Invitation to Cybersecurity

9. The Application of Cybersecurity: Principles and Practices 239

Table 9.2 Comparison of online and offline password managers.

This is a type of password manager solution, but it may not be as secure as a full-featured password manager. There may not be a master password protecting the passwords, and the browser’s password store may be more vulnerable to attack.

The bottom line on password managers is that they represent yet another security tradeoff. They make it feasible and convenient for people to use unique and uncrackable passwords for every website, which is a major security gain. However, they also suffer from the keys-to-the-kingdom dilemma: if a single password (the master password) is compromised, then all of a user’s passwords are compromised. The master password must be a strong password because password vaults are subject to cracking attacks just like password hashes. Another issue is that if the auto-fill feature is used with a password manager or a web browser, evil maid attacks are much more devastating: once access to the browser is gained, all of a victim’s online accounts could be compromised. This is one reason why password managers should only be opened when they are needed and closed immediately afterwards.

An alternative to password managers is to write passwords down on paper. This is a valid security model because it eliminates the threat of the online hacker. It heightens the in-person threat, but for most people the risk of physical theft or snooping is small compared to the online threat. However, it is also much less convenient—passwords are difficult to maintain and update on paper—and care needs to be taken to “back up” and safeguard the paper-based copy.

9.2.1.3 Use Multi-factor Authentication

This text has mentioned multiple times the importance of multi-factor authentication. It heightens a user’s security profile substantially without requiring a significant amount of extra work.
This is one area where the security versus cost tradeoff is clear—the costs are definitely worth it. Especially for important online accounts, for example email, social media, and any account involving financial information or health records, users should
