Users may find themselves inundated with advice from IT professionals on good (and bad) password hygiene. By now, most people understand the difference in security afforded by a weak password (e.g., “password,” “123456,” “Facebook1”) and a strong one (e.g., “&e9_qF2`”*8>av1”). But fewer users fully understand the dangers of password reuse, and those that do still often choose convenience over security, despite the risks.
Why? Quite simply, the sheer volume of passwords one needs to remember in today’s hyper-connected world can be downright intimidating. Personal browsing, home finances, and the workplace: to comply with password “best practices,” each of these areas of daily use requires its own set of difficult-to-remember, unique passwords. The hoops to jump through are many. Ideally, each password contains a robust mixture of upper- and lower-case letters, numbers, and special symbols. Each password shouldn’t rely on “leet-speak,” that is, spelling out words with look-alike symbols (e.g., “Pa$$word” instead of “Password”), because cracking tools apply exactly those substitutions as mangling rules and try them automatically against every word in their lists. Finally, many policies still demand that each password be replaced with a freshly generated one every 3-6 months (and in many cases much more frequently), even though current guidance such as NIST SP 800-63B recommends changing a password only when there is evidence it has been compromised.
With that in mind, it’s easy to understand exactly what motivates a user to pick just one password. But the risks remain. Recent breaches at respectable, well-known sites with users numbering in the hundreds of millions have exposed cross-site password reuse as a critical security issue. People generally underestimate the ability of cybercrooks to take a data leak from one site and apply it across huge swaths of the internet. But the increasingly professional services offered through criminal underground networks do exactly that, a technique known as credential stuffing: take a batch of poorly protected passwords from, say, the 2012 LinkedIn breach (stored as unsalted SHA-1 hashes, which were cracked in bulk once the dump circulated), replay them against GitHub or any other site today, and gain access to every account that shares the same e-mail address and password.
If avoiding password reuse while maintaining high-quality credentials leaves you feeling a bit overwhelmed, rest assured that a tool exists to help with even the most complex password requirements imaginable. A password manager application acts as an encrypted repository for credentials (no more scribbling passwords on bits of paper!), ergonomically dispenses usernames and passwords (no more finger gymnastics typing out a 20-character password!), generates random passwords on demand, and optionally prompts users to change passwords after a set period of time has elapsed.
Essentially, a password manager is a program that handles the difficult parts of good password hygiene for the user. Users need to create one strong master password for accessing the manager, and the application will store and dispense all other passwords. Secure copy/paste and auto-type are the two features most password managers use to dispense credentials. The former clears the clipboard after a short timeout so a password doesn’t linger where any other program on the machine can read it, while the latter types the credentials directly into the login form and greatly eases and speeds the act of entering them.
Users freed from having to remember complex passwords unique to each login, coupled with a password manager’s ability to securely paste or auto-type credentials, should take advantage of the random password generation feature for maximum security. With no need to remember or manually enter credentials, and with the ability of most programs to generate a complex password instantly, there’s no good reason not to use the strongest password each site will accept (the only practical limit is the site’s own maximum length or character restrictions). Typically, password managers show the relative strength of any given password for reference; for a randomly generated password that strength is simply its length times the entropy per character, while a human-chosen password of the same length and character mix is far weaker because it is drawn from words and patterns cracking tools already know. Use the meter to make every password as strong as possible. Sit back and let the program not only memorize that 64-character behemoth containing a mixture of letters, numbers, symbols, and cases, but also do the heavy lifting of typing it all out with only a few clicks. And unlike people, password managers never flub a keystroke when entering logins.
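The two claims above, that an attacker’s rule sets undo “leet-speak” for free and that a generated password’s strength is just length times per-character entropy, can be shown directly. The following is an added Python example written for this article, not code from any password manager product: the leet substitution table, the five-word wordlist, and the `report` layout are constructed for the illustration, and real cracking rigs use far larger lists and rule sets.

```python
import math
import secrets
import string

# Character classes a generated password draws from: 26 + 26 + 10 + 32 = 94 symbols.
LOWER, UPPER, DIGITS, SYMBOLS = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)
FULL_ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS

# Constructed, deliberately tiny wordlist standing in for rockyou-sized lists.
WORDLIST = {"password", "facebook", "welcome", "letmein", "qwerty"}

# Leet substitutions that cracking rule sets apply automatically (constructed subset).
LEET_MAP = str.maketrans({"4": "a", "@": "a", "8": "b", "3": "e", "1": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password drawn uniformly at random: length * log2(alphabet).
    Valid only for machine-generated passwords; it says nothing about a human choice."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Draw every character from the OS CSPRNG (secrets), never from random.choice.
    Re-draw until each class present in the alphabet appears, which many sites
    require; at realistic lengths the loop almost never runs twice."""
    if length < 4:
        raise ValueError("too short to cover every character class")
    classes = [c for c in (LOWER, UPPER, DIGITS, SYMBOLS) if set(c) & set(alphabet)]
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in classes):
            return pw


def looks_dictionary_derived(candidate: str) -> bool:
    """The cheapest cracking rule chain: strip trailing digits/symbols, undo leet
    substitutions, lowercase, and look the core up in the wordlist."""
    core = candidate.rstrip(DIGITS + SYMBOLS).translate(LEET_MAP).lower()
    return core in WORDLIST


def report(candidate: str, machine_generated: bool) -> dict:
    """What a manager's strength meter should show. Entropy is credited only to
    machine-generated passwords; human-chosen ones get the dictionary check instead."""
    used = [c for c in (LOWER, UPPER, DIGITS, SYMBOLS) if any(ch in c for ch in candidate)]
    size = sum(len(c) for c in used)
    return {
        "length": len(candidate),
        "alphabet": size,
        "bits": round(entropy_bits(len(candidate), size), 1) if machine_generated else None,
        "dictionary_derived": looks_dictionary_derived(candidate),
    }


if __name__ == "__main__":
    samples = [("Facebook1", False), ("Pa$$word", False),
               (generate_password(20), True), (generate_password(64), True)]
    for pw, generated in samples:
        print(f"{pw!r:70} {report(pw, generated)}")
```

Running it shows “Pa$$word” and “Facebook1” both collapsing to wordlist entries after one rule pass, while a generated 64-character password from the 94-symbol alphabet is credited with about 419 bits; the 8-character example from the opening paragraph, if it were generated, would be worth about 52 bits.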
The drawbacks are few, but critical to understand before adopting a password manager. Foremost, this will be the receptacle into which all of a user’s precious credentials are placed. If the master password is forgotten, everything in the vault is lost; there is no reset link, because the vault is encrypted with a key derived from that password alone. If it is stolen, or if an attacker who obtains a copy of the vault file simply guesses it offline, everything is compromised at once. Obviously, it’s crucial to set a master password that’s as strong as possible (a long passphrase of several unrelated words is both stronger and easier to type than a short jumble of symbols), yet still something easily remembered, and to enable any second factor the manager offers. Even if it’s a pain at first to enter a stronger-than-usual password, it quickly becomes a daily routine...much like logging into Windows.
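To make the “lost or compromised” trade-off concrete, here is an added Python example of how a vault’s master password is turned into a key and checked at unlock time. It is written for this article and is not the implementation of any particular product: the scrypt cost parameters, the verifier label, and the header layout are assumptions chosen for the example, and the authenticated encryption of the entries themselves, which a real manager performs with the derived key, is omitted.

```python
import hashlib
import hmac
import secrets
import time

# Assumed scrypt cost: ~16 MiB and tens of milliseconds per derivation on a laptop.
# Real managers tune these higher and record them in the vault header, as done here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
VERIFIER_LABEL = b"vault-verifier-v1"  # assumed constant, only used to tag the key


def derive_key(master_password: str, salt: bytes, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P) -> bytes:
    """Stretch the master password into a 32-byte key. The memory-hard KDF makes every
    offline guess cost the attacker as much as it costs the user; the per-vault salt
    stops one precomputed table from serving many stolen vaults."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, dklen=32)


def create_vault_header(master_password: str) -> dict:
    """Everything a new vault writes to disk about its key: salt, KDF parameters and an
    HMAC verifier. The key itself is never stored; the verifier only lets unlock()
    distinguish a wrong password from a corrupt file, so it is the one thing a thief
    can test guesses against, at the KDF's full price per guess."""
    salt = secrets.token_bytes(16)
    key = derive_key(master_password, salt)
    verifier = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P, "verifier": verifier}


def unlock(header: dict, master_password: str):
    """Re-derive the key from the stored parameters and compare in constant time.
    Returns the key, or None: a forgotten master password has no other way in."""
    key = derive_key(master_password, header["salt"], header["n"], header["r"], header["p"])
    expected = hmac.new(key, VERIFIER_LABEL, hashlib.sha256).digest()
    return key if hmac.compare_digest(expected, header["verifier"]) else None


def offline_guess_rate(header: dict, samples: int = 3) -> float:
    """Guesses per second one CPU core gets against a stolen copy of this header.
    A serious adversary multiplies this by GPUs and machines; what matters is the
    ratio between that rate and 2**bits of the master password."""
    start = time.perf_counter()
    for i in range(samples):
        unlock(header, f"guess-{i}")
    return samples / (time.perf_counter() - start)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every password of the given entropy at the given rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    header = create_vault_header("correct horse battery staple")
    assert unlock(header, "correct horse battery staple") is not None
    assert unlock(header, "correct horse battery stapler") is None
    rate = offline_guess_rate(header)
    print(f"one core: {rate:.1f} guesses/s against this header")
    for label, bits in (("8-char human-chosen, ~28 bits", 28), ("4 random words, ~44 bits", 44),
                        ("8 random words, ~88 bits", 88)):
        print(f"{label}: {years_to_exhaust(bits, rate * 10_000):.3g} years on 10,000 cores")
```

The wrong-password branch is the whole point: nothing in the header can be decrypted or reset without the original master password, and the same KDF cost that protects a stolen vault also means a forgotten master password cannot be recovered by the user either. Entropy figures in the demonstration loop are illustrative, not measurements.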
Another drawback hinges on portability. If a user lets the password generator choose 64-character passwords, they’re very unlikely to remember them (if they even make an attempt), so any time they’re parted from their password manager may mean the inability to access an account. Luckily, good password managers are highly portable. Many have corresponding smart-phone apps, and most are light-weight and easy to carry and deploy from a flash drive or SD card. On-the-go business people already routinely use portable storage devices, so adding a small password manager is a simple and elegant mobile solution; just remember that a vault copy on a flash drive is only as safe as the master password that encrypts it, so the drive itself should be treated as sensitive.
Setup is the main hassle involved with adopting a password manager. Collecting and entering a lifetime’s worth of login credentials can be a daunting task even for those who don’t leave much of a digital footprint, and setting up auto-type to work with various sites can also be time-consuming. Even so, the payoff once everything’s up and running greatly exceeds the time and effort of setting up a password management application.
Increased security, better passwords, unique random password generation, and ergonomic benefits should make adopting a password manager today a no-brainer. With a password manager integrated into day-to-day business processes, management can rest assured that credentials will remain both robust and unique, and that the perils of weak passwords or password reuse are far less likely to harm the company.
Interested in exploring which password management system fits your organization’s needs but uncertain where to start? True Tech Consulting provides IT guidance and professional services for small- and medium-sized businesses. Contact True Tech Consulting today for a site evaluation.