April 2019
CERTIFICATION
I hereby certify that this thesis entitled “A Comparative study of five password management
softwares” has been carried out by me, Ayeah Godlove Akoni, with registration number
UBa16P254 in the Department of Computer Engineering, option Computer Network and System
Maintenance, of the College of Technology (ColTech) Bambili, University of Bamenda.
Supervisor: Dr. LIENOU JEAN PIERRE, Senior Lecturer
Date: __________________ Signature: _____________________
Head of department: Dr. LIENOU JEAN PIERRE, Associate Lecturer
Date: ______________________ Signature: ________________________
ATTESTATION
I hereby declare that I am the sole author of this project. I authorize the College of Technology
(ColTech) Bambili to lend this project to other institutions or individuals for the purpose of
scholarly research.
I understand the nature of plagiarism, and I am aware of the University’s policy on this.
I certify that this project reports original work by me during my University project except for the
extracts obtained from other sources as detailed in the appendix or bibliography:
Signature Date
__________________ __________________
DEDICATION
ACKNOWLEDGEMENTS
Glory is returned to God for this work, which was carried out with the assistance of several
people to whom I address my sincere thanks here. In particular I express my acknowledgements
to:
The Director of the College of Technology (ColTech) Bambili, Pr. FONTEH Mathias,
who spared no effort for the smooth running of our establishment;
The Head of the Department of Computer Engineering, Dr. LIENOU, for the particular
attention he paid to our training;
All lecturers of the College of Technology (ColTech) Bambili, who contributed to our
training through the different courses they taught us;
My supervisor, Dr. LIENOU JEAN PIERRE, for all his advice and contributions to this
work;
My parents, Mr. and Mrs. AYEAH TEFUH ALFRED and NSOM ROSE YIWULI, who
supported me morally and financially throughout my training in HTTTC Bambili;
All those who directly or indirectly contributed to the success of this project.
UDT PROPOSAL THEME
An Open Source software for account passwords management
Supervisor: Dr LIENOU JEAN PIERRE
PROBLEM STATEMENT
Today you need to remember many passwords: a password for the Windows/Linux/MacOS
network logon, your e-mail account, your website's FTP password, online passwords (such as
website member accounts), etc. The list is endless, and each online account needs a strong
password to be entered every time a user wishes to access his/her account. How are users
supposed to remember all these account passwords? Examples include Gmail, Yahoo Mail,
Pinterest, Facebook, Twitter, Amazon, Flickr, Skype, and also bank account PINs, credit card
PINs, etc. Keeping track of tons of passwords and security hints is really a hard problem.
There are two problems then: first, how to manage these account passwords using password
management software, and second, how to practise secure password management.
OBJECTIVES (General and Specific)
I will cover a comparative study of five password management applications. I will provide an
overview of how password management applications work, the security they provide, and the
benefits and risks of using them. I will also take a deeper dive into the potential security
vulnerabilities of five of the most popular password management applications: LastPass,
Dashlane, KeePass, 1Password and Keeper.
Methodology, Tools, Equipment
I will be using five of the most popular password management applications (LastPass, Keeper,
KeePass, 1Password and Dashlane). I will be focusing on password management on common
computing devices (desktops, laptops and smartphones) running the Windows, Linux
(Ubuntu, BSD, Linux Mint, etc.), Mac, Android or iOS operating systems.
BASIC SKILLS NEEDED
Knowledge on third party password management applications.
A deep knowledge on secure password management practices.
AWAITED RESULTS
Rather than racking our brains to remember passwords for different online accounts, we
simply make use of password management software, which does the job for us effectively,
efficiently and accurately, and requires us to recall just one master password.
These password management applications fulfil all the secure password management
requirements.
They create complex passwords that are very difficult to guess or crack. They can
remember an unlimited number of passwords.
They are fast, efficient, provide easy to use interfaces, and most include additional
functionality such as auto-fill to speed up or eliminate the data entry required for an
online purchase or account registration.
CHRONOGRAM
A comparative study of open source third-party software for managing account passwords: three days.
Installation and configuration of the open source password management software: three days.
Report writing: one week.
ABSTRACT
Passwords are fundamental for information security. They are used as a first-line defense in
securing almost all our electronic information, networks, servers, devices, accounts, databases,
files, and more. Most of us now have a multitude of passwords we need to somehow keep track
of and remember. This article will provide an overview of how password management software
applications work, a comparative study of five password management systems (LastPass,
Dashlane, Keeper, 1Password and Keepass) and finally the latest recommendations for secure
password management practices, the security they provide, and the benefits and risks of using
them.
SUMMARY
Passwords are fundamental to information security. They serve as a first line of defence against
attacks on almost all our electronic information, networks, servers, electronic devices, accounts,
databases, files and more. Most of us now have a multitude of passwords that we must somehow
note down and remember. This article will give an overview of how password management
software applications work, a comparative study of five password management systems
(LastPass, Dashlane, Keeper, 1Password and Keepass) and finally the latest recommendations for
secure password management practices, the security they provide, and the advantages and risks
of using them.
CHAPTER I
1. Introduction
In today’s era, the IoT (Internet of Things) has become very popular around the world. Almost all
devices, known as smart devices, can connect to the Internet and access data from any corner of
the world. And, whether we like it or not, in order to use these services we need some level of
authentication to access the services offered by these devices. Examples of such services
include web services like the UBa student account, administrative platforms, moodle.org, Gmail,
Facebook, Yahoo Mail, etc. One of the most common methods of authentication nowadays is
passwords: a user needs to provide a username and a password before he/she can use certain
services. Facing the threat of cybercrime nowadays, passwords need to be created and managed as
securely as possible. So we see that the password is the sentry that guards a mass of sensitive
data such as our accounts (student, staff), credit cards, addresses and social security numbers.
Just imagine a school like COLTECH using a manual account password management system, or
not using an account password management system at all: how dangerous and inconvenient
would that be?
2. Problem Statement
There are two main problems then. First, how to create strong passwords for online accounts,
and second, how to manage these account passwords (remembering them and keeping them
safe).
We can all bear witness that password compromise is the root cause behind many cyber
breaches. Research has proven that two out of three breaches involved attackers using stolen or
misused credentials, because many people still do not follow secure password management
practices.
From my study, I have come to the realization that most students, staff and internet users in
general rely on memory alone to keep track of their passwords. The fact that one relies totally on
memory is clear proof of not following secure password practices, because if they can remember
all of their passwords then they must be creating simple passwords, or reusing passwords for
multiple accounts, or both.
3. Solution to the Raised Problem
Password management software applications are one answer to the problem because they fulfill
all the secure password management requirements. They help us create complex passwords that
are very difficult to guess or crack for all our online accounts whether student, staff, ecommerce
sites, etc. They help us remember an unlimited number of passwords. They are pretty fast,
efficient, easy to use, and most include additional functionality such as auto-fill to speed up or
eliminate the data entry required for an online purchase or account registration. We therefore see
that password management applications offer convenience that we need to manage our different
passwords.
Secure password management requires that unique passwords be used for each and every
account. Passwords must be both long and complex, composed of numerals, mixed-case letters
and special characters. Passwords should not be words, or the names of anything which could be
associated with their owner. Finally, passwords must be changed frequently.
These first passwords were simple and easily stored, since sophisticated hacking networks and
password-cracking programs did not yet exist. But the system was also easily duped. In 1962,
Allan Scherr, a Ph.D. researcher with access to CTSS, printed out all of the passwords stored in
the computer, so he could use CTSS for more than his four-hours-per-week allotment.
Cryptographer Robert Morris, who inadvertently created the infamous Morris worm, developed a
one-way encryption function for his UNIX operating system, known as "hashing," which
translated a password into a numerical value. The actual password was therefore not stored in the
computer system, making the information less readily accessible to hackers.
In the last decade, startups and researchers have proposed appropriately futuristic methods to
strengthen passwords or replace them entirely. These range from password management systems
like LastPass, KeePass, Dashlane, 1Password and Keeper to personal data lockers, which
centralize and encrypt passwords and other personal data.
Sadly, most of us still use terrible passwords. Could you believe that in 2019, someone is using
‘password’ or maybe ‘123456’ as his/her password? Well that’s what most of us still do.
5. Literature Review
Before we proceed with our topic, we will first run through some keywords used in password
management.
5.1. Password
A password is a string of characters that gives you access to a computer or an online account.
5.4. Dropbox
Dropbox is a free service that lets you keep a cloud copy of anything within the Dropbox
folder on your desktop. That folder is then accessible across computers and devices. Any
change to that folder is synced across every connected computer.
5.5. Authentication
Authentication is a process by which a user proves his identity to a system normally when
logging in.
physical object, or a measurement of some physical characteristic (biometric) of the living
human user. In other words, something the user knows, or something he has, or something he
is.
5.7. Multi-factor authentication
Multi-factor authentication means authentication using multiple factors. For example, a user
might sign into a system with a combination of two things he knows, or a combination of
something he knows and something he has, or perhaps something he knows, something he
has and something he is. Adding authentication factors makes it more difficult for an attacker
to impersonate a legitimate user to gain access to a system.
5.9. Typo squatting
Typo squatting, also known as URL hijacking, is a form of cybersquatting (sitting on sites
under someone else’s brand or copyright) that targets Internet users who incorrectly type a
website address into their web browser (e.g., “Gooogle.com” instead of “Google.com”).
When users make such a typographical error, they may be led to an alternative website
owned by a hacker that is usually designed for malicious purposes.
5.10.3. Social Engineering
The art of gaining sensitive information or unauthorized access to a system or account by
taking advantage of human (user) psychology. It is also known as the art of deception. In
reality, companies are typical targets of social engineering, and it is more challenging for IT
organizations to manage. Why? Because it relies on the fact that users are:
6.1.3. Storing passwords using browsers
Another group of internet users store passwords in browsers. For example, Chrome, Firefox and
Internet Explorer all have built-in password managers. But both Chrome and Internet Explorer
store passwords in plaintext on the device. Mozilla Firefox, however, does have an option which
allows you to encrypt your saved passwords and protect them using a master password. This is
very similar to how password managers store your passwords, except that Firefox will not create
new passwords for you and has very limited syncing capabilities.
The beauty of using password managers is that we only need to remember a single password,
called the “Master Password”, which is the password used to unlock our vault. All our login
information will be locked down and, at the same time, remain right at our disposal.
There are many password management applications to choose from today. Choosing the best
depends on our needs. Here are some password management applications tested and approved
as excellent by top security experts, the International Standard Organization, Lifehacker and
Digital Trends: LastPass, Dashlane, 1Password, Keeper and KeePass. All five of these
applications provide the following features, except where noted.
Create unique passwords
These password management applications can provide unique passwords for each
account. They have the capability to create and save an unlimited number of passwords.
All of these five password managers can create secure passwords which provide
protection from password cracking attacks, such as brute-force, dictionary or rainbow
table attacks.
The applications will store passwords using very strong encryption rather than just in
simple plaintext. This means that even if they are stolen they are still useless to an
adversary unless he can decrypt them.
Password managers will store our passwords, user ids and their URLs altogether in the
password database. This will help to alert users about phishing attacks because the user id
and password for a site will not be provided by the application unless the URL is an exact
match of the saved URL.
Using a password manager, there is no need to type your user id and password, once it
has been saved in the password database. The password managers will do the login
automatically when a login is required.
The password database can also be used to save other personal information, such as credit
card numbers, PINs, name, address, telephone number, etc. This additional feature
provides a convenient way to secure your other important information online.
Auto fill forms
The password managers can also auto fill information on common forms. For example,
common information which is needed to make purchases online, such as credit card
information, name, home address, and email addresses can all be auto filled from the
database.
All, except Keepass, offer the ability to synchronize user passwords across all his/her
devices.
Multi-Factor Authentication
All of these managers offer some means of multi-factor authentication.
Password Sharing
All of these password managers except Keepass offer the ability to share
passwords with spouse, friends or family. Passwords are shared securely using
TLS for transport and are sent in their encrypted form only.
6.3. Password Managers on Mobile Phones
All of the password managers I have listed previously run on almost all mobile platforms
(BlackBerry, Android, iOS, tablets, etc.). Depending on the platform we are using, one of these
password managers will be suitable to run on it.
Secondly, certain password managers can also help protect us from certain phishing attempts.
We might not notice that the site we want to log in to has been typosquatted, but our
password manager will. Imagine we open an ecommerce site and our password manager
does not auto-fill our credit card details: it simply means we are on a cloned site.
For the sake of security and convenience, absolutely everyone should be using a password
manager.
CHAPTER II
After reviewing and analysing the questionnaires (see Appendix A) that I distributed to some
individuals (COLTECH staff, students and internet users), it was very clear that many people
still do not follow secure password management practices. There were two groups of
people (see Appendix A for the raw data collected):
those who know the importance of secure password management but still do not follow
secure password management practices,
and those who did not even know the importance of secure password management.
To better understand the security of password management systems, I came up with a sample
password management scheme.
Fig1: (a) Password Management system authentication to a web application (User, Password
Manager, Web Application). (b) Password Management system sharing with a collaborator
(User, Password Manager, Collaborator User).
This model shows the basic functionality of every Password Management Software.
9.1. Manual Auto-filling
With manual auto-filling, the user needs to interact with input components like the keyboard and
mouse, as shown below.
[Figure: Page Load, then User Interaction, then the form is filled]
9.2. Automatic Auto-filling
With automatic auto-filling, the user does not need to interact with any input device. Upon
loading of the page in the browser, the password manager automatically fills in the form, as
shown below.
[Figure: Page Load, then the form is filled without User Interaction]
10. Methodology for Random Password Generation in Password Managers
A random password generator’s objective is to produce random passwords that are difficult to
guess and crack during attacks. Generally, random passwords have various benefits over user-
chosen passwords, since they enhance security and confidentiality. This methodology has been
created to generate random passwords of fixed length consisting of both upper and lower case
letters, digits from 0 to 9 and special characters (~!@#$%^&*-_+=). The password generator
algorithm selects a random character from a random character list and forms the password,
which is a combination of numbers, lower and upper-case letters and special characters.
Procedure:
Step 2: Create random character lists with numbers, upper and lower-case letters.
Step 5: The Random Password Generator chooses any of the three character sets.
Step 6: The index position of one of the characters from the chosen character set is returned.
Step 7: Append the characters selected through the index, one by one.
Step 9: End.
See Appendix B for the implementation of the Random Password Generator in both the C++ and
PHP programming languages.
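The procedure above, as an added Python example (not the thesis's Appendix B code): it draws from the three character sets by random index using the `secrets` module, a cryptographically secure generator, and additionally forces at least one character from each set so that a short password cannot come out as all digits. The function names are the example's own.

```python
# Added example (not the thesis's Appendix B code): a random password
# generator following the procedure in Section 10, using the secrets
# module (a CSPRNG) rather than rand()/mt_rand(), which are predictable.
import secrets
import string

# The three character sets named in Section 10; the special-character
# set is exactly the one listed on the page.
DIGITS = string.digits                  # 0-9
LETTERS = string.ascii_letters          # a-z and A-Z
SPECIALS = "~!@#$%^&*-_+="
CHARSETS = (DIGITS, LETTERS, SPECIALS)


def generate_password(length=16):
    """Return a password of exactly `length` characters.

    Each character is produced by first picking one of the three sets at
    random, then a random index into that set (steps 5-7 above). To make
    sure the result really mixes all classes, one character from every
    set is forced in and the final order is shuffled.
    """
    if length < len(CHARSETS):
        raise ValueError("length must be at least %d" % len(CHARSETS))
    rng = secrets.SystemRandom()
    chars = [secrets.choice(cs) for cs in CHARSETS]      # one of each class
    while len(chars) < length:
        charset = secrets.choice(CHARSETS)                # step 5
        index = secrets.randbelow(len(charset))           # step 6
        chars.append(charset[index])                      # step 7
    rng.shuffle(chars)    # so the forced characters are not always first
    return "".join(chars)


def has_all_classes(password):
    """Check the property the generator promises: at least one digit,
    one letter and one special character, and nothing outside them."""
    allowed = set(DIGITS + LETTERS + SPECIALS)
    return (set(password) <= allowed
            and any(c in DIGITS for c in password)
            and any(c in LETTERS for c in password)
            and any(c in SPECIALS for c in password))


if __name__ == "__main__":
    for n in (8, 16, 32):
        pw = generate_password(n)
        print(n, pw, has_all_classes(pw))
```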
11. What to take into consideration when building a password manager
There are people who believe that they should not trust software which they have not built or
participated in developing. There are many questions to ask and answer when developing a
password management system.
ii. What is your key derivation function? Will you use something like PBKDF2 to
resist password cracking attempts?
iii. How much sensitive data remains decrypted at any time online?
iv. What measures does the system use to prevent data loss? Does the backup system
perform any integrity check on the data prior to making the backup?
vi. Are there obfuscation (intentionally making it hard) techniques for sensitive data
(such as decryption keys) that may need to reside in the app’s memory for a while?
vii. Will your system automatically lock, or does it require you to take action to
lock/close your data?
viii. Can you eliminate or minimize the use of copy and paste for sensitive data?
ix. Most important, are you ready to keep researching newer techniques and
updating your password management system?
12. Common Attacks on Password Management Systems and Their Defense
Sweep attacks are possible mostly when a password manager auto-fills the username and
password fields automatically when a webpage loads. They occur when a target user connects to
a Wi-Fi hotspot controlled by the attacker.
When the user launches a browser, the browser is redirected to a standard hotspot landing
page asking for the user’s consent to standard terms of use. This is common behavior for public
hotspots. The user does not know that the landing page contains invisible elements that
implement the attack.
By the time the user is taking a look at the fully loaded landing page, most of their
credentials would already be gone; about ten passwords can be extracted per second.
Somewhat similar to sweep attacks, a Wi-Fi router in a coffee shop (for example) is all that is
needed: when you connect to it, all your passwords could end up in the attacker’s hands.
These attacks require only temporary control of a network router, which is much easier and
thus more likely to happen in practice. The user need not interact with a website; that is, the
user connected to the Wi-Fi router is completely unaware of what is going on.
12.4. Defenses
The main proposed defense is secure filling, which requires a modified browser (and
modified password managers to work with the modified browser).
1. The password manager stores the action present in a login form from when the username
and password were first saved.
2. When a login form is auto-filled by a password manager, it becomes unreadable by
JavaScript (hence the requirement for a modified browser).
3. If the username or password fields are modified (by the user or by JavaScript) while an
auto-fill is in progress, the auto-fill aborts, clearing the password from the password field
and making the field readable again.
4. Once a form with auto-fill is submitted, and after all JavaScript code that is going to
run has run, the browser checks that the form’s action matches the stored one and only
submits if so.
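The parts of this defense that a password manager can enforce on its own side, steps 1 and 4 above together with the exact-URL-match rule from Section 6, as an added Python example (not from the thesis or any real password manager). It assumes a saved entry records the page origin and the login form's action, and that filling is only ever user-initiated; all names and sample URLs are the example's own.

```python
# Added example (not from the thesis or any real password manager): a
# minimal "secure filling" policy for the defenses in 12.4 and the
# exact-URL-match rule from Section 6. The saved entry remembers the page
# origin and the login form's action when first saved, and the credential
# is released only when both still match and the user asked for the fill.
from urllib.parse import urljoin, urlsplit


def origin(url):
    """scheme://host[:port] in canonical form; the unit a manager keys on."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) URL: %r" % url)
    default_port = {"http": 80, "https": 443}[parts.scheme]
    if parts.port in (None, default_port):
        return "%s://%s" % (parts.scheme, parts.hostname)
    return "%s://%s:%d" % (parts.scheme, parts.hostname, parts.port)


def resolve_action(page_url, form_action):
    """Form actions may be relative ("/session"); resolve against the page."""
    return urljoin(page_url, form_action) if form_action else page_url


def save_login(page_url, form_action, username, password):
    """Step 1 of 12.4: record the form action alongside the credential."""
    return {
        "origin": origin(page_url),
        "action": resolve_action(page_url, form_action),
        "username": username,
        "password": password,
    }


def fill_decision(entry, page_url, form_action, user_initiated):
    """Return (allowed, reason) for an auto-fill request.

    Three checks, in order: the fill must be user-initiated (Section 12
    shows that filling silently on page load is what a sweep attack relies
    on); the page origin must equal the saved one exactly, so a typosquatted
    host or an http:// downgrade gets nothing; and the resolved form action
    must equal the one saved (step 4 of 12.4), so a form rewritten to post
    somewhere else gets nothing either."""
    if not user_initiated:
        return False, "automatic fill on page load is disabled"
    try:
        current = origin(page_url)
    except ValueError as exc:
        return False, str(exc)
    if current != entry["origin"]:
        return False, "page origin %s != saved %s" % (current, entry["origin"])
    action = resolve_action(page_url, form_action)
    if action != entry["action"]:
        return False, "form action %s != saved %s" % (action, entry["action"])
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample data; example.com is a reserved documentation domain.
    entry = save_login("https://www.example.com/login", "/session",
                       "alice", "constructed-password")
    cases = [
        ("https://www.example.com/login", "/session", True),
        ("https://www.example.com/login", "/session", False),   # on page load
        ("https://www.exarnple.com/login", "/session", True),   # typosquat
        ("http://www.example.com/login", "/session", True),     # downgrade
        ("https://www.example.com/login",
         "https://other.example.net/collect", True),            # rewritten
    ]
    for page, action, by_user in cases:
        print(page, action, by_user, "->", fill_decision(entry, page, action, by_user))
```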
Chapter III
13. Comparative Study of Five Password Management Software
We will now study each password manager in detail, taking note of the security it provides,
the technology it uses for security, its additional features, its advantages and disadvantages,
and the reported breaches it has endured.
13.1. KeePass
13.1.1. Overview
KeePass (KeePassX is the version for Mac or Linux) is a free open source password manager,
which helps you to manage your passwords in a secure way. All your numerous account
passwords are locked in one database and you only have to remember one single master
password to unlock the whole database. KeePass is really free, and more than that: it is open
source (OSI certified). You can get your copy from https://keepass.info
13.1.2. No built in Synchronization
Unlike Lastpass and Dashlane, Keepass uses a local database only. There is no web
application to log into, and it does not support the synchronization of passwords over the
internet. Passwords can be shared using a USB drive, or other methods such as Dropbox,
however.
Keepass offers a choice as to how the password database is protected. The choice is a
master password, a key file, or both.
Keepass offers a secure desktop option which, if enabled, will turn off tracing software
such as keyloggers when prompting for the master password or key file.
Keepass allows for more details in the configuration of generated passwords. It can
generate special passwords and keys that the other password management applications
cannot.
13.1.4. Security
The password vault is encrypted using the best and most secure encryption algorithms
currently known (AES and Twofish).
Keepass uses SHA-256 to derive the encryption key and AES-256 and Twofish for
encryption. If the master password is used in conjunction with a key file, then the formula
is as follows: SHA-256(SHA-256(password), key file contents). The number of iterations
defaults to a value of up to 6000 depending upon the device, but this number is configurable.
13.1.6. Breach Report
The tool called KeeFarce can be used to crack KeePass without needing to know the master
password that controls the KeePass account. Many hackers have used these methods to get
user credentials.
Completely free
Disadvantages
13.2. LastPass
13.2.1. Overview
LastPass is a very popular cross-platform and award-winning password manager that stores
all of its data in the cloud on LastPass servers. It works on all the major operating systems
and web browsers. LastPass can automatically save logins, help generate safe and secure
passwords and automatically fill in your passwords when you visit a site. It also allows users
to share passwords with each other through a secure means.
Fig 6: LastPass interface
13.2.2. Pricing
LastPass is free to use on a single device. But to synchronize your account across all your
devices you will be charged $12 a year. You can get your copy from
https://www.lastpass.com
LastPass has many additional features that are not offered by the other password management
applications. Three of them are as follows:
i. Multifactor authentication, with options including:
Physical Grid
USB
Fingerprint
A One Time Password (OTP), as the name implies, is a password which can only be used
once. These passwords are to be used instead of the master password when there is more of a
risk that the master password may be stolen. LastPass recommends using them for access
from a public computer or a public network.
Recovery of the password vault is a feature that allows users to recover their password vault
in case they forget their master password.
13.2.4. Security
The master password is used to derive the encryption key for the password database. The
password database is referred to as the vault. The vault is protected using very strong
encryption (AES 256 bits). The only person that knows the master password is you, because
LastPass does not know it.
LastPass uses Password-Based Key Derivation Function 2 (PBKDF2) with SHA-256 to convert
the master password into an encryption key.
LastPass uses SHA-256 as the hashing algorithm, the user id as the salt, and a random
number as the seed value. The number of iterations is a configurable value that for Windows
currently defaults to 5000.
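The two key-derivation shapes described for KeePass in 13.1.4 and for LastPass in 13.2.4, as an added Python example (not code from KeePass, LastPass or this thesis). It writes out the page's KeePass formula with a simplified SHA-256 stretching step (the real KeePass key transformation differs), PBKDF2-HMAC-SHA256 with the user id as salt, and a timing helper that shows why a higher iteration count (the 1,000 to 100,000 range Keeper exposes in 13.4.4) makes offline guessing slower; function names are the example's own.

```python
# Added example (not code from KeePass, LastPass or this thesis): the two
# key-derivation shapes described in 13.1.4 and 13.2.4, written out with
# Python's hashlib so the effect of the iteration count can be measured.
import hashlib
import time


def keepass_style_key(master_password, key_file_bytes=None, rounds=6000):
    """Composite key in the shape given for KeePass in 13.1.4:
    SHA-256(SHA-256(password), key file contents), then stretched by
    `rounds` further SHA-256 iterations. The stretching step here is a
    simplification of the page's description, not KeePass's real
    key-transformation algorithm."""
    key = hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file_bytes is not None:
        # Mix in the key file: a guesser now needs the file as well.
        key = hashlib.sha256(key + key_file_bytes).digest()
    for _ in range(rounds):
        key = hashlib.sha256(key).digest()
    return key


def lastpass_style_key(master_password, user_id, iterations=5000, length=32):
    """PBKDF2-HMAC-SHA256 as 13.2.4 describes it: the user id is the salt,
    so two users with the same master password still get different keys,
    and `iterations` (5000 is the default quoted above) sets the cost."""
    return hashlib.pbkdf2_hmac("sha256",
                               master_password.encode("utf-8"),
                               user_id.encode("utf-8"),
                               iterations, length)


def guesses_per_second(iterations, samples=20):
    """How many master-password guesses one CPU core can test per second
    at a given iteration count. Raising the count lowers this number
    roughly proportionally, which is the whole point of a slow KDF
    against offline brute force of a stolen vault."""
    start = time.perf_counter()
    for i in range(samples):
        lastpass_style_key("guess-%d" % i, "user@example.com", iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed sample inputs; not real credentials.
    k1 = keepass_style_key("correct horse", b"constructed key file bytes")
    k2 = keepass_style_key("correct horse")
    print("key file changes the key:", k1 != k2)
    a = lastpass_style_key("same-master", "alice@example.com")
    b = lastpass_style_key("same-master", "bob@example.com")
    print("salted by user id:", a != b)
    for n in (5000, 100000):
        print("%6d iterations: %.0f guesses/s" % (n, guesses_per_second(n)))
```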
13.2.6. Breach Report
LastPass suffered a breach in 2011 and again in 2015.
Neither of these compromises was deemed critical, because the actual passwords stored
in the password databases were not exposed.
The free version has really no great difference with the premium version
Your passwords are encrypted so that even LastPass can’t get into your passwords
Two-factor authentication
Disadvantage
The paid version doesn’t offer enough over the free version, which might cause
problems for the company in the long run
13.3.1. Overview
Dashlane is a newer password manager. It has applications for almost every platform,
extensions for every browser, and can store passwords locally.
Fig 7: DashLane Interface
13.3.2. Pricing
Dashlane is free for a single device. But if you want to synchronize your passwords across
multiple devices then the current cost is $39.99 per year. You can get your copy from
https://dashlane.com
Password Changer
Dashlane has a password changer feature which allows all the passwords in the database
to be changed automatically. Dashlane can login to each website on behalf of the user,
and change the password.
Emergency Contact
Dashlane also allows you to set up an emergency contact that can gain access to your
passwords in the case of emergency or death. The sharing is set up for the future, after a
pre-defined waiting period. If there is no activity on the share request before the end of the
waiting period, then the passwords will be shared with the emergency contact.
Breach Notification
Dashlane sends an email notification if any of the websites in the password database has
been breached.
13.3.4. Security
The Dashlane security premise is similar to LastPass. The password vault is protected by an
encryption key which is based upon a master password known only to the user. The master
password is never stored or sent. It uses AES 256-bit encryption.
The encryption key, like LastPass, is derived from the master password using PBKDF and
SHA-256. The number of iterations is not configurable and is about 10000.
Communication between the browser and Dashlane is secured using AES256 with
OpenSSL.
Disadvantages
You can’t sync passwords over multiple devices without paying a fee
Expensive, especially if you already have a VPN. The built-in VPN lacks the
ability to choose the server country
Does not work well with Internet Explorer. Although, if you are still using Internet
Explorer
13.4. Keeper
13.4.1. Overview
Keeper is less well known but has a strong focus on security and supports most devices and
browsers. It integrates with Duo for one-tap authentication. It can also stop people from
logging into your account from other parts of the world (which is good until you forget to
change it when you go on vacation).
13.4.2. Pricing
Encrypted vault for every user, folders and subfolders, shared team folders, and access from
unlimited devices: $30 billed annually. The free tier of service for Keeper limits your usage to
only a single account without any syncing, but you get a 30-day free trial to determine
whether the paid service is right for you.
13.4.4. Security
It starts with client-side AES-256 encryption, which means your data is encrypted and
decrypted locally. Keeper never sees any of your information and it’s never sent to Keeper’s
servers without being encrypted first.
You can set anywhere from 1,000 to 100,000 rounds of PBKDF2 hashing before sending
your unique key to Keeper to unlock your vault. The more rounds of hashing, the harder it is
for an attacker to brute-force your password.
This is known as a zero-knowledge model, meaning you, and only you, know what’s inside
your vault. Likewise, Keeper never receives your master password or stores it locally. It is
the single key to unlock your information and only you know it.
That means Keeper can’t unlock your account in the event you forget your master password.
You can add up to five emergency contacts who can access your account after an amount of
time you specify. Emergency contacts must have a Keeper account and RSA key pair to
accept the invitation.
When sharing anything in your vault with another user, both parties will also need an RSA
key pair. This ensures that, even if your information is accidentally sent to someone else,
only the intended recipient will be able to decrypt it.
Advantages
Excellent security
A wide range of supported devices, including Blackberry and Windows Phone
Allows you to designate an emergency contact
Can lock out people in other parts of the world, which can protect you in the event
of a breach
One-tap authentication
Disadvantages
Does not have PIN numbers to access apps, forcing you to type in the master
password all the time if your phone or tablet does not support biometrics
13.5. 1Password
13.5.1. Overview
1Password from Agile Web Solutions is a great way to manage, create and securely access
your passwords from a Mac, iPhone, iPad or Android device.
The application has plugins for all the major web browsers (Safari, Firefox and Chrome), and
you can also pull up your passwords from the application itself.
13.5.2. Pricing
Does not offer a free version. It has a 30-day trial version. The total cost is $36 annually. You
can get your copy from https://1password.com
Travel Mode
1Password gives you the possibility to remove sensitive data from your devices when you travel
or go on vacation, and the ability to restore that data when you come back.
13.5.4. Security
1Password uses AES-GCM-256 encryption to protect the password vault.
1Password also uses PBKDF2-HMAC-SHA256 for key derivation, which makes it harder for
anybody to guess your master password.
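The following Python is an added example, not code from Keeper or 1Password, illustrating the client-side key derivation that both the Keeper and 1Password security sections describe: the master password is stretched with PBKDF2-HMAC-SHA256 at a chosen round count, only a value derived from the key is sent for login, and the round count sets the cost of every offline guess. The salt, the sample master password and the login-token construction are assumptions made for the example.

```python
import hashlib
import hmac
import time


def derive_vault_key(master_password: str, salt: bytes, rounds: int) -> bytes:
    """Client-side PBKDF2-HMAC-SHA256; 32 bytes is the key size AES-256 uses."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, rounds, dklen=32)


def login_token(vault_key: bytes) -> bytes:
    """Illustrative zero-knowledge pattern (an assumption, not a vendor's real
    protocol): the server stores an HMAC of the derived key, so neither the
    master password nor the vault key itself ever leaves the client."""
    return hmac.new(vault_key, b"login-authentication", "sha256").digest()


def verify_login(stored_token: bytes, candidate_key: bytes) -> bool:
    return hmac.compare_digest(stored_token, login_token(candidate_key))


def offline_guessing(stored_token: bytes, salt: bytes, rounds: int,
                     candidates: list) -> tuple:
    """Models the exposure if the stored token leaks: each candidate costs one
    full PBKDF2 run of `rounds` HMACs. Returns (pbkdf2_runs, matched_candidate)."""
    for runs, guess in enumerate(candidates, start=1):
        if verify_login(stored_token, derive_vault_key(guess, salt, rounds)):
            return runs, guess
    return len(candidates), None


def seconds_per_guess(rounds: int, salt: bytes = b"timing-salt") -> float:
    """Wall-clock cost of a single derivation at the given round count."""
    start = time.perf_counter()
    derive_vault_key("timing-probe", salt, rounds)
    return time.perf_counter() - start


if __name__ == "__main__":
    SALT = b"constructed-salt-16B"  # real clients pick a random per-user salt
    key = derive_vault_key("correct horse battery staple", SALT, 100_000)
    token = login_token(key)
    # A strong master password is not in a small wordlist, so the token alone
    # does not let the server (or a thief of its database) recover it.
    print(offline_guessing(token, SALT, 100_000, ["123456", "password"]))
    for rounds in (1_000, 10_000, 100_000):
        print(f"{rounds:>7} rounds: {seconds_per_guess(rounds) * 1000:.1f} ms per guess")
```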
Advantages
Will create passphrases as well as random passwords
Disadvantages
Does not have automated password updates
Does not support Internet Explorer
Have to install a separate extension for each browser you use
Can only import passwords from Chrome, LastPass, Dashlane, and RoboForm
No password updating
Requires a separate authenticator application to operate its own two-factor
authentication
13.6. Features Comparison chart
Columns (1) to (5) are the five password managers compared.
Other platforms that support it apart from Windows, Mac, iOS and Android: (1) Linux, Chrome OS, Apple Watch, Firefox OS, Surface RT, Windows Phone; (2) Linux, Chrome OS, Apple Watch; (3) Chrome OS, Linux, Apple Watch; (4) Linux, Windows Phone, BlackBerry; (5) Linux / Mac OS X.
Browsers that support it: (1) Firefox, Maxthon, Opera, Internet Explorer, Edge, Chrome, Safari; (2) Chrome, Firefox, Opera, Internet Explorer; (3) Chrome, Firefox, Opera, Internet Explorer, Edge; (4) Chrome, Firefox, Internet Explorer, Edge; (5) Chrome, Firefox, Opera, Safari.
(partial row) forms; receipts; forms
Data accessibility on the web: (1) Yes, with ads for non-Premium subscribers; (2) Yes, subscription accounts only; (3) Yes, only for premium subscribers; (4) Yes; (5) No.
Security audit (e.g. Password): (1) Yes; (2) Yes (except version 6 for Windows); (3) Yes; (4) Yes; (5) Yes.
Encryption method: (1) Uses standard AES-256 bit encryption on your data; (2) Uses standard AES-GCM-256 encryption; (3) AES256 with the OpenSSL encryption; (4) Uses standard AES-256; (5) Uses standard AES and Twofish 256-bit encryption on your data.
Interface: (1) Simple interface; (2) Easy to use user interface; (3) Sleek and elegant user interface; (4) Has a modernized user interface; (5) Complex user interface.
To set up an account, you’ll use your email address and will need to come up with a master
password: a long, random, complicated one (note that this is the only password you’ll need to
memorize).
Next, you’ll have to let the password manager know about your various accounts by setting
up a bookmark for each (site URL, username, and password). You’ll be able to either import
passwords you’ve stored in your browsers, have the manager store your username and
password the next time you log in to a site, or enter the information manually.
16. Conclusion
We see that in today’s world, more and more of our transactions are sent over the internet
and there is nothing we can do to reverse that. And as the world is becoming a global village,
it has never been more important for each and every one of us to follow safe and secure
password management practices. As I mentioned earlier, passwords are the sentry that
guards our online information, including bank accounts, emails, medical records and more.
I recommend that we use password management applications to manage our account
passwords because it is the most practical and secure way for us to follow secure password
practices. Although they are not infallible and, like all other software applications, they are
susceptible to attack, I fully believe that it is much safer to use a password management
application than not to use one. So far we have reviewed five popular account password
management systems, yet there are many others to choose from. Please take note when
choosing password management software: make sure it follows the principles I have
covered in this study. I recommend the LastPass and KeePass password managers, for they have
withstood the test of the world’s top hackers. I hope by now we have understood how to better
manage our account passwords and also the best security practices when managing those
accounts.
Appendix A
Questionnaire
Part ONE: This section is all about your personal knowledge of password management
(partial question) Memorize them
3. How often do you change your passwords? After every 1 month / after every 3 months / after every 6 months / never unless stated by the online site.
4. What kind of passwords do you often use for your account safety? Simple passwords (e.g. 123456, password, date of birth, your name, your number)
6. Have you ever used one? YES / NO. Give its name ____________________
Tally of responses: 10 (100%), 02 (20%), 04 (40%), 03 (30%), 01 (10%)
Questionnaire number | Simple and complicated | After how long do they change account password | Account breach | Name of password management software they use
01 | Simple | Never | None | None
04 | Simple | Never | None | None
Appendix B
The figure below is a sample run of the program on the terminal in Ubuntu 16.04. The user selects a
choice by entering a value, either 1 (to generate a password) or 2 (exit). Then the user still has to
enter the length he/she wants the password to be.
The figure below is another implementation of a password generator, this time using the PHP server-side
scripting language. It gives the user the ability to select the characters to be included in
his/her complex password.
The figure below is a sample run of the program on Apache and MySQL servers in Ubuntu 16.04.
The user selects a choice by clicking on the various checkboxes to select what types of characters
are to be included in his/her generated password.
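As an added example (not the thesis author’s C or PHP program), the following Python generator implements the behaviour the two figures describe, a chosen length plus tick-box character classes, using the operating system’s CSPRNG and guaranteeing that every selected class actually appears in the output; the class names and symbol set are assumptions.

```python
import math
import secrets
import string

# Character classes the user can tick, like the checkboxes described above
# (the set of symbols is an assumption made for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?",
}


def generate_password(length: int, selected: list) -> str:
    """Return `length` characters drawn with `secrets` (a CSPRNG, never `random`)
    from the selected classes, with at least one character from each selected
    class so that a ticked class is never silently absent."""
    if not selected or any(name not in CLASSES for name in selected):
        raise ValueError("select at least one known character class")
    if length < len(selected):
        raise ValueError("length too short to include every selected class")
    pool = "".join(CLASSES[name] for name in selected)
    chars = [secrets.choice(CLASSES[name]) for name in selected]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by secrets.randbelow, so the guaranteed
    # characters do not always sit at the front and reveal the class order.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length: int, selected: list) -> float:
    """Upper bound on guessing resistance: log2(pool_size ** length)."""
    pool_size = sum(len(CLASSES[name]) for name in selected)
    return length * math.log2(pool_size)


def covers_all_classes(password: str, selected: list) -> bool:
    """True when every selected class contributes at least one character."""
    return all(any(ch in CLASSES[name] for ch in password) for name in selected)


if __name__ == "__main__":
    chosen = ["lower", "upper", "digits", "symbols"]  # all four boxes ticked
    for length in (8, 12, 16):
        pw = generate_password(length, chosen)
        print(f"{length:>2} chars: {pw}  (~{entropy_bits(length, chosen):.0f} bits)")
```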