Over these past few months, I've been all over the North East of England delivering talks on staying safe online, protecting yourself against phishing and keeping your passwords safe. My latest talk over at Jackson's Law Firm in Stockton saw attendees raise a few more excellent questions, particularly regarding password reuse, and how to keep your passwords both secure and memorable.
This follows up my last post on password hashing, which you should definitely read if you haven't already (it gives this article a lot of context).
Eliminating Password Reuse
Password reuse is a huge, huge problem. If you use the same password for a website belonging to a not-so-security-savvy company that stores it in plain text (something no website should ever do) as you do for your PayPal account, for example, an attacker who gets hold of it will be able to compromise your PayPal account and steal your money. This is called credential stuffing: an attacker collects as many passwords as they can that might belong to you and uses them to try to log in to your accounts across the web. If you use the same passwords everywhere, all it takes is one security breach for someone to lay complete siege to your entire online presence.
"But it's so hard to remember a different password for every website!"
Absolutely it is, and even harder to remember a secure password for every website. The fact is that human beings are nothing short of awful at coming up with secure, memorable passwords; it's just not how our brains work. A solution is at hand though. Enter the password manager.
Yes, a password manager is a piece of software that does a few things for you:
- It will generate random, secure passwords for you to use. With today's technology, guessing a password like GVOk45LAbNe5loRF would take far longer than a million years; for all practical purposes it is impossible. This is exactly the kind of password a password manager will generate.
- It will organise and safeguard these randomly generated passwords for you. All your randomly generated passwords will be securely encrypted under a master password that you choose and remember. Unless you have the master password, those passwords will be completely unreadable. Yes, even to the company that created your password manager!
- It will automatically fill these passwords in for you on websites you visit. If I set up my password manager for facebook.com, next time I visit that website I'll use my master password to log in to my password manager, which will then log in to Facebook for me using the secure password it generated (which will look something like XoR41TIvo47L1mWn; secure and unguessable).
Password managers represent the state of the art when it comes to password security online. I use one, all my security-minded colleagues use one, and I'll always, always advocate for their use to anyone that will listen. People joke about using the same password for everything (some will even quip "Yeah, I just use my dog's name and birthday for all my stuff, never been hacked yet!") but it's far less funny when you're on the phone to your bank, your e-mail provider, your mobile phone company etc. because someone has taken complete control of your online identity and is having the time of their lives with it. The time to act on this is before it happens.
"But I can't put all my passwords in one place! What if the password manager itself is breached?"
Digital security is always a game of risk minimisation. No matter how hard you try, you can never be absolutely one-hundred-percent secure against becoming a victim of cybercrime. What you can do, however, is make it so difficult for a potential attacker that they'll give up and look for a softer target. If there's a bag of gold hidden in Fort Knox and another one in a garden shed, any criminal will go for the one in the shed. If this analogy doesn't have you convinced, I'll make two points here in favour of password managers to help put your mind at rest:
- Yes, all your passwords are stored in one place, but the company behind your password manager is just that: a password manager vendor. For them, it makes business sense to hire the best security experts and implement the most thorough procedures to keep your data safe. After all, that's their whole business model. Your average company with a website is much less likely to be so security-minded.
- All good password managers will use state-of-the-art encryption such that only you are ever able to read your passwords. Encryption is complicated, but all you need to know is that without your master password (known only to you) nobody (including employees of the company that created your password manager) can see your passwords.
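To make the two mechanisms above concrete (random password generation, and a vault that only the master password can open), here is an added example written for this post; it is not code from the original article or from any password manager vendor. It is a toy in Go using only the standard library: passwords come from the operating system's cryptographic random number generator, the master password is stretched with PBKDF2-HMAC-SHA256 (the implementation, the 600,000 iteration count and the "correct horse battery staple" master password are my choices for illustration, not something the post specifies), and the vault is sealed with AES-256-GCM so that a wrong master password or a modified vault is rejected outright. Real products differ in detail, but the shape is the same.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
)

// Alphabet for generated passwords: the upper/lower/digit mix seen in the post's examples.
// 16 characters drawn from 62 symbols gives 62^16 (roughly 2^95) possible passwords.
const passwordAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
const kdfIterations = 600_000 // OWASP's current guidance for PBKDF2-HMAC-SHA256 (illustrative choice)

// GeneratePassword draws n characters uniformly from passwordAlphabet using the OS CSPRNG
// (crypto/rand, never math/rand). rand.Int rejection-samples, so no symbol is favoured.
func GeneratePassword(n int) (string, error) {
	out := make([]byte, n)
	for i := range out {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(passwordAlphabet))))
		if err != nil {
			return "", err
		}
		out[i] = passwordAlphabet[idx.Int64()]
	}
	return string(out), nil
}

// pbkdf2SHA256 implements PBKDF2-HMAC-SHA256 (RFC 8018) so the example needs nothing outside
// the standard library. The iteration count is what makes guessing the master password slow.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)              // U_1 = PRF(password, salt || INT(block))
		t := append([]byte(nil), u...) // T = U_1
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil) // U_i = PRF(password, U_{i-1})
			for j := range t {
				t[j] ^= u[j] // T = U_1 xor U_2 xor ... xor U_c
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Vault is what the manager keeps on disk or syncs to the cloud: Salt and Nonce are public,
// every secret lives inside Ciphertext, which AES-256-GCM both encrypts and authenticates.
type Vault struct {
	Salt, Nonce, Ciphertext []byte
}

func vaultCipher(master string, salt []byte) cipher.AEAD {
	key := pbkdf2SHA256([]byte(master), salt, kdfIterations, 32) // 32 bytes selects AES-256
	block, _ := aes.NewCipher(key)  // cannot fail: the key length is fixed at 32 bytes
	aead, _ := cipher.NewGCM(block) // cannot fail: AES has the 128-bit block GCM requires
	return aead
}

// SealVault encrypts the site->password map under the master password. A fresh random salt
// makes the derived key unique to this vault; a fresh random nonce makes this encryption unique.
func SealVault(master string, entries map[string]string) (*Vault, error) {
	plaintext, _ := json.Marshal(entries) // map[string]string always marshals
	random := make([]byte, 16+12)         // 16-byte salt followed by the 12-byte GCM nonce
	if _, err := rand.Read(random); err != nil {
		return nil, err
	}
	salt, nonce := random[:16], random[16:]
	// The salt is bound in as associated data, so swapping it is detected as tampering too.
	ct := vaultCipher(master, salt).Seal(nil, nonce, plaintext, salt)
	return &Vault{Salt: salt, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenVault re-derives the key and decrypts. A wrong master password or a modified ciphertext
// fails the GCM tag check and returns an error rather than garbage plaintext.
func OpenVault(master string, v *Vault) (map[string]string, error) {
	plaintext, err := vaultCipher(master, v.Salt).Open(nil, v.Nonce, v.Ciphertext, v.Salt)
	if err != nil {
		return nil, errors.New("wrong master password or tampered vault")
	}
	var entries map[string]string
	err = json.Unmarshal(plaintext, &entries)
	return entries, err
}

func main() {
	pw, _ := GeneratePassword(16)
	v, _ := SealVault("correct horse battery staple", map[string]string{"facebook.com": pw})
	_, err := OpenVault("wrong password", v)
	fmt.Printf("generated %s\nciphertext %x\nwrong master password: %v\n", pw, v.Ciphertext, err)
}
```

The point worth noticing is what the Vault struct does not contain: there is no key in it. The key only ever exists in memory on your device, derived from the master password each time you unlock, so whoever stores or syncs the vault (the vendor included) holds nothing but salt, nonce and authenticated ciphertext.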
Okay, I'm Convinced
Excellent! In that case I'll point you in the direction of some tried and tested pieces of password management software, so you can decide which one is best for you:
- Dashlane - This is my personal choice. Why? It works across most devices, PC, Mac, iPhone, iPad, Android etc. and supports a multitude of features that just make things easier. These include signing in on compatible mobile devices using your fingerprint and two-factor authentication (if you don't know what that is, don't worry, I'm covering it in part 3) for greater peace of mind. The free version supports one device only, but if you sign up using this link you can get 6 months of premium for free which keeps all your passwords in sync across all your devices. Full disclosure, signing up using that link also gives me 6 months of premium for free, but I certainly wouldn't be recommending it unless I really did think it was an excellent choice.
- LastPass - Another excellent choice of password manager, and one that was put to the test when it was breached back in 2015. Despite the breach, only e-mail addresses and a few other minor pieces of information were stolen. The security measures in place over at LastPass worked as designed and kept user data safe; no passwords were stolen. I've used this one myself in the past, and couldn't have been happier with it. It has a generous free plan and a premium plan if you need the extra features.
- 1Password - Not one I've tried myself, but I hear good things about it. It integrates some of the latest features, including detection of whether or not a password you use has been breached previously (very exciting technology, which I write more about in part 3). It has a 30-day free trial, and it costs only $2.99 per month for the basic package after this (there are business and enterprise packages available too, with features to match).
To wrap up, if you're not using a password manager, you should be, whether it's for personal use, business use or ideally both. From my perspective, it's the most important step you can take today towards staying safe online. What if you've already been the victim of a breach, and how can you check? We'll cover that in part 3.