Why You Should Delete All Your Passwords In Google Chrome

There’s a truism in cyber circles that hackers don’t break in, they log in. It’s not new; users have been warned of this for years. But now more than ever, your passwords are at high risk. And for most users, there’s nothing more than those passwords protecting your digital life.

Your passwords are almost certainly included in multiple data breaches, especially given our habit of using the same username and password across multiple accounts. Hackers know this, and it makes their job easier as and when they target your accounts.

Google, Microsoft and others are warning you to upgrade all your accounts to add passkeys. Microsoft is going even further, urging a billion users to delete passwords on their accounts. And you have just 5 days before it deletes passwords in its Authenticator smartphone app whether you like it or not. Now is the time to act on your passwords.

While most people still don’t use two-factor authentication (2FA), most that do still use SMS codes, even as government agencies warn that’s little better than no 2FA at all. At a minimum, use a top-tier authenticator app for 2FA, although passkeys are better.

Meanwhile, we all need to save our passwords, to conveniently autofill them when required to access websites and apps. But if you’re using your browser to store your passwords then you should make a change and stop doing that. And no browser is more widely used as a password manager than Chrome — across all platforms.

Saving your passwords in Chrome is undoubtedly easy. But easy is rarely best when it comes to security. And while there may have been arguments for browser-based password management in the past, the password manager options are now so good that there’s no excuse not to switch and delete the passwords stored in your browser.

“Do you use Google’s Password Manager?” TechRadar asks. If so, “you should reconsider.” While “Google’s free password manager has handy features like auto-filling passwords and alerting you about data breaches, there are significant downsides you can’t ignore: It doesn’t use zero-knowledge encryption, meaning Google could potentially access your passwords if they wanted to. Yikes!”

The Freedom of the Press Foundation, PC Mag and even Android Police say the same. Especially now that “Google has made it easier to move away from its password manager with a new ‘Delete all data’ option in the settings, allowing users to completely wipe their saved passwords before switching to a third-party password manager.”

A standalone password manager should be protected by your trusted hardware security. That means Apple’s Passwords app, or an app that uses strong passkey or app-based 2FA. You also need to ensure there’s zero-knowledge assurance, meaning your master password and your stored data are only ever available to you. That means a central password manager data breach can’t compromise your own accounts.

Clearly, if your device is compromised then your password app might be accessible as well. But it’s more likely for your browser to be compromised than your device. That could be via a core browser compromise, a malicious extension or even a browser agent. There’s no fire gap between your browser and your credentials. That is a risk.

Per TechRadar, “the security risks associated with web-based password management solutions cannot be overlooked. Google Password Manager is susceptible to malware attacks, including those exploiting vulnerabilities like JavaScript. This vulnerability increases the likelihood of unauthorized access to your sensitive information compared to standalone products that don’t have the same exposure to web-based threats.”

Google has upgraded its password repository — especially with device-level encryption. But there’s still no fire gap between your public facing browser and your passwords.

As TechRepublic explains, “today’s online landscape is fraught with many cyber threats, and only a dedicated password manager can offer advanced features like zero-knowledge encryption, cross-platform compatibility, travel mode, and secure password sharing and inheritance options for adequate security.”

And while “Google Password Manager can give you some basic protection and password management features, it still cannot be compared to dedicated password managers in many other areas beyond password storage and password generation.”

As with VPNs, avoid all but top-tier password managers from well-known, leading developers. The app should be part of your ecosystem, such as Apple’s, or should be paid. Again, just like VPNs, free means risky. And you should ensure it ticks all the boxes: fully encrypted security, zero knowledge, authenticated access and a fire gap.

