Effective password management – how should it be done?

17.01.18  |  Cybersecurity, Passwords & Security

If there’s one thing that I’m sure most people would say is a necessary inconvenience, it would be password management.

Since the dawn of computing, people have been using passwords to restrict access to their important systems. But as time passes, this basic security mechanism has become increasingly long in the tooth, and several recent high-profile exposés of its weaknesses have done it no favours. Yet passwords are so entrenched in everything we do on our computers that they're unlikely to go away.

So, what can be done?

Before we can go into that, we need to understand what’s wrong with them – or, more accurately, what is wrong with the way that passwords are used by most people:

Password re-use

We'd be willing to wager that anyone reading this article is, or has been, guilty of re-using the same password. We've certainly been guilty of this in the past. Many people have a "system" whereby they use a different password based on the perceived "value" of the resource to them. They may use a good, strong password for their banking services, but a weaker, easier-to-remember password for social media.

However, the truth is that re-using the same password even once means you may as well be handing a determined hacker access to every account that shares it. That password may already have been compromised, even if you yourself have not been hacked. If any website holding that username and password combination has been breached, those credentials are available to anyone who knows where to look. Sophisticated "botnets" continually crawl other websites attempting to log in with stolen details, which is a worrying thought.

You can check whether your email address or login username has appeared in any public data breach at Troy Hunt's excellent website, Have I Been Pwned. Most people will almost certainly be listed in this database at least once!
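The botnets described above try stolen username/password pairs against many sites in bulk (credential stuffing), and that pattern is visible in a site's own login logs. The following is an added example, not code from the original post: a small detector over a constructed login log. The log format, the IP addresses and the thresholds are all assumptions made for the illustration.

```python
"""Flag credential-stuffing patterns in web login logs.

Added example (not from the original post). Assumes a constructed log
format of "<timestamp> <client_ip> <username> <result>", where result is
SUCCESS or FAIL. The thresholds are illustrative assumptions.
"""
from collections import defaultdict

# Constructed sample: one client cycling through many different usernames
# with a low success rate, and one person mistyping their own password.
SAMPLE_LOG = """\
2018-01-16T10:00:01 203.0.113.5 alice FAIL
2018-01-16T10:00:02 203.0.113.5 bob FAIL
2018-01-16T10:00:02 203.0.113.5 carol FAIL
2018-01-16T10:00:03 203.0.113.5 dave SUCCESS
2018-01-16T10:00:03 203.0.113.5 erin FAIL
2018-01-16T10:00:04 203.0.113.5 frank FAIL
2018-01-16T10:00:04 203.0.113.5 grace FAIL
2018-01-16T10:00:05 203.0.113.5 heidi FAIL
2018-01-16T10:05:10 198.51.100.7 alice FAIL
2018-01-16T10:05:25 198.51.100.7 alice FAIL
2018-01-16T10:05:40 198.51.100.7 alice SUCCESS
"""


def parse_log(text):
    """Yield (ip, user, success) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        yield ip, user, result == "SUCCESS"


def find_stuffing_sources(text, min_users=5, max_success_rate=0.2):
    """Return client IPs whose login pattern looks like credential stuffing.

    Heuristic: one client tries at least `min_users` distinct usernames and
    succeeds at most `max_success_rate` of the time. A person who mistypes
    their own password only ever hits one username, so they are not flagged.
    """
    attempts = defaultdict(int)
    successes = defaultdict(int)
    users = defaultdict(set)
    for ip, user, ok in parse_log(text):
        attempts[ip] += 1
        successes[ip] += ok
        users[ip].add(user)

    flagged = {}
    for ip in attempts:
        rate = successes[ip] / attempts[ip]
        if len(users[ip]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(users[ip]),
                "attempts": attempts[ip],
                "success_rate": round(rate, 3),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {stats}")
```

The one successful login from the flagged address is the important part: the stolen pair worked for that user, which is exactly the account whose owner re-used a password. Real deployments would also group by user agent and time window, but the distinct-users-per-client ratio is the signal that separates stuffing from an ordinary forgotten password.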

Weak passwords

There are a lot of misconceptions surrounding password strength. Often you’ll see advice saying that you should use uppercase letters, lowercase letters, symbols and numbers all in the same password. There is some truth to this, but the key element to a strong password is simple – length.

The longer a password is, the harder it is for computers to crack it. Even a simple phrase made up of a few unrelated words can be a strong password (the classic example used everywhere for this is "correct horse battery staple"). If you are going to use a passphrase like this, it is best to change things up a little with uppercase letters, symbols and numbers, as this can help prevent "dictionary attacks", in which hackers try millions of dictionary words and combinations of them until one matches.

We always recommend to our clients that a password should be at least 12 characters long. We use 16 characters as a baseline. That said, if your chosen password appears on this list of the top 1,000 passwords (and, according to that page, 91% of passwords found in data breaches do!) then you definitely need to pick another one.
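To put numbers on the "length beats complexity" point, here is an added example (not code from the original post) that estimates the search space an attacker has to cover, in bits, for random strings of a given length and for word-based passphrases, and that rejects anything on a common-password list. The five-entry common list, the 7776-word list size (the Diceware list) and the guess rate used to turn bits into time are assumptions for illustration.

```python
"""Estimate password strength by search-space size (bits of entropy).

Added example, not from the original post. The word-list size (7776, the
Diceware list) and the guess rate are stated assumptions.
"""
import math
import string

# Constructed stand-in for a "top passwords" list; a real check would load
# the full list from a file.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "football"}

# Assumption: an offline attack against a fast, unsalted hash.
ASSUMED_GUESSES_PER_SECOND = 1e10


def charset_size(password):
    """Size of the smallest character pool that covers every character used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def random_string_bits(password):
    """Entropy if each character were drawn uniformly from its pool.

    Note: this overstates a phrase of dictionary words, because an attacker
    guesses words, not letters. Rate phrases with passphrase_bits() instead.
    """
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count, wordlist_size=7776):
    """Entropy of `word_count` words drawn uniformly from a word list."""
    return word_count * math.log2(wordlist_size)


def expected_crack_seconds(bits, rate=ASSUMED_GUESSES_PER_SECOND):
    """On average the attacker covers half the space before hitting it."""
    return 2 ** (bits - 1) / rate


def assess(password, min_length=12):
    """Reject common passwords outright; otherwise report bits and length."""
    if password.lower() in COMMON_PASSWORDS:
        return {"verdict": "on common list", "bits": 0.0}
    bits = random_string_bits(password)
    return {
        "verdict": "ok" if len(password) >= min_length else "too short",
        "bits": round(bits, 1),
        "expected_crack_seconds": expected_crack_seconds(bits),
    }


if __name__ == "__main__":
    for pw in ["password", "Tr0ub4dor&3", "a" * 8, "a" * 16]:
        print(pw, assess(pw))
    # Four random words from a 7776-word list: about 51.7 bits.
    print("4-word passphrase", round(passphrase_bits(4), 1), "bits")
```

Two things the numbers show: sixteen lowercase letters (about 75 bits) beat eleven characters of mixed case, digits and symbols (about 72 bits), and a four-word phrase drawn at random from a proper list is roughly 52 bits, which is why the author's advice to mix in some symbols and numbers on top of a phrase is sensible. The common-list check comes first because no amount of arithmetic rescues "password".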

I’m sure you’re now asking, “how am I supposed to remember a 16 character password?” – well, read on…

Poor password management

One of the reasons people re-use passwords so often is that no-one wants to have to remember a different password for every one of their accounts and services, and nor should you. Having to remember that many passwords is difficult for the vast majority, and leads to situations like the one seen in the Operations Room at Hawaii's Emergency Management Agency just yesterday. Hot on the heels of mistakenly sending an emergency broadcast to millions of Hawaii residents warning them of an impending nuclear strike, they were interviewed on TV. You can clearly see that they write their passwords on post-it notes and attach them to the monitors in their office. It is something any IT professional is likely familiar with, and something that should absolutely not be allowed under any circumstances!

The answer to password management is to take the hassle away from you and use a dedicated password management tool.

Proper Password Management

The principle behind password managers is that you have one single password (called your Master Password) that you can remember. This should be very strong, as it is basically the key to your electronic front door. Gareth’s master password for his password management tool is nearly 30 characters long.

You then store all of your other passwords in the password manager. You use the tools it provides to automatically fill in login prompts on websites with the password that it has saved.

In an ideal scenario, all of the passwords in your password manager would be completely random strings of characters. All password managers give you tools to generate secure passwords like this, and it is a great way to ensure that none of your passwords are re-used. So, if one of them gets compromised, the damage is limited to just that account.
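The generator inside a password manager is simpler than it looks. As an added example (not any password manager's own code), the following uses Python's `secrets` module, which draws from the operating system's cryptographic random source, to produce one fresh random password per account and, as an alternative, a Diceware-style passphrase. The twelve-word list and the symbol set are constructed stand-ins; a real generator uses a list of thousands of words.

```python
"""Generate unique random passwords and passphrases, one per account.

Added example, not taken from any password manager's code. WORDS is a
tiny constructed stand-in for a real word list.
"""
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
WORDS = ["correct", "horse", "battery", "staple", "anvil", "copper",
         "lantern", "meadow", "orbit", "pillow", "quartz", "ribbon"]


def meets_policy(candidate):
    """True when every character class is present at least once."""
    return (any(c.islower() for c in candidate)
            and any(c.isupper() for c in candidate)
            and any(c.isdigit() for c in candidate)
            and any(c in SYMBOLS for c in candidate))


def random_password(length=16):
    """Uniform random string of `length` characters covering every class.

    secrets.choice uses the OS CSPRNG (random.choice would not be safe
    here). Rejection sampling, rather than forcing one character of each
    class into fixed positions, keeps the result uniform over the set of
    strings that satisfy the policy.
    """
    if length < 4:
        raise ValueError("need at least one character per class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def random_passphrase(word_count=5, separator="-", wordlist=WORDS):
    """Diceware-style phrase: strength comes from the list size and count."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def issue_for_accounts(accounts, length=16):
    """One fresh password per account name; never re-use across accounts."""
    vault = {name: random_password(length) for name in accounts}
    if len(set(vault.values())) != len(vault):
        # Astronomically unlikely at 16 characters; guard anyway.
        raise RuntimeError("duplicate password generated")
    return vault


if __name__ == "__main__":
    for account, pw in issue_for_accounts(["bank", "email", "social"]).items():
        print(f"{account:8s} {pw}")
    print("passphrase", random_passphrase())
```

Because every account gets its own output of the generator, a breach of one site's password database leaks nothing that works anywhere else, which is the whole point the paragraph above makes. The passphrase variant is for the handful of passwords you must type by hand, such as the master password itself.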

There are many different password managers available – 1Password, LastPass and Dashlane are three popular online password managers, while KeePass is an open-source tool that lets you store your passwords on your own storage, e.g. in Dropbox.

What else can you do?

There are a number of other elements to account security that can help you keep your accounts safe. Probably the best known is two-step authentication, where, after entering your password, you are sent a link via email to verify your login, or a text is sent to your phone containing a code that you must enter in order to log in.

Enabling two-step authentication on your accounts is a great option. It doesn't protect against the service itself being breached, but should someone manage to log in to your account with the correct password, they can go no further unless they also have access to your email or phone. We always recommend enabling two-step authentication wherever possible.
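What the service does with that texted or emailed code matters as much as sending it. Here is an added example (not from the original post) of the server side of the second step: the code is generated from a cryptographic random source, only a keyed hash of it is stored, it expires, it survives a bounded number of wrong guesses, and it works exactly once. The five-minute lifetime, the three-attempt limit and the in-memory store are assumptions; the clock is injectable so the expiry path can be exercised without waiting.

```python
"""Server side of a second-step login code (as sent by SMS or email).

Added example, not from the original post. Stores only a keyed hash of
the code, expires it, bounds the number of guesses, and makes it single
use. TTL, attempt limit and the in-memory store are assumptions.
"""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: five minutes to enter the code
MAX_ATTEMPTS = 3         # assumption: three wrong guesses burn the code

# Assumption: a per-server secret from configuration. Keyed hashing means a
# leaked table of pending codes cannot be reversed by trying all 10^6 codes.
SERVER_KEY = secrets.token_bytes(32)


def _tag(code):
    return hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).digest()


class SecondStep:
    def __init__(self, now=time.time):
        self.now = now
        # user -> [tag, expires_at, attempts_left]
        self._pending = {}

    def issue(self, user):
        """Create a fresh 6-digit code and return it for the caller to send."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = [_tag(code), self.now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, user, submitted):
        """True only for the current, unexpired, unused code for this user."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        tag, expires_at, attempts_left = entry
        if self.now() > expires_at or attempts_left <= 0:
            del self._pending[user]
            return False
        entry[2] -= 1
        # Constant-time comparison: the check must not leak how many
        # leading digits were right.
        ok = hmac.compare_digest(_tag(submitted), tag)
        if ok or entry[2] == 0:
            # Single use on success; burned after too many wrong tries.
            del self._pending[user]
        return ok


if __name__ == "__main__":
    svc = SecondStep()
    code = svc.issue("alice")
    print("sent code", code)                 # in reality: SMS / email, not stdout
    print("first try ", svc.verify("alice", code))   # True
    print("replayed  ", svc.verify("alice", code))   # False: already used
```

The attempt limit is what makes a six-digit code safe despite its tiny space: without it, a script could try all one million values. The same issue/verify structure covers an emailed login link, with a long random token in the URL taking the place of the short code.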

What does the future hold?

Passwords have been around for a long time. As much as we'd like to see them go the way of the dinosaurs, it seems unlikely to happen soon. In an ideal world, passwordless authentication would be the default method. For example, you would log in with an email address and the service provider would send an email to you. Technically speaking, this is arguably less secure than using passwords. But until the vast majority of users stop using (and re-using!) weak passwords, it's a better option.

Biometric security systems such as fingerprint scanners, face scanners and retinal scans are becoming popular, but they have their own drawbacks. Apple's Face ID system (found on the new iPhone X) has come under intense scrutiny since its release, with a number of shortcomings already found. Still, it is a good place to start when looking at alternatives to passwords.

Need any advice?

If you have any questions about effective password management, feel free to drop us a line.