Password strength is a measure of the effectiveness of a password against guessing or brute-force attacks. However, the system must store information about user passwords in some form, and if that information is stolen, say by breaching system security, the user passwords can be at risk. Since most people need to log in to dozens of different accounts, the uniqueness requirement virtually mandates reliance on password managers, management software such as LastPass, Roboform, and Dashlane. These programs securely store all of your passwords in one place and grant access to all of your sites and services with a single master password.
The advantage of password-based access controls is that they are easily incorporated into most software using APIs available in many software products, they require no extensive computer/server modifications, and users are already familiar with the use of passwords. While passwords can be fairly secure, the weakness is how users choose and manage them, by using:
simple passwords – short in length, using words found in dictionaries, not mixing different character types (numbers, punctuation, upper/lower case), or otherwise easily guessable.
passwords others can find – on sticky notes on monitors, in a notepad by the computer, in a document on the computer, on whiteboard reminders, in smart device storage in clear text, etc.
the same password – reusing one password for multiple sites, never changing account passwords, etc.
shared passwords – users telling others their passwords, sending password information in unencrypted email, contractors using the same password for all their accounts, etc.
administrative account logins – using privileged accounts where limited logins would suffice, or administrators allowing users with the same role to share the same password.
It is typical to make at least one of these mistakes. This makes it very easy for hackers, crackers, malware and cyber thieves to break into individual accounts, corporations of all sizes, government agencies, institutions, etc. Protecting against these vulnerabilities is what makes password managers so important.
Password managers can also be used as a defense against phishing and pharming. Unlike human beings, a password manager program can incorporate an automated login script that first compares the current site’s URL to the stored site’s URL. If the two don’t match, the password manager does not automatically fill in the login fields. This is intended as a safeguard against visual imitations and look-alike websites. With this built-in advantage, the use of a password manager is beneficial even if the user only has a few passwords to remember. While not all password managers can automatically handle the more complex login procedures imposed by many banking websites, many of the newer password managers handle complex passwords, multi-page fill-ins, and multi-factor authentication.
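The URL comparison described above, as an added example that is not code from the original text or from any of the products it names: the check autofills only when the page's origin (scheme, host and port) exactly equals the origin recorded with the saved credential, so look-alike hosts, subdomain tricks and plain-http copies of a site get nothing. The vault entries and URLs are constructed sample values.

```javascript
// Added example: the autofill decision a password manager makes before
// filling credentials. WHATWG URL parsing normalises case, IDN (to
// punycode) and default ports, so comparing the `origin` property is an
// exact string comparison of scheme + host + port.

// Constructed vault: each entry records the exact origin it was saved from.
const vault = [
  { origin: "https://bank.example", username: "alice" },
  { origin: "https://mail.example:8443", username: "alice@mail" },
];

// Returns the vault entry matching the page's origin, or null when autofill
// must be refused (unparsable URL, non-https page, or no exact origin match).
function entryForPage(pageUrl) {
  let page;
  try {
    page = new URL(pageUrl);
  } catch {
    return null; // unparsable URL: never autofill
  }
  // Refuse plain-http copies of a site saved over https.
  if (page.protocol !== "https:") return null;
  // Exact origin equality: "bank.example.evil.test", "evil.test" reached via
  // "bank.example@evil.test", or a homoglyph host all yield a different origin.
  const entry = vault.find((e) => new URL(e.origin).origin === page.origin);
  return entry ?? null;
}

// True when the manager would fill credentials on this page.
function shouldAutofill(pageUrl) {
  return entryForPage(pageUrl) !== null;
}
```

Note that an exact-origin rule also refuses legitimate sibling hosts of the same site, which is why real managers let the user widen a match deliberately rather than widening it by default.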
Password managers can protect against keyloggers or keystroke logging malware. When using a multi-factor authentication password manager that automatically fills in logon fields, the user does not have to type any user names or passwords for the keylogger to pick up. While a keylogger may pick up the PIN used to authenticate to a smart card token, for example, without the smart card itself (something the user has) the PIN does the attacker no good. However, password managers cannot protect against man-in-the-browser attacks, where malware on the user’s device performs operations (e.g. on a banking website) while the user is logged in, hiding the malicious activity from the user.