Passwords. Love them or hate them, we’ve all got them.
And we’ve all got LOADS of them. I have 586 passwords stored, for 586 different online services. That’s a lot. So how do I remember them?
In this post I’m going to go through the options I considered when deciding where to store my passwords.
Option 1: Use the same password everywhere
This makes life easy, right? I can just use MySuperSecretKidsNameAndHouseNumber as my password, and nobody will ever guess it.
And if I use this password everywhere, I’m never going to forget it. Simple. Done.
I think we all know this is a terrible idea – but not all of us know why.
The reason is that if one account gets compromised, they basically all are – as you’ll be using the same username and password everywhere – and trying your password on another service is one of the first things hackers do when they get hold of it.
Remember MySpace? The dodgy profile we all had, with the dodgy background music? It quite famously got hacked. And all the passwords for everybody’s MySpace accounts are readily available on the Internet.
Who cares if someone has your MySpace password…but if that password is the same as your online banking one, or your email one…
Online services should store your passwords securely, but sometimes they don’t.
So – we’re agreed. We’re going to use a unique password everywhere. Now where to put 586 of them?
Option 2: Sticky notes on the monitor
Very convenient – I only have to move my eyes a few centimetres and there’s my password.
It doesn’t really scale though. 586 sticky notes is going to get messy fast – your office will become more sticky note than office.
Option 3: A little black book of passwords
This is the answer to my sticky note problem. I go and buy myself a nice notebook, and I neatly write my passwords in it. I keep it in my top drawer under my desk – I might even have a lock on that drawer.
This is the best option so far, but it’s not without fault.
If you work in exactly the same place, every day, you’ll always be with your passwords. But one day you might work from home, or you might go visit a client. And when you forget that password book you won’t really be working from home, you’ll just be at home, with no access to anything.
586 of them still won’t scale either – how will I remember which password is on which page?
The other problem with Option 2 and Option 3 is that we are only thinking of hackers as being an online thing.
There’s a very common tactic, where a hacker will gain access to your premises – posing as a potential client, or supplier, or maintenance guy. They’ll walk around, fully escorted of course (except when they nip to the loo, because they are adults and don’t need escorting to the loo do they?).
They’ll pretend they are texting on their phone…while all the time what they are actually doing is recording with their camera phone.
Those sticky notes are all on video now – and available to the hacker to use at his leisure. And the notebook? Well you probably leave that on your desk while you’re close by and only lock it away when you leave for the day – so that’s in the video too.
The final problem with both of these options is business continuity. If your office is burgled or catches fire, the passwords are gone – but your headaches are just starting.
Option 4: Store them in the browser
Storing passwords in your browser seems convenient.
All your passwords are at your fingertips, auto filled for you. They are just there.
The problem is that they are really not secure. With just a tiny bit of know-how they can be extracted in minutes (see the YouTube video “Hacks Weekly #16: How to extract password from the browser?”).
In fact, this technology has actually improved in recent years – but it’s still not great.
Apple users have Keychain, which is pretty secure – but it’s not cross platform. If you work exclusively with Apple products, then it’s decent, but if, like a lot of people, you use a mixture of Apple/Windows/Android, then it’s not ideal.
The other issue with using web browsers, other than the glaring security problems, is that not all of your passwords are necessarily web based. You might have RDP passwords, server passwords, accounting system passwords, etc – these are more tricky to store (and then use) in the browser.
Option 5: A password manager
The words “password manager” strike fear in people.
But they needn’t.
They simplify your life. You store your passwords in it, and you install an app everywhere:
- An app on Windows
- A plugin in your browser
- An app on your phone
Then you can autofill your passwords, everywhere you go.
Once you’re confident, you can start using 30 character randomly generated passwords, and just trust your password manager to know them for you.
A password like that would take hundreds of millions of years to crack with today’s technology.
But…don’t forget what we talked about in Option 1.
That thirty character password may take a billion years to crack, but if I happen to find it in a database from when Canva got hacked in 2019, it’ll take 2 seconds to try the same username and password combination somewhere else…so use unique passwords.
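To put numbers on the two points above – that a long random password is out of reach of brute force, while a password already sitting in a breach dump costs one guess no matter how long it is – here is a small worked example. It is added to this post and is not from the original; the attacker speed of a trillion guesses per second and the 94-character alphabet are assumptions for illustration, and the breach corpus is a constructed sample.

```python
import math
import secrets
import string

# Letters, digits and punctuation: the 94-character alphabet a typical
# "generate random password" button in a password manager draws from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed attacker speed (constructed figure, not a measurement).
GUESSES_PER_SECOND = 1e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in for "a database from when some service got hacked".
BREACH_CORPUS = {"Summer2019!", "MySuperSecretKidsNameAndHouseNumber"}


def generate_password(length: int = 30, alphabet: str = ALPHABET) -> str:
    """Random password from the OS CSPRNG (secrets), never random.random()."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float,
                     guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Years to try every password of the given entropy at a fixed guess rate."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def expected_guesses(password: str, breach_corpus: set[str] = BREACH_CORPUS,
                     alphabet_size: int = len(ALPHABET)) -> float:
    """Guesses an attacker needs: one if the password is already in a breach
    dump (credential stuffing), otherwise half the keyspace on average."""
    if password in breach_corpus:
        return 1.0
    return (2 ** entropy_bits(len(password), alphabet_size)) / 2


if __name__ == "__main__":
    pw = generate_password(30)
    bits = entropy_bits(len(pw), len(ALPHABET))
    print(f"30-char random password: {bits:.1f} bits, "
          f"{years_to_exhaust(bits):.3g} years to exhaust")
    print(f"8-char lowercase password: "
          f"{years_to_exhaust(entropy_bits(8, 26)) * SECONDS_PER_YEAR:.2f} s")
    print(f"Reused breached password: {expected_guesses('Summer2019!'):.0f} guess")
```

The years figure comes out astronomically larger than the “hundreds of millions” quoted above; the exact number depends entirely on the guess rate and alphabet you assume, and the point that matters is the contrast with the single guess needed for a reused password.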
My recommendation for a free password manager? Bitwarden. Why?
- It’s cross platform – you can install it on all your devices.
- It supports multifactor authentication.
- It’s open source – anyone can review its source code and look for bugs – which means loads of brainy people already have.
Bonus: 5 top tips for using your password manager
- Set up multifactor authentication – on the off chance someone got your password manager password they won’t be able to log in to a new device with it without your MFA token.
- On your mobile devices, set up biometric authentication (your fingerprint!)
- Use a complex passphrase as your password – it should be at least 16 characters, but the longer the better. Look around your room right now, and pick three things: StressballPhonestandand4businesscards! See how easy it is to create a secure yet memorable password?
- Make it convenient by installing it everywhere, on all your devices.
- Periodically export your passwords. This is important – don’t trust any online service exclusively with all your passwords. Take a monthly backup and store it somewhere in an encrypted zip file. That way if it ever disappears (or they ever decide they want to charge for it!), you aren’t held to ransom.
Getting started with a password manager
Getting started with a password manager for the first time can be a daunting task.
Take the plunge and do it!
Start by storing your existing passwords in it (even if they are all the same!). This will get you used to using it: autofilling with it, and seeing how it syncs between your devices.
Then set some time aside in your calendar. Put a meeting in your actual calendar, for 15 minutes a week, to change 5 passwords to secure random passwords.
You’ll be finished quicker than you think, and you’ll be much more secure than you were before you started.
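Once your existing passwords are in the manager, the weekly “change 5 passwords” plan is easier to stick to if you know which ones to tackle first: the reused ones from Option 1, then anything shorter than the 16 characters suggested in the tips above. The script below, added to this post and not part of the original or of any password manager, audits an export and builds that plan. The sample export is constructed, and its column layout is assumed to match a Bitwarden CSV export (check the header of your own export and adjust). It deliberately reports only item names, never the passwords themselves.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (assumed Bitwarden CSV column layout).
SAMPLE_EXPORT = """folder,favorite,type,name,notes,fields,reprompt,login_uri,login_username,login_password,login_totp
,0,login,Webmail,,,0,https://mail.example.com,alice@example.com,Summer2019!,
,0,login,Online banking,,,0,https://bank.example.net,alice,Summer2019!,
,0,login,Old forum,,,0,https://forum.example.org,alice99,Summer2019!,
,0,login,Accounting,,,0,https://books.example.com,alice@example.com,x9!Qv7#pLm2@Rt4zWc8&Hn3^Yb6*Kd1$,
,0,login,File server,,,0,,alice.admin,fileserver,
"""


def parse_export(csv_text: str) -> list[dict]:
    """Read the export; keep only login items that actually carry a password."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader
            if row.get("type") == "login" and row.get("login_password")]


def reused_passwords(entries: list[dict]) -> dict[str, list[str]]:
    """Map each password used on more than one item to the item names sharing it."""
    by_password = defaultdict(list)
    for row in entries:
        by_password[row["login_password"]].append(row["name"])
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


def weak_entries(entries: list[dict], min_length: int = 16) -> list[str]:
    """Item names whose password is shorter than the post's 16-character floor."""
    return [row["name"] for row in entries
            if len(row["login_password"]) < min_length]


def rotation_plan(entries: list[dict], per_week: int = 5) -> list[list[str]]:
    """Weekly batches of item names to rotate, worst first: the most widely
    reused passwords, then the short ones (export order kept within a group)."""
    ordered: list[str] = []
    for names in sorted(reused_passwords(entries).values(), key=len, reverse=True):
        ordered.extend(names)
    for name in weak_entries(entries):
        if name not in ordered:
            ordered.append(name)
    return [ordered[i:i + per_week] for i in range(0, len(ordered), per_week)]


if __name__ == "__main__":
    items = parse_export(SAMPLE_EXPORT)
    # Print names and counts only; never echo the passwords.
    for names in reused_passwords(items).values():
        print(f"Password shared by {len(names)} items: {', '.join(names)}")
    print("Shorter than 16 characters:", ", ".join(weak_entries(items)))
    for week, batch in enumerate(rotation_plan(items), start=1):
        print(f"Week {week}: change {', '.join(batch)}")
```

Run it against a fresh export, then delete the export file (or keep it only inside the encrypted backup from tip 5), since the CSV holds every password in clear text.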
Should you pay for a password manager?
It depends. For individuals and microbusinesses, a free password manager is often enough. And it’s certainly better than options 1 to 4!
At Always Networks we offer Keeper password manager.
It’s very secure, and very easy to use. And it provides lots of advanced functions that are really useful for businesses such as:
- Secure password sharing between staff members.
- Auditing, not just of login but of individual password access.
- Single Sign On (SSO) – so you can use your Microsoft 365 credentials to access it for example.
- Security scoring of your passwords.
- Dark web monitoring of all your passwords to identify any leaked passwords.
It is a fantastic business password manager, especially for growing businesses with multiple staff. If you want to talk to us about how a business grade password manager will improve productivity and security in your business, just contact us and we’ll be very happy to help.
Security Shield package
Our password manager is just one part of the multi-layered Security Shield package system we offer to protect businesses as much as possible with an economical solution.
User training, simulated phishing attacks, password management, content filtering, antivirus & EDR, offsite backups, email security and mobile device management, all these as a package for just £30 per user, per month.
With this comprehensive security package only the most determined of attacks have a chance of getting through. If your business is compromised, our package also ensures that you have the backups required to get you back up and running, and on your way to making your business better than ever.
Keep your eyes open for subsequent blog posts which will explore and explain other features of our Security Shield package.