SAFETY OF PASSWORD MANAGERS – ONE POINT MANY BYPASS

I was recently perusing online articles related to security and was surprised to see the number of warning posts regarding laptop theft in colleges. Upon investigating this further, I found that this wasn’t just an issue with colleges, but it was a fairly common security risk.

Just as the lines between work and home life have blurred in recent years, so has the distinction between laptops used for home and laptops used for work. This is probably part of the reason that Bring Your Own Device (BYOD) is such a hot topic. It is not uncommon for workers to be using their own laptops to work from home at all hours.

One common question asked is whether business information resides on an unprotected laptop. On the heels of that question is the issue of whether the laptop has been properly secured. In other words, when a staff member leaves a laptop on a desk at home, do other members of the family have access to it?  Even in an office setting, how often do individuals walk away from workstations leaving desktops and laptops open to the world?

Unfortunately, the gravity of device theft is exacerbated by a security flaw in how password managers are used. Prior to the Password Manager, only a person who knew a website’s credentials and entered them could gain access to that website. When a Password Manager is used, many website credentials are stored and subsequently retrieved in order to log in to those websites automatically. In essence, once these credentials are saved, the Password Manager automatically opens the related websites to anyone using the device. The huge leap here is the supposition that the person using the laptop is the person whose credentials were stored by the Password Manager.

One easy way to counteract this security risk is to require the Password Manager to use facial and/or voice recognition to capture a biometric to be associated with the credentials. Trithenticator™ does this and then requires that same biometric capture at the Windows logon and again prior to the automatic entry into the website. In other words, there is still the convenience of having credentials remembered, but there is also the security of having to use a biometric to get into the device and then into secured websites. So, for example, if anyone steals a laptop, a personal banking application will not automatically open up and allow the thief to wreak havoc with one’s finances. Unfortunately, this is one point being bypassed in discussions regarding Password Managers.