Passwords might be your greatest security weakness.
The issue with passwords is that they’ve actually become the problem rather than the solution they were meant to be. Although for decades we have relied on passwords to protect our systems from hackers, they are no longer fit for that purpose.
Passwords were intended to protect sensitive information from bad guys who wanted to steal or exploit it. The problems are that we all have many accounts that need protecting and attacker capabilities have evolved over time while the concept of a password has more or less remained the same.
A big problem is that creating and maintaining effective passwords has become a dilemma. Why? Because we are expected to memorize them all, because computers are far faster today at ‘guessing’ passwords, and because attackers have automation and sophisticated strategies to attack password databases or online accounts while you and I are at work, at home and asleep.
Yes, yes, we know passwords and password management are a pain. We’ve all used a password all too similar to the previous one or chosen the name of a loved one or the company we work for as a password. We’ve maybe even felt that adding a ‘1’ at the end of the password would confuse an attacker (it won’t!). Passwords are cumbersome, no doubt about it. Newer authentication technologies (like biometrics) are now possible, but they bring implementation challenges of their own. Until those tools are ubiquitous, passwords are here for the foreseeable future.
So, what are the solutions that will help today? – Password managers and password best practices.
We hear about “password best practices” to avoid password re-use between service providers and accounts and are told to use “hard to guess” passwords. These recommendations conflict with the realities of how difficult it is to keep strong passwords in our head and the reality of how many accounts we all have in our day-to-day lives. Password managers help here.
What is a password manager and why does it help?
Usernames and passwords are the keys to your digital life. If someone else has your password(s) they can cause a nuisance, take your money, or even disrupt your life for a period of time. It is important to understand and accept why it is smart to never reuse passwords. Even if you are never responsible for losing or giving away your password, the services you use may have inadequate security practices or get hacked and lose their data. The attackers will use this data and then come after you and your accounts.
A password manager is a desktop application or mobile app that helps secure and simplify your life with passwords. These apps have two primary jobs. The first is to help you create and securely store “hard to guess” passwords that are unique for each website or service you use. The second is to make it easy for you to retrieve these passwords whenever you need them.
Using a password manager will simplify your life, not complicate it. While it is true that another app is another thing to manage (there is a “startup cost” to password managers), most people find these tools easy to use over time and are relieved not to have to track all this sensitive data themselves.
What about the risks though? Some people will point out that putting all your passwords in a single place could allow an attacker to access all of them at once. While true in theory, in practice your passwords will be much better protected by the technical security features of a professional password manager. In addition, the use of weak passwords online is far more likely to result in compromised accounts than a compromise of your password manager is.
Which password manager should I use?
There are several great password managers out there. What’s more, their features and capabilities are improving over time as well. Here are some guidelines to consider reviewing:
A strong reputation.
Are they referenced by other vendors and clients? Does the developer engage positively with the security community, and have they had security audits of their software?
Do they have a logical, sustainable business model?
This is an easy check – do they charge you a fair price for their software?
Do they have a commitment to security?
Check if they publish their vision on security, including their philosophy on software security. You want to see that they have thought about how their app and their platform might be attacked and how they’ve designed with those threats in mind.
Does it work for you?
Does the app have the right features and support the platforms you use (e.g. Apple iOS, Linux, and so on)?
As noted above, there are several managers on the market that will work well for most people and organizations. That said, for the purposes of adding clarity around some points in this article, we will reference features in a specific manager called “1Password”.
How to use a Password Manager
Step 1: Choose a master password.
Password managers require you to remember only a single password and will then encrypt and protect the remainder of your passwords. When you set up your account, make sure to choose a difficult and long password. This is your “master password”. A common trick is to think about a phrase or statement that means something to only you. For example:
“I read about password managers on Field Effect in 2019, I now use one! OK?”
You could create a password that consists of only punctuation and the first letters of this sentence. So that would be:
Whatever strategy you use, keep in mind that this password is a significant part of what protects the remainder of your passwords.
Step 2: Create a secure backup of your master password.
If you forget your master password, your app provider should not be able to recover your account for you. So create a safe backup of your master password. If you write it down, make sure that it is stored somewhere secure. You don’t want someone opening a drawer and finding it. Lock it up.
If you are using 1Password: the first time you log in, you will be prompted to download your “Recovery Kit”. Download this file, print it, and put it somewhere safe. Note that 1Password also includes the concept of a “Secret Key”. This item is as important as your password. If you do not have both, you will not be able to access your account. Ensure that you have a copy.
Step 3: Set up your devices.
Most password managers will provide apps for many platforms. Download the desktop, mobile and other apps that work for you.
You can choose to keep all your passwords on one device (probably your phone) and then use your phone app to look up passwords for all your accounts (even when you’re logging in via a desktop computer). However, it may be much more convenient to install desktop and “browser plugins” so that your password manager can do all the work for you. When you are presented with a login, your password manager will usually automatically detect what username and password to fill in and do that for you. Easy!
If you are using 1Password: Once you install your app, you will have the choice of using a local ‘vault’ or a cloud vault. We recommend using the paid cloud vault since it will serve as a backup for you in the event you lose your device. Once the app is installed, you will log in using your 1Password account, master password, and secret key. If you have printed off your “Recovery Kit”, there will be a barcode that you can easily scan to automatically fill most of these details in for you.
If you are using iOS devices: Apple has a service called “Keychain”. This is a great feature and is basically a built-in password manager. If you only ever use Apple devices, this might be a suitable option for you. However, if you are not using iCloud Keychain as your only solution, we recommend disabling it so that it doesn’t suggest passwords or make it more difficult for your password manager to input usernames and passwords for you. Check “Settings /Passwords & Accounts / AutoFill Passwords” and turn off “iCloud Keychain”. Ensure that your password manager appears and is selected.
Step 4: Fill in your data and update your old accounts.
Now that you have your password manager set up on all your devices, it will sync data between them all. What’s left is to add in your usernames and passwords. We recommend that you update your existing accounts using a password generated by your password manager. These will tend to be more secure.
Note that password managers may have different options for generating passwords. You can review their support documentation to understand the options. For example, you might get to select whether or not special characters (e.g. $, % and #) are used and how long the passwords must be. You might also be able to choose other password generation strategies, like using words joined together (e.g. “giraffe-building-orchestra”).
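To make the generation options above concrete, here is an added example (not 1Password’s generator or any other product’s code) of the two strategies the paragraph describes: a random character password with a configurable length and an on/off switch for special characters, and a passphrase built from words joined with a separator. It also computes the entropy of each choice, which is what makes a generated password “more secure” than one you think up yourself. The word list and the set of special characters are constructed for the example; a real generator draws from a list of thousands of words.

```python
import math
import secrets
import string

# Character classes available to the character-based generator.
LETTERS_DIGITS = string.ascii_letters + string.digits
# Constructed for this example: the symbols named in the text plus a few common ones.
SPECIALS = "$%#!@&*?"

# Constructed, deliberately tiny word list; a diceware-style list has 7776 entries.
WORDS = ["giraffe", "building", "orchestra", "harbor",
         "lantern", "quartz", "meadow", "violin"]


def generate_password(length: int = 20, use_specials: bool = True) -> str:
    """Return a password drawn uniformly at random from the chosen alphabet.

    secrets.choice reads from the operating system's CSPRNG, so the output is
    not reproducible from earlier outputs, unlike random.choice.
    """
    if length < 8:
        raise ValueError("a generated password should be at least 8 characters")
    alphabet = LETTERS_DIGITS + (SPECIALS if use_specials else "")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 4, separator: str = "-", wordlist=WORDS) -> str:
    """Return `words` random words from the list joined by `separator`."""
    if words < 3:
        raise ValueError("use at least three words for a passphrase")
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform selections from `choices` options."""
    return picks * math.log2(choices)


def password_entropy(length: int, use_specials: bool = True) -> float:
    """Entropy in bits of a character password from generate_password."""
    alphabet_size = len(LETTERS_DIGITS) + (len(SPECIALS) if use_specials else 0)
    return entropy_bits(alphabet_size, length)


def passphrase_entropy(words: int, wordlist_size: int) -> float:
    """Entropy in bits of a passphrase of `words` words from a list of `wordlist_size`.

    Joining words with a fixed separator adds no entropy; only the word choices count.
    """
    return entropy_bits(wordlist_size, words)


if __name__ == "__main__":
    print(generate_password(20))                       # e.g. 'kR7$q...' (random each run)
    print(generate_password(16, use_specials=False))
    print(generate_passphrase(4))                      # e.g. 'giraffe-building-orchestra-violin'
    print(f"20 chars with specials: {password_entropy(20):.1f} bits")
    print(f"4 words from a 7776-word list: {passphrase_entropy(4, 7776):.1f} bits")
```

The entropy figures are what to compare when choosing generator options: a 20-character password from a 70-symbol alphabet carries about 123 bits, while a four-word passphrase from a 7776-word list carries about 52 bits but is far easier to type when autofill is unavailable.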
Using a Password manager in a business.
Password managers are a great business tool. If someone chooses weak passwords in their personal life, they will probably do the same at work. What’s worse, if they choose the same passwords at home and at work, a compromise at home could lead to a compromised account at work. Equipping staff with a tool they can use at both will make your business environment more secure. It will give your team the ability to create and manage strong passwords for their corporate accounts.
Another way password managers help at work is by controlling and storing shared passwords. To be clear, it is always a better practice to use dedicated user accounts for each employee. In the case of a Windows domain, for example, you should never share accounts. However, all businesses are likely to have some technology that does not support a multi-user environment, yet operationally requires multiple users. A password manager allows you to securely distribute shared passwords and to remove access to those passwords when an employee leaves or changes roles.
If you are using 1Password: You can create multiple ‘shared vaults’. These vaults can be shared to all or only some of your team’s users. When sharing vaults, consider that those who have access will have access to all passwords.
Password Do’s and Don’ts
- Avoid sharing accounts and passwords. In general, this should never be required. Invest in the correct number of user accounts for the applications you are using so that you’re not re-using credentials. Beyond the obvious risk that whoever uses your password could expose account details and data, sharing also makes it more difficult for the provider at the other end of the service/account to identify malicious logins.
- Never auto-save your master password. Third-party tools (like Apple’s iCloud Keychain) will offer to store your master password. Do not do this. Never use an electronic capability to store your master password (especially not as a file on your computer).
- Back up your password manager and database – including cloud backup. If you have chosen a reputable password manager, they will implement an encryption scheme that stores your data securely on their systems in a way that nobody, including themselves, can access it. The danger, if you don’t back up your data and your phone or device is lost or destroyed, is that you will lose all your passwords.
- Use the password manager’s suggestion for passwords. It is counter-productive to make up passwords on your own and then input them into your password manager to save them for later. Use the password generation feature – it will generate far more secure passwords.
- Protect your account with multi-factor authentication. You want to avoid the possibility that someone uses just a standard username and password to access your password manager online. Most password managers will prevent this type of password-only login anyway; however, it’s good practice to enable multi-factor authentication (e.g. using a code from your phone) to protect your account.
Get your team to update today
To be sure, passwords are flawed and passwords may well have outstayed their welcome. However, it appears that it will still be some time before we see the light of better options fully adopted. Some things in computer security are beyond the control of a regular user, but why not take advantage of those that are? In a way, the persistently poor password practices of many other people give you a chance to be ahead of the pack.
Get your team to update passwords today and secure them with a password manager.