list":{"0":"post-20634","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-privacy","8":"category-products","9":"category-technology","10":"category-tips","11":"tag-kaspersky-password-manager","12":"tag-password-manager","13":"tag-passwords","14":"tag-privacy"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/how-secure-is-your-password-manager\/20634\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/how-secure-is-your-password-manager\/25138\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/how-secure-is-your-password-manager\/10405\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/how-secure-is-your-password-manager\/27769\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/how-secure-is-your-password-manager\/25470\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/how-secure-is-your-password-manager\/25854\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/how-secure-is-your-password-manager\/28367\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/how-secure-is-your-password-manager\/27577\/"},{"hreflang":"ru","url":"https:\/\/www.kasp
ersky.ru\/blog\/how-secure-is-your-password-manager\/34606\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/how-secure-is-your-password-manager\/11247\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/how-secure-is-your-password-manager\/47034\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/how-secure-is-your-password-manager\/20091\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/how-secure-is-your-password-manager\/20722\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/how-secure-is-your-password-manager\/29725\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/how-secure-is-your-password-manager\/33192\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/how-secure-is-your-password-manager\/25813\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/how-secure-is-your-password-manager\/31511\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/how-secure-is-your-password-manager\/31224\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/passwords\/","name":"passwords"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20634","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2497"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=20634"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/20634\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/20635"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?par
ent=20634"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=20634"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=20634"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}