Spotlight: Password Managers

Posted September 6th, 2017 at 2:42 pm.

What’s a Password Manager?

“A password manager is a software application … that helps a user store and organize passwords. Password managers usually store passwords encrypted…”

Wikipedia

Why do you need one?

There’s a password for everything in your life.

You have a username and a password for places you shop, bank and credit card websites, email accounts, places you store files or photos, and any number of other sites and services.  You may also have passcodes for when you call some companies by phone.  In addition, you set “security questions” in lots of places.

You also have credit card numbers, dates and security codes, addresses, and other frequently typed values you might want to securely store for reuse.

They should not be the same.

If you need to remember your passwords or create them on your own, you will choose things you can easily remember, and will often choose the same password for many sites.  If you use that password on one site with poor security (or which is fraudulent), any site where you use that password is compromised.  You might think “that’s not so bad, it’s not my bank password.”  But are they sites where you have a credit card stored?  How about social media sites? What information can an identity thief find from these sites?

“Many people — maybe even most people — reuse passwords for different accounts. Some people may even use the same password for every account they use. This is extremely insecure. Many websites — even big, well-known ones like LinkedIn and eHarmony — have had their password databases leaked over the past few years. Databases of leaked passwords along with usernames and email addresses are readily accessible online. Attackers can try these email address, username, and passwords combinations on other websites and gain access to many accounts.

Reusing a password for your email account puts you even more at risk, as your email account could be used to reset all your other passwords if an attacker gained access to it.”

-Chris Hoffman, https://www.howtogeek.com/169847/how-attackers-actually-hack-accounts-online-and-how-to-protect-yourself/

Your passwords need to be stronger.

Any 8-character password, no matter how complex or random, can be cracked in just minutes.  Security professionals are now recommending 16 or more characters.

How can you keep up with having many unique, long, complex passwords and keep them all safe?  That’s what a password manager does for you.  Most password managers will generate unique passwords for you, and store them safely so you never have to type them.
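To make the 8-versus-16-character comparison concrete, here is an added example (not part of the original post) that generates a random password the way a password manager would and estimates the worst-case time to exhaust every password of a given length. The guess rate is an assumption chosen for illustration, and the function names are hypothetical.

```python
import math
import secrets
import string

# Letters, digits and punctuation: 26 + 26 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumption (not from the post): an offline attacker testing 10^13 guesses
# per second against a leaked database of fast, unsalted hashes.
ASSUMED_GUESSES_PER_SECOND = 1e13


def generate_password(length=16, alphabet=ALPHABET):
    """Draw each character uniformly from the alphabet using the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(length, alphabet_size=len(ALPHABET),
                       rate=ASSUMED_GUESSES_PER_SECOND):
    """Time to try every possible password of this length at the given rate."""
    return alphabet_size ** length / rate


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", 31_557_600), ("days", 86_400),
             ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    for n in (8, 12, 16):
        print(f"{n:2d} chars  {entropy_bits(n):6.1f} bits  "
              f"{humanize(worst_case_seconds(n))}")
    print("sample 16-character password:", generate_password(16))
```

Each extra character multiplies the search space by 94, so doubling the length from 8 to 16 squares it. These figures only hold for randomly generated passwords; a human-chosen password of the same length falls much faster.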

Can’t I save passwords in my browser?

CAN does not equal SHOULD.  Most browsers (Chrome, Internet Explorer, Firefox, Safari, etc.) will save passwords and other information.  In fact, some will either do so automatically, or offer again and again.  This doesn’t mean it’s a good idea.

  • Passwords stored in your browser may not be stored encrypted. Even if they are encrypted, it is often a simple encryption, and they can be revealed with little effort and few security checks.
  • Browsers do not require a strong master password to access stored passwords.  While they let you set one, they don’t force it.  If you haven’t configured your preferences to be far more secure than the default, your passwords are open to anyone who sits down at your computer.
  • Syncing to a browser’s password sync service may not be secure. Several browser manufacturers have suffered hacks in this area, and while they have improved, their goal is convenience more than security.

In short, using your browser’s password storage is better than a post-it on your monitor, but not by much.  It can enable you to use more unique passwords (which is the most important thing), but it doesn’t necessarily protect those passwords very well.

How do I choose a password manager?

“A password manager should disappear until you need it, do its thing quickly and with minimum interaction, and require as little thought as possible (even when switching browsers or platforms). And the barrier to entry should be low enough—in terms of both cost and simplicity—for nearly anyone to get up to speed quickly.”

– Joe Kissell, WireCutter/EnGadget, https://www.engadget.com/2017/02/24/the-best-password-managers/

What are the important factors?

  • What computers/operating systems do you use?
  • Do you have a smartphone and/or tablet? What kind?
  • What kinds of accounts/rights do you have? What is stored in your accounts?
  • Do you need to keep work and personal passwords separate?
  • Do you need to share some accounts with someone in your household?
  • How easy is it to use?
  • Does it integrate with your browser/smartphone?
  • Does it need to be free? Cheap?
  • How secure is it?
  • Where is data stored?
  • Who holds the keys to the data/where is it encrypted?

That’s a lot!  What do experts say?

  • There are many options and many opinions depending on what you need and what you’ll put up with.
  • LastPass and 1Password show up on almost every list.  Please note that while 1Password is indicated as being best on Macs, it also works very well on Windows.

This image shows the logo for 1Password, which is a password manager made by AgileBits, and costs $36 per year. The text in the image states, “A more powerful choice for Mac and iOS. If you’re willing to pay a bit more for all the bells and whistles, along with excellent security, 1Password is the password manager to beat -- though not all of its features are yet available on Windows, and it doesn’t work on Chrome OS.”

This image shows the LastPass logo. The text in the image states, “The best password manager for most people. LastPass has lots of great features, is easy to use, and supports virtually every platform and browser. Most features are free, and the Premium subscription is less expensive than the competition. $12 per year.”

-WireCutter/EnGadget

What does LITS Support or Recommend?

In short, LITS does not support or recommend any password manager.  We issue all community members only one credential which needs to be typed on login (about the only time a password manager isn’t so helpful).  While some community members have many other work passwords for which a password manager is a great idea, it’s not a broad need.  LITS staff members use a variety of solutions to best suit their needs, including 1Password, LastPass, KeePass, and others.

The companies that provide these solutions have great help sites including both docs and video to get you started.

Any last thoughts?

Choose a strong, memorable master password.  You’ll need to type it every day, probably more than once.

You may have to try more than one password manager to find what’s right for you.  Be prepared to spend some time changing your habits and learning the new tool.

Great Reading and Viewing

Filed under: Announcements Tags: by Amy Pearlman
