In a previous post, we’ve talked about the fact that cybersecurity should start with your people and one of the key elements of any cybersecurity policy should be the use of robust passwords. The days of ‘abc123’ and ‘pa55word’ SHOULD be long gone, and if they aren’t then I’m afraid you are asking for trouble. Secure passwords should be at least 12 characters long, have a combination of upper and lower-case letters, numbers and symbols and they should also be unique for each site.

However, the list of the top five passwords shows that most people aren’t following this advice!

Top 5 most common passwords

  1. password
  2. 123456
  3. 12345678
  4. 1234
  5. qwerty

Constantly coming up with new, secure passwords isn’t that difficult – the more random they are the harder they are likely to be to crack – however trying to remember all of these random combinations of letters, numbers, and symbols is clearly a different matter. This is where you can help staff with the use of Password Manager software. This is a simple and very effective form of protection that you can implement easily, and it needn’t cost much either.

Firstly, a Password Manager helps by generating strong, unique passwords for each application – the strength of the passwords will help shield against traditional password attacks such as dictionary, rainbow-table, or brute-force attacks. As well as helping to generate the passwords, a Manager will remember them for you, meaning you don’t have to try and memorise them or write them down.
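To make the generation step concrete, here is an added example (not code from this post or from any password manager product) that generates passwords meeting the advice at the top of this post and checks existing ones against it. The function names, the default length of 20 and the `.example` site names are assumptions chosen for illustration.

```python
import math
import secrets
import string

# The five most common passwords listed in this post.
COMMON_PASSWORDS = {"password", "123456", "12345678", "1234", "qwerty"}
MIN_LENGTH = 12  # minimum length recommended in this post
CLASSES = {
    "lower-case letter": string.ascii_lowercase,
    "upper-case letter": string.ascii_uppercase,
    "number": string.digits,
    "symbol": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())  # 94 printable characters


def policy_failures(password, passwords_in_use=()):
    """Return the reasons a password fails the advice (empty list = passes)."""
    failures = []
    if password.lower() in COMMON_PASSWORDS:
        failures.append("on the most-common list")
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            failures.append(f"no {name}")
    if password in passwords_in_use:
        failures.append("already used for another site")
    return failures


def generate_password(length=20):
    """Draw characters from the OS CSPRNG until the result satisfies the policy."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_failures(candidate):
            return candidate


def search_space_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on brute-force work, in bits: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed sample vault: one freshly generated password per site.
    vault = {site: generate_password() for site in ("mail.example", "bank.example")}
    print(policy_failures("qwerty"))
    print(round(search_space_bits(20)), "bits of search space at length 20")
```

The `secrets` module is used rather than `random` because `random` is not designed for security-sensitive values.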

One of the main arguments against a Password Manager is that you’re keeping all of your login data in one place. If a hacker was successful in compromising the password manager then ALL of your passwords are compromised. At first glance, this might seem to be a deal-breaker but the actual risk of compromise is far less than reusing a single password across multiple sites. Whilst the use of password managers is not 100% safe (nothing is!), in the opinion of most security experts the benefits outweigh the risks.

You’ll be aware that browsers such as Google Chrome offer some inbuilt functionality that remembers passwords and fills these in automatically for you; however, the better password managers will typically offer multiple benefits over the built-in functions. These include encryption, cross-platform and cross-browser synchronisation, mobile device support, secure sharing of credentials, and support for multifactor authentication. In some cases, usernames and passwords must be copied from the password manager into the browser. Whilst this reduces the ease of use it does increase the level of security by requiring entry of the master password before accessing stored login information.

Many password managers will allow you to automatically populate your password vault by capturing your logins using a browser plug-in and storing these credentials. Other options for populating your password database include importing a spreadsheet or manually entering your login information.

Using the stored credentials is typically automated using a browser plug-in which recognizes the website’s username and password fields, then populates these fields with the appropriate login information.

Some password managers use local storage, others rely on cloud-based services, and still others take a hybrid approach to storage and synchronization. Some of the options that use local storage will support synchronization through Dropbox or a similar storage service.

There are dozens of Password Managers available so how do you pick the right one?

Deciding which password manager is best for you will come down to the features you want and the ease of use, as well as to whether you’re comfortable with a cloud-based password manager that stores your passwords on the Internet.

You need to check reviews and look into the details of the companies behind the services. You are looking for a substantial organisation behind the software rather than a free solution run by one man and his dog.

There are some household names that are not hugely expensive and some genuinely free options that might do the job – some of the main options include:

LastPass – https://www.lastpass.com/

Probably the market leader. The free version provides basic functionality including 1-click login, auto form fill, cross-browser sync and secure password generation. The premium version costs just $12 per year – payable upfront – and adds support for mobile platforms and two-factor authentication for YubiKeys and USB drives.

In March 2017 LastPass did discover a security flaw in its program that could have let hackers steal passwords. The “major architectural problem” was discovered by a security researcher at Google and forced LastPass to urge users to be careful using its service. However, LastPass alerted users about the problem soon after discovering it, and again when it was fixed.

Roboform – https://www.roboform.com/

A limited free version provides an encrypted password store for ten logins and an auto-fill function. The Roboform Everywhere for Windows, Mac and Mobile version costs $19.95 per year, with savings available for longer subscriptions, and this adds in cloud-based synchronisation across mobile devices.

1Password – https://1password.com/

From $2.99 per month you get decent import options, a secure password generator and the ability to store more than login data (such as software licence keys, notes, and credit card details), coupled with strong encryption and an intuitive interface. A 30-day free trial is also available so you can see if 1Password suits you.

KeePass – http://keepass.com/

Whilst it may take some customisation to make it suitable for business use, KeePass is a completely free option. It uses local rather than cloud storage, so it is also a good option if you are concerned about cloud storage, and it supports the use of YubiKeys for two-factor authentication. As the software is open source there are also numerous third-party plugins to add features.

Password managers aren’t a magic bullet against individuals who are looking to steal your data and shouldn’t be regarded as a replacement for other essentials, such as security software and large doses of common sense. But used alongside other elements in a multi-layered approach they can be a cost-effective addition to your online security.