Password management

Why password management?

Passwords are everywhere in modern life. They have become the standard mechanism to confirm you are who you say you are. In an online world, your username identifies you and your password verifies you: it is secret information that only you and the service should know. Once that check passes, you can continue onto your intended website or service.
Modern systems add other techniques too, such as Multi-Factor Authentication (MFA) or biometrics (face recognition or a fingerprint), but the password still remains a key security control.


Why password management is critical


There are three main reasons why it's critical to manage your passwords:

  • Your passwords are kept secure, preventing unauthorised access to and use of the password
  • Your passwords are available to you when you need them, whenever and wherever
  • You know which password is needed for which account on which platform, removing wasted time trying all your known passwords


Why are password managers necessary?


Password managers solve the problem of handling a large number of complex, unique passwords: they keep the passwords away from prying eyes while keeping them available whenever you need them. Complexity means that it is practically impossible for anyone to remember every password; uniqueness means there are as many passwords as accounts, so it is equally hard to remember which password belongs to which site. Jottings in a notebook kept in a safe simply will not cut it for most people - you'll never have them when you need them.


Why are password managers safe?


Providers creating purpose-built password managers are putting their reputation on the line. Security is designed in from the ground up, and developers continually update the software in response to emerging cyberthreats. The password database is encrypted with a key derived from your master password, so the stored file is useless to anyone who copies it without that password. Access is protected by a strong master-password policy and, in reputable products, MFA out of the box. Many also record logins and information access to a separate audit log, in case of misuse.


Password security


Why password security is important


Passwords are the core protection against identity theft. More recently, identity protection has grown to incorporate multi-factor authentication, which takes the existing username and password pair and adds a second mechanism, but the password remains the cornerstone.


To be effective, passwords need to have two characteristics:

  • complex - meaning 'hard to guess', so that a black hat cannot find it by trying likely candidates against the protected account
  • unique - so that gaining access to an account on one platform does not immediately give a black hat access to your accounts on other platforms (attackers routinely replay credentials leaked from one site against many others)

Without both of these characteristics, you are a far easier target for identity theft.


How secure is your password


There are several online tools for checking the strength of a password, as well as several guidelines or 'rules' for creating one. Never type a password you actually use into an arbitrary strength checker; use your password manager's built-in checker instead. There are also sites that will check whether your details have appeared in a data breach - the most well-known is https://haveibeenpwned.com/ - so you can see if your account details are already known to cybercriminals. It lets you search for your email address or username across known breaches, and its Pwned Passwords service checks whether a password itself has been seen in a breach without your full password ever leaving your device (only the first five characters of its SHA-1 hash are sent).
Additionally, the best advice today is to use a secure and unique password and further protect your account by using MFA or biometrics if offered by the platform.
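The Pwned Passwords check described above, as an added example that is not from the page's author: the client hashes the password locally, sends only the five-character hash prefix, and matches the remaining suffix against the returned list itself. The range response below is a constructed sample (both the neighbouring suffixes and the counts are made up for illustration); the live fetcher is included but not called offline.

```python
import hashlib
import urllib.request


def pwned_range_request(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest.

    Only `prefix` (5 hex chars) is sent to the service; `suffix` stays local.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return the count
    for `suffix`, or 0 if the suffix is not listed (i.e. not seen in a breach)."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix: str) -> str:
    """Fetch the real range from api.pwnedpasswords.com (needs network).

    The service requires a User-Agent; Add-Padding asks it to pad the response
    so its size does not reveal which prefix was queried.
    """
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-breach-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def password_breach_count(password: str, fetch_range=fetch_range_live) -> int:
    """How many times `password` has been seen in breaches (0 = not seen).

    `fetch_range` is injectable so the logic can be exercised offline.
    """
    prefix, suffix = pwned_range_request(password)
    return count_in_range_response(suffix, fetch_range(prefix))


# Constructed sample standing in for the response to /range/5BAA6. The second
# line is the real suffix of SHA-1("password"); the other suffixes and all the
# counts are invented for this example.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
2A6E2DD0C8D3E0F4C1B0B1F0C0D0E0F0A0B:1
"""


def offline_fetch_range(prefix: str) -> str:
    """Stand-in fetcher: serves the constructed sample for 5BAA6, nothing else."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = password_breach_count(pw, offline_fetch_range)
        print(f"{pw!r}: seen {n} time(s) in the sample data")
```

Swap `offline_fetch_range` for the default `fetch_range_live` to query the real service; the only thing that changes is where the range text comes from, the password itself is never transmitted either way.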


How to create a secure password

There are several suggestions or rules offered as key advice to generate a password. The main do's and don'ts are:


DON'T

  • Anything that's easy to guess - your personal information, like your name, phone number or postcode
  • Names of people close to you or celebrities
  • Any variant on the word 'password'
  • Obvious patterns, e.g. '123456'
  • Keyboard patterns, e.g. 'asdfgh'

DO

 

  • Base it on a phrase to make it memorable - like the initial letters of a saying, or a sequence of three unrelated words
  • Use at least 12 characters - length does more for strength than any single symbol
  • Use at least one English uppercase character (A-Z)
  • Use at least one English lowercase character (a-z)
  • Use at least one numeric character (0-9) and/or one symbol ($, #, %, !, etc.)
  • Make it unique - never reuse it on another site
  • Store it securely


Example of strong password:


Red@sKy!487!Q
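The DO and DON'T rules above, turned into a checker and a generator as an added example (this is illustrative code, not something from the page's author). The denylist and keyboard rows are small constructed samples standing in for a real list of common passwords; a production check would also consult a breach list such as Pwned Passwords.

```python
import re
import secrets
import string

# Constructed samples for this example: a real denylist would be a large
# breached-password list, and the keyboard rows cover the most common runs.
DENYLIST = {"password", "pa55word", "p@ssword", "passw0rd", "letmein", "welcome"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
SYMBOLS = "$#%!@&*?"


def _has_keyboard_run(pw: str, length: int = 4) -> bool:
    """True if `pw` contains `length` consecutive keys from one row,
    in either direction (catches 'asdfgh', '123456', '0987')."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - length + 1):
                if seq[i:i + length] in low:
                    return True
    return False


def check_password(pw: str, personal: tuple[str, ...] = ()) -> list[str]:
    """Return the rules `pw` breaks; an empty list means it satisfies every
    DO and DON'T above. `personal` holds strings such as your name or
    postcode that must not appear in the password."""
    low = pw.lower()
    failures = []
    if len(pw) < 12:
        failures.append("fewer than 12 characters")
    if not re.search(r"[A-Z]", pw):
        failures.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        failures.append("no lowercase letter")
    if not re.search(r"[0-9]", pw) and not any(c in string.punctuation for c in pw):
        failures.append("no digit or symbol")
    if any(word in low for word in DENYLIST):
        failures.append("contains a variant of 'password' or another common password")
    if _has_keyboard_run(pw):
        failures.append("contains a keyboard or digit pattern")
    for item in personal:
        if item and item.lower() in low:
            failures.append(f"contains personal information ({item})")
    return failures


def generate_password(length: int = 16) -> str:
    """Generate a random password with the `secrets` CSPRNG (never `random`)
    and keep drawing until it passes check_password()."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("Red@sKy!487!Q", "password123", "Asdfghjkl!2024"):
        print(candidate, "->", check_password(candidate) or "OK")
    print("generated:", generate_password())
```

The page's own example, Red@sKy!487!Q, passes every rule; 'password123' fails on length, case and the denylist, and 'Asdfghjkl!2024' meets all the composition rules yet is rejected for the 'asdf' keyboard run, which is exactly the kind of pattern a composition-only check misses.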


When should you change your password?


There are no hard-and-fast rules. Some providers insist on a periodic password reset, although an account protected by MFA arguably makes regular resets less necessary, and forced rotation tends to push people towards predictable variations of the old password. It is, however, always advisable to change your password whenever you think it may no longer be secret - for example a new account where the provider sent you the initial password, a service that announces a breach, or any sign that a black hat is trying to gain access to your account.


Where do I keep my passwords?


Everyone has their own favourite way of saving their passwords. There is no universal solution that works under all circumstances, and each approach below is workable; the trade-offs differ.


A very common approach is to save your passwords within the browser. The best that can really be said is that it helps keep the passwords organised and accessible. Browser password stores rely entirely on the security of the device (computer or smartphone) itself: once you are logged in, any program running under your account, including infostealer malware, can typically read the whole store, which makes it a prime target if the system suffers a cyberattack.


Equally common is the paper notebook, with handwritten passwords. This has the considerable advantage of being immune to remote attack because it is not digital. But it is cumbersome, mistake-prone, hard to make available wherever you are, and quite easy to misplace, damage or have stolen.


The most secure solution is a dedicated password manager, discussed below. Such applications are designed with security, manageability and availability foremost. Password databases are strongly encrypted and can be held on business or personal storage. Several reputable providers offer free versions of their product for personal use. However, full functionality often only comes at a price and they are generally more complex to set up and use.


Password reset


Why password reset


There are two main reasons to make password reset an option:

  • You believe your account password may be known to criminals and you want to change it before they access and misuse your account
  • You really cannot remember your password and need access to the account

In both cases, having a mechanism to reset your password is an essential security provision. The challenge for most providers is how to offer the option without compromising security: the reset path is only as strong as the check used to confirm it is really you. Many opt to use personal information (security questions) to confirm your identity, on the assumption that only you and they know such information, which is one reason to keep your personal information private, since answers such as a mother's maiden name or a first school are often findable online. For an MFA-protected account, the provider can use the second factor as the verification, which is easier, quicker and more secure.


What is a password manager?


At its core, a password manager (PM) holds a list of usernames, passwords, sites, and possibly other information about the accounts you hold and use, stored as a small database. The application manages and protects the database, confirms your identity when you attempt to access the information, keeps database copies synchronised, and often offers quality-of-life tools like browser integration to improve utility.


How do password managers work?


When you need to access one of your accounts, the password manager provides the information you need to be able to log in. In many cases, the PM provides some form of integration with your browser to auto-fill usernames and passwords, for ease-of-use. 


To gain access to the information, you log in to the password manager, and all reputable products protect themselves by implementing MFA and strong password policies. 


When you create a new or update an existing account, the password manager information gets updated - generally a manual process. Many password managers offer the ability to generate complex passwords.


A PM makes it easy to follow the main rules for passwords - security, complexity, uniqueness, availability and manageability.


Best password manager


As is typical with IT services, there is not one product that fits all requirements. Contact us to find out the best solution for your operation.

FAQs


Which password manager should I use?


There are a range of password managers on the market, and capabilities change all the time. Some are ideal for mobile use; some suit big teams; some are self-hosted; some are free; some suit specific compliance requirements. It's all about understanding your needs, so contact us to discuss.


Is Google password manager safe?


Google password manager is an example of a browser-based password manager. The information is encrypted, and it offers improved resilience and availability if it's synchronised with your Google account. However, access protection is only as strong as the device login: once you are signed in, the browser will autofill the credentials for whoever is at the keyboard, and malware running under your account can export the whole store, so if any of the linked devices is compromised then all the account data is compromised. Browsers are also often loaded with third-party extensions, any one of which could introduce further security issues. Overall, it's better than keeping passwords in a text document called 'passwords', but the best solution is a dedicated password manager; many offer a browser extension that gives the same autofill convenience while the vault stays locked behind the master password.


Can password managers be trusted?


All the mainstream dedicated password managers have very strong security credentials. They run on supported operating systems; the vault encryption is strong and keyed from your master password; user-level protection - such as multi-factor authentication or biometrics - is used; the software is written to security standards; and the products are audited by third-party security specialists. When used correctly, password managers are amongst the most secure and trustworthy applications on the market.

Contact us today to find out more.
