What to look for in a password manager

The ease with which passwords can be guessed might frighten you. If it doesn’t, we’re afraid it should.

Most people fall victim to the password paradox. A password is there to protect your accounts, your identity, your financial information and the operating system itself, so the stronger it is, the better, right?

Yes – definitely. But most individuals can’t remember separate passwords for the hundreds of accounts across different systems and websites. Because of this, many use one password (and slight variations of it) for everything.

And people are still using passwords like ‘qwerty’, ‘123456’ and ‘1q2w3e’. Those sit at the top of every attacker’s wordlist and are tried first.

Password managers are arguably the most effective way to hold passwords to all your accounts in a secure fashion. Here’s what you should look for in one.

What is a password manager?

A password manager stores, in an encrypted vault, the username and password for every site you choose to add. When you log in to one of those sites, the manager fills in the stored credentials for you.

Rather than remembering hundreds of passwords, you only need to keep one in mind: the one for accessing your password manager.

They’re the best compromise available at the moment. With a password manager you can give every account its own long, random password, because you never have to remember or type any of them.

A physical notebook in which you write your passwords is also a reasonably safe option against online attackers, but it is vulnerable in other ways. If someone breaks in, or a dishonest employee finds it, they can read every entry.

 

Things to look for in a good password manager

So, here’s the main focus of this page. What should you look for in a good password manager?

Here are a few of our thoughts.

✳ Security from third parties

Resistance to breaches is, of course, the most important property of a password manager. The vendor should have a track record in security, not just in software.

When looking for one, we advise checking for recent, independent security audits, and whether the vendor publishes the findings and fixes them. An audit doesn’t make a product impregnable, but a vendor that commissions and publishes audits is showing its working.

Even companies whose business is protecting data are vulnerable to cyberattacks. LastPass, for example, suffered a major breach in 2022, the full extent of which was still emerging months later.

(If you kept a vault with LastPass in August 2022, change every password it contained, starting with the most important accounts. The stolen vault backups were encrypted, but they can be attacked offline at the attacker’s leisure, so how long they hold out depends on the strength of your master password. You can check a password’s entropy using the Omni Calculator tool.)

Several other security factors also come into play. These include the following:

  • Regular updates, so that security patches reach you quickly
  • A browser extension that only fills a saved password on the exact site it was saved for, so it won’t hand your credentials to a look-alike phishing page

It’s important to remember, however, that third-party accreditation isn’t sufficient on its own. LastPass held, and still holds, a number of accreditations for its data centre environments and its operations, but they didn’t prevent the breach it suffered in 2022. Security should be layered: we recommend using a password manager, but the usernames and passwords held in it should not be your only security layer. Turn on MFA on the accounts themselves wherever it is offered.

 

✳ The password manager vendor shouldn’t be able to read your passwords

The information stored in your password manager should be accessible only to you. The password manager software running on your device must be able to decrypt your passwords, since that is how you use them. But the provider, who stores your vault in the cloud so you can reach it from anywhere, must not be able to. To them, your passwords, URLs, usernames and every other field should be an encrypted blob, meaningless without the decryption key, and that key should be derived from your master password on your device and never sent to the provider. Vendors describe this as ‘zero-knowledge’ or ‘end-to-end’ encryption. What to check is that the whole vault is encrypted, not just the password field: in the 2022 LastPass breach, website URLs were among the fields stored unencrypted, which told the attackers exactly which accounts each vault held.

This is absolutely crucial and a big step towards protecting your passwords. It doesn’t mean you’re 100% safe against attacks targeting the password manager (a stolen vault can still be attacked offline by guessing the master password), but it goes a long way.

 

✳ Ability to save cloud and local copies of your information

Whilst ubiquitous, the internet isn’t always available, and when it goes down you do not want to lose access to your passwords. Choose a password manager that keeps an encrypted copy of your vault on each of your devices, so you can still unlock it while internet access is temporarily unavailable.

 

✳ It should support modern authentication methods

Choosing a password manager that supports modern authentication methods is important for several reasons.

Modern authentication methods such as multi-factor authentication (MFA) or biometrics (e.g. a fingerprint) add an extra layer of security. With MFA, you or your users must provide a second form of authentication, such as a code generated by an app, in addition to the password. This makes it harder for attackers to gain access to your systems, even if they manage to obtain your passwords.

For a password manager, requiring MFA for every login from a new device adds an extra layer of security. Allowing biometrics to unlock the vault on subsequent logins improves the user experience, as it saves typing a long master password every time. Be aware that biometric unlock works by keeping a copy of the vault key on that device, protected by the operating system, so it trades a little security for convenience; keep the MFA requirement on new-device logins.

It is worth noting that LastPass offered MFA for new logins to a user’s vault. That did nothing in the 2022 breach, because the attacker never logged in as a user: they copied the encrypted vault backups out of LastPass’s cloud storage, which MFA on the login page does not protect. This is why no single security measure on its own is adequate.

 

Remember your password manager master password

In the end, the only thing you really need to remember is the master password. It protects everything else, and with a zero-knowledge design there is no way in without it (the vendor cannot reset it for you), so make sure it is committed to memory.

Don’t save it online or in a file on your desktop; that is far more exposed than you might imagine. Commit it to memory if at all possible. If you must write it down, keep it somewhere secure at home rather than at work: an online attacker can’t break into your house to read it, but a colleague can open a desk drawer.

Most password managers offer an emergency access option: you nominate someone who is granted access to your vault after an agreed waiting period, unless you decline their request within that time. This covers the scenarios nobody likes to plan for, such as illness, death or a lost master password.

You can also print a set of recovery codes and store them securely, so that losing your MFA device or your master password doesn’t lock you out for good (exactly what a code can recover varies by product, so check before you rely on it). We’d advocate all of these options.

 

It’s better to be safe than sorry…

If you’re worried about your password security, we’d recommend familiarising yourself with NIST’s advice around password managers. It sets out nine password best practices that will help keep your business and personal password-protected devices and applications safe.

Could your SME, church or charity benefit from an in-depth security review? Perhaps you’re thinking of bringing in password managers but aren’t sure where to start?

Whatever your needs, AMDH Services can offer a helping hand. As independent ICT consultants, we’ll provide a personal service tailored to you and your needs.

Why not get in touch with us for a commitment-free, friendly chat? You can use the form below, and we’ll get back to you as soon as possible.

 

Want to know more?

Why not contact us to arrange a FREE consultation to talk about your ICT needs and how they could best be met?