Following the news regarding Google Chrome’s redesign introducing a password manager, Richard Archdeacon, Advisory CISO at Duo Security offers the following comment.
Richard Archdeacon, Advisory CISO at Duo Security:
“It is good to see that a password manager is being introduced into a browser. To step back, the issue with passwords is that often they are too simple and are used across different sites. Hackers can either guess or test against known lists of passwords using techniques, referred to as password spraying. This allows them to compromise an account once a password is known.
There are a number of advantages to using a password manager instead of trying to remember all passwords or resorting to the fabled Post-it note password management system. Some of the key benefits that are recognised are that they make it easier for users to use unique long passwords for different sites without having to remember them, thus reducing reuse of the favourite dog’s name type password; often a password manager will have a generator capability that will provide unique, long passwords and when used within a browser they can often be utilised across devices making it easier for users.
However, password managers can become targets themselves. And, in some cases if a user forgets the master password then they lose everything. There have also been recent cases where some organisations have recommended that they are not used to store the passwords to access their services.
It is still recommended by organisations such as the NCSC that additional identification factors are used and relying on passwords to secure access is on its way out. Yes, it is better to use a password manager than not, but is even better to improve your access authentication with additional factors. This will mean that hackers have to compromise multiple controls rather than just the one – the password – to gain access to an account.”