Should You Worry About Malware While Using a Password Manager?

Software is everywhere these days: in spaceships, toasters, refrigerators, and, undoubtedly, laptops, desktop PCs, tablets, and smartphones. It makes our lives simpler by enabling us to work and study more effectively, communicate with the ones we love, and make online purchases and reservations in the blink of an eye; at the same time, it may cause a great deal of harm if hacked by cybercriminals. Buggy software with intentionally left backdoors is more prone to hacking and to causing both security and privacy problems for users, but, according to specialists, there are certain risks to using any piece of software, meaning that even the most legitimate applications, including password managers, can, theoretically, be hacked as well. Software developers build applications with a focus on top-grade security, but no piece of software can be made completely safe. As Michael Scheinholtz says, "the safest jet is the one that does not fly, the safest car does not run, and the safest boat never sets out to sea."

Is it safe to use a password manager?

The safety of the software people use on a daily basis depends heavily on the overall condition and security of the system it is installed on. It also depends on how the software is attacked. The same can be said about the safety of password managers, which are becoming more and more popular as the number of logins and passwords people have keeps growing. Unfortunately, the Internet Security Report for Q2 2018 released by WatchGuard clearly shows that poor password management is still at the top of the list of the biggest security threats.

As specialists analyzing trends have observed, some people put off switching to password managers, even though they realize that it is one of the most convenient and secure ways to manage passwords, because they are simply afraid to entrust their login/password combinations to software that could possibly be hacked by cybercriminals. Instead, they prefer keeping their passwords written down on a secret page in their notebooks or, even worse, on yellow sticky notes. Needless to say, this is not a secure practice. Keeping passwords listed in alphabetical order in a text file on your PC is no better, because cybercriminals could access it even more easily in the event of a cyberattack. Just like any other application, a password manager may get hacked if malware sitting on the system transmits the stolen master password to cybercriminals; however, for the majority of people, the benefits of using a password manager outweigh all the possible risks.

Citadel malware is back with a bang

IBM's Trusteer security department has recently released a report claiming that Citadel, a malicious application that was originally released to steal information from affected Windows computers, can now also grab master passwords, i.e., the passwords that unlock password managers. This suggests that the login and password combinations stored in even the most secure password managers might end up in hackers' hands if this particular malicious application infects the computer the password manager runs on. Luckily, no attempts to steal master passwords using Citadel have been detected so far, but you must still be extra cautious if you, as we hope, use a password manager.

Previous versions of Citadel mainly targeted personal bank credentials, but the latest release is also designed to monitor affected PCs for an installed password manager. Once an active password manager is detected, keystroke logging is turned on in order to capture everything the affected user types on the keyboard. Unfortunately, this means that it does not take long for the attackers to get the master password that unlocks the password management software. As a consequence, they may gain access to all logins, passwords, and other personal details, including credit card details, personal identification codes, and telephone numbers, if these details are saved in the hacked password manager. While you can hardly ensure complete protection of your password manager against malware all alone, you can use an antimalware scanner to prevent harmful computer threats, Citadel included, from entering your system illegally. Installing a security application is the first thing you should do after you switch your device on for the first time. An active security application will also ensure maximum protection of your password manager against malware attacks.

Passwords are no doubt the most commonly used method of authentication these days. Users are also asked to set master passwords for their password managers, both to hide saved passwords and other information from prying eyes and to access saved items easily when needed. Unfortunately, this means that the tool's security depends on the password's strength. It seems that many users still do not realize that passwords are as important as the keys to their front door and can unlock a great amount of personal information – the password 123456 continues to be at the top of the worst passwords list.

According to research carried out by SplashData, nearly 10% of people use at least one of the 25 passwords labeled "the worst" these days, and almost 3% of people use weak numeric passwords. Some of them are well aware of the importance of password complexity but do not quit the bad habit for one reason – they cannot remember complex passwords and, on top of that, find it quite tiresome to type them in whenever they want to access their online accounts. Please make sure you do not set a weak master password for your password manager, be it Cyclonis Password Manager or another tool, because your password manager's protection against malware, including the newest version of Citadel, will be equal to zero in such a case.

Password managers are certainly not created equal. Some of them are simply more secure than others. Cyclonis Password Manager is one of those tools developed with the utmost care and a focus on users' privacy and security. It not only uses a master password to prevent unauthorized people from accessing it, but it also keeps users' passwords and other saved personal information in a vault encrypted with the AES-256 encryption standard, which is also used by the American government. That says a lot about the tool's security. Of course, if you set it to remember the master password for your convenience (yes, users can check the box next to "Remember my master password and keep me logged in on this device until I manually log out"), you will reduce the safety of your passwords and other sensitive information considerably. Essentially, the password manager will no longer require the master password, which means that anyone you share the device with could access all saved details without difficulty.

If you suspect that losing passwords would be the end of the world for you, please keep the master password and adjust the tool's settings so that it logs out and asks you to re-enter the password after some time of inactivity. Doing so will ensure that unauthorized people cannot access your private data once you leave your keyboard to get a cup of coffee. You should also set the shortest possible time for your Clipboard (Settings > Advanced > Clipboard) so that copied passwords cannot be accessed by others. Last but not least, set your tool to require the master password to view/edit all saved private details. Yes, protecting passwords against people near you is as important as ensuring password manager protection against malware.
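The two timers described above (auto-lock after inactivity and a short clipboard lifetime), sketched as an added example; this is not Cyclonis code. The class name, default timeouts and the in-memory stand-in for the OS clipboard are assumptions.

```python
import time


class VaultSession:
    """Hypothetical unlocked-vault session with idle auto-lock and clipboard expiry."""

    def __init__(self, idle_timeout=300, clipboard_ttl=10, clock=time.monotonic):
        self.idle_timeout = idle_timeout    # seconds of inactivity before locking
        self.clipboard_ttl = clipboard_ttl  # seconds a copied secret may stay
        self.clock = clock
        self.key = None                     # vault key, held only while unlocked
        self.clipboard = None               # stand-in for the OS clipboard
        self._copied = None                 # (value, expires_at) this session placed there
        self._last_activity = 0.0

    def unlock(self, key: bytes):
        self.key = bytearray(key)
        self._last_activity = self.clock()

    def lock(self):
        if self.key is not None:
            for i in range(len(self.key)):  # best-effort overwrite before dropping it
                self.key[i] = 0
        self.key = None
        self._expire_clipboard(force=True)

    def tick(self):
        """Call periodically: enforce the idle timer and the clipboard timer."""
        if self.key is not None and self.clock() - self._last_activity >= self.idle_timeout:
            self.lock()
        self._expire_clipboard()

    def copy_password(self, secret: str):
        self.tick()
        if self.key is None:
            raise PermissionError("vault is locked; master password required")
        self._last_activity = self.clock()
        self.clipboard = secret
        self._copied = (secret, self.clock() + self.clipboard_ttl)

    def _expire_clipboard(self, force=False):
        if self._copied is None:
            return
        value, expires_at = self._copied
        if force or self.clock() >= expires_at:
            if self.clipboard == value:     # leave it alone if the user copied something else
                self.clipboard = None
            self._copied = None
```

Locking also clears the clipboard, so a copied password does not outlive the session that produced it.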

The majority of top-notch password managers available on the market today, including Cyclonis Password Manager, combine passwords with a more sophisticated authentication method called two-factor authentication. It requires knowing a password and entering a second factor, for example, a unique code received via email. As a consequence, even if the ordinary password gets hacked, cybercriminals cannot access saved sensitive information. If you happen to use Cyclonis Password Manager, open the Advanced tab under Settings and then change Off to On. You can also choose whether you want the password manager to ask for additional authentication (it will be sent to you via email) every time you log in or only when you log in from a new device. The choice is yours, but the first option is no doubt safer and can surely help you to improve your virtual security to a great extent.
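The emailed-code second factor described above, sketched as an added example; this is not Cyclonis code or any vendor's. The class and parameter names, the 6-digit code, the 5-minute lifetime and the attempt limit are assumptions. It covers the "every login" versus "new device only" choice and a code that is single-use, expiring and compared in constant time.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed lifetime of an emailed code
MAX_ATTEMPTS = 5        # assumed budget of guesses per issued code

class EmailSecondFactor:
    """Hypothetical server-side check for an emailed one-time code."""

    def __init__(self, policy="every_login", clock=time.time):
        if policy not in ("every_login", "new_device_only"):
            raise ValueError("unknown policy")
        self.policy = policy
        self.clock = clock
        self.trusted = set()  # (user, device_id) pairs that already passed the check
        self.pending = {}     # (user, device_id) -> [code_hash, expires_at, attempts_left]

    def needs_code(self, user, device_id):
        """Decide whether this login must present an emailed code."""
        if self.policy == "every_login":
            return True
        return (user, device_id) not in self.trusted

    def issue_code(self, user, device_id):
        """Create a 6-digit code for the caller to email; only its hash is stored."""
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).digest()
        expires_at = self.clock() + CODE_TTL_SECONDS
        self.pending[(user, device_id)] = [digest, expires_at, MAX_ATTEMPTS]
        return code

    def verify(self, user, device_id, submitted):
        """Accept a code once, before expiry, within the attempt budget."""
        key = (user, device_id)
        entry = self.pending.get(key)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self.pending[key]
            return False
        entry[2] -= 1  # count the attempt before comparing
        candidate = hashlib.sha256(submitted.encode()).digest()
        if not hmac.compare_digest(candidate, digest):
            return False
        del self.pending[key]  # single use
        self.trusted.add(key)
        return True
```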

Generally speaking, all applications, even those declared to be the most secure in the world, can be hacked at some point, so it is up to you whether you are ready to accept the possible risks. As for password managers, even though they are, technically, not unhackable, they are no doubt one of the most secure ways for both ordinary users and companies to manage their passwords today. Of course, it is a must to use trustworthy tools developed by a reliable company. Also, users should not forget to take certain security measures themselves to ensure their password managers' protection against malware. These include using a strong master password, practicing secure web browsing habits, downloading all software from reliable sources only, and, finally, keeping a powerful antimalware application enabled 24/7 to keep keyloggers and other threats that could hack the password manager at bay.

By Foley
November 16, 2018