Password Manager - Yay or nay?


What is a password?

It’s that thing you must type to get into your stuff; it’s the bane of the Internet civilization.

Per Dictionary.com, a password is “a secret word or expression used by authorized persons to prove their right to access, information, etc.”

Passwords were created with good intentions, but they quickly became one of the weakest forms of security in existence on the Internet. Simply having a password is better than not having one, but pretty much no service will allow you to have an account without setting a password.

Where did we go wrong?

Imagine if all someone had to do to gain access to your bank account and siphon money out before you had a chance to notice was to know the name of your favorite childhood pet or your birthday or anniversary? That kind of knowledge would come with relatively minimal effort on the part of the attacker. Most people have their date of birth (DOB) publicly available through one means or another. 

On another note, maybe you weren’t even that creative. Look at Keeper Security’s list of top 25 most common passwords of 2016:
  1. 123456
  2. 123456789
  3. qwerty
  4. 12345678
  5. 111111
  6. 1234567890
  7. 1234567
  8. password
  9. 123123
  10. 987654321
  11. qwertyuiop
  12. mynoob
  13. 123321
  14. 666666
  15. 18atcskd2w
  16. 7777777
  17. 1q2w3e4r
  18. 654321
  19. 555555
  20. 3rjs1la7qe
  21. google
  22. 1q2w3e4r5t
  23. 123qwe
  24. zxcvbnm
  25. 1q2w3e

First, if any of your passwords are in this list, please take a moment to slap yourself, but keep reading because I’m writing to show you how to make the whole password thing easier!

For the sake of argument let’s assume that you are smarter than this, and you use a “better” password with letters, numbers, and special characters – bravo! But wait, you use the same password for Facebook, your email, and your bank account. You just lost security points again.

People go wrong with passwords in one of a few ways:

  • Using the same password or a very similar password across all accounts
  • Using weak passwords like the ones listed above
  • Keeping written password notebooks
  • Keeping passwords in a file on a device
  • Never changing a password once it is set
  • Cycling through previously-used passwords if they are required to change passwords every so often
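
To make the first two mistakes concrete, here is an added example (not part of the original post) that audits a set of accounts for passwords on the list above, exact reuse, and near-identical variants. The account names, sample passwords, and the 0.8 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from itertools import combinations

# The 25 passwords from the 2016 list quoted above.
COMMON = {
    "123456", "123456789", "qwerty", "12345678", "111111", "1234567890",
    "1234567", "password", "123123", "987654321", "qwertyuiop", "mynoob",
    "123321", "666666", "18atcskd2w", "7777777", "1q2w3e4r", "654321",
    "555555", "3rjs1la7qe", "google", "1q2w3e4r5t", "123qwe", "zxcvbnm", "1q2w3e",
}

def similar(a, b, threshold=0.8):
    """True when two passwords differ only slightly (e.g. a changed last digit)."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio() >= threshold

def audit(accounts):
    """accounts: dict of account name -> password. Returns findings per category."""
    findings = {"common": [], "reused": [], "similar": []}
    items = sorted(accounts.items())
    for name, pw in items:
        if pw.lower() in COMMON:
            findings["common"].append(name)
    for (n1, p1), (n2, p2) in combinations(items, 2):
        if p1 == p2:
            findings["reused"].append((n1, n2))
        elif similar(p1, p2):
            findings["similar"].append((n1, n2))
    return findings

# Constructed sample data, not real credentials.
SAMPLE = {
    "bank": "Maple!Creek42",
    "email": "Maple!Creek42",
    "facebook": "Maple!Creek43",
    "forum": "qwerty",
    "shop": "v9#Lq2m!xZ0pRw7c",
}

if __name__ == "__main__":
    for category, hits in audit(SAMPLE).items():
        print(category, hits)
```

Only the "shop" entry comes out clean: one breach of the bank, email, or Facebook password exposes all three accounts.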

So what comprises a good password? Read what Google suggests. For someone concerned about security, a lot of thought goes into making a secure password.

Enter the password manager.

What is a password manager?

According to a very reputable source (Wikipedia), a password manager “assists in generating, storing, and retrieving complex passwords from an encrypted database.”

The key word in that definition is encrypted. Rather than relying on your brain or your password file in your documents folder or password journal on your desk, maybe it’s time to consider using a proper password manager to manage your passwords.

What’s wrong with keeping passwords in a document or paper journal? Here are some scenarios to consider.
  • Your computer or phone gets infected with malware
  • Your computer or phone is stolen from your bag
  • Your computer crashes
  • You drop your phone in the lake
  • Your house burns down

Some of the examples are extreme, but they do happen. The last thing you want in the wake of disaster is to have to recover access to all your important accounts.

Here are some of the benefits of using a password manager.

  • You need to remember one and only one password. (Did I mention one password? Just one.)
  • Generate unique, random passwords for each existing account you have and future ones you sign up for.
  • Simplified login process with autofill – no more digging around to find which password goes with which account.
  • Password auto-change feature – click a button to change your account’s password to a new one.
  • Secure password sharing – no more texting or emailing passwords back and forth.
  • Sync your passwords across multiple devices.
  • Store other sensitive information – not solely passwords.

Here’s my list of top five password managers for personal use. Note that some browsers, namely Google Chrome and Mozilla Firefox, have built-in password managers. You’re one step ahead if you already use one of those, but I strongly urge you to consider upgrading to a browser-independent password manager.
  1. LastPass
  2. Dashlane
  3. Keeper
  4. 1Password
  5. KeePass

You can also read about some comparisons between several of the top password managers on Tom’s Guide.

Should you use a password manager?

Some people are avidly opposed to storing “everything in one place” because of the risk of compromising all passwords at once by guessing/cracking the password that grants access to the vault. This concern is heightened when password managers are cloud-based. Read my previous article on cloud security for more details about why there is concern with cloud-based services. The password “jackpot” argument has been debated time and again by the security community. Many security-minded people agree that, for the general populace, the burden of remembering more than a few unique, strong passwords is too great.

The makers of LastPass (my personal password manager choice) have a very good explanation of how their technology works to keep your vault secure. For those interested in advanced-level details, read this as well.

Password managers alleviate the burden of remembering individual account passwords and have the added benefit of being an inventory of all your online accounts. With a password manager, you also won’t be as prone to use the same password across all your accounts.

Ultimately the decision rests with you, but be aware of the risks of lax password and account security in a world of ever-increasing breaches and surveillance.


Password Manager Do’s and Don’ts

Do:
  • For your “master password”, use a passphrase instead of a traditional password.
  • Enable two-factor authentication
  • Keep the password manager application and all associated browser plugins up-to-date wherever you install them.

Don’t:
  • Use a weak “master password”
  • Forget your “master password”
  • Store the same password for all sites in your vault
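
The passphrase and unique-password advice above, sketched as an added example (not code from the original post or from any password manager): a passphrase and per-site passwords drawn with Python's `secrets` CSPRNG, plus the entropy arithmetic that tells you how many words or characters you need. The 16-word list, the 94-symbol alphabet, and all function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Constructed 16-word sample list so the block runs offline; a real generator
# would load a large published list (diceware lists have 7776 words).
WORDS = ["anchor", "breeze", "cactus", "dynamo", "ember", "fjord", "garnet", "harbor",
         "island", "jigsaw", "kettle", "lantern", "meadow", "nectar", "orchid", "pebble"]
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def entropy_bits(pool_size, picks):
    """Entropy of `picks` independent uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)

def picks_needed(pool_size, target_bits):
    """Smallest number of uniform picks that reaches target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))

def passphrase(n_words, words=WORDS):
    """Master-password style passphrase: words drawn with a CSPRNG."""
    return "-".join(secrets.choice(words) for _ in range(n_words))

def site_password(length=20):
    """Random per-site password for the vault; never meant to be memorised."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def fill_vault(sites, length=20):
    """One independent random password per site, so no two entries match."""
    return {site: site_password(length) for site in sites}

if __name__ == "__main__":
    print(passphrase(6), f"({entropy_bits(len(WORDS), 6):.0f} bits with this toy list)")
    print("words needed from a 7776-word list for 77 bits:", picks_needed(7776, 77))
    print("characters needed from the 94-symbol alphabet:", picks_needed(94, 77))
    print(fill_vault(["bank", "email", "facebook"]))
```

Six words from the toy list give only 24 bits, while six from a 7776-word list give about 77.5, so the size of the word list matters as much as the number of words.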

Need help?

Feel free to shoot me a message if you have questions or need help setting up a password manager.
