INVITATION TO CYBERSECURITY 238

than open-source, although there have been cases of these types of vulnerabilities “hiding in plain sight” in open-source software, too.

For online password managers, another question of trust arises: is the vendor invested in maintaining strong cybersecurity? A company named LastPass was an early entrant into the online password manager space, and in 2022, they suffered a data breach. This allegedly resulted in some LastPass customers’ vaults being cracked, and some victims claimed they lost millions of dollars in cryptocurrency because their crypto keys were stored in their LastPass vaults.

An alternative to online password managers is offline desktop software. In this model, the password vault is stored locally, either on a device’s hard drive or on portable storage, and it can only be opened by the password manager software. It is the end-user’s responsibility to manage software updates, backups, and security. A downside of this approach is accessibility. The password vault may not be available when it is needed. If the vault is stored on portable storage such as a thumb drive, physical security is a major concern. If the thumb drive is lost or stolen, even if a back-up exists, the lost vault is forever outside of the user’s control and could be subjected to brute-force and cryptanalytic attacks.

A hybrid approach between online and offline is also possible. An offline password manager can be used but the password vault can be stored in the cloud just like other cloud-synced files. The vault can then be accessed from different devices that have the password manager software installed on them through file syncing or through the cloud storage provider’s web interface. The vault could also be shared between multiple systems, but overwrites are possible when edits are made.
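
The overwrite risk for a vault kept in a cloud-synced folder, and one way a password manager could detect it before saving, shown as an added example that is not from the book or from any particular product. It assumes the vault is a single encrypted file; `VaultSession` and `VaultConflict` are hypothetical names, and the byte strings are constructed stand-ins for ciphertext.

```python
import hashlib
import os
import tempfile


class VaultConflict(Exception):
    """The vault file changed on disk after this session loaded it."""


class VaultSession:
    """One device's open copy of the encrypted vault file (hypothetical helper)."""

    def __init__(self, path):
        self.path = path
        with open(path, "rb") as f:
            self.loaded_digest = hashlib.sha256(f.read()).hexdigest()

    def save(self, new_blob):
        # Re-hash the file: if the sync client delivered another device's
        # edit since we loaded, writing now would silently discard it.
        with open(self.path, "rb") as f:
            if hashlib.sha256(f.read()).hexdigest() != self.loaded_digest:
                raise VaultConflict("vault changed since load; reload and merge")
        # Write a temp file and rename it so a half-written vault is never
        # synced. A race between check and rename remains, only narrowed.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "wb") as f:
            f.write(new_blob)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, self.path)
        self.loaded_digest = hashlib.sha256(new_blob).hexdigest()


def demo():
    """Two devices open the same synced vault, then both try to save."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "vault.bin")
        with open(path, "wb") as f:
            f.write(b"constructed-ciphertext-v1")  # stand-in for an encrypted vault
        laptop, phone = VaultSession(path), VaultSession(path)
        phone.save(b"constructed-ciphertext-v2-phone")
        try:
            laptop.save(b"constructed-ciphertext-v2-laptop")
            outcome = "phone edit overwritten"
        except VaultConflict:
            outcome = "conflict detected"
        with open(path, "rb") as f:
            return outcome, f.read()
```

Calling `demo()` returns the outcome and the final file contents: the laptop's stale save is refused and the phone's edit survives.
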
This approach could be seen as either a “best of both worlds” or “worst of both worlds” approach. The end-user has more control but the vault is online and potentially vulnerable.

Table 9.2 Comparison of online and offline password managers.

Web browsers can act as a type of password manager by remembering passwords. They can then conveniently pre-fill passwords on login pages. If the browser is linked to a cloud account, then users can access their passwords from any online device once signed in.