• Farzan Mirza

Password Managers - What are they? And how can we utilise them?

We are all familiar with passwords. They are used every day as a protective layer for our accounts and systems. As we stated in our previous article, passwords are notorious for being poorly utilised, which makes them a common factor in data breaches.

In this article we will explore password managers further. They are presented as a solution, but they need to be implemented correctly to be effective.

What are password managers?

A password manager is essentially a software application designed to store and manage online credentials, such as usernames and passwords. Think of it as a bank for all your passwords to be securely stored within.

A password manager company, NordPass, conducted a study which found that the average internet user has around 100 passwords! This raises many issues. At the end of the day, we are humans, not hard drives! If a solution exists that requires us to remember just a single password, surely this is more feasible and scalable than remembering 100?

Why password managers?

Although no solution is perfect, password managers help mitigate a lot of the threats associated with poor password security.

They are not “unhackable”; however, password managers are extremely secure when used well.

  • They help create strong, unused and unique passwords that will mitigate many risks with passwords such as being generic and easy to guess - especially if your password has already been part of a data breach.

  • Also, it will stop you reusing the same password on multiple accounts. If a password becomes compromised, only one account will be linked to that password.

In addition to the security benefits, password managers help solve the issue of account lockouts from forgetting passwords. We’ve all been there, trying to remember where you put the “!” in your password, eventually having to click the infamous “forgot password” button. You probably haven’t considered how much time resetting passwords adds up to. In a study conducted by Yubico, respondents were found to spend an average of 12.6 minutes each week, or 10.9 hours per year, entering and/or resetting passwords.

Password manager features like autofill make it very easy to log in without needing to type a password. You simply store a username, password and URL for a website. This means that when you visit a site such as LinkedIn, the password manager will automatically fill the relevant fields with your credentials for logging in.

Password managers are also very cost effective. The majority of password manager solutions are priced between £2 - £4 a month per user.

Storing everything in one place cannot be secure can it?

You may be worried about storing all passwords in one place. Like any company, they can technically get hacked. That said, even if an attacker were to hack a password manager, it is near impossible they could gain access to your passwords. That is because most password managers do not store or have access to your master password (the unique password you use to unlock your password manager) or the encrypted information in your password database.

The security of your password manager also depends on having a secure master password. This password is stored on a different server to your encrypted information, which provides another layer of security.

Two-factor authentication (2FA) can be turned on to improve your security. You will have to type in a code each time you log in (usually through an authentication app or SMS/email), but this will provide another layer of protection. Just be mindful that this may become a tedious task, although it is a small price to pay to become cyber resilient!

Ultimately, it's about the comparative risks and likelihood. In the end, weak and reused passwords are more likely to get you hacked than your password manager being breached directly.

Like everything there are flaws:

It would be ignorant and impractical to classify anything as a perfect solution, and the same can be said of password managers. They are not “unhackable” and can be breached, although the likelihood of this is very low.

Password managers can also be fiddly to set up and use, especially for “non-technical” people. A previous conversation we had with an organisation revealed they had adopted but abandoned their password manager due to not figuring out how to use it properly. What good is the solution if it cannot be adopted effectively? This isn’t to say we are at fault, simply some password managers are a challenge (speaking from experience) to use. However, this is something that can be fixed with simple instructional guides and videos.

Key Recommendations for using a password manager:

  • Set a strong master password. This should be something unique that you will remember and have not used anywhere else. Write your master password down and store it somewhere safe if you need to. You can try testers like this BitWarden one to help build a strong master password.

  • When setting passwords for websites you use, create a password 20 characters long with a mix of alphanumeric characters and symbols. Don’t forget you no longer need to remember your passwords, so you can make them as long and complex as you want. The majority of passwords have 8 or fewer characters, so this is more of a precaution to bolster your password strength.

  • Ensure autofill is set up correctly (including a URL) so when you visit a website, the password manager fills in your details for you automatically, making it a nice time saver.

  • Set your vault timeout to a suitable time frame so that you do not have to log in constantly. We recommend a reset on browser refresh.

  • Most importantly, make sure once you have moved your passwords into the password manager, you go through them and change the passwords so they are long, unique and unpredictable. Having a password manager doesn’t improve your security if you don’t change the actual account passwords.
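
To illustrate the recommendations above on 20-character passwords and on reviewing passwords after moving them into the manager, here is an added example (written for this article's advice, not taken from any password manager): a generator built on Python's secrets module, and a check that flags short or reused entries. The function names, account names and sample passwords are constructed for illustration.

```python
import math
import secrets
import string

# Character classes matching the "alphanumeric and symbols" recommendation.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable characters


def generate_password(length=20):
    """Return a random password drawn from the OS CSPRNG via `secrets`."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling: redraw the whole password instead of patching
        # characters in, so every accepted password is equally likely.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Upper bound on the entropy of a uniformly random password."""
    return length * math.log2(alphabet_size)


def audit_vault(vault, min_length=20):
    """Return {account: [issues]} for entries that are short or reused."""
    owners = {}
    for account, password in vault.items():
        owners.setdefault(password, []).append(account)
    findings = {}
    for account, password in vault.items():
        issues = []
        if len(password) < min_length:
            issues.append("shorter than %d characters" % min_length)
        if len(owners[password]) > 1:
            issues.append("reused")
        if issues:
            findings[account] = issues
    return findings


# Constructed sample vault: two imported accounts share one short password.
SAMPLE_VAULT = {
    "mail.example": "Summer2023!",
    "shop.example": "Summer2023!",
    "bank.example": generate_password(),
}

if __name__ == "__main__":
    print("8 chars: %.0f bits, 20 chars: %.0f bits"
          % (entropy_bits(8), entropy_bits(20)))
    print(audit_vault(SAMPLE_VAULT))
```

A random 8-character password from this alphabet has at most about 52 bits of entropy, while a 20-character one has about 131 bits. Human-chosen passwords fall well below either bound.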
