Effective password management – how should it be done?

17.01.18 | Cybersecurity, Passwords & Security

If there’s one thing that I’m sure most people would say is a necessary inconvenience, it would be password management.

Since the dawn of computing, people have been using passwords to restrict access to their important systems. But as time passes by, this basic security mechanism has become increasingly long in the tooth, and several recent high-profile exposés of its weaknesses have done it no favours. They’re so entrenched in everything that we do on our computers, they’re unlikely to go away.

So, what can be done?

Before we can go into that, we need to understand what’s wrong with them – or, more accurately, what is wrong with the way that passwords are used by most people:

Password re-use

We’d be willing to wager that anyone reading this article is, or has been, guilty of re-using the same password. We’ve certainly been guilty of this in the past. Many people have a “system” whereby they use a different password based on the perceived “value” of the resource to them. They may use a good, strong password for their banking services, but a weaker, easier to remember password for social media.

However, the truth is, that re-using the same password even once means that you may as well be handing out access to all of the accounts to a determined hacker. That password may have already been compromised, even if you’ve not been hacked. If any website with that password combination has been breached, those credentials are available to anyone who knows where to look. Sophisticated “botnets” continually crawl other websites attempting to log in with stolen details, which is a worrying thought.

You can check if your email address or login username has been compromised in any public data breaches at Troy Hunt’s excellent website. Most people will almost certainly be listed in this database at least once!

Weak passwords

There are a lot of misconceptions surrounding password strength. Often you’ll see advice saying that you should use uppercase letters, lowercase letters, symbols and numbers all in the same password. There is some truth to this, but the key element to a strong password is simple – length.

The longer a password is, the harder it is for computers to crack them. Even using a simple phrase made up of a few unrelated words can be a strong password (the classic example used everywhere for this is “correct horse battery staple”). If you are going to use a passphrase like this, it is best to change things up a little bit with uppercase letters, symbols and numbers as this can help prevent “dictionary attacks”. This is where hackers try millions of combinations of dictionary words to try and find a match.

We always recommend to our clients that a password should be at least 12 characters long. We use 16 characters as a base. That said, if your chosen password appears on this list of the top 1,000 passwords (and, according to that page, 91% of passwords found in data breaches do!) then you definitely need to pick another one.

I’m sure you’re now asking, “how am I supposed to remember a 16 character password?” – well, read on…

Poor password management

One of the reasons people re-use passwords so often is because no-one wants to have to remember a million different passwords for each of their accounts and services – and nor should you. Having to remember that many passwords is difficult for the vast majority, and leads to situations like that seen in the Operations Room at Hawaii’s Emergency Management Agency just yesterday. Hot off the heels of them mistakenly sending an emergency broadcast to millions of Hawaii residents warning them of an impending nuclear strike, they were interviewed on TV. You can clearly see they write their passwords on post-it notes and attach them to monitors in their office. Something that any IT professional is likely familiar with, and something that should absolutely not be allowed under any circumstances!

The answer to password management is to take the hassle away from you and use a dedicated password management tool.

Proper Password Management

The principle behind password managers is that you have one single password (called your Master Password) that you can remember. This should be very strong, as it is basically the key to your electronic front door. Gareth’s master password for his password management tool is nearly 30 characters long.

You then store all of your other passwords in the password manager. You use the tools it provides to automatically fill in login prompts on websites with the password that it has saved.

In an ideal scenario, all of the passwords in your password manager would then be completely random strings of characters. All password managers give you tools to generate secure passwords like this. It is a great way to ensure that none of your passwords are re-used. So, if one of them gets compromised, the damage is limited to just that account.

There are many different password managers available – 1Password, LastPass and Dashlane are three popular online password managers, while KeePass is an open-source tool that lets you store your passwords on your own storage, e.g. in Dropbox.

What else can you do?

There are a number of other elements to account security that can help you keep your accounts safe. Probably the most commonly known is two-step authentication. This is where you are sent a link via email to verify your login. A text could be sent to your phone containing a code that you must enter in order to login.

Enabling two-step authentication on your accounts is a great option. It doesn’t protect against that service being breached. But should someone manage to login to your account with the correct password, they can go no further. That is unless they have access to your email or phone. We always recommend enabling two-step authentication wherever possible.

What does the future hold?

Passwords have been around for a long time. As much as we’d like to see them go the way of the dinosaurs, it seems unlikely it’ll happen soon. In an ideal world, passwordless authentication would be the default method. For example, you would login with an email address and the service provider would send an email to you. Technically speaking, this is arguably less secure than using passwords. But until the vast majority of users stop using (and re-using!) weak passwords, it’s a better option.

Biometric security systems such as fingerprint scanners, face scanners and retinal scans are becoming popular. These have their own drawbacks. Apple’s FaceID system (found on the new iPhone X) has come under intense scrutiny since its release, with a number of shortcomings already being found. But, it is a good place to start when looking at alternatives to passwords.

Need any advice?

If you have any questions about effective password management, feel free to drop us a line.

↞ Previous article Next article ↠

Cookie	Duration	Description
__stripe_mid	1 year	Stripe sets this cookie cookie to process payments.
__stripe_sid	30 minutes	Stripe sets this cookie cookie to process payments.
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__atuvc	1 year 1 month	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it, before the share count cache is updated.
__atuvs	30 minutes	AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it, before the share count cache is updated.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_3253734_2	1 minute	Set by Google to distinguish users.
_gat_UA-3253734-2	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
at-rand	never	AddThis sets this cookie to track page visits, sources of traffic and share counts.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
uvc	1 year 1 month	Set by addthis.com to determine the usage of addthis.com service.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
loc	1 year 1 month	AddThis sets this geolocation cookie to help understand the location of users who share the information.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Cookie	Duration	Description
m	2 years	No description available.
xtc	1 year 1 month	No description