PASSWORD MANAGERS: HOW AND WHY YOU SHOULD USE THEM
INTRODUCTION Find me a person alive who doesn’t have at least one online password, and I’ll eat my hat.
Passwords are ubiquitous—so much so that the average internet user in the US has around 130 password- protected accounts. Talk to a cybersecurity pro about passwords, and they’ll tell you two things: Every password should be unique, and there’s no way they are.
That’s a problem in the age of modern cybercrime: The theft of one password could open you up to dozens of password-related headaches as a hacker makes their way through websites testing your email address and password to find a match.
If you want to be safe on the internet, you need to add an extra layer of protection. Two-factor authentication should be used when available, but staying safe doesn’t stop there.
You need a password manager.
WHAT ARE PASSWORD MANAGERS?
A password manager is essentially an encrypted vault for storing passwords that is itself protected by a master password. To gain access to the passwords stored in the manager, a user has to know the master password; in many cases, a second authentication factor is required as well.
Password vaults can be used to simply store passwords for easy recall, but one of the best features of most password managers is their ability to generate passwords. A longer password is more secure and harder to crack, and the passwords generated by password managers are combinations of random numbers and letters that are very secure.
Another important feature of most password managers is the ability to automatically fill in passwords to stored sites. By using that feature, you won’t have to type anything but the master password, and it’s a good way to avoid having passwords stolen by keylogging malware.
A good password manager will also allow you to sync your data between devices so you won’t have to worry about losing data stored on your desktop if you’re using your smartphone.
In short, password managers should take the hassle out of your digital life by putting all your sensitive infor- mation into one secure, easy-to-access location.
Additional resources • Why most of what we know about passwords is wrong, and how businesses should respond (TechRepublic) • Video: Why you need a password manager (ZDNet) • Top 5: Things to know about password managers (TechRepublic) • Phishing is another problem solved by password managers (ZDNet)
HOW SECURE ARE PASSWORD MANAGERS?
Most password managers worth using utilize AES-256, which is generally considered one of the strongest forms of encryption available—so strong that the US government uses it to transmit top-secret information.
The odds of a hacker attacking your device and stealing data from your password management app are slim— and it’s even less likely that they’ll be able to decrypt that data. A security architect who has done the math found it would take one billion years to brute-force crack AES-256 encryption. But that time shrinks to zero if the hacker has your master password and you aren’t using two-factor authentication, so be sure to add that extra layer of security.
As with any technology, nothing is foolproof. Hackers have gained access to the databases of password management companies and made off with user data before, and it’s entirely possible that it will happen again.
What’s important to note isn’t the incidents that have compromised user security, though—it’s the alternative.
Take storing your passwords in a web browser, for example. Most web browsers will ask if you want to remember a password, but that data is stored in a completely unsecured manner.
In Chrome you can see every stored password, username, and website combination by opening Preferences > Advanced and looking for the Manage Passwords option under Passwords And Forms. Anyone who gains access to your computer would theoretically have access to all that information if they knew to look there.
What you shouldn’t do is store passwords on a sheet of paper, which is right on the top of every IT professional’s list of prohibitions. Also avoid using the same password for everything, which is another idea security professionals will advise you against.
Password managers are simply the best method of keeping track of all your internet logins. You won’t find a better way to safeguard your information, even with some perceived flaws.
Additional resources • On World Password Day, here are 4 tips to keep your online accounts secure (TechRepublic) • Password-sharing politicians prompt security row (ZDNet) • 10 tips to help reduce user account lockouts and password resets (TechRepublic) • The dumbest passwords people still use (ZDNet) • Face, fingerprint, passwords, or PIN: What’s the best way to keep your smartphone secure? (ZDNet)
HOW DO PASSWORD MANAGERS DIFFER?
The biggest difference in password managers comes down to where they store your passwords: on your local machine or in the cloud.
There are pros and cons to both options, many which are likely obvious:
• Storing your passwords in the cloud allows the passwords to sync seamlessly between devices. • Cloud storage eliminates the worry that you will lose your stored passwords if your computer crashes. • Storing passwords locally prevents data theft in the event of a cloud storage breach. • Local password storage could lead to a stolen computer being used to gain access to all your accounts.
Most password managers that use the cloud can have their sync functions disabled if you’d rather not take the risk of cloud storage. The same isn’t true for local storage options, though: If you seek out an option with a local password vault, you won’t be able to sync it to the cloud.
Additional resources • Almost half of IT security incidents are caused by company employees, report says (TechRepublic) • iOS 11’s most underrated security feature? A password manager (ZDNet) • How to deter hackers: Follow these digital safety best practices (TechRepublic) • 13 technologies that are safer than passwords (ZDNet) • Password Policy (Tech Pro Research)
SHOULD MY BUSINESS CHOOSE A PASSWORD MANAGER
OR SHARED ACCOUNT PASSWORD MANAGEMENT? There may be confusion about whether to use password managers or shared account password management (SAPM). Both are distinct and have different roles in the enterprise, and both can function side by side.
Password managers are designed to store and give easy access to individual accounts; these managers shouldn’t be used to store administrator credentials, shared accounts, or other business accounts that aren’t assigned solely to one user.
SAPM is designed to manage and control shared accounts. Depending on the SAPM management product, shared account passwords are either given out once a user signs in and are reset after logout, or the passwords are obscured from a user so they can use the privileged account without ever knowing the password.
It’s a good idea for large businesses with shared privileged accounts (domain admins, root, etc.) to implement an SAPM product along with a password manager. Corporate password management tools can store credentials for important websites and be linked to Active Directory, making the entire process a single sign-on.
The key to implementing password management in the workplace is making it as nonintrusive as possible. If users think a password manager or SAPM tool creates extra work, they’re likely to just ignore it.
Additional resources • Firms that force you to change your password are clueless says cyber security chief (TechRepublic) • Hate silly password rules? So does the guy who created them (ZDNet) • The end of passwords? Not in the near future (TechRepublic) • LastPass brings free password management to all your devices (ZDNet) • What is phishing? Everything you need to know to protect yourself from scam emails and more (ZDNet)
WHAT ARE THE MOST WELL-KNOWN AND POPULAR
PASSWORD MANAGERS? There is a wide range of password managers for business and home users, and many of these options offer similar features. These are some of the most well-known password managers.
• LastPass • Dashlane • 1Password • RoboForm • ZohoVault • KeePass You can take a closer look at the features of these password managers.
Apple users take note: macOS and iOS devices come with a built-in password manager—iCloud Keychain. If you’re considering a password manager, it’s worth looking at this option first, as it’s tightly integrated with the rest of the operating system—something third-party apps can’t boast.
Businesses interested in providing their users with a single sign-on (SSO) solution should look into the following platforms. SSO is the premier form of business password management that gives users one-click access to frequently used sites by logging in to a single platform.
• Okta • Auth0 • SAP Single Sign-On • OneLogin
Several password managers, such as Dashlane and LastPass, also offer SSO options for businesses. Connecting an enterprise SSO to personal password management is a great option for businesses that want to close the gap between platforms and make life easier for their employees.
Additional resources • The best apps to manage all your passwords (CNET) • iOS 11 means you never have to remember app passwords again (CNET) • How to install password manager Enpass and sync it with your Google Drive account (TechRepublic) • How to eliminate passwords? It can’t be done (ZDNet) • Amazon launches cloud SSO service for managing multiple AWS accounts (TechRepublic) • Okta enhances security, extends on-prem options for identity management (ZDNet)
CREDITS Global Editor in Chief ABOUT TECHREPUBLIC Jason Hiner TechRepublic is a digital publication and online community Editor in Chief, UK that empowers the people of business and technology. It Steve Ranger provides analysis, tips, best practices, and case studies Managing Editor aimed at helping leaders make better decisions about Bill Detwiler technology.
Editor, Australia DISCLAIMER
Chris Duckett The information contained herein has been obtained Senior Features Editors from sources believed to be reliable. CBS Interactive Inc. Jody Gilbert disclaims all warranties as to the accuracy, completeness, Mary Weilage or adequacy of such information. CBS Interactive Inc. shall Senior Editor have no liability for errors, omissions, or inadequacies in Conner Forrest the information contained herein or for the interpretations Senior Writers thereof. The reader assumes sole responsibility for the Dan Patterson selection of these materials to achieve its intended results. Teena Maddox The opinions expressed herein are subject to change Chief Reporter without notice. Nick Heath
