To Password Manager or Not to Password Manager, That is the Question

Surely you have heard this many times before: “Make sure your passwords are as random and nonsensical as possible and save them all in a password manager to keep them secure.”

That seems like pretty sound information, right?

Just lock all your odd combinations of letters, symbols and numbers in a password manager like Lastpass or Dashlane (and YES, you should have waaaay more than one password. Don’t want to bother? Read our article In Search of Secure Passwords and you’ll sing a different tune…) and voila! You’ll never have to worry about weak passwords ever again and it will be a cinch to create and store unique passwords for each site you use.

No more ILovemyMom21….??

And in truth, it’s very solid advice. Using random, unique passwords is one of the most important aspects of a smart cyber-security plan. Sure, using the same old ILovemyMom21 password for all your many logins is easy but it’s anything but secure. Humans are predictable and we tend to stick with obvious word combinations that make sense to us. Then we combine those words in even more obvious ways. And the bad guys and their software count on our predictability. Password-cracking software can make over 300,000 guesses at your combo per second, so it’s going to figure out that you love your mom, sooner rather than later.

So clearly you need one of those weird looking passwords like m_h!S&n2tad_iFdih4da!Wi. But since there is no way for a normal person who isn’t training for the World Memory Championship (Check it out, it’s a real thing, we promise) to remember all that, you need to store them in a place they will be remembered and safe. That’s where password managers come in. Password managers store and lock all those passwords in an online vault, tucked away behind one master password. They even help create those crazy, illogical combinations. And then they auto fill them in on your sites when you log in.

Too Bad it’s Not Perfect

Sound good so far? Well, in theory, this is a smart way to handle all your passwords. But as with anything on the internet, secure password storage is a multifaceted issue and this is an imperfect solution. Password managers, like most internet-connected stuff, can be breached if someone tries hard enough. In fact, in the last 4 months, two of the biggest players in the password manager-o-sphere were hacked or otherwise compromised.

LastPass

First, in June of this year the popular password manager LastPass was hacked. The initial reports surmised that user accounts were not accessed and therefore it wasn’t as horrible as it could have been. Later reports confirmed that user email addresses, password reminders, password hashes and salts were breached.

Need a translation?

“Password hashes” take plain passwords and run them through a set process to create a scrambled value in place of the data. Then “Salts” come along to add in a unique element to that value, scrambling it up yet again. To illustrate, if two people use ILovemyMom21 as a password, applying a hash would result in the same gibberish value for both. Add in salts and you come out with two totally different gibberish values because each one gets their own unique element sprinkled in. So the algorithms that encrypt the passwords were compromised, but not the passwords themselves and no encrypted information, ie, user’s passwords, was breached. But it certainly was a wake up call for the industry.

KeePass

And just last week, researcher for security research firm Security-Assessment, Denis Andzakovic, developed a tool called KeeFarce, a play-on-words of the name of a common password manager, KeePass. The tool was not developed for malicious purposes, but rather to highlight what hacker could, in theory, do and to be used as an assessment tool by businesses to understand how secured their passwords are.

The free tool, which runs exclusively on Windows, extracts password, usernames and urls (uniform resource locator, or simply put, the address of a given webpage) out of memory and then saves that information to a file on the would-be hackers’ computer.

The tool isn’t only for KeePass – it can be used on many different programs, but it needs to be run on a computer that the hacker has access to – one that he has already infiltrated, all which underscores the importance of keeping hackers out of your computer by installing a strong security program.

Uh, So Should We Forget About Password Managers?

Now what you SHOULDN’T take away here is that password managers are a waste of time and effort.

Think about it this way – a breached system without a password manager is in no way better off than one with a password manager and in general, you are much safer with a password manager. According to ArsTechnica.com “on the whole, they provide more benefit than risk when used correctly. That’s because password managers allow average people to generate and store virtually crack-proof passcodes that are unique for every site.” So, yes, you should be setting up an account on the password manager of your choice. PCmag.com has a great article detailing the best password managers and their features.

And then after you have your new program up and running, there are a few things you can do to keep your information as safe as possible even in those doomsday scenarios:

1- Make sure the master password you choose for the password manager is rock-solid – it truly is the gateway to all your information.

2 – Change that all-secure master password often because you never really know when someone may have accessed your information. It’s okay to be a bit neurotic here – change it often to stay on the safe side.

3 – Some security experts recommend leaving your most sensitive information such as your bank logins out of your password manager and memorize them. Hopefully nobody can hack your brain for that information.

4 – There are experts who suggest forgoing the digital password scene all together and recommend a more primitive approach – writing them down. No, don’t write them down on little Post-its all over your office. Instead, take two notebooks, using one for Logins and ID details and the other for passwords and any other pertinent information. Use serial numbers to match logins to passwords. And then hide those notebooks well.

5 – A strong defense is your best line of defense. Set up a strong anti-malware program that keeps your information out of the wrong hands in the first place.

So go forth and set up your password manager or get out those two notebooks, or start reading books on how to memorize EVERYTHING. Just stop using bad passwords like ILovemyMom21. Trust us, it’s worth every bit of effort.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s