5 Features to Look For In a Password Manager

WWPass
Jul 25, 2017

by Brian Kelley

You’ve heard the horror stories of passwords being stolen for years now. From email scams to illegal data mining, it seems that no password is ever safe. Also, each new app or service requires one more username and password that needs attention and protection. It puts everyone at the crossroads where sophisticated hacking meets too many angles of attack.

This security dilemma is making password managers more desirable by the day. A password manager doesn’t just save you a ton of headaches; it’s at the point where you can’t afford to go without one. The essential feature of all managers, that you no longer know your passwords, naturally rules out inadvertently exposing them. Such a minor behavioral change for such a significant impact!

Letting the password manager remember your credentials for you is easy enough, but not all password managers afford you the same features. There are quite a few different types out there that meet a variety of needs.

Where Are My Passwords?

It’s a good question. If passwords aren’t in your head, where are they? If you store them in a database, how are they safe from intruders? Since no single security solution accounts for every variable, there are many different approaches on how to store passwords.

There are two main types of password managers available today: web-based services and locally installed software.

The biggest advantage of web-based services is that you can access them from multiple devices. Another useful aspect is that they can be used as an alternative to single sign-on techniques. For personal use, almost any free password manager can do the trick.

Locally installed password managers store your password data on the actual device you’re using. While the differences in security between cloud-based and local storage aren’t too significant, there’s comfort in keeping your data off as many publicly used networks as possible.

But if you’re responsible for banking or handling medical records, a whole set of security requirements needs to be met. Security standards such as SWIFT or HIPAA have stricter regulations about where data is stored. Any manager that operates with cloud-based computing is usually out, no matter how many safeguards are in place.

It all comes down to who you can trust to protect your data. And since password managers themselves have had their cloud storage breached before, the ability to store passwords locally is worth considering.

Password Generators

It’s sad and frustrating to see the same non-passwords top the list of worst passwords. Weak credentials such as ‘123456’ or ‘password’ remain popular because convenience almost always trumps security.

Weak passwords are a big enough problem for personal computing, but a wide range of services routinely fall victim to breach or malware infection because of these weak credentials. This is a problem that necessitated password managers in the first place. Now they’re the best method to end this potentially damaging practice.

The biggest contribution that password managers could make to everyone’s security is the random password generation feature. After all, if you don’t have to remember the passwords, it makes sense not to come up with them yourself either. With a password generator, there’s no excuse not to trade in ‘123456’ for a stronger, random ‘b4tX3$0n2V9hfR’.
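
To make the difference concrete, here is an added example (not code from the original article or from any particular password manager) of how a generator can produce a password of the same shape as the one above. The symbol set, the 14-character default and the function names are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes the generator draws from (assumed policy, not from the article).
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, "!@#$%^&*-_=+?"]
ALPHABET = "".join(CLASSES)

# The two weak passwords the article names.
KNOWN_WEAK = {"123456", "password"}


def generate_password(length: int = 14) -> str:
    """Draw each character uniformly from ALPHABET using the OS CSPRNG.

    Candidates missing a character class are rejected and redrawn, which
    keeps the result uniform over all passwords that satisfy the policy.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length: int = 14) -> float:
    """Upper bound on entropy: log2 of the number of equally likely strings."""
    return length * math.log2(len(ALPHABET))


def is_acceptable(password: str, min_length: int = 12) -> bool:
    """Reject known-weak or short passwords and ones missing a class."""
    if password in KNOWN_WEAK or len(password) < min_length:
        return False
    return all(any(c in cls for c in password) for cls in CLASSES)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"(about {entropy_bits():.0f} bits)")
```

The `secrets` module draws from the operating system's cryptographic random source; the general-purpose `random` module is predictable and should not be used for credentials.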

Password Sharing

Passwords, in spycraft terms, work best when they operate on a “need-to-know” basis. Simply put, a secret between two people is not a secret. When someone else knows your password, your responsibility to protect it is now their responsibility, which is always a risky gamble.

Sharing passwords with someone used to be a dubious proposition, but the way password managers function can make this process quite a bit safer. Some managers allow secure sharing of specific passwords or entire password directories. Be sure to consider how effective the administrative controls are once you share passwords. It should be a one-way interaction that allows you to revoke access anytime.

Be Able to Access Your Passwords Across Devices

We don’t need to tell you that smartphones are integral to everyday life. More and more we utilize mobile devices over personal computers to perform everyday functions. That said, a locally installed password manager on your computer isn’t doing much when you need that password on your phone.

A good local manager will sync your devices for you, but it usually comes with a price. This is one of the advantages web-based password managers offer. You can usually access it from any device, making it useful for certain situations where your smartphone would come in handy.

Two-Factor Authentication — Always

Master passwords are the most common means of unlocking your password manager. There are a choice few that offer security tokens such as smart cards or USB sticks instead. Regardless of what you use to unlock your directory of strong passwords, the reason you wanted to strengthen your passwords in the first place is that they aren’t strong enough on their own.

If you’re going to have one password or key to protect your device, the need for a second authentication factor is crucial. Your efforts to protect your passwords are futile without it. Most services offer some form of dual-factor authentication, giving it that one extra step that stops most hacks.

And of course, there are secure and not-so-secure approaches to two-factor authentication, so consider your choices carefully when signing up for a new manager. While 2FA that utilizes your (locked and encrypted) smartphone may be perfectly acceptable for personal use, certain users require more robust secondary authentication.


Written by WWPass

Experts in multi-factor authentication and client-side encryption. Keeping businesses safe since 2008.
