In an age where we rely on online services and accounts to an ever-growing degree, it is increasingly important to maximize digital security. This can be done in a variety of ways. The topic this article will focus on, our second in the series on entering the “one percent” of digital security, is password management. Find the first article here.
All accounts require some kind of identification, usually in the form of a username and password. Most people know that they should be using unique, strong and (hopefully) memorable passwords on all of their accounts. Even with these “memorable” passwords though, it amounts to a LOT of information that really, our brains just are not designed to be good at remembering.
Some examples of these accounts are:
- Email (personal, work, etc.)
- Social networks (Facebook, Twitter, LinkedIn, Snapchat)
- Cloud storage options (Dropbox, Google Drive, Box, Skydrive, Evernote)
- Music and video streaming services (iTunes, Spotify, Netflix)
- Travel Websites (easyjet.com, lastminute.com, booking.com, kayak.com, etc.)
- Personal websites with sensitive information, such as internet banking, postal account, utilities accounts, insurances, etc.
The list goes on and on! If remembering passwords wasn’t hard enough, usually they have to be associated with a unique identifier, the requirements of which differ from site to site. For example, Facebook uses an email address or phone number to log in; Twitter, Instagram and Evernote require usernames (although Twitter now accepts emails as identifiers as well) and certain banking websites require assigned numeric identifiers (i.e., a user number that is assigned by the company).
Hence, most people certainly don’t remember unique, secure passwords for each individual site. Moreover, they do things that are specifically bad practices: using the same password across multiple sites; writing down the passwords on a piece of paper; or saving them in an unsecured Excel or Word file, to name a few.
The Security - Convenience Compromise
While having strong and unique passwords raises our security, it certainly negatively impacts convenience in accessing all of these accounts. One can think of this as a sliding scale of security vs. convenience, as shown below:
As we approach one end of the scale, so we move away from the other. Having to reset one’s password is a frustrating affair, especially when one is forced to do it for multiple sites and is forced each time to try and create a new strong and unique password.
But there’s hope!
Luckily for us, this growing dependency on connected accounts and frustration with creating and remembering passwords has been recognized. There now exist a number of useful tools which not only help us manage our ever-growing mountain of passwords, but also provide several other useful features. These tools are called (perhaps unsurprisingly) password managers, but their functionality extends far beyond typing a password into an Excel sheet.
What do password managers do?
As the name suggests, password managers are systems specifically designed to store and manage your passwords for you. They provide a secure repository of passwords, either locally on your device, or online, stored in the cloud. Certain systems go further, creating a kind of “digital wallet”, where sensitive information such as bank account numbers, PIN numbers and passport copies can be stored in a secured, encrypted vault.
You may, in fact, have already used a password manager in the past. Web browsers such as Internet Explorer or Firefox have little pop-up boxes asking you if you would like the browser to store the password for you. That is the browser’s built-in password manager in action. Dedicated password managers work the same way, albeit being much more secure and extending this service by offering cross-platform access to your passwords, as well as password suggestions and form autofill options.
Sorry, auto-what?
Autofill. This is a feature whereby when you need to fill out a form, for example creating an account on amazon.com, the password manager will do it for you. Where you need to fill in all the fields of First Name, Last Name, Address, Telephone Number, etc., the password manager will fill in the blanks from a pre-created template. It boils down to you filling in a sample form just once and saving it in the password manager. After it has been saved, you just tell the password manager to fill all subsequent forms using the chosen template. This can save a great deal of time when one has to fill in the information over and over again.
So how secure is my information?
This is an excellent question. After all, no-one wants their information floating around freely on the web. All the better-known password managers provide encryption, more specifically E2EE, or “End to End Encryption”, which is the most secure encryption method generally available. Simply put, it means that if your passwords are stored in the cloud, they are encrypted before ever leaving your device. So even if the company suffers a breach, none of the information can be read. Think of this as a bank vault of safety deposit boxes – even if the bank’s vault is compromised, your information is safe within its own little box, away from prying eyes.
As an alternative though, some password managers are installed directly onto your machine and are basically a little password-protected program that lives only on your computer. You log in to the program and it stores, retrieves and fills your passwords for you. Should the company be hacked, your passwords have never left your computer, so are completely safe. The danger with this type of method is the same as that of having an on-site back-up: if the computer gets stolen then your passwords go with it, unless you have already synced them to a different device.
Whether you opt for a cloud storage option or the syncing option, one of the big advantages to modern password managers is the ability to use them across devices. This means that if you create an account on your computer and use your password manager to store a password, you can then use the same password manager next time around to log into your newly created account on your tablet or phone. This is a huge advantage as it avoids dependence on having the passwords in one place and needing to refer back to that single device in order to look them up for future access. Rather, your passwords are either automatically or manually synced across all authorized devices.
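The encrypt-before-upload idea described above, as an added example in Node.js (it is not code from this article or from any particular password manager). The function names, sample entry, master passphrase and scrypt cost settings are all assumptions made for the illustration; the point is that the sync server only ever holds the sealed blob, and a second device can open it only with the master password.

```javascript
const crypto = require("node:crypto");

// Stretch the master password into a 256-bit key. The salt is not secret and
// is stored with the vault; the scrypt cost settings are example values.
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32, { N: 2 ** 14, r: 8, p: 1 });
}

// Runs on the user's device: returns the only thing the sync server ever sees.
function sealVault(entries, masterPassword) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(masterPassword, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(JSON.stringify(entries), "utf8"), cipher.final()]);
  return { salt, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Runs on another authorized device after downloading the blob.
// Throws if the master password is wrong or the blob was modified.
function openVault(blob, masterPassword) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", deriveKey(masterPassword, blob.salt), blob.iv);
  decipher.setAuthTag(blob.tag);
  const plain = Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]);
  return JSON.parse(plain.toString("utf8"));
}

// Constructed sample data (hypothetical site, user and passwords).
const sampleEntries = [{ site: "bank.example", username: "user-0001", password: "constructed-sample-Pw!" }];
const MASTER = "constructed master passphrase for the example";

// What someone who breached the provider would hold: no key, no plaintext.
function serverCanSeePlaintext(blob) {
  return Buffer.concat([blob.salt, blob.iv, blob.ciphertext, blob.tag]).includes("constructed-sample-Pw!");
}

// Returns the decrypted entries, or null when authentication fails.
function tryOpen(blob, password) {
  try { return openVault(blob, password); } catch (err) { return null; }
}

const blob = sealVault(sampleEntries, MASTER);
console.log("plaintext visible to server:", serverCanSeePlaintext(blob));
console.log("opened with master password:", tryOpen(blob, MASTER)[0].site);
console.log("opened with wrong password:", tryOpen(blob, "123456"));
```

Everything now rests on the master password: it never leaves the device, so it is the one password that still has to be both strong and remembered.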
I’m still not sure if I want to…
The bottom line is: using a password manager, even at its most basic level, is more secure than using common words or word combinations for a password. The most widely used password worldwide is “123456”, followed closely by “password”.
Even passwords we think are secure are not really, and this is due to the predictability of human behavior. Without getting into the nitty gritty, it comes down to us humans creating passwords based on things we find easy to remember. Our names, or names of loved ones or pets, bands, sports teams, movies, etc., are all predictable and so are poor password choices. Even combining words or adding capitals, if done in a predictable fashion, doesn’t help, so TheExpendables3 is still a terrible password.
Alright, I’m in! So how do I get started?
First off, you need to choose your password manager. There are several excellent free options available, but once you get comfortable, you may want to opt to upgrade to a premium version of the service. Luckily, most have free trials or are offered as what’s called “freemium” ware, whereby you are provided access to a complete yet limited range of tools, and becoming a premium member will unlock additional features.
For an up-to-date list of password managers, including reviews of the services and features available, check out PCmag UK’s list of Best Password Managers of 2016. One notable absence from this list is the superb 1Password, which has been a staple of Mac users for years. If you’re a Mac user, this is also worth consideration.
Next up, you’ll want to set up your account and start storing passwords on it. This is easy to do as usually all it requires is logging into a site while your password manager is active and it will prompt you to save the password automatically. Different providers offer slight variations on this, but the idea is to get all of your passwords into the password manager.
What is slightly more tricky, but which your password manager can help with, is updating existing passwords and replacing them with the complex passwords generated by the software. Don’t worry about having to remember the passwords or being intimidated by what they look like; the password manager is here to do the heavy lifting for you. Just remember to save the updated password into the manager once it has been changed (most will provide a pop-up prompt).
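To make the contrast between human-chosen and generated passwords concrete, here is an added example in Node.js (not taken from this article or from any password manager's code). It generates a random password the way such software can, and flags the "known words plus a digit" pattern discussed earlier; the character sets, the tiny wordlist and the function names are assumptions for the illustration.

```javascript
const crypto = require("node:crypto");

// Example character classes; real products let the user choose these.
const CLASSES = {
  lower: "abcdefghijklmnopqrstuvwxyz",
  upper: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
  digit: "0123456789",
  symbol: "!#$%&()*+-=?@[]^_{}~",
};
const ALPHABET = Object.values(CLASSES).join("");

// Draw every character uniformly with crypto.randomInt (no modulo bias).
// Candidates missing a character class are discarded and redrawn whole,
// so accepted passwords stay uniformly distributed.
function generatePassword(length = 20) {
  if (length < 4) throw new RangeError("length must be at least 4");
  for (;;) {
    let pw = "";
    for (let i = 0; i < length; i++) pw += ALPHABET[crypto.randomInt(ALPHABET.length)];
    if (Object.values(CLASSES).every((set) => [...pw].some((c) => set.includes(c)))) return pw;
  }
}

// Upper bound on the entropy, in bits, of a uniformly random string.
function entropyBits(length, alphabetSize = ALPHABET.length) {
  return length * Math.log2(alphabetSize);
}

// Constructed mini wordlist standing in for the lists of names, bands and
// movies that make human choices guessable.
const WORDLIST = new Set(["the", "expendables", "password", "dragon", "arsenal"]);

// Flags the human pattern described above: known words, capitalised,
// optionally followed by a few digits (e.g. TheExpendables3).
function looksPredictable(pw) {
  const m = /^([A-Za-z]+)(\d{0,4})$/.exec(pw);
  if (!m) return /^\d+$/.test(pw); // all-digit strings such as 123456
  const words = m[1].split(/(?=[A-Z])/).map((w) => w.toLowerCase());
  return words.every((w) => WORDLIST.has(w));
}

const generated = generatePassword();
console.log(generated, "predictable:", looksPredictable(generated));
console.log("TheExpendables3 predictable:", looksPredictable("TheExpendables3"));
console.log("bits for 20 random characters:", entropyBits(20).toFixed(1));
```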
Finally, enjoy your increased digital security and the efficiency of auto-filling forms and passwords! When shopping for a service, be sure to check out their little instructional videos, usually on their homepage and usually around a minute long. They will do a much better job of explaining the uses of each system and how best to get started with it!
Photo credit: Ridvan çelik via istock.com (standard license)