Now Is the Time For a Password Manager
We gave people advice years ago on how to create strong passwords themselves. That advice is outdated, it's time for a password manager.
Authentication today isn't like it used to be in my day, sonny. Yup, when I was a kid we used to just turn the computer on and use it, none of this fancy "who are you and are you authorized to do this" crap. Nope, if the power was on the computer was yours to use.
Of course, back in "my day," the computers measured RAM in kilobytes, and hard drive storage in the 10s of megabytes. Networking involved a serial cable, and going "online" was, well, new. very, very new. Important records were on paper - even credit card transactions were often done with carbon paper, not a swipe. Your medical records where in the little book or folder your Mom had tracked your vaccinations in, and your paycheck was an actual piece of paper that you had to go exchange for actual currency somewhere else.
OK, it was a "simpler time." So maybe passwords today are more critical, and need more attention. In fact compromising accounts and taking them over - often through stolen credentials - is currently at least as big a threat as ransomware. So yes, good passwords are incredibly important, until we come up with and universally roll out something better.
Passwords Are a Delay Tactic
Yes, they really are. Frankly lots of cybersecurity is. Encryption is. The idea is often to delay the unauthorized or malicious user from accessing the system or data until after the data or system is no-longer relevant, or until the authentication mechanism has been changed. This means changing passwords regularly, especially if you don't have multi-factor authentication (MFA) in place is crucial. But it also means you need a password that can provide that delay. The good people at Hive Systems do a nice job of providing an annual visualization of this concept, expressed as the amount of time a it takes to brute force a password using the latest tools.
The times on these tables go down almost every year as hardware gets faster and software gets better at performing these attacks. Obviously the table shows that the more complex your password is the harder it is to brute force and the longer it can be considered reasonably safe. Unfortunately, more complicated passwords become harder to remember. In addition, brute forcing is also not the only way to get your password.
Password Reuse Woes
I assume you've heard the old adage that once two people know something it isn't a secret anymore? This is true for passwords as well. In fact, the proliferation of corporate breaches in the past ten years all but guarantee you've had your account information for at least one site. Looking across email addresses I've used in the past 15 years I've found at least 9 different breaches associated with my account data.
So the question for me now is: Did I use the same password for CafePress as I used for my bank? How about for my doctor's office? Because if I have, all the "bad guys" have to do at this point is guess what bank I use and try my email address and the breached password they have to try to log in as me.
This is why password reuse is such a bad idea. Heck, I don't even remember ever logging into "Luxotica," but apparently I did prior to March 2021, and they managed to lose my data. Not sure I ever got a notification from them - maybe if I did it ended up in the spam folder. Who can say for sure. But if I used the same password for that as I did for my EV charging account, somebody could be getting free juice on my dime for their ID3.
MFA Helps
There are various types of MFA, and each helps a bit, but each can be a hindrance as well. Typically there are a few different MFA solutions in widespread use.
- SMS Messaging - this is the absolute bare minimum MFA option. (There's a reason cell phone providers are such popular targets: taking over your phone's ID means being able to intercept your text messages) SMS messaging usually sends you a text with a code to type in to the website you're supposedly accessing. Getting these texts from a website you're not currently trying to log into is a good sign of a problem.
- Hardware Token - these days hardware tokens aren't generally like they were in the old days, they generally connect via NFC, USB, or even Bluetooth, and the validation is done electronically - no typing in a code. Great security, trouble if you lose it or it stops working properly.
- Software Token - this one is similar to the functionality of the hardware token. Other software token methodology can include push alerts that need to be validated and verified. Push notifications have been problematic as users can be subject to an "alert fatigue" attack where the malicious user floods the end user with authentication requests until just to silence their alerts they click "yes." On the plus side, you can carry your token across multiple devices. On the negative side, your token is potentially accessible from the cloud and from other devices.
- Software Codes - One of the oldest MFA solutions involves a clock-synchronized 6 digit code solution where the server knows what numbers your system is supposed to provide at any given time. Tried and true, but again, the software needs to exist somewhere and requires typing it in for each site.
Each of these options helps, and I strongly recommend using one whenever possible. Having a second authentication factor can really improve your online security for sites that allow it. But MFA is not an excuse for bad passwords, or password reuse.
So Get On To the Password Managers Already!
Look, I'm paying myself by the word, so just...no, you're right. Let's talk password managers.
A good password manager can assist you by minimizing the number of passwords you have to remember, and by generating unique passwords for every system you need a password for. They can even function as your MFA solution, modern ones anyway. Here are my recommended features for a good password manager.
- Always available on every system - A good password manager works while offline, on every device you own. In my world, that means it has to work on Linux, Windows, and MacOS for computers as well as Android and Linux for handheld devices. It has to work with a variety of browsers as well, including both Firefox and Chrome/Chromium.
- Makes creating new logins and updating passwords easy - After all, this is the primary function of a password manager. If the process isn't intuitive and easy, well, it's failing.
- Securely shares credentials with people I trust - It turns out that my family and I all need access to our USPS account. We all need access to our streaming accounts. But nobody but me better log into my Steam account. The ability to share some of those credentials while keeping others private is huge.
- Securely stores my data and credentials - One of the best known password managers got caught a few years back not only having been hacked, but in the realization that the way they got hacked means that the malicious actors could read your credentials. As a result I'd recommend avoiding that vendor. Which, sadly, isn't to say I can guarantee the others are any better.
- A well documented method of importing and exporting credentials - Chances are you'll want to change password managers at some point, and having to manually move all your credentials is not a task to relish. At all. So choosing a solution that has a well documented (secure should go without saying) password migration capability is a must.
And before you ask, I've used two of the most popular ones. Of them, I'd recommend 1Password. It works extremely well in my tech ecosystem, and ticks all of the boxes on the requirements I laid out above. Note: I am not in any way compensated for this recommendation, and my recommendation may not be the best choice for you and your particular situation. It is merely my own personal experience at the time of this writing. Use that advice as you will.
Getting Started With a Password Manager
Whether you're changing providers or starting from scratch, there are several things to do with your new best friend.
- Create a strong master password - Length trumps complexity, but both are important. The password has to be something you'll remember. Here's a little secret: if you need to write it down to help you remember it, do that. But once you've memorized it (say in a week or so) make sure you destroy the paper you wrote it down on. If you do write it down, don't actually write down what the password is for, just write it down all by itself.
- Safeguard any "emergency access" instructions and keys for recovering your password vault - Having a nice physical safe is a good place to put this information. I'll recommend sealing that info in a sealed envelope that you then sign your name or write something across the seal. (the envelope and writing won't stop someone from possibly accessing the data, but it will be clear evidence to you that someone has accessed it if the seal is broken or the envelope is torn) This is critical if you ever forget the password, or if someone you trust needs to access your passwords when you are incapacitated.
- Set the password complexity defaults to high requirements - There is no reason your password manager shouldn't be creating 20 character passwords containing all four categories of characters (lowercase, uppercase, numbers, and symbols) in every password. Make sure your password manager is set to these types of settings by default. Note: there will be times you'll have to "dumb down" these requirements because a website or service won't be able to handle specific characters, etc. Make those the exception, not the rule, for how you normally create passwords.
- Check for any known compromised credentials - This is the perfect time to identify any of your logins that have been compromised and take action on them! This is your chance to update passwords and set up MFA.
- Audit your credentials for reused passwords - Your password manager should be quickly able to identify where you've used the same password across multiple places (once you've added those places to the manager) and warn you about it. This is a fantastic opportunity to reset your passwords for all of those sites.
- Update your site passwords anyway - This item is most valuable if you're a new user to a password manager. Odds are the passwords you've previously memorized are out of date with current recommendations.
- Add MFA wherever possible - Some password managers will also be able to tell you when they can support MFA for a particular site or service for you. Even if they cannot, I recommend enabling MFA on any login that you are able to. Sometimes you have to go digging into the site to set it up, but this is a really good practice to get in the habit of.
- Stop making passwords yourself - I've run across people who have a password manager but who use it like a notebook that they use to securely store passwords they create, not trusting the system (or just not using it?) to make secure, strong passwords for them. If this is how you're going to use a password manager you'd be almost just as well off carrying around a notebook with a padlock on it to store your passwords in.
Regular Password Maintenance
A good password manager is an important step, but just like any tool how you use it it important. Just like putting in a camera system doesn't mean you don't have to lock your doors, using a password manager doesn't mean you can skip other security steps. However, let's just focus on a few password-related maintenance steps to minimize security incidents caused by credential issues:
- Change your passwords periodically - Yes, even if you have MFA. Yes, even if you are using really long, complex, passwords. Yearly isn't a bad idea.
- Close out accounts you no longer use - The "zeroth" law in cybersecurity is that you can't lose data that doesn't exist. Close out accounts you don't use anymore, and wherever possible ask the organization to delete your data. If you don't use Facebook anymore, close the account, don't just let it sit there. If you don't do business with the eyecare company anymore (see that breach screen-shot above) then close that account out.
- Don't share your passwords via insecure methods - Don't text them. Don't messenger them. And for the love of all that is good, if you violate this rule change your password ASAP!
- Check to see if that authentication works with MFA periodically - Just because the site didn't support MFA last year doesn't mean they haven't updated this year. Heck, it wasn't that long ago that most web browsing was done via plaintext (HTTP) and now almost all of it is encrypted (HTTPS). Times change, security capabilities do too.
Final Cautions
When choosing a password manager, be wary of a few thing:
- Do not let your browser be your password manager - most of them offer to do so. Disable this feature so you don't accidentally add passwords to the browser's password storage.
- Think twice before choosing a free password manager - security should not cost you money, but it turns out it does. At the end of the day a free password manager has to have a source of income in order to remain afloat. If you're not paying for it, what is that source of income? What are you trading away in the fine-print in order to get it for free?
A password manager is one of the best tools you and I have to protect ourselves online. Choose one wisely, use it continuously, and take care of yourself out there.