Personal Security for the Savvy (or not) Executive #1 – Password Managers

If you ask any professional in the cybersecurity industry, “What are some simple things that I can do to improve my personal security?”, they will tell you 3 things almost everytime.

  • Use Two-Factor Authentication
  • Don’t re-use passwords
  • Use strong, random passwords

In future articles we’re going to explain exactly what is 2FA (Two-Factor Authentication), and how you can use it to improve your personal security; however in today’s article we’re going to be showing you the secret to achieving the last 2 bullet points of that list (and actually do it in reality).

Personal security is like your health in many ways, if you make good decisions consistently and don’t take shortcuts, you can save yourself many headaches down the road. Proactive, good decisions make everybody around you safer.

Password Managers

“What is a Password Manager, and why do I care?”

Good question, password managers were created primarily to address the two biggest problems in security, that are intensified by human behavior.

  • We aren’t all rain-man, it’s foolish to think that we’ll be able to remember 16 character random passwords
  • If we can remember random 16 character passwords, we’re expected to remember different ones for each account

The average person has about 90 online accounts. How likely is it that we will remember random passwords, and continue to for 90 different online accounts? You got it.

Very unlikely.

So what do we do instead? We come up with what we think is a really secure password. Pick a word, like the name of our pet or our favourite musician, and then attach some number to the end of it. Now to appease the password complexity gods we make the first letter a capital letter and throw some punctuation in there.

Dylan1973 – Your dogs name and your birth year.

This sounds like a great idea, nobody will guess this! Wrong. In fact, other people have also had this idea and have used this password before. So much so that it has ended up in public password directories, that means that this would take a total of 1 second to crack.

So how do we fix this?

We use a password manager. A password manager is exactly what it sounds like, it is a secure, centralized place where we can generate, store and access all of our passwords, to all of our accounts.

By using a password manager, we not only remove the need to even remember any password except our master-password (the password to our password manager), but we also have easy access to a way to generate new, secure passwords.

Some managers (such as 1password) will even alert us when services are involved in breaches, and sometimes even change the passwords automatically.

Which password manager should I use?

Below are some examples of password managers that are used by millions of people everyday. Your choice is going to largely depend on what your requirements are. Some of these might include:

  • Your operating system, Windows or Mac?
  • Do you need mobile support?
  • Do you want or need Auto-fill?
  • Do you want to host it yourself or have somebody else host it
  • How much do you want to pay?

If your requirements are quite simple, then you will likely get on fine with the 3 current leaders in this space:

Why does this matter?

I’m sure you have heard of one of the many breaches that has happened in the past decade. Maybe it was the MySpace breach, maybe it was the LinkedIn breach, there have been many. When these breaches occur, generally speaking the data that is leaked (usually usernames and passwords), ends up in the internet _somewhere_.

Malicious attackers find these databases, and they extract the weak passwords from the breaches, and then preform an attack called “password stuffing.” Password Stuffing is when an attacker takes usernames and passwords from breach data, and they try them against other services that the individual might be connected to.

Let’s use the Adobe breach as an example. Your email might be veryimportantperson@me.com and your password might be Dylan1973. The attacker knows that you used that username and password at Adobe, so they try it against iCloud or your Gmail. Now the catch here is that they don’t just do it for you, they create scripts to automate this process, and they do it for hundreds of thousands of people throughout the world.

If you were unlucky enough to have re-used your username and password at icloud.com, they will have full access to your account, and can then reset all your personal accounts since they now own your email.

Taken one step further, ask yourself what would happen if your password was re-used on your business accounts? Now project this risk exposure across your entire workforce. This is why many companies are now extending access to enterprise password management services (and training) to all employees.

Conclusion

Using a password manager is a great way to instantly improve your personal security, and protect yourself from things like password-stuffing attacks.

If you’re running a business and are concerned about the damage to your brand reputation that a data breach could cause, consider subscribing to a password management service that all employees can use and train them in best practices for using it. Their personal safety increases corporate safety.

So what are you waiting for? Get a password manager and improve your personal security instantly!