We all know that authentication is vital to security, but passwords suck. Creating them and remembering them for every single web site or software system we use is a pain. Gone are the days of sticky notes on our monitor for all to see, and even password protecting a spreadsheet of credentials with a carefully obfuscated name on our computer isn’t safe — a simple Google search for “Excel 2016 password recovery tools” will show you why.
And we can’t just memorize and use the same password over and over again. Bad actors have access to lists of stolen passwords and usernames from prominent hacks like Yahoo! and Equifax and LinkedIn (check to see if you were compromised in any hacks) and are betting that we are too lazy to come up with a new password for every web site we login to. They are hoping we use that same password for Citibank that we use to get into our email account, so that they can too. If you have a unique strong password for every site or system you use, this type of attack on your data and personal information is dramatically reduced if not eliminated.
But then every web site and software application requires different password strengths and lengths and criteria. Some demand special characters, others won’t allow you to use them at all. With these discordant specifications, how are we supposed to easily come up with good passwords to use?
The time that it takes to create, secure and input all of our passwords has become downright untenable, but password managers can change that. There are software tools available right now which safely store your passwords and fill those credentials in for you automatically, or with the click of a button, when you log into a site. Any password manager worth its weight will create the strongest passwords to meet each and every varied application and site requirement. So why isn’t everyone already using one? Most people just don’t know about them yet. And if you are one of those people, the following information will change that. Let’s first understand what is out there and then discuss which of those options are the best.
Browser built-in password managers
Every major browser (Chrome, Firefox, Safari, IE and Edge) has the ability to memorize your passwords to a web site after you have entered them. They often ask you if you want to save the password you’ve just entered. They can be super convenient, but not secure — every one of them has been shown to be compromisable. Also, the functionality of these built-in managers are not robust and can sometimes be hard to manage, and they may not store passwords from non web-based apps, forcing you to manage passwords in different places.
We don’t advise using this approach as a rule of thumb. And the first thing we do when we setup a new browser or computer is to turn off password saving so that it won’t prompt the user and they won’t be tempted to use it.
Third party solutions
The natural next step is to look for commercial or open source solutions that will make your password persona safe and convenient. There are many choices, cloud based and locally installed.
The most well known and often free solutions are LastPass, 1Password and Dashlane, which all offer cloud based solutions. They all come with browser plugins that allow you to create large random passwords and then autofill your password into a web form when you need to login. This is like the native browser password manager except more sophisticated. This can be very convenient and it allows for one very important password policy to be implemented: creating different strong passwords for every site you visit. With a password manager, you can just create a super strong password and never have to worry about remembering it.
Your passwords are being stored on a database in the cloud that is guarded by the vendors technology, or at least you hope. This is a deal breaker for many. If you practice the Trust No One philosophy you are going to run from these solutions. Otherwise, you have to trust that they are encrypting your passwords somehow, that their employees can’t access your data, and that if their database is compromised, your data cannot be reverse engineered or searched against other password databases. You have to trust them with every one of your passwords. You have to determine how you feel about that and what the risk is. If you happen to browse a website that has been hijacked with malicious code, what’s to say your browser stored passwords or auto-fill process is not vulnerable to these outside forces. Again, measure your risk and decide from there.
Alternatively, there are locally installed password managers like KeePass. It is pretty popular and has matured over the years. It has the same functionality as the web based managers, it creates strong passwords, will store them and type them in for you, but it is, in our opinion, safer. It’s also open source which means the inside story of how it functions is open to anyone who cares to check. The EU-FOSSA (European Commission’s Free and Open Source Software Auditing project) completed a code audit in 2016. The main advantage is that you are 100% in control of your data. You don’t have to rely on someone else to protect your valuable passwords, except for you. It seems like a no brainer, just store it locally. But, remember that you are responsible for backing up your “vault” of passwords. If you use a cloud based solution like Carbonite, Backblaze, CrashPlan or something similar you have to keep in mind that your data is headed right back to the cloud, so be sure to encrypt your password vault BEFORE backing it up and be careful where you store your encryption keys. Finally, because it’s not integrated into the web browser, you might have one extra step to perform compared to LastPass for instance, although there are add-ons to Keepass to help do the same thing.
No matter what you do, you should implement a password management system that at the very least encrypts your passwords with a strong encryption key you control so no prying eyes can take a peek. You should most definitely get into the habit of creating new super strong passwords for every site you have to login to, no matter how inane the site is, and you might as well do it right and let the password managers create the passwords for you.
Web based managers generally have recovery options, but if you use a locally installed manager like KeePass, make sure you keep a good backup and don’t forget the master password, if you lose it, your passwords are gone forever.
With the irreversible theft of billions of account logins and passwords over the last few years, we all must rethink how we manage the multitude of passwords we have accumulated and must create. Whether you use a cloud based solution where your passwords are stored and managed by someone else or if you install local software that only you control, you should employ one of these approaches we covered and get rid of the unsecure spreadsheets and password files of yesterday. There is nothing holding you back, as many of the solutions are free or have free trials for the paid versions. Do it now, you have everything to lose.
This post was originally published on Medium.