Do you know what proper password management looks like?
In a nutshell, there are four best practices for keeping your passwords secure:
- Each account should have a unique password.
- Each password should be randomly generated.
- Each password should be regularly updated.
- Multi-factor authentication (MFA) should be enabled for each account.
Following these principles will protect your firm’s credentials from the bad guys. But here’s the issue…
Password management—without the right technology—isn’t easy. No one wants to memorize two dozen (or more) distinct passwords. Because recall of complex codes isn’t practical, most people use a shortcut that’s riskier, but more convenient.
Typical password management
Sometimes, a person will create a strong password that contains letters, numbers, and symbols. Unfortunately, he or she will then use that single password across every site. This increases cyber risk, because once a hacker figures out the password, every account that shares it is compromised.
Other individuals have passwords that differ from each other but record these codes in books or on sticky notes placed on computer monitors. The problem is, these methods require no authentication to view sensitive information. A security breach is as easy as opening a notebook or walking into a room.
What’s the answer to the apparent dilemma between convenience and mitigating your risk?
It’s called a password management tool.
Password management made easy
A password management tool is an application that provides a centralized location to safely store the passwords for all your online accounts.
At Proactive IT, we recommend LastPass, one of the most used and most secure options available. Free for individuals, LastPass has created a plug-in for virtually every internet browser and mobile device and can help you meet three of the best practices outlined above:
- Unique. Because this plug-in saves your data, there’s no need to repeatedly use a memorized password.
- Random. LastPass will actually provide random, long, and complex passwords on demand.
- Updated. Not only does the app prompt you to update your passwords, but it also saves any changes you make.
(LastPass can also hold credit-card data, Wi-Fi passwords, etc.)
With this software, the only password you’ll need to memorize is the one you use to access your tool—your master password. Because this credential provides access to all your other passwords, you’ll need to keep it in your head and ensure it’s a strong password.
But no matter what management app you use, MFA is a must. Just because you don’t write down your master password doesn’t mean it can’t be stolen (think of a keylogger). MFA provides important protection against this risk.
Why doesn’t everyone use password management software?
If a password manager is so helpful, why do people still resort to sticky notes or other methods that don’t align with best practices?
Perhaps one reason is a lack of awareness. Not everyone knows that password management tools exist.
But there’s also the issue of trust. The fact remains that you’re giving one organization all your passwords. However, while there’s no guarantee that you won’t be hacked, in general, using this tool mitigates your risk. Here are some things to consider:
- Conduct your due diligence. Learn whether the organization you’re researching can offer evidence of robust security. Study the methodology.
- Think about vested interests. Realize that reputable companies are highly incentivized to keep your data secure. One breach, and they forfeit their credibility.
- Look at the track record. I’d imagine cybercriminals have password-management data in their crosshairs. If a vendor has a long, compromise-free track record, that says something.
- Remember MFA. If you’re still feeling unsure, don’t forget that MFA can help if passwords are stolen.
It’s up to you to weigh the positives and negatives and determine whether using a password management app is an acceptable risk. Hopefully, this Tech Tip will help you make a decision. (If you have further questions, feel free to call 704-464-3075 or write us at info@weareproactive.com.)
By the way, did you catch the previous Tech Tip? If you didn’t, go here to read Sterling’s advice about finding sent emails in Outlook.
About Brad Link
Brad serves as our Senior Network Engineer and technical team lead. He designs and implements numerous IT solutions, and our clients benefit from his expertise in networking, cybersecurity, Microsoft products, and more. While you might find him conducting virtual CIO work or product research, he spends a good chunk of his day answering everyone’s questions about everything.