We all feel it. There is an extra level (or five) of pain that we have to go through to be safe online. As security specialists we are stoic… or at least we complain and then take the required steps anyway. Passwords are a contentious topic, without a standard answer.
In a previous Insight I pointed out the surprising number of people who would carry on using a password after being told it had been compromised. Another alarming statistic is the simplicity of the most commonly cracked passwords. Simple infractions, like reusing passwords, choosing predictable ones, or sticking hard copies of them to the very devices they unlock, are all commonplace. This is clearly because remembering dozens of unique passwords is near impossible. One solution recommended by the NCSC is to use a password manager, though there are, of course, associated downsides. I would like to discuss those difficulties and make some suggestions for overcoming them. Let’s talk.
Password Managers are Hard to Use
The complexity of a given password manager is generally proportional to how much security it buys you. Most come with browser or mobile integration, so you can fill in passwords without opening the manager itself. At the lightest end of the spectrum you have the password manager built into Google Chrome, or the Keychain that comes installed on your iPhone or Mac. These are quick and easy options that will already make you more secure than your peers in the accounting department (maybe not so much my peers).
This step alone makes you far less likely to fall victim to an untargeted attack. Such attacks are scattershot: the people behind them don’t hang around trying to get past even simple defences, because by then they have already broken in somewhere else, or given up. Truly, you only need to be better prepared than the least secure 10% of internet users to avoid getting your password pwned.
Password Managers Tie You to The Device That They are Installed on
I believe, in this day and age, that this is more perception than fact. Most password managers keep an encrypted copy of your vault on the vendor’s servers, so you can install the same app on every device and get at the same data. In the worst case, where you’ve gone with a solution that doesn’t share data between devices, make that device your mobile phone. You bring that everywhere with you anyway, don’t you?! If you are ever caught without it, password resets are generally fairly seamless. All you need is to have remembered the password for your primary email address, which is good advice in itself.
A Password Manager Puts All Your Eggs in One Basket
As much as you let it, but yes, there is a tendency to store all your passwords in the same password manager, and that is not a bad thing. In general, I’d say ‘don’t worry about it’. Unless you are of particular interest to an attacker, no one is going to put extra effort into breaking into your password manager, and the vendors have staked their whole business on making sure it isn’t worth the effort to get at your individual passwords.
Some managers also offer to take care of MFA (Multi-Factor Authentication) codes for you. Now that rings alarm bells for me! I keep well away from that personally, because it really is putting all your eggs in one basket. MFA is there to prove you are yourself by several independent means; if the password and the second-factor code both come out of the same vault, a compromise of that vault hands an attacker both at once, and a single action has replaced the multiple factors. I’m sure there are those who disagree with me, but that’s my two cents.
If you are someone who may be the target of a direct attack, for example because you have access to government secrets or to customer bank account numbers, then you’ll need to take some extra steps. At this level I’d recommend doing your research and being sure of the professionalism of the company you are trusting your passwords to. Many password managers also offer to protect the vault itself with MFA. For their efforts on both of these points I’m a fan of NordPass, though the traits that attract me to them are hardly unique.
My Final Thoughts & Opinions
Security is hard, especially when you are on the defence, but, much like everywhere else in life, we should be trying to improve. The commonly recommended steps for keeping safe online, password managers and MFA, go a very long way towards ensuring you never suffer a personal breach. The only thing I have tried to say beyond that, in the previous few hundred words, is that the only passwords you should need to remember are the ones for your primary email address and for the password manager itself. After that, each of your passwords should be unique and stored in a manager of some form, even if it is the simplest one available to you.
We have published various Insights on the topic of passwords if you are interested in deeper thoughts on the subject.