The Most Essential Security Measure You're Not Taking

There is no shortage of company data breaches occupying the news cycle in today’s digital age.

It is quite likely that at least one business for which you have an account has suffered such a breach. In these cases, it is possible that your password can be observed or recovered by attackers and made available to cybercriminals on the dark web. If your password is stolen like this, then you are at risk of someone impersonating you by accessing your accounts on websites and applications. For those that reuse passwords or use variants of the same password, this could mean losing access to email, online banking, healthcare, and social media accounts.

This can happen all at once and without your knowledge – which is quite a harrowing thought. Fortunately, the above scenario can be mitigated through the use of a password manager.

A password manager is a program that securely manages the usernames and passwords that you use to log in to websites.

By that definition alone, it does not sound very groundbreaking; however, it is one of the most important tools for protecting your identity and keeping your accounts safe.

Let's talk about it...

Pros:

A Different Password for Every Website
If you use the same password (or variations of the same password) for every website and application, then you are placing yourself in the high-risk, code-red danger zone. If an attacker were to steal your password from just one website, then every account that shares that password could be targeted and compromised. Do not assume that varying the number or the special character at the end of your base password is enough to keep you safe either: attackers can figure out those patterns too.

Herein lies the beauty of using a password manager: you can easily create and store a different password for every application and website. This means that each password, if stolen from one account, will not give the attacker access to any of your other accounts.

Long, Complex, and Fully Randomized Passwords
Password managers can generate passwords that no human or computer is likely to guess, brute force, or reverse engineer from a password hash (known as password cracking) in this lifetime or the next. Not only will all your passwords be different, but each one will be effectively invincible—unless, of course, the application is storing the password in plaintext or reversible encryption, but then again, there is no user-level defense for this poor coding practice.

No Need to Memorize
Sure, you could achieve the above benefits without a password manager, but you would need to store and remember every one of those long and unique passwords in your head, which is impractical, if not impossible. A password manager provides a secure, convenient mechanism for storing and accessing these passwords whenever you need them.

Safer Than a Word Document
It is tempting to simply write down all your passwords in a text document or spreadsheet for storage and retrieval. However, there are several flaws with this approach. To begin, anyone who logs in to your computer could view that document and steal your passwords. If your device is stolen, an attacker could remove the hard drive and still access the document without ever having to log in.

A password manager allows the user to “lock” the password database (also known as a vault) periodically or when not in use.

By locking the vault, all your passwords remain encrypted and unreadable, even if the hard drive were removed and examined. The user does this by setting a master passphrase to unlock and decrypt the vault. In this way, the user only has to memorize a single passphrase in order to access countless passwords.

Some individuals may be lulled into a false sense of security by the feature of encrypting or password-protecting a Word document or Excel spreadsheet. This, too, falls short of a secure practice: weaker encryption algorithms can be used in Microsoft’s implementation of this feature, making it easier to crack the master password and decrypt the document. Reputable password managers overcome this weakness through the use of strong encryption algorithms, multiple rounds of encryption, and salted hashing algorithms.

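To make the two ideas above concrete (fully randomized passwords from the earlier section, and a vault key derived from a master passphrase with a salt and many rounds), here is an added Python example; it is not code from the original post or from any password manager named on this page. Function names, the 94-character alphabet, the 600,000-iteration default and the sample passphrase are all assumptions constructed for the demonstration.

```python
import hashlib
import math
import secrets
import string

# Character set the generator draws from: the 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length: int = 24) -> str:
    """Draw each character uniformly at random from ALPHABET using the OS
    CSPRNG (secrets), never random.random, whose output is predictable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits: float, guesses_per_second: float = 1e12) -> float:
    """Years needed to try every candidate at a given guessing rate."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)

def new_vault_salt() -> bytes:
    """A fresh random 16-byte salt, stored next to the vault in the clear."""
    return secrets.token_bytes(16)

def derive_vault_key(passphrase: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Stretch the master passphrase into a 256-bit vault key with
    PBKDF2-HMAC-SHA256. The salt defeats precomputed tables; the iteration
    count is the 'many rounds' that make each attacker guess cost as much
    as one legitimate unlock. (Iteration default is an assumption.)"""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=32)

if __name__ == "__main__":
    pw = generate_password()
    bits = entropy_bits(len(pw))
    print(f"{pw}  ~{bits:.0f} bits, ~{years_to_exhaust(bits):.1e} years "
          f"to exhaust at 1e12 guesses/s")
    # Constructed master passphrase for demonstration only.
    salt = new_vault_salt()
    key = derive_vault_key("example master passphrase", salt)
    # The same passphrase with a different salt yields an unrelated key.
    assert key != derive_vault_key("example master passphrase", new_vault_salt())
    print("vault key:", key.hex())
```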
Peace of Mind Amid Breaches
With the assurance of using a unique, unrelated password for each web service, a breach of one service comes with the peace of mind that your accounts across all other services are totally safe. You need only change the one password for the breached service, and then you are good to go (note that a breach of your email account is an exception to this, as it can be leveraged to reset passwords to other services).

This peace of mind is best appreciated when experiencing the inverse scenario, where you find out a password has been hacked, and you need to log in to every account you can think of to change the passwords, always wondering if there was one account you forgot to change that may still get hacked…

Quick, Simple, and Faster than Typing
While a password manager sounds nice, some may infer that it takes a lot of extra time and effort to use. This is far from the case. Password managers are designed with ease of use in mind so that people are more likely to use them. Once you become familiar with the functionality and shortcuts of your password manager, retrieving and copying a password will take you less time than typing it out would have. Some password managers go further by offering browser extensions that automatically input your login information upon visiting a site.

Now that you are educated on the tremendous benefits of a password manager, let’s discuss a few of the drawbacks you may encounter.

Cons:

The Master Passphrase is Everything
As mentioned earlier, the password manager requires the user to remember one (and only one) password: a master passphrase that is used to unlock the vault of all the passwords. If you forget your master passphrase, all of your passwords will be irrecoverable.

To mitigate this, it is recommended to memorize the password to your primary email address. That way, you can log in to that account and receive emails to reset your passwords for many of the websites and applications that may have been lost in the vault.

Everything on One Device
The password manager stores all of your passwords locally on your device, but on the rare occasion that you need to perform a login without having that device nearby, you will be unable to do so. Furthermore, if your device is damaged, lost, or stolen, then you will lose your password vault and suffer the same consequences as forgetting the master passphrase. However, by performing periodic backups of the data on that device, you can have the assurance that you can recover all passwords that are present on the most recent backup.

Some password manager providers offer cloud-based, encrypted storage of the password vault and can sync passwords to multiple (even mobile) devices. This service negates the dependency upon a single device, but it introduces the risk associated with giving all your passwords to a third party.

It Can Still Be Hacked
Yes, it’s true. A password manager is still a piece of software, and therefore it can be compromised. But this shouldn’t deter you, for several reasons. For one, it is far more likely that your weak and reused passwords will be exploited long before your password manager will be compromised. Second, in order to steal your password vault, an attacker would need to hack your device in some other way; at that point, the attacker has already achieved control of your computer. If the attacker did not have a password vault to steal from, they would simply steal from browser caches, future logins, or (perish the thought!) a text file of passwords.

Marginally Inconvenient
It is true that it is slightly faster to punch in a one-for-everything password than to generate and store unique passwords in a password manager. Some people find this process to be clunky, time consuming, and too much work at first, so it turns them off from using such a tool. Integrating a password manager into your daily workflow does take a little getting used to, but after a little practice, you’ll be able to use it with such speed and efficiency that you forget life before it.

Final Thoughts

With the many sophisticated, secure, and simple password managers on the market today, there is no excuse to not be using one. In a world where so much of our sensitive information is stored on servers available to anyone with an internet connection, password security is of vital importance. A password manager is a superior tool for protecting your accounts and keeping your information out of the wrong hands. Of course, the greatest security benefits are achieved by coupling strong passwords with multi-factor authentication, but that is a blog post for another day (in the not too distant future).

At SEVN-X, we are vendor agnostic in terms of product recommendations. That said, here are a few password managers that we use, all of which are available for free:

KeePass: A trustworthy password manager with terrific documentation
MacPass: A macOS port of KeePass
Avast Passwords: Praised for its user-friendly interface and optional paid features
