January 10, 2014 – Until the issues surrounding biometric recognition are fully resolved, passwords will remain the preeminent access control measure. With that said, creating and storing strong passwords does not need to be laborious. The evolution of password managers means that individuals can effectively manage an abundance of passwords while only having to remember a single, strong master password. So what exactly is a password manager? Simply put, think of it as a state-of-the-art vault, and within that vault you store all of your passwords.
The greatest benefit of this approach is that you can use the password manager to create extremely strong passwords for all of your accounts. As the screenshot shows, most password managers provide users with a random password generator. Using it, you can create a unique, practically uncrackable password for each of your password-protected accounts; because each password is used in only one place, a breach at one site does not expose your other accounts. Furthermore, most password generators are customizable, ensuring that your new password complies with the varying requirements different sites impose. If you need a password that is 15 characters long and includes two digits and a special character, the generator can accommodate that request.
After you have created your randomly generated passwords, you can use the program's vault to store them. As the image below shows, most password managers will not only keep track of all of your passwords but will also report the strength of each password and the date it was last updated. This gives users the means to confirm that every stored password is strong, to change passwords on a 30-90 day schedule, and, more importantly, to change a password at once when the site it belongs to reports a breach. With each change there is no new password to write down, since you only have to recall your master password. Unlike some of the methods discussed in our last blog, managing your passwords is no longer a burden, and you are no longer limited to weak passwords that are easy to remember.
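The two capabilities described above, a policy-driven random generator and a vault view that reports strength, age and reuse, can be shown in a few dozen lines. The following is an added example written for this article, not code from any password manager product; the character classes, the 90-day staleness threshold, the entropy cut-offs for the strength labels and the sample vault entries are all this example's own assumptions.

```python
import math
import secrets
import string
from datetime import date

# Character classes the generator draws from and the strength estimate recognises.
# (Assumed set; real products let the user pick the special characters.)
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",
}
ALPHABET = "".join(CLASSES.values())


def generate_password(length=15, min_digits=2, min_special=1, min_upper=1, min_lower=1):
    """Return a random password that satisfies the given per-class minimums.

    All randomness comes from the `secrets` module (the OS CSPRNG), never from
    `random`, and the mandatory characters are shuffled in so they do not sit
    at a predictable position.
    """
    required = min_digits + min_special + min_upper + min_lower
    if required > length:
        raise ValueError("policy requires more characters than the length allows")
    chars = [secrets.choice(CLASSES["digit"]) for _ in range(min_digits)]
    chars += [secrets.choice(CLASSES["special"]) for _ in range(min_special)]
    chars += [secrets.choice(CLASSES["upper"]) for _ in range(min_upper)]
    chars += [secrets.choice(CLASSES["lower"]) for _ in range(min_lower)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - required)]
    for i in range(len(chars) - 1, 0, -1):  # Fisher-Yates shuffle, CSPRNG-driven
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password, length=15, min_digits=2, min_special=1, min_upper=1, min_lower=1):
    """Check a password against the same policy the generator was given."""
    def count(cls):
        return sum(c in CLASSES[cls] for c in password)
    return (len(password) >= length and count("digit") >= min_digits
            and count("special") >= min_special and count("upper") >= min_upper
            and count("lower") >= min_lower)


def entropy_bits(password):
    """Estimate strength as length * log2(size of the character pool used).

    This is the usual generator-side estimate: exact for a password drawn
    uniformly from that pool, and an overestimate for anything a human chose
    (dictionary words, dates, keyboard walks).
    """
    pool = sum(len(cs) for cs in CLASSES.values() if any(c in cs for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def strength_label(bits):
    """Assumed cut-offs; products use their own scales."""
    if bits < 40:
        return "weak"
    if bits < 80:
        return "moderate"
    return "strong"


def vault_report(entries, today, max_age_days=90):
    """Per-entry view a manager shows: strength, whether it is overdue, and reuse.

    `entries` is a list of dicts with keys site, password and last_updated (a date).
    """
    sites_using = {}
    for e in entries:
        sites_using.setdefault(e["password"], []).append(e["site"])
    report = []
    for e in entries:
        report.append({
            "site": e["site"],
            "strength": strength_label(entropy_bits(e["password"])),
            "stale": (today - e["last_updated"]).days > max_age_days,
            "reused": len(sites_using[e["password"]]) > 1,
        })
    return report


def sample_report():
    """Constructed sample vault (not real accounts) as seen on January 10, 2014."""
    vault = [
        {"site": "bank", "password": generate_password(), "last_updated": date(2014, 1, 5)},
        {"site": "webmail", "password": "Summer2013", "last_updated": date(2013, 6, 1)},
        {"site": "forum", "password": "Summer2013", "last_updated": date(2013, 9, 20)},
    ]
    return vault_report(vault, date(2014, 1, 10))


if __name__ == "__main__":
    for row in sample_report():
        print(row)
```

Running it flags the two accounts sharing "Summer2013" as reused and overdue, while the freshly generated bank password rates as strong. The entropy figure is deliberately optimistic for human-chosen passwords; that is exactly why the generator, not the user, should be choosing them.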
But, are they secure?
While there are countless password managers on the market, today's article focuses on web-based password managers. Why? Unlike other password managers, web-based ones offer the greatest flexibility: you can retrieve any password from any device, as long as you have an active internet connection.
Unlike a local password manager, which stores the encrypted password database on your computer, a web-based password manager stores your data on its servers. The security concerns surrounding such a practice should be obvious, but most web-based password managers have taken great care to ensure that your data is protected, chiefly by encrypting it on your device before it is ever uploaded.
For example, LastPass, a popular web-based password manager, uses a number of control measures to keep your data secure. To begin, like local password managers, LastPass never sends your master password to its servers. Although your data is stored on the LastPass servers, all encryption and decryption happens locally, using a key derived on your device from your e-mail address and master password. Therefore, even if an individual were to break into the LastPass servers, the data would be useless without that key. Additionally, in response to keyloggers, which record keystrokes and can hand an attacker your master password, LastPass offers a virtual keyboard: you enter your password by clicking the keys of an on-screen keyboard, bypassing the physical keyboard. Note that this only defeats malware that captures keystrokes; malware that captures the screen or the clipboard is not stopped by it, so it is a mitigation rather than a cure.
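The architecture just described, in which the vault key is derived on the client and the server only ever holds a login hash and an opaque encrypted blob, is small enough to model end to end. The following is an added example written for this article, not LastPass's code. The structure (e-mail address as the salt, master password stretched with PBKDF2, one further hashing round producing the value sent for login) follows LastPass's published description of its scheme; the iteration count, the HMAC-SHA256 counter-mode cipher standing in for AES (the Python standard library has no AES), the key labels and the sample credentials are this example's own assumptions.

```python
import hashlib
import hmac
import json
import os

ROUNDS = 100_000  # assumed PBKDF2 iteration count for this demo, not a vendor figure


def derive_keys(email, master_password, rounds=ROUNDS):
    """Derive everything from the master password on the client.

    vault_key never leaves the device. login_hash is what the client sends to
    prove it knows the master password; it is one more PBKDF2 round over
    vault_key, so a server that stores it cannot recover vault_key from it.
    """
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                    email.strip().lower().encode("utf-8"), rounds)
    login_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1)
    return vault_key, login_hash


def _subkeys(vault_key):
    """Separate encryption and authentication keys, both derived from vault_key."""
    enc_key = hmac.new(vault_key, b"vault-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"vault-authentication", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; a stand-in for AES-CTR, not a recommendation."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(vault_key, vault):
    """Encrypt-then-MAC the JSON vault locally; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    plaintext = json.dumps(vault).encode("utf-8")
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key, blob):
    """Verify the tag before touching the ciphertext; raises on a wrong key or tampering."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def upload_record(email, master_password, vault):
    """Everything the server ever receives: the e-mail, the login hash and an opaque blob."""
    vault_key, login_hash = derive_keys(email, master_password)
    return {"email": email, "login_hash": login_hash.hex(), "blob": encrypt_vault(vault_key, vault)}


if __name__ == "__main__":
    # Constructed sample vault and master password; not real credentials.
    vault = {"bank": "Tr0ub4dor&3", "webmail": "correct-horse-battery-staple"}
    master = "my long master passphrase"
    record = upload_record("alice@example.com", master, vault)
    print("server sees:", record["email"], record["login_hash"][:16] + "...", len(record["blob"]), "bytes")
    key, _ = derive_keys("alice@example.com", master)
    print("client recovers:", decrypt_vault(key, record["blob"]))
```

The point to take from the record returned by `upload_record` is what is absent from it: neither the master password nor any of the stored site passwords appears, and a wrong master password fails the tag check rather than producing garbage. An attacker who copies the server's records is left with an offline guessing attack against the master password, which is why the article's advice that the master password be strong is not optional.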
Additional factors to consider
For some, the trepidation surrounding storing passwords in a cloud-based environment may represent too great a hurdle to overcome, and that is completely understandable. If this is the case, however, don't discount password managers altogether. There are local password managers, such as 1Password, that will allow you to store your passwords effectively without placing them in the cloud. Whether you use a local or a cloud-based password manager, it is extremely important to have a strong master password: it is the one secret that protects every other one, and it is the secret an attacker who obtains a copy of your encrypted vault will try to guess. Using a password manager can be a very secure practice, but only if your master password is strong enough to withstand such an attack. If you feel that you need help creating a strong password, please refer to our previous article on password strength.
Additionally, as with all methods of storing passwords, it is important to have a failsafe for the master password itself, since losing it means losing access to every password in the vault. Most providers offer an emergency-access option should you become incapacitated; in the meantime, write your master password on a small piece of paper and keep it with your other valuable pieces of paper, in your wallet.
Finally, regardless of the method you use, remember the need to protect your data on multiple levels. Although the password managers discussed above offer excellent security features, they do not replace the need for sound desktop security practices: malware running on the machine where you unlock the vault sees the same passwords you do. Therefore, if you are going to use a password manager, also employ the basic security measures today's environment demands, which include an active firewall and up-to-date antivirus software.
If you are unsure that your business is adequately protected, our Information Security Baseline Review is an ideal starting point for answering all of your questions, and providing you and your key managers with a basic education of both the threats your company’s information faces and what practical approaches you can take to protect it.
Remember, a false sense of security is worse than being unsure. We have a variety of tools and resources to help you. I encourage you to call to take proactive action.
About the Author
William Prohn CISSP, CISA, CGEIT, CRISC, CMMC-AB RP
Bill oversees all aspects of information technology for the firm, and provides consulting services to a wide spectrum of Dopkins’ clients. He has over 30 years of experience in accounting and business information systems. His specific interests include creating meaningful, practical management information using computer technologies, and the security of business information and systems.