Password Management – why do I care?
Let’s face it, password management is an annoying pain. Unfortunately, until better solutions become common, it’s a necessary one. Why? Because:
- Passwords are generally the first line of defence of your digital life (At home think photos, banking, social media, etc. At Sotic, it’s our whole business!).
- People (myself included) tend to pick bad passwords so that we can remember them. Research found that 86% of a large sample were Terrible!
- … or when we do pick good passwords we can only remember a few, so we reuse them on many sites. Been there, done that. Also not a good idea.
The answer… use a password manager
So how do you reduce security friction; get max security for least hassle? My advice – use a password manager. For many readers this will be familiar ground, but if you haven’t yet seen the light this advice can be a digital life saver.
It used to be considered good practice to make users change their password frequently. I think that just leads to people either writing the password down or adopting an easy-to-guess pattern (I mean, we’ve all been there, right?). Instead I recommend creating a strong, unique password for every service that needs one, and storing them all in a secure vault in a specialist password manager application or service. A side benefit of a good password manager is that it will highlight weak passwords, reused passwords, accounts that have shown up in a known breach, and so on. They also usually include a generator for strong passwords. What’s not to like!
Don’t just take my word for it; plenty of others are promoting the same approach. Respected tech magazine Wired says GET A PASSWORD MANAGER. NO MORE EXCUSES. and the response from the UK National Cyber Security Centre (part of GCHQ) to “Should I use a password manager?” was Yes. Password managers are a good thing.
Alright – I’m convinced already! But what should I pick?
There are plenty of password vault apps on the market, paid and free. Try and pick one that has plenty of advocates, is actively maintained, and is open about how it encrypts your vault. My own favourite is 1Password; great on OS X and iOS, well designed and easy to use. The team also has a strong reputation for putting security first. LastPass is also well regarded and has a free version, Dashlane is increasingly popular, and KeePass is open source. If you haven’t already, why not give one a whirl? Go on, try one now…
Got your secure vault setup? Protect it with a really good password!
So with our eggs in one basket, better make sure it’s got a great lock. Your next step is to secure your vault with a strong master password. You will have to remember this one (but just this one – that’s the point!), and it’s worth some effort to make it good. To help you there are great guides out there to creating a strong password, such as from 1Password or the government CyberAware initiative. A strong master password makes it much harder for the bad guys to crack the vault if they ever get hold of a copy of it. (If you want, see how scary fast it can be to brute-force search for passwords.) For all other passwords I just get my password manager to auto-generate them.
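To show what “auto-generate” and “scary fast” actually mean, here is a small added example (my own illustration, not code from 1Password or any other manager). It draws every character from the operating system’s cryptographic random source via Python’s `secrets` module, never from `random`, and then puts numbers on the brute-force point: the guess rate of 1e10 per second is an assumed figure for a GPU rig attacking a fast hash, and the symbol set is just a choice for the example.

```python
import math
import secrets
import string

# Character classes a vault-style generator can draw from. The symbol list is an
# assumption for this example; real managers let you tune it per site.
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!#$%&*+-=?@^_~",
}
DEFAULT_CLASSES = ("lower", "upper", "digits", "symbols")


def generate_password(length: int = 20, classes=DEFAULT_CLASSES) -> str:
    """Build a password from the OS CSPRNG (secrets), never random.choice().

    Candidates that miss a requested class are thrown away and redrawn.
    Rejection sampling keeps the result uniform over the accepted set,
    unlike 'fixing up' fixed positions, which adds structure a cracker can model.
    """
    if length < len(classes):
        raise ValueError("length too short to include every requested class")
    alphabet = "".join(CHARSETS[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CHARSETS[c] for ch in candidate) for c in classes):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy of a uniformly random password over the alphabet."""
    return length * math.log2(alphabet_size)


def seconds_to_search(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: half the keyspace at the given guess rate."""
    return (2.0 ** bits / 2.0) / guesses_per_second


if __name__ == "__main__":
    full = sum(len(v) for v in CHARSETS.values())
    # Assumed rate for a GPU rig against a fast hash such as MD5 or SHA-1;
    # a slow hash (bcrypt, Argon2) cuts this by several orders of magnitude.
    rate = 1e10
    for length in (8, 12, 20):
        bits = entropy_bits(length, full)
        years = seconds_to_search(bits, rate) / (365.25 * 24 * 3600)
        print(f"{length:2d} chars: {generate_password(length)}  "
              f"~{bits:5.1f} bits, ~{years:.3g} years at {rate:.0e} guesses/s")
```

Run it and the 8-character line comes out at roughly fifty bits, which at the assumed rate is a matter of hours; the 20-character one is well past the age of the universe. That gap is the whole argument for letting the manager generate long random passwords you never have to remember.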
If you are anything like me then if your setup isn’t easy to use you just won’t stick with it. So if you’ve got a mobile device with a fingerprint reader, see if you can configure the app to work with it; it’s a great way to take away a lot of the pain of frequent master password entry. Bear in mind the fingerprint only unlocks the app for convenience; the master password is still what protects the vault at rest, so it needs to be strong even if you rarely type it.
For more detailed implementation advice try this great how-to guide from The Verge, or this informative deep dive with a strong 1Password focus from the SweetSetup.
It’s fine to stop here; the above will really up your security game. Hungry for more? Fantastic – read on…
Getting more advanced – 2FA
Two-factor authentication (2FA) means a service requires a second, independent element before it lets you in. So if a password is ‘something you know’, then a secure device is an example of ‘something you have’ and a fingerprint is an example of ‘something you are’. Adding this additional factor helps protect against a remote attack: the bad guys getting your password (from a phishing page or a breached site) is no longer enough to compromise your account.
So, 2FA is a fantastic extra precaution. Use it on any account you consider important that supports it, including e-mail (as e-mail often controls password reset for other services). The NCSC provide some 2FA service links in this excellent password advice note. What is the easiest way to do this? Phone SMS is often the default option and is far better than nothing, but SMS codes can be redirected by a SIM swap, so my preference is to use an app. Authy is really good, and free. The Google Authenticator app works well for their services, and Microsoft Authenticator for theirs such as Office 365. 1Password can also provide 2FA in the form of one-time passwords, which is really seamless if you already use their app; the trade-off is that the one-time password secret then lives in the same vault as the password it backs up, so anyone who gets into your vault gets both factors at once.
Use of an app isn’t as ultra-secure as a genuine separate device (a hardware token never lets its secret be copied off it, while an app’s secret is only as safe as the phone and its backups), but I reckon it’s fine for most of us mortals who don’t work for government organisations based in Cheltenham. (If you’d like to dig deeper on this point, you might enjoy this MacWorld article. And if you do want to go a step further, check out YubiKey and Duo.)
With 2FA it’s important to avoid locking yourself out (if, say, your phone is lost or damaged… argh!). Security vs usability is an eternal trade-off, unfortunately. So prepare recovery options in advance. Lifehacker have an article with great advice. Bottom line is: generate your service recovery codes, keep them safe somewhere that isn’t the phone they are meant to replace, and consider registering more than one 2FA device. (Oh, and Authy and 1Password offer encrypted backups.)
So if you’ve got this far you have no excuse – turn on 2FA and go generate those recovery codes now.. 😉
Thanks for reading.