Passwords might be your greatest security weakness.
The issue with passwords is that they have become the problem rather than the solution they were meant to be. For decades we have relied on passwords to protect our systems from hackers, but they are no longer fit for that purpose.
The problem with passwords
Passwords were intended to protect sensitive information from bad guys who wanted to steal or exploit it. However, attacker capabilities have evolved over time while the concept of a password has more or less remained the same.
Creating and maintaining effective passwords is challenging for three core reasons:
- We're expected to memorize all of our passwords
- Computers are quicker at "guessing" passwords
- Attackers have automation and strategies to attack password databases or online accounts
Passwords and password management are challenging. We’ve all used a password too similar to the previous one or chosen the name of a loved one as a password. We’ve maybe even felt that adding a number to the end of the password would confuse an attacker (it won’t!).
Despite advancements that have made authentication technology like biometrics possible, they have other implementation challenges. Until those tools are ubiquitous, passwords are here for the foreseeable future.
For now, password managers are the superior solution.
What is a password manager?
A password manager is a desktop or mobile application that secures and simplifies your life when it comes to passwords. These tools have two primary jobs:
- They help you create and securely store hard-to-guess passwords
- They make it easy for you to retrieve those passwords when you need them
The benefits of a password manager
Usernames and passwords are the keys to your digital life.
If someone else has your password, they can disable your account—potentially blocking access to necessary services—take your money, or cause other damage.
Using a password manager will simplify your life, not complicate it. It's true that another app is yet another thing to manage. However, most people find these tools easy to use over time and are relieved not to have to track all this sensitive data themselves.
Plus, using the strong passwords generated by a password manager is an extremely important defense against various cyberattacks such as password spraying.
Are there risks to password managers?
Could putting all your passwords in a single place allow an attacker to access all your passwords in one fell swoop? It's true, in theory.
In practice, however, your passwords will be better protected by the technical security features of a professional manager app.
Besides, a person's account is far more likely to be compromised because they used a weak password, not because their password manager was hacked.
Which password manager should I use?
There are several great password managers on the market, and they are continuously improving their features and capabilities. If you're trying to decide which password manager to use, consider the following suggestions and questions.
Choose a password manager with a strong reputation
Is this password manager referenced by other vendors and clients? Does the developer engage positively with the security community? Have they had security audits of their software?
Do they have a logical business model?
This is an easy check—do they charge you a fair price for their software?
Are they committed to security?
Check if they publish their vision on software security. You want to see that they have thought about how their app may be attacked and if they've taken steps to mitigate those cyber risks.
Does the app suit your business needs?
Does the app have the right features? Does it support the operating systems or platforms you use?
How to use a password manager
As noted above, there are several managers on the market that will work well for most needs. For the purpose of clarity, we'll reference features in a specific password manager called 1Password.
Step 1: Choose a master password
Password managers require you to remember only a single password—your master password—and then encrypt and protect the remainder of your passwords. When you set up your account, make sure your master password is long and complex.
A common trick is to think about a phrase or statement that means something to only you. For example:
“I read about password managers on Field Effect in 2023, I now use one! OK?”
You could create a password from only the punctuation and the first letter of each word in this sentence (keeping the number and “OK” intact). That would be:
“IrapmoFEi2023,Inuo!OK?”
Whatever strategy you use, your master password plays a significant role in protecting the rest of your stored passwords.
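As an added illustration (not part of the original post), here is that phrase-to-password rule written out as a small Python function; the accompanying strength check is a hypothetical heuristic of my own, not anything 1Password does.

```python
import string

# Added example: derive a master password from a memorable sentence using the
# post's rule: keep punctuation, numbers and all-capital words (like "OK") whole,
# and reduce every other word to its first letter.
def mnemonic_password(sentence: str) -> str:
    out = []
    for token in sentence.split():
        # Separate the word from leading/trailing punctuation so the punctuation survives.
        word = token.strip(string.punctuation)
        start = token.find(word) if word else 0
        lead, trail = token[:start], token[start + len(word):]
        if word and not (word.isupper() or word.isdigit()):
            word = word[0]
        out.append(lead + word + trail)
    return "".join(out)

def looks_strong_enough(password: str, min_len: int = 16) -> bool:
    """Hypothetical sanity check: long enough and mixes at least three character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return len(password) >= min_len and sum(classes) >= 3

if __name__ == "__main__":
    phrase = "I read about password managers on Field Effect in 2023, I now use one! OK?"
    pw = mnemonic_password(phrase)
    print(pw, looks_strong_enough(pw))
```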
Step 2: Create a secure backup of your master password
If you forget your master password, your app provider cannot recover your account for you. Create a safe backup of your master password. If you write it down, store it somewhere secure. You don’t want someone easily opening a drawer and finding it.
If you are using 1Password: the first time you log in, you will be prompted to download your “Recovery Kit”. Download this file, print it, and put it somewhere safe.
1Password also includes the concept of a “Secret Key.” This item is as important as your password. If you do not have both, you will not be able to access your account. Ensure that you have a copy.
Step 3: Set up your devices
Most password managers will provide apps for many platforms, including desktop and mobile.
You can choose to keep all your passwords on one device (possibly your phone) and then use your phone's app to look up passwords for all your accounts (even when logging in via desktop).
However, it's often more convenient to install other apps and browser plugins to minimize how much of the heavy lifting you must do.
If you are using 1Password: Once you install your app, you will have the choice of using a local vault or a cloud vault. We recommend using the paid cloud vault since it will serve as a backup if you lose your device. Once the app is installed, you log in using your 1Password account, master password, and Secret Key. If you have printed off your Recovery Kit, there will be a barcode that you can easily scan to automatically fill most of these details in for you.
If you are using iOS devices: Apple has a service called “Keychain” which is essentially a built-in password manager. If you are using a separate password manager app, we recommend disabling Keychain so it doesn’t suggest passwords separately or prevent your password manager from inputting usernames and passwords for you.
Step 4: Fill in your data and update old accounts
Now that you have the password manager set up on your devices, it will sync data between them all. What’s left is to add your usernames and passwords.
We recommend that you update your existing accounts using a password generated by your password manager. These may be more secure than your existing credentials.
Password managers may have different options for generating passwords. You can review their support documentation to understand the options.
For example, you might get to select whether or not special characters (e.g., % or #) are used and how long the passwords must be. You might also be able to choose other password-generation strategies, like using words joined together (e.g., giraffe-building-orchestra).
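To make the two generation strategies concrete, here is an added example (my own code, not 1Password's) that builds both on the operating system's CSPRNG and adds an entropy estimate so they can be compared; the word list is a constructed toy, whereas a real generator draws from a published list of thousands of words.

```python
import math
import secrets
import string

def alphabet_size(use_special: bool) -> int:
    """Letters and digits (62), plus punctuation (32) when special characters are enabled."""
    return len(string.ascii_letters + string.digits) + (len(string.punctuation) if use_special else 0)

def random_password(length: int = 20, use_special: bool = True) -> str:
    """Random characters; `use_special` toggles punctuation such as % or #."""
    alphabet = string.ascii_letters + string.digits
    if use_special:
        alphabet += string.punctuation
    # secrets.choice draws from the OS CSPRNG; never use random.choice for credentials.
    return "".join(secrets.choice(alphabet) for _ in range(length))

# Constructed word list for demonstration only; the EFF large wordlist, for
# comparison, has 7776 entries, which is what the entropy example below assumes.
SAMPLE_WORDS = ["giraffe", "building", "orchestra", "lantern",
                "copper", "meadow", "thistle", "harbor"]

def word_password(n_words: int = 4, words: list[str] = SAMPLE_WORDS, sep: str = "-") -> str:
    """Words joined together, like giraffe-building-orchestra."""
    return sep.join(secrets.choice(words) for _ in range(n_words))

def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Bits of entropy when each position is drawn uniformly from `choices_per_position` options."""
    return positions * math.log2(choices_per_position)

if __name__ == "__main__":
    print(random_password(16, use_special=False), round(entropy_bits(alphabet_size(False), 16), 1))
    print(random_password(20, use_special=True), round(entropy_bits(alphabet_size(True), 20), 1))
    print(word_password(4), round(entropy_bits(7776, 4), 1))
```

The numbers show why the word strategy is viable: four words from a 7776-word list give about 52 bits, roughly what nine random characters from the 62-character set provide, while being far easier to type and remember.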
Using a password manager in a business
Password managers are a great business tool. If someone chooses weak passwords in their personal life, they may do the same at work. If they use the same passwords at home and work, a compromise at one place could lead to a compromise at the other.
Equipping staff with a tool they can use at both home and work will make your business environment more secure. It enables your team to create and manage strong passwords for their corporate accounts.
Another way password managers help at work is by controlling and storing shared passwords. To be clear, it is always a better practice to use dedicated user accounts for each employee. In the case of a Windows domain, for example, you should never share accounts.
However, many businesses have some technology that does not support a multi-user environment, yet operationally requires multiple users. A password manager allows you to securely distribute shared passwords and remove access to those passwords if an employee leaves or changes roles.
If you are using 1Password: You can create multiple shared vaults. These vaults can be shared with all or some of your team’s users. When sharing vaults, keep in mind that those who have access will have access to all passwords.
Password best practices
We hear “password best practices” often. These are things like:
- Avoid reusing passwords across accounts
- Use hard-to-guess passwords
Avoid sharing accounts and passwords
In general, this should never be required. Invest in the correct number of user accounts for the applications you need so that you’re not reusing credentials.
Beyond the obvious risk that whoever uses your password could expose account details and data, sharing also makes it more difficult for the provider at the other end of the account to identify malicious logins.
Never auto-save your master password
Third-party tools like Apple’s Keychain will suggest storing your master password, but this is not a good idea. Never use an electronic capability to store your master password (especially not on your computer as a file).
Back up your password manager
If you have chosen a reputable password manager, they will implement an encryption scheme that stores your data securely on their systems in a way that nobody, including themselves, can access it. If you don’t back up your data and your device is lost or destroyed, you will lose your passwords.
Use the password manager’s suggestions
When you first start using a password manager, you may feel inclined to make up your own passwords and store them in the app for later retrieval.
But the passwords generated by the tool are significantly more secure than what you're likely to come up with on your own. Plus, using this approach eliminates a lot of manual work.
Implement multi-factor authentication
You want to avoid the possibility that someone uses a standard username and password alone to access your password manager online. Most password managers already prevent this type of authentication on its own; even so, it’s good practice to enable multi-factor authentication to protect your account.
Start using a password manager today
It's no secret that passwords have flaws and may have outstayed their welcome. However, it will still be some time before we see better options fully adopted.
Some things in computer security are beyond the control of a regular user, but why not take advantage of those that are?