Macon Moyer
4/2/2024
Hello everyone. This is my first blog post as part of my project of completing CEUs to renew my CompTIA Security+ certification. I've always wanted to start a blog for a variety of reasons and forcing myself to create sixteen of them for CEUs will be a good starting point. I'm going to start with a relatively basic topic that's not necessarily a hot debate but has different points of view. Here is my shallow dive on the importance and types of password managers.

First, I will discuss the different types of password managers. The most popular that I have seen the common person use are the password managers built into web browsers, specifically Chrome's password manager. Most of the common browsers now have built-in password managers that are incredibly convenient as an extra layer of security for the common person. Browser password managers are by no measure the most secure and provide the smallest amount of password security aside from a common notepad or text file. The reason is that most browsers automatically log the user in when the session is started, so the passwords saved in the settings are immediately accessible. They are susceptible to shoulder surfing attacks, and I have seen an instance or two of a student doing this to teachers. Browser password managers do provide a bit of security, in theory, by giving the user a more effective and convenient way to create different passwords for different logins. Unfortunately, this is not always the case: some common users may use a default password for everything (including Chrome), which makes their password manager an easy target for hackers. With good practices, I believe that browser password managers are fine for a common user, contrary to some professionals’ opinions. At the end of the day, it comes down to the mix of time, effort, convenience, and security, and I believe that most browsers do a great job of helping common users have a slight amount of security that they wouldn’t have had before.

The next type of password manager we will discuss is a traditional software password manager. There are too many options on the market, but the main differences between software password managers are: paid vs free, offline vs cloud, and SSO (single sign-on). Most software password managers are paid, cloud-based, and not SSO. Offline password managers are generally thought of as the most secure among the password managers but require a bit of tech knowledge and a place to store the password manager. This comes alongside data protection, keeping back-ups, version control, emergency planning, and ease of access. The offline password manager has a few different use cases, including a single person who is incredibly security conscious, a business that has high security needs (think DoD), and businesses that may not always be connected to the Internet. Cloud password managers are the most common among businesses and provide a method of security for all users that is stored on another business’s servers. This means that if that company is breached, your own business’s data could be leaked, but I think that this is just one of the realities of the modern world of business. I don’t personally see a world where a business can operate 100% independently without having to rely on cloud services in some way. Whether the breaking point comes from a cloud password manager or from a third-party cloud payment service is almost irrelevant, because both can be exploited and a great hacker could accomplish the same goal from both. The last thing I’ll speak on in this section is that paying for an offline password manager for a single person is a waste of money in my opinion. A truly security conscious person has better methods of securing their data offline than paying another service to do it for them. A simple encrypted txt file put on a USB in a fireproof safe, for instance, isn’t the most convenient answer but in my mind is seemingly a lot more secure than any third-party service. There are a lot of better options than this extreme, of course, but I hope that you are seeing my point: you don’t have to be scared into believing that organizations are your ultimate haven of security when a lot of it can be handled on your own.

My concluding statement on password management is that, like anything in cybersecurity, there is no one size fits all and each use case is different. Password managers are essential because having a different password for every login is essential. Whether you or an organization decide to pay for services, keep it in house, or simply use browser password managers is entirely up to your security needs and how important the data is to you. I hope that this short guide provided some insight on the value and different types of password managers.