Passwords might be your greatest security weakness.
The issue with passwords is that they’ve actually become the problem rather than the solution they were meant to be. Although for decades we have relied on passwords to protect our systems from hackers, they are no longer fit for that purpose.
The problem with passwords
Passwords were intended to protect sensitive information from bad guys who wanted to steal or exploit it. However, attacker capabilities have evolved over time while the concept of a password has more or less remained the same.
Creating and maintaining effective passwords is challenging because:
- We're expected to memorize all of our passwords
- Computers are getting faster at "guessing" passwords
- Attackers have automation and sophisticated strategies to attack password databases or online accounts.
Passwords and password management are a pain. We’ve all used a password too similar to the previous one or chosen the name of a loved one as a password. We’ve maybe even felt that adding a ‘1’ at the end of the password would confuse an attacker (it won’t!).
Advances have made authentication technologies like biometrics possible, but those come with implementation challenges of their own. Until such tools are ubiquitous, passwords are here for the foreseeable future.
Until then, password managers are the better solution.
What is a password manager?
A password manager is an application or mobile app that helps secure and simplify your life when it comes to passwords. These apps have two primary jobs:
- They help you create and securely store “hard to guess” passwords, thus lowering the risk of attacks such as password spraying.
- They make it easy for you to retrieve these passwords as you need them.
What are the benefits of password managers?
Usernames and passwords are the keys to your digital life. If someone else has your password, they can cause a nuisance, take your money, or even disrupt your life for a period of time. Even if you have not voluntarily given away your credentials, the services you use may have inadequate security practices. If they are hacked, your login information may be compromised.
Using a password manager will simplify your life, not complicate it. It's true that another app is yet another thing to manage. However, most people find these tools easy to use over time and are relieved not to have to track all this sensitive data themselves.
Are there risks to password managers?
Could putting all your passwords in a single place allow an attacker to access all your passwords in one fell swoop? It's true in theory. In practice, however, your passwords will be better protected by the technical security features of a professional manager app.
In addition, weak passwords used online are far more likely to result in compromised accounts than a compromise of your password manager is.
Which password manager should I use?
There are several great password managers on the market, and their features and capabilities are continuously improving. If you're trying to decide which password manager to use, consider the following suggestions and questions.
Choose a password manager with a strong reputation
Is this password manager referenced by other vendors and clients? Does the developer engage positively with the security community? Have they had security audits of their software?
Do they have a logical business model?
This is an easy check—do they charge you a fair price for their software?
Are they committed to security?
Check if they publish their vision on software security. You want to see that they have thought about how their app may be attacked and if they've taken steps to mitigate those cyber risks.
Does the app suit your business needs?
Does the app have the right features? Does it support the operating systems or platforms you use?
How to use a password manager
As noted above, there are several managers on the market that will work well for most people and organizations. For the purpose of clarity, we'll reference features in a specific password manager called 1Password.
Step 1: Choose a master password
Password managers require you to remember only a single password—your master password—and then encrypt and protect the remainder of your passwords. When you set up your account, make sure your master password is long and complex.
A common trick is to think about a phrase or statement that means something to only you. For example:
“I read about password managers on Field Effect in 2022, I now use one! OK?”
You could create a password that consists of only punctuation and the first letters of this sentence. So that would be:
Whatever strategy you use, your master password plays a significant role in protecting the rest of your stored passwords.
Step 2: Create a secure backup of your master password
If you forget your master password, your app provider cannot recover your account for you. Create a safe backup of your master password. If you write it down, store it somewhere secure. You don’t want someone easily opening a drawer and finding it.
If you are using 1Password: the first time you log in, you will be prompted to download your “Recovery Kit”. Download this file, print it, and put it somewhere safe. 1Password also includes the concept of a “Secret Key”. This item is as important as your password. If you do not have both, you will not be able to access your account. Ensure that you have a copy.
Step 3: Set up your devices
Most password managers will provide apps for many platforms, including desktop, mobile, and more. You can choose to keep all your passwords on one device (likely your phone) and then use your phone app to look up passwords for all your accounts (even when logging in via desktop).
However, it's often more convenient to install other apps and browser plugins to minimize how much of the heavy lifting you must do.
If you are using 1Password: Once you install your app, you will have the choice of using a local vault or a cloud vault. We recommend using the paid cloud vault since it will serve as a backup if you lose your device. Once the app is installed, you log in using your 1Password account, master password, and secret key. If you have printed off your “Recovery Kit”, there will be a barcode that you can easily scan to automatically fill most of these details in for you.
If you are using iOS devices: Apple has a service called “Keychain" which is essentially a built-in password manager. If you are using a separate password manager app, we recommend disabling Keychain so it doesn’t suggest passwords separately or prevent your password manager from inputting usernames and passwords for you. Check “Settings > Passwords & Accounts > AutoFill Passwords” and turn off “iCloud Keychain”. Ensure that your password manager appears and is selected.
Step 4: Fill in your data and update old accounts
Now that you have the password manager set up on your devices, it will sync data between them all. What’s left is to add your usernames and passwords. We recommend that you update your existing accounts using a password generated by your password manager. These tend to be more secure than what you may already have.
Password managers may have different options for generating passwords. You can review their support documentation to understand the options. For example, you might get to select whether or not special characters (e.g., % or #) are used and how long the passwords must be. You might also be able to choose other password-generation strategies, like using words joined together (e.g., "giraffe-building-orchestra”).
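The two generator strategies described above, modelled as an added example (not code from the article or from 1Password): it draws from a cryptographically secure random source and reports the entropy each option yields, so a 20-character mixed password can be compared with a three-word passphrase. The word list and the special-character set are constructed for illustration only.

```python
import math
import secrets
import string

# Constructed word list for illustration; real managers ship lists of thousands.
WORDS = ("giraffe", "building", "orchestra", "harbor", "velvet", "compass",
         "lantern", "meadow", "pistachio", "quartz", "saddle", "thunder",
         "umbrella", "walnut", "yogurt", "zeppelin")
SPECIALS = "%#!@$&*"  # constructed; mirrors the "% or #" option in the text


def char_alphabet(special: bool) -> str:
    """Pool the character generator draws from, with or without specials."""
    return string.ascii_letters + string.digits + (SPECIALS if special else "")


def char_password(length: int, special: bool = True) -> str:
    """Uniformly random characters; each position is an independent draw."""
    pool = char_alphabet(special)
    return "".join(secrets.choice(pool) for _ in range(length))


def word_password(count: int, sep: str = "-") -> str:
    """Random words joined by `sep`, like 'giraffe-building-orchestra'."""
    return sep.join(secrets.choice(WORDS) for _ in range(count))


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` uniform, independent draws from a pool of `pool_size`."""
    return picks * math.log2(pool_size)


def expected_years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Average brute-force time: half the keyspace at the given guess rate."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


def compare(rate: float = 1e10) -> dict:
    """Entropy and average guess time for the two strategies at `rate` guesses/s."""
    return {
        "chars20": (entropy_bits(len(char_alphabet(True)), 20),
                    expected_years_to_guess(entropy_bits(len(char_alphabet(True)), 20), rate)),
        "words3": (entropy_bits(len(WORDS), 3),
                   expected_years_to_guess(entropy_bits(len(WORDS), 3), rate)),
    }
```

With only 16 words, three words give just 12 bits, which is why real generators use much larger word lists; the same function shows how the pool size drives the result.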
Using a password manager in a business
Password managers are a great business tool. If someone chooses weak passwords in their personal life, they may do the same at work. What’s worse, if they choose the same passwords at home and at work, a compromise at home could lead to a compromise at work.
Equipping staff with a tool they can use in both places will make your business environment more secure. It will give your team the ability to create and manage strong passwords for their corporate accounts.
Another way password managers help at work is by controlling and storing shared passwords. To be clear, it is always a better practice to use dedicated user accounts for each employee. In the case of a Windows domain, for example, you should never share accounts.
However, many businesses have some technology that does not support a multi-user environment, yet operationally requires multiple users. A password manager allows you to securely distribute shared passwords and remove access to those passwords if an employee leaves or changes roles.
If you are using 1Password: You can create multiple shared vaults. These vaults can be shared with all or some of your team’s users. When sharing vaults, keep in mind that those who have access will have access to all passwords.
Password best practices
We hear about “password best practices” often:
- Avoid reusing passwords between accounts
- Use hard-to-guess passwords
Avoid sharing accounts and passwords
In general, this should never be required. Invest in the correct number of user accounts for the applications you need so that you’re not reusing credentials.
Beyond the obvious risk that whoever uses your password could expose account details and data, sharing also makes it more difficult for the provider at the other end of the account to identify malicious logins.
Never auto-save your master password
Third-party tools like Apple’s Keychain will suggest storing your master password. Do not do this. Never use an electronic capability to store your master password (especially not on your computer as a file).
Back up your password manager
If you have chosen a reputable password manager, it will implement an encryption scheme that stores your data securely on the provider's systems in a way that nobody, including the provider, can access it. If you don’t back up your data and your device is lost or destroyed, you will lose your passwords.
Use the password manager’s suggestions
It is counter-productive to make up passwords on your own and then input them into your password manager to save them for later. Use the password generation feature—it generates far more secure passwords and eliminates a lot of the work for you.
Implement multi-factor authentication
You want to avoid the possibility that someone uses only a standard username and password to access your password manager online. Most password managers block this type of authentication anyway; however, it’s good practice to enable multi-factor authentication to protect your account.
Start using a password manager today
It's no secret passwords are flawed and may have outstayed their welcome. However, it will still be some time before we see better options fully adopted.
Some things in computer security are beyond the control of a regular user, but why not take advantage of those that are?
Get your team to update passwords today and secure them with a password manager.