Two password manager makers on Tuesday announced new features that allow their users to minimize the hassle of resetting passwords.
One of the first things online users are advised to do after a data breach — and there have been more than a few of those lately — is to change their passwords. Few users act on that advice, though, because creating unique, strong passwords and manually inserting them on more than a handful of websites is too onerous.
For example, only 39 percent of users changed their passwords or terminated accounts in the wake of Heartbleed, a widely reported software vulnerability that placed millions of user passwords at risk, based on a Pew study released in April.
“The frequency and the seriousness of these breaches have been increasing in the last 12 months, and what we’ve seen from consumers is consumer fatigue,” Dashlane CEO Emmanuel Schalit told the E-Commerce Times.
Consumers were advised this spring to change their passwords because of Heartbleed, Schalit explained, and they were warned again in August after the Cybervor breach, in which 1.2 billion online credentials reportedly were stolen by Russian hackers.
“People just don’t do it,” Schalit said. “There are many polls and numbers that show consumers have essentially given up.”
To add automatic password changing to the latest beta version of Dashlane, the company purchased PassOmatic, a password changer developer.
The new functionality lets Dashlane users select the websites to update. The program then automatically creates a new unique, strong password for each, changes it, and syncs the changes across the users’ Dashlane-equipped devices.
Initially, the auto change feature works with just 75 or so websites, although they’re some of the biggest, including Amazon, eBay, Facebook, Google, LinkedIn, PayPal, Twitter and Yahoo. However, new websites are being added daily.
The feature is limited to the Windows and Mac versions of the program, but the company plans to add it to mobile versions of Dashlane in the first quarter of next year, Schalit said.
The company also expects to be adding scheduling to the feature, which would allow passwords to be changed automatically, say, every 90 days. Periodic password changing is a best practice for maintaining password security.
LastPass’s auto password changer is similar to Dashlane’s.
To auto change a password, a user need only check a box on the edit screen for a site’s credentials stored in LastPass. The next time a logon is performed, a new password will be created and the account updated.
The beta version of LastPass with the auto-changing feature has some limitations. It works only on desktops running Chrome, Safari or Firefox. There is no mobile version yet. It also supports some 75 websites, including Facebook, Amazon, Pinterest, Home Depot and Dropbox.
Its auto change functionality doesn’t work with sites that support two-factor authentication.
LastPass differs from Dashlane in the way it stores a user’s password information.
“All changes happen locally on a user’s computer, and the data is encrypted with a key that LastPass never has access to,” LastPass Marketing Manager Amber Gott told the E-Commerce Times.
“Our first priority is always the security of our users’ data,” she added.
Many users will welcome the arrival of auto changing in password managers.
“Passwords are a pain for you and I. They’re a pain for less technical users,” said Trey Ford, a global security strategist with Rapid7.
“Moving a password to an almost transparent user experience like this is really great,” he told the E-Commerce Times. “It’s eliminating friction and frustration for users. It’s also making it easier to give less technical people better security hygiene.”
Programs like Dashlane and LastPass are designed to give users an opportunity to use strong passwords in their logon credentials, but they are not a substitute for security awareness.
“How do hackers get around these complex passwords created by these password managers? It’s typically through social engineering or malware that can read keystrokes,” said Matt Lane, vice president of operations for 41st Parameter.
“So, while passwords will become more secure and better managed through these programs, any businesses counting on password protection to protect their consumer accounts need to still have a layered defense approach,” he told the E-Commerce Times.
When announcing its auto change feature, Dashlane said that its ultimate goal was to make passwords irrelevant, to create a world where no one would need to know, type, remember or change their passwords ever again — but even in that world, passwords might live on.
“I don’t know if we’re ever going to get rid of passwords,” Rapid7’s Ford observed. “I think passwords are something that we’re going to have to live with forever.”