The June 2015 breach of LastPass does not mean that the model is broken or that there is no future for password managers, according to rival Dashlane.
There is no such thing as absolute security online, but users of password managers will be more secure than non-users, Dashlane chief executive Emmanuel Schalit told Computer Weekly.
“As soon as you connect all computing devices on the planet in one network that uses a single protocol, you abandon the notion of absolute security unless you disconnect,” he said.
“But if you are connected, then it is a question of relative security, and using a password manager is safer in the same way as putting money in a bank is safer than putting it under your mattress.”
Today, said Schalit, there is no safer alternative to password managers for anyone who accesses a wide range of online services using a variety of devices.
One of the key reasons “serious password managers” such as Dashlane and LastPass are safe, he said, is that they use architectures that ensure that encryption keys are not stored alongside data.
“The LastPass hack is like someone breaking into the front office of the bank, but not getting anywhere near the main vault. The core data can’t be stolen because it is encrypted and the encryption keys are different for each user,” said Schalit.
Dashlane has sought to bolster the inherent security of this model even further by disallowing weak master passwords and enforcing two-factor authentication (2FA) when adding new devices.
Schalit is also optimistic about the future of password managers because he does not expect the username and password model to disappear any time soon.
“It is a de facto standard used by more than 500 million websites because it is a free system that does not involve any patents, it is not controlled by any big technology companies, it is easy to implement, and there are not yet any practical alternatives,” he said.
The only potential alternatives, said Schalit, are biometrics and single sign-on (SSO) systems such as Facebook Connect, but hackers have shown that fingerprints can be stolen using high-resolution photos to fool authentication systems and Facebook Connect has had limited adoption.
“The problem with biometrics is that they can be stolen, that they cannot be changed or replaced if they are stolen, and there are no standards for biometrics,” he said.
Passwords, on the other hand, are easy to change, they enable people to be anonymous on social media, and they can be shared, which Schalit said is key in business and at home.
“The problem with Facebook Connect is that no-one is going to use it to log in to Google Mail, Amazon, Tesco or online banking,” he said.
According to Schalit, password managers are the only practical solution because they make it practical to use unique, strong and automatically changed passwords.
“Passwords will therefore continue to be used, but will recede into the background as a technical vector of identity that will disappear from day-to-day life,” he said.
But Schalit believes that password managers will evolve into guarantors of identity as websites begin to accept token identities from such services.
Dashlane’s vision of identity in the future is not very different from that of the Fido Alliance, a consortium of technology firms seeking to eliminate dependency on password-based security.
The Fido Alliance has published a technical specification and launched a certification programme to enable interoperability between authentication systems.
Once the Fido open standard is ubiquitous, it will mean that users can authenticate themselves to a device, which in turn will authenticate them to other devices and online services.
While Dashlane has applied to join the Fido Alliance, Schalit believes it will take quite some time before the Fido vision can be realised because it will require all technology firms to support the standard, and while several key players such as Microsoft, PayPal, Google and Docomo are Fido members, Apple has not yet given any indication that it intends to join.
“Even if Apple joins Fido, there will still be hundreds of millions of websites that are not geared to work with the Fido standard, and that cannot change overnight,” he said.
Whatever the way forward regarding online identity, Schalit believes that replaceability, anonymity and shareability are indispensable attributes that will need to be taken into account.
Businesses typically have a single corporate Twitter account with a single password that needs to be shared among several people within the organisation, things need to be replaceable if they are compromised, and anonymity – which was essential to the Arab Spring – remains important on the internet, he said.
“Passwords meet these needs, and the problem is not with the passwords themselves, but the fact that security relies on humans to come up with and remember passwords that are strong, unique and frequently changed,” said Schalit.
Password managers in general solve these problems, but Dashlane in particular meets the need to share certain passwords among members of a team who need to access a single Twitter or cloud service account, or members of a family who need to access a single Netflix account.
Dashlane’s password-sharing feature ensures all team members have strong and secure passwords, and automatically logs team members into shared accounts.
The feature also enables businesses to manage who has access to passwords and revoke and/or modify an individual’s ability to use the credential.
To enable this feature, Dashlane built a peer-to-peer transaction system between Dashlane accounts to ensure that no attacker would be able to masquerade as a team member or steal passwords shared using email messages.
Schalit predicts that whoever solves the problem of identity in future, it will not be one of the technology giants.
“Consumers are fundamentally platform-agnostic and those that live only in the Apple world or only in the Google world represent a very small minority. Identity is a cross-platform problem, and I predict it will be solved by an emerging player that is not constrained by a single environment or platform,” he said.