Who has the best password manager for online security?
Online security matters more than ever now that cyber attacks are on the rise in 2012; that, at least, is the prediction of many security experts. Individuals, industries and agencies are all trying to find safeguards that will reduce the risk of an attack. But what is the best solution? Do you use Public Key Infrastructure (PKI), One Time Passwords (OTP), Single Sign-On (SSO) or Password Management (PM)? Before I, or anyone else, can answer that, you first need to understand your environment: what you are protecting, what the risks are and who else would have access.
No one solution works for everyone and every environment. They all have their advantages and disadvantages. For this discussion, let’s just address Password Management. While I have developed Power LogOn® to offer solutions to a number of issues, I also recognize that it may not be entirely the best solution for everyone. So first off, if you are using any type of password manager and generator you are ahead of most internet users. Congratulations.
Instead of doing a feature-by-feature product comparison intended to eliminate one product or competitor in favor of another, I want to discuss some topics you need to consider when picking any password manager.
- Target Customer: Password manager solutions typically target two different customers – Consumer and Industrial. While the basics of protecting passwords are similar, the differences lie in how much customization is allowed, how the product integrates into existing servers and networks, and what additional functions it offers.
- Authentication: Security experts all say that the more ways one authenticates oneself to the computer, network or site, the better. The security industry has standardized on three types of authentication: something you have (card or token), something you know (PIN or password), and something you are (biometrics). Security is strengthened by incorporating any two of the three types, or all three. A single PIN or password does not authenticate the user; it only proves that someone knows the secret, not who that someone is. The tradeoff is that the more levels of authentication you require, the higher the security costs.
- Password Storage: Reading all the articles about the recent hacking attacks, the target has been the password database. It does not matter how complex and unique your password is if someone breaks into the database. Therefore, another consideration has to be where passwords are stored (hard drive, cloud or token). Here are some considerations:
  - File Encryption: Do you encrypt the password files or are you using a service’s encryption? Is there any concern that the encryption could have a backdoor?
  - Authentication Access: Does the product/service have single- or multi-factor authentication?
  - File Access: Are the passwords stored on a single computer, directory, cloud or token? How do you access your passwords if you are on different machines? Can someone else access your passwords/accounts if you are away from your machine?
  - Networks and clouds: Does an IT administrator have access? Where are the passwords stored, are there any back doors, what encryption is used, and how is authentication established?
  - False authentication lockout and recovery: Is there a limited number of authentication attempts before the password file is locked? If it is locked, what is the recovery process? Will a brute-force attack work?
  - Token-based storage security: If you use a USB device, smart card or even your smartphone, what happens if the device is lost or stolen? How do you recover your passwords? Will others have access to your passwords if they find it?
  - Malware, Phishing, Virus protection: How does the password manager protect against phishing emails, keyloggers and viruses?
- Additional Applications: Many industrial solutions can incorporate other features into the same card, for example employee photo ID, building access control, electronic payment and so on. How will you handle card issuance and management? Some solutions require re-badging, whereas others can work with the existing field-issued badges.
- Customization: Does the security solution require that you conform to its default settings, or does the technology allow it to be changed to match your security policies?
- Flexibility: Passwords are needed to log onto computers, networks, web sites and applications. Does the password management solution have the flexibility to address all these areas?
- Multiple platforms: Will the solution work with different operating systems (Windows, Linux, Mac, Android, etc.) and with different browsers (IE, Firefox, Safari, Chrome, etc.)? Does it matter in your environment?
- Price and cost-of-ownership: Are there any annual or subscription fees? Can licenses be transferred or recycled? What additional hardware and computer modifications are required? How long will it take to install? How much employee training is required to use the product?
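To make several of the checklist items above concrete (two-factor authentication, file encryption, false-authentication lockout and recovery, and a lost or stolen token), here is an added example in Python. It is not Power LogOn code nor any product's implementation; the cipher construction, the key-derivation cost, the attempt limit, the sample master password, token secret and vault entries are all assumptions made for illustration.

```python
"""Toy vault: two-factor key derivation, authenticated encryption, lockout.
The cipher is HMAC-SHA256 in counter mode with encrypt-then-MAC so the example
runs on the standard library alone; a real product should use a vetted AEAD
such as AES-GCM. Keys, policy numbers and entries are constructed samples."""
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # work factor: every offline guess pays this many HMACs
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32

class VaultLocked(Exception):
    """Raised once the failed-attempt threshold has been reached."""

def derive_keys(master_password, token_secret, salt, iterations=KDF_ITERATIONS):
    """Something you know (password) is stretched by PBKDF2; something you have (a
    random secret on a USB token or smart card) keys the final step, so a stolen
    vault file alone, or a found token alone, yields nothing."""
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations)
    enc_key = hmac.new(token_secret, stretched + b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(token_secret, stretched + b"mac", hashlib.sha256).digest()
    return enc_key, mac_key

def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 as a PRF in counter mode; a (key, nonce) pair is never reused."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_vault(master_password, token_secret, plaintext):
    """Returns salt | nonce | ciphertext | tag, the tag covering all three parts."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, token_secret, salt)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag

def decrypt_vault(master_password, token_secret, blob):
    """Plaintext on success; None when the tag fails (wrong password, wrong token,
    tampered file). The constant-time check runs before any decryption."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt, nonce = blob[:SALT_LEN], blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, token_secret, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))

class VaultGuard:
    """False-authentication lockout: after max_attempts consecutive failures every
    further attempt is refused until an out-of-band recovery step resets it."""

    def __init__(self, blob, max_attempts=5):
        self.blob, self.max_attempts, self.failures = blob, max_attempts, 0

    @property
    def locked(self):
        return self.failures >= self.max_attempts

    def unlock(self, master_password, token_secret):
        if self.locked:
            raise VaultLocked("too many failed attempts; recovery required")
        plaintext = decrypt_vault(master_password, token_secret, self.blob)
        self.failures = 0 if plaintext is not None else self.failures + 1
        return plaintext

    def reset_after_recovery(self):  # stands in for the product's recovery process
        self.failures = 0

def demo():
    """Runs the scenarios the checklist asks about; every value should be True."""
    master, token_secret = "correct horse battery staple", bytes(range(32))  # constructed
    entries = b"example.com=hunter2\nmail.example=Tr0ub4dor&3"               # constructed
    blob = encrypt_vault(master, token_secret, entries)
    guard = VaultGuard(blob, max_attempts=3)
    results = {
        "round_trip": decrypt_vault(master, token_secret, blob) == entries,
        "wrong_password": decrypt_vault("password1", token_secret, blob) is None,
        "lost_token": decrypt_vault(master, b"\x00" * 32, blob) is None,
        "tampered_file": decrypt_vault(master, token_secret, blob[:-1] + bytes([blob[-1] ^ 1])) is None,
        "three_guesses_fail": all(guard.unlock("guess%d" % i, token_secret) is None for i in range(3)),
        "locked": guard.locked,
    }
    try:
        guard.unlock(master, token_secret)
        results["lock_holds_even_for_correct"] = False
    except VaultLocked:
        results["lock_holds_even_for_correct"] = True
    guard.reset_after_recovery()
    results["recovered"] = guard.unlock(master, token_secret) == entries
    return results

if __name__ == "__main__":
    print(demo())
```

The point of the three pieces maps back to the checklist: the slow key derivation and per-file salt are what make "someone breaks into the database" expensive rather than fatal, because each offline guess costs the full PBKDF2 work; the token secret means neither the vault file on the hard drive nor a found token is useful by itself; the authentication tag rejects a file that has been tampered with before any decryption happens; and the attempt counter is the false-authentication lockout, with the reset standing in for whatever recovery process a product defines. When evaluating a real product, ask which of these it actually does, with what work factor, and whether the lockout lives on the token or only in software.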
While there are some pretty shoddy products on the market, when dealing with a name-brand solution you can rest assured that security and convenience are top notch. Trying to determine whether one technology or solution is better than another is like comparing a Range Rover to a Bentley. It all depends on where it is to be used. If you try to use the Bentley for climbing mountain dirt roads and fording raging streams, you might think it is the worst vehicle in the world. But if you are going to the Oscars… well, you decide.