What makes a good password vault?

Password vaults are very helpful additions to a desktop environment, particularly for personal use. They can provide secure storage of passwords, synchronisation across multiple devices, and a myriad of other features.

What are we trying to achieve when using a vault? What are the critical high level objectives?

  • Reducing password reuse
  • Promoting regular password change
  • Increasing password complexity (by using machine generated passwords)
  • Enhancing secure storage of passwords
  • Facilitating “digital legacy”

Capabilities vary between products, so which features are worth looking for in a personal password manager? Here are some good ones:

  • Automated form filling, ideally on user prompt
  • Two-factor authentication on the vault hosting account, which gates download of the (still encrypted) vault rather than its decryption
  • Encryption of the password vault with a local password that is never shared with the vault host (an important subtlety that should not be overlooked: host authentication combined with local encryption and decryption is a significant security enhancement, since the host never holds the key that decrypts the vault)
  • Browser import, to take logins from browsers and store them securely (ideally removing them from browser password stores)
  • Secure sharing with other recipients
  • Password generation, including a variety of configurable parameters such as length, complexity, etc.
  • Copy and paste features to allow passwords to be copied to the clipboard
  • Browser plugins to integrate directly with the password vault and minimise use of the clipboard as much as possible
  • Synchronisation of a password vault across devices
  • Free text storage of secrets in the password vault, for instance challenge response sentences or codes
  • Digital legacy – the ability to share credentials with another person in the event you become incapacitated or unable to use your logins
  • Automatic review of passwords for strength and quality, with advisories as appropriate
  • Finally, and importantly, a broad range of browser support, including all mainstream browsers and also mobile apps
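The second and third features above (host authentication plus local encryption) are easier to reason about with a concrete model. The following is an added example, not code from the original post or from any particular product: it derives an authentication key and an encryption key from one master password, sends only the former to a hypothetical sync host (`VaultHost`), and keeps the latter on the device. The cipher is an HMAC-SHA256 counter-mode keystream with a separate HMAC tag so that it runs on the Python standard library alone; a real product would use an AEAD such as AES-GCM or XChaCha20-Poly1305. Sample vault contents and the scrypt cost are constructed for the demo.

```python
from __future__ import annotations
import hashlib
import hmac
import json
import os

# scrypt work factor; constructed for a quick demo, raise n for production use
KDF_PARAMS = dict(n=2**14, r=8, p=1)


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password, then split one root key into two
    independent sub-keys: auth_key goes to the host, enc_key stays local."""
    root = hashlib.scrypt(master_password.encode("utf-8"), salt=salt, dklen=32, **KDF_PARAMS)
    auth_key = hmac.new(root, b"vault-auth-v1", hashlib.sha256).digest()
    enc_key = hmac.new(root, b"vault-enc-v1", hashlib.sha256).digest()
    return auth_key, enc_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode. Stand-in for a real cipher so the
    example needs only the standard library; use an AEAD in real code."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def encrypt_vault(enc_key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC under keys split from enc_key; returns a storable blob."""
    stream_key = hmac.new(enc_key, b"stream", hashlib.sha256).digest()
    mac_key = hmac.new(enc_key, b"mac", hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(stream_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_vault(enc_key: bytes, blob: dict) -> bytes:
    """Verify the tag before touching the ciphertext: a wrong key or a
    tampered blob both fail here instead of yielding garbage plaintext."""
    stream_key = hmac.new(enc_key, b"stream", hashlib.sha256).digest()
    mac_key = hmac.new(enc_key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(stream_key, nonce, len(ct))))


class VaultHost:
    """Hypothetical sync service. It stores the KDF salt, a hash of the auth
    key and the encrypted blob; it never sees the master password or enc_key."""

    def __init__(self) -> None:
        self._accounts: dict[str, dict] = {}

    def register(self, user: str, salt: bytes, auth_key: bytes, blob: dict) -> None:
        self._accounts[user] = {
            "salt": salt,
            # auth_key is already high entropy, so a plain hash is an adequate verifier
            "verifier": hashlib.sha256(auth_key).digest(),
            "blob": blob,
        }

    def get_salt(self, user: str) -> bytes:
        """The salt is not secret; a new device needs it before it can authenticate."""
        return self._accounts[user]["salt"]

    def download(self, user: str, auth_key: bytes) -> dict:
        acct = self._accounts[user]
        if not hmac.compare_digest(hashlib.sha256(auth_key).digest(), acct["verifier"]):
            raise PermissionError("host authentication failed")
        return acct["blob"]


def sync_round_trip(host: VaultHost, user: str, master_password: str) -> dict:
    """Second device: fetch salt, authenticate, download, decrypt locally."""
    auth_key, enc_key = derive_keys(master_password, host.get_salt(user))
    return json.loads(decrypt_vault(enc_key, host.download(user, auth_key)))


def demo() -> dict:
    """Register a constructed vault on the host and sync it to a second device."""
    host = VaultHost()
    salt = os.urandom(16)
    auth_key, enc_key = derive_keys("correct horse battery staple", salt)
    vault = {"example.test": {"user": "alice", "password": "Tr0ub4dor&3"}}  # constructed
    host.register("alice", salt, auth_key, encrypt_vault(enc_key, json.dumps(vault).encode()))
    return sync_round_trip(host, "alice", "correct horse battery staple")


if __name__ == "__main__":
    print(demo())
```

The point of the split is visible in `VaultHost`: a copy of its database contains ciphertext, a salt and a verifier, so the attacker's only route to plaintext is an offline guess at the master password, which is exactly why the strength of that single password matters so much.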

The primary benefits of using a password vault include:

  • Reducing the potential for passwords to be stored insecurely
  • Removing the risk of data loss (and therefore loss of passwords) through the use of Cloud synchronisation (also a weakness)
  • Allowing highly complex passwords to be used, minimising simple password use
  • Minimising password reuse across accounts
  • Secure storage of passwords using local encryption, minimising some but not all risks of Cloud vault storage
  • Storage of related authentication data, such as secrets and challenge response codes
  • A reduction in the use of password reset procedures, which may in turn allow more secure (and cumbersome) reset methods to be retained
  • The ability for others to use your passwords when you cannot
  • Automatic review of passwords for strength and quality, ensuring you are able to maintain the strongest password posture and minimising the attack surface
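Three of the benefits above (machine-generated complexity, minimised reuse, and automatic strength review) are simple to implement, and the example below is added here to show what that logic looks like. It is not code from the original post or from any vault product. It generates passwords from a CSPRNG with configurable length and character classes, estimates the entropy of a password from the classes it uses, and reviews a constructed sample vault for reuse, weakness, short length and membership of a (tiny, constructed) common-password list. Class names, thresholds and the sample entries are assumptions.

```python
import math
import secrets
import string
from collections import Counter

CHAR_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!#$%&*+-=?@^_~",
}
AMBIGUOUS = "0O1lI"  # characters that are easy to misread when typed by hand
# Constructed stand-in for a breached/common password list
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1"}

# Constructed sample vault: site -> password
SAMPLE_VAULT = {
    "bank.example": "password1",
    "mail.example": "password1",
    "shop.example": "c7$Qm2!xLp9&Vz4Wq",
}


def generate_password(length: int = 20,
                      classes=("lower", "upper", "digits", "symbols"),
                      exclude_ambiguous: bool = True) -> str:
    """CSPRNG-based generation with at least one character from each requested
    class (a small entropy cost, accepted to satisfy typical site policies)."""
    if length < len(classes):
        raise ValueError("length must cover at least one character per class")
    pools = []
    for name in classes:
        chars = CHAR_CLASSES[name]
        if exclude_ambiguous:
            chars = "".join(c for c in chars if c not in AMBIGUOUS)
        pools.append(chars)
    alphabet = "".join(pools)
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
    secrets.SystemRandom().shuffle(chars)  # OS CSPRNG, not random.shuffle
    return "".join(chars)


def entropy_bits(password: str) -> float:
    """Upper bound: log2(pool) per character, pool inferred from the classes
    present. Honest for machine-generated passwords; an overestimate for
    human-chosen ones, which is why the common-list check exists as well."""
    pool = sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))
    extra = {c for c in password
             if not any(c in chars for chars in CHAR_CLASSES.values())}
    pool += len(extra)
    return len(password) * math.log2(pool) if pool else 0.0


def review_vault(entries: dict, min_bits: float = 60.0, min_len: int = 12) -> dict:
    """Return site -> list of advisories for every entry that needs attention."""
    counts = Counter(entries.values())
    findings = {}
    for site, pw in entries.items():
        notes = []
        if counts[pw] > 1:
            notes.append(f"reused across {counts[pw]} entries")
        bits = entropy_bits(pw)
        if bits < min_bits:
            notes.append(f"weak: ~{bits:.0f} bits (< {min_bits:.0f})")
        if len(pw) < min_len:
            notes.append(f"short: fewer than {min_len} characters")
        if pw.lower() in COMMON_PASSWORDS:
            notes.append("appears in common-password list")
        if notes:
            findings[site] = notes
    return findings


def demo() -> dict:
    """Review the constructed vault; the two reused entries are the ones flagged."""
    return review_vault(SAMPLE_VAULT)


if __name__ == "__main__":
    print("generated:", generate_password())
    for site, notes in demo().items():
        print(site, "->", "; ".join(notes))
```

Note that the reuse check is the cheapest and most valuable of these: it needs no judgement about strength, only a count over the vault, and it directly addresses the first objective listed at the top of the post.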

Password vaults present risks and issues at the same time:

  • In my mind, the primary risk is losing the password for the vault, which usually leaves the vault inaccessible. This is a risk to availability. The solution is to keep a hard copy of the password in an appropriately secure location (e.g. a safe).
  • A lesser risk, reduced by local vault encryption, is greater exposure to an attacker duplicating the vault store through vulnerabilities in the Internet-hosted storage. This could come about through authentication weaknesses around the vault, or through other means such as side channel attacks, and it is of course the flip side of the sync capability. Ideally the vault store is encrypted with a second layer as described above, but limiting access to it is obviously a desirable control to put in place wherever possible. Some vaults allow local-only operation, which can be a sensible step.
  • A Single Point of Failure (SPOF) created by centralising credentials into one vault. This is the trade-off for convenience. A potential mitigation is to regularly duplicate the vault and store the copy alongside the password backup described above.

In many personal password vault services, the security of the vault effectively rests on a single password. This becomes more and more crucial as the vault is used to store ever more credentials. Most users are unaware of just how critical the vault password is.

Regardless of whether the vault is locally encrypted, always use two-factor authentication on the critical accounts stored in the vault. This goes some way towards mitigating the Cloud risk.

Things I don’t consider critical features of a password vault include VPNs, file storage, and dark web credential compromise scanning. These are undeniably useful, but may be better addressed with separate, complementary desktop security products.

I’ve intentionally not covered true enterprise password vaults in much depth in this post; there are several well-known vendors, solutions and use cases in that space.

Overall, password vaults are highly recommended in the present Internet environment; with some experience they become a powerful way of improving your digital security and minimising the risks of hacking and identity theft.

Passwords are not a particularly elegant authentication method. Despite long-standing criticism, we have unfortunately not seen the critical mass behind federated identity, or behind as yet unspecified distributed standards, that is needed to really halt their use.

Part of the challenge there is technical, such as drawbacks in frameworks like OAuth, but it is also a question of good options for Identity Providers, with the usual crowd such as Google and Twitter perhaps not being the best options long term.