Online VS Offline Password Managers: Understanding Attack Surface and Data Security (2024)

In today’s world, we rely on countless online accounts and services that require passwords. Managing all these passwords can be a daunting task, which is where password managers come in.

There are two types of password managers available: online (cloud-based) and offline (local). Online password managers store the password vault on a remote server accessible through the internet, while offline password managers store the password vault only on the user’s device.

One of the most critical factors to consider when choosing a password manager is the level of data security it provides. In this article, we will focus on the attack surface of online and offline password managers and how it impacts data security. By examining potential vulnerabilities and attack vectors, we hope to provide you with the information you need to make an informed decision about which type of password manager is right for you.

Attack surface refers to the potential entry points that an attacker can use to compromise a system or steal sensitive information. In the context of password managers, the attack surface includes factors such as the number of access points, the type of encryption used, and the level of user access control.

Online password managers have a larger attack surface due to requiring an internet connection, making them vulnerable to man-in-the-middle attacks, phishing, and data breaches. Additionally, storing the password vault on a remote server poses the risk of server compromise and data theft. Offline password managers have a smaller attack surface since they store the password vault only on the user’s device, but if the device is compromised, sensitive information can be stolen.

Next, we will explain the possible attack surfaces of password managers one by one.

One potential vulnerability that affects online password managers more than offline ones is the authentication process. When unlocking an offline password manager, the decryption process is straightforward. However, with online password managers, there is an additional step to verify the user’s identity to ensure they are accessing the correct password vault on the cloud.

Most online password managers use a master password as a means of authentication. However, verifying a user by their master password without actually knowing the password can be a subtle process. While there is a standard protocol, known as the Secure Remote Password protocol, to address this issue, not all cloud-based password managers implement it or implement it flawlessly.

Unfortunately, not all password manager developers have adequate security expertise, and some may not prioritize security when developing their products. As a result, some online password managers may be vulnerable to attacks that exploit flaws in their authentication processes. It is crucial to carefully research and select a password manager that has been developed with strong security measures in place.
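To make the idea of verifying a master password without the server ever knowing it concrete, here is an added example (not code from the article or from any password manager) of an SRP-6a style exchange with both sides run in one process. The group parameters, the function names and the simplified key-confirmation proof are assumptions chosen for illustration.

```python
import hashlib, hmac, secrets

# Assumption: demonstration group (Mersenne prime 2**521 - 1, g = 3).
# Real deployments use a standardized safe-prime group such as those in RFC 5054.
N, g = 2**521 - 1, 3

def H(*parts):
    """SHA-256 over fixed-width integers / raw bytes, returned as an int."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(66, "big") if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")

k = H(N, g)

def private_x(salt, user, password):
    # Derived from the master password; never leaves the client.
    return H(salt, f"{user}:{password}".encode())

def register(user, password):
    """Client-side sign-up: the server stores only (salt, verifier)."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, user, password), N)

def client_key(user, password, salt, a, A, B):
    if B % N == 0:                      # reject a degenerate server value
        raise ValueError("illegal B")
    u, x = H(A, B), private_x(salt, user, password)
    return H(pow((B - k * pow(g, x, N)) % N, a + u * x, N))

def server_key(verifier, b, A, B):
    if A % N == 0:                      # required check: such an A would make
        raise ValueError("illegal A")   # the key independent of the password
    return H(pow(A * pow(verifier, H(A, B), N) % N, b, N))

def login(user, password, salt, verifier):
    """Run both sides; True if the client's key-confirmation proof verifies."""
    a, b = secrets.randbelow(N - 2) + 1, secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                          # client -> server
    B = (k * verifier + pow(g, b, N)) % N     # server -> client
    kc = client_key(user, password, salt, a, A, B).to_bytes(32, "big")
    ks = server_key(verifier, b, A, B).to_bytes(32, "big")
    proof = hmac.new(kc, b"client-proof", "sha256").digest()  # simplified proof
    expected = hmac.new(ks, b"client-proof", "sha256").digest()
    return hmac.compare_digest(proof, expected)
```

The `A % N == 0` and `B % N == 0` checks are the kind of detail that separates a correct implementation from a flawed one: the protocol still "works" for honest users when they are missing.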

When using online password managers, your password vault data is frequently transmitted over the internet to reach your device or the cloud servers. This happens when you save passwords in a cloud-based password manager or log in to the app on another device. This increases the risk of your data being intercepted by third-party routers during transmission.

While many online password managers use TLS connections to enhance security, there are still potential threats to consider. Therefore, it is important to carefully assess the security measures taken by the password manager service and weigh the risks before deciding to use an online password manager.

Using cloud storage for password vaults comes with at least three potential threats.

Firstly, a bad employee with access to the cloud servers can potentially access and misuse user vaults. This highlights the importance of secure unlocking factors.

Secondly, cloud storage is an attractive target for hackers. If they manage to breach the cloud servers, they can potentially gain access to a large number of users’ high-value secret data at once.

Lastly, supply chain attacks are another potential risk. The cloud infrastructure relies on many third-party components to function, and if one of these components is compromised with malicious code, it could potentially send user vaults to a hacker.

Therefore, it is important to consider these risks when using cloud storage for password vaults and ensure that the chosen password manager has robust security measures in place to prevent such attacks.

Many cloud-based password manager services offer web-based access. Users can access the vault anywhere with a browser and the master password. Here’s how they work:

Step 1: The browser downloads the web-based password manager app from the cloud.

Step 2: The web app prompts the user for their username and master password.

Step 3: The app authenticates the user and downloads the appropriate vault from the cloud.

During this process, there are at least three possible scenarios in which data could be attacked:

  1. Bad Insiders: Web-based password manager apps are stored on cloud servers, and if malicious administrators or hackers gain access, they can inject malicious code and steal your master password and vault. This risk is higher because cloud servers are always connected to the internet and constantly exposed to attacks.
  2. Third-Party Resources: If the web app relies on third-party resources, such as ads or traffic analysis components, those components could be compromised, leading to a breach.
  3. Malicious Browser Extensions: If a user installs a malicious browser extension, it could be used to steal all of their passwords.
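For the third-party resource scenario, a reviewer can check which external scripts a web vault's unlock page loads and whether each is pinned with a Subresource Integrity hash. The following is an added example, not code from the article; the host names, the sample page and the integrity value are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SRI_PREFIXES = ("sha256-", "sha384-", "sha512-")

class ScriptAudit(HTMLParser):
    """Collect every <script src> served from a host other than the app's own."""
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.findings = []          # list of (host, "pinned" | "unpinned")

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        host = urlparse(attrs.get("src") or "").hostname
        if host is None or host == self.first_party_host:
            return                  # inline or first-party script
        integrity = attrs.get("integrity") or ""
        pinned = integrity.startswith(SRI_PREFIXES)
        self.findings.append((host, "pinned" if pinned else "unpinned"))

def audit(html, first_party_host):
    parser = ScriptAudit(first_party_host)
    parser.feed(html)
    return parser.findings

# Constructed sample of a web vault unlock page (not from a real product).
SAMPLE_PAGE = """
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://cdn.example/lib.js"
          integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
  <script src="//analytics.example/track.js"></script>
</head><body><form id="unlock"></form></body></html>
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE_PAGE, "vault.example"):
        print(f"{host}: {status}")
```

An unpinned third-party script runs with full access to the page that receives the master password. Pinning only covers third-party files; it does not help in the first scenario, where the first-party server itself serves altered code.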

Cloud-based password managers offer browser extensions to help autofill passwords, but these extensions rely on the Web DOM API, which allows third-party JavaScript code to access powerful features of the browser. This creates many attack surfaces that attackers can exploit.

Security researcher Sean Cassidy advises against using browser extension password managers because they give attackers an API to interact with your password manager via JavaScript or the DOM. Unlike desktop-based password managers, which require compromising the local machine first, browser extensions can be compromised simply by visiting a webpage.

In conclusion, when it comes to password management, offline password managers are a better option in terms of security. While online password managers offer convenience, they also come with a greater attack surface, making them more vulnerable to security breaches.

By choosing an offline password manager, you can have peace of mind knowing that your sensitive information is stored securely on your device, and not on a remote server accessible to potential attackers. If you want to find the best offline password manager, this article may be helpful.

Author: Tish Haag
