Password Managers: A Primer
Author: Kevin Kipp
"People are notoriously remiss at achieving sufficient entropy to produce satisfactory passwords." - Troy Hunt
Unfortunately, cyber attacks are on the rise. According to the Verizon Data Breach Investigations Report, around 75% of all data breaches are caused by Phishing. (1) These attacks can lead to the loss of confidential information, including financial data and usernames and passwords.
To make matters worse, people generally use passwords that are easy to remember, and therefore easy for an attacker to guess. How many of us are guilty of using a variation of the following passwords?
Season + Current Year (Example: Winter2020)
Model of your Car + 1234 (Example: Civic1234)
Website Name + Graduation Year (Example: Facebook2016)
How many of us are guilty of adding a “1” or “!” to the end of our passwords (Example: iLoveMoney1!)?
I hate to break it to you: This doesn’t actually make them more complex. (2)
What is the answer?
While there is no foolproof method to eliminate Phishing altogether, one way to reduce your risk is the use of extremely complex passwords that are randomly generated and unique to each of your accounts. Since humans value convenience over security, and the only secure password is the one you can’t remember (3), we should all be using a Password Manager.
What are Password Managers?
Simply put, a password manager will generate and store unique and complex passwords for all of your accounts. Instead of having to memorize or write down multiple passwords, the password manager will save them for you in a secure vault.
Instead of weak, human-generated passwords like “Winter2020”, the password manager will generate something like this: “u!K)Xq8mRYxM3N=h5”.
To unlock your password vault, you only have to remember one password, known as the Master Password. It’s recommended that your Master Password be a passphrase (4), such as “Lunch@12!Sandwich@Noon”.
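To make the "complex versus memorable" point concrete, here is a small added example (my own illustration, not code from the article or from any password manager): it generates a password the way a manager does (from a cryptographically secure random source), compares the entropy of that password with the Season + Year formula from above, and flags passwords that follow that formula. The alphabet size, the assumed 30 plausible years and the regular expression are my own assumptions.

```python
import math
import re
import secrets
import string

# Alphabet a generator might draw from: letters, digits and punctuation (94 symbols, assumption).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=17, alphabet=ALPHABET):
    """Draw each character independently from the CSPRNG behind `secrets`
    (never random.random(), which is predictable)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(choice_counts):
    """Entropy of a human 'formula' password: log2 of the number of ways to fill
    each slot, e.g. Season + Year = [4 seasons, 30 plausible years] -> ~6.9 bits."""
    total = 1
    for n in choice_counts:
        total *= n
    return math.log2(total)


# Constructed pattern for the Season + Year formula with an optional "1"/"!" suffix.
WEAK_SEASON_YEAR = re.compile(
    r"^(spring|summer|fall|autumn|winter)(19|20)\d{2}[1!]{0,2}$", re.IGNORECASE
)


def matches_weak_pattern(password):
    """True when a password follows the guessable Season + Year formula."""
    return WEAK_SEASON_YEAR.match(password) is not None


if __name__ == "__main__":
    print("generated:", generate_password())
    print("17 random chars from 94 symbols:", round(random_entropy_bits(17, len(ALPHABET)), 1), "bits")
    print("Season+Year:", round(pattern_entropy_bits([4, 30]), 1), "bits")
    print("Season+Year plus '1'/'!' suffix:", round(pattern_entropy_bits([4, 30, 4]), 1), "bits")
    print("Winter2020 matches weak pattern:", matches_weak_pattern("Winter2020"))
```

Appending one of the four suffixes (none, "1", "!", "1!") adds only two bits to the formula password, while the generated 17-character string sits above 110 bits.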
Which Password Manager should I use?
There are a few different options to choose from, but the most popular are:
They all have similar features and similar pricing, so it really just comes down to preference and which company you believe is the most trustworthy. All of these options have apps for Windows, Linux, macOS, iPhone, Android, ChromeOS, and browser extensions for Chrome, Firefox, Safari, Edge, and Opera.
These applications can “sync” your passwords across different devices and automatically fill in your password for you when you’re browsing online. They can optionally alert you if one of your accounts is breached, and some can even automatically change your password for you.
You can also import and export your passwords between them, if you find one does not have the feature set you’re looking for. None of them are perfect, but they’re much better than not having one at all. (5)
About the Author: Kevin Kipp is a Cyber Security Analyst II at Tokio Marine HCC. He currently holds multiple industry certifications, serves on the GIAC Advisory Board, volunteers for CSNP, and is a lifelong learner. To read additional content by Kevin, visit his website Left Hand Tech.