While we all know that strong passwords are important, most of us find them a chore. We get lazy at home AND at work: we reuse passwords, and we don’t create, store and manage them the way we should. Using strong passwords is like wearing a bicycle helmet. It’s protection for when bad things happen, often outside our control, and it hopefully prevents the worst-case scenario.

“According to the recent Verizon Data Breach Investigations Report, over 70% of employees reuse passwords at work.”
https://www.tracesecurity.com/blog/articles/81-of-company-data-breaches-due-to-poor-passwords

Passwords should be unique.

While most of us know this, most of us use the same password for multiple things. A unique password limits the damage when any one site is breached. It’s very rare that people are individually targeted, unless they are considered “high value.” Most of the time, when passwords are hacked or stolen, they are caught in large-scale automated compromises of accounts or are part of a breach of a large online service. Attackers then replay the leaked email/password pairs against other sites (credential stuffing), so when passwords are reused there is a huge risk of many accounts being compromised at the same time.

“We observe that 17.0% of the 22 million email addresses in multiple leaks re-used a password at least once.”
https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/46437.pdf

As a Security Assessor, I see quite a few password management strategies. They range from a pile of sticky notes or password-protected documents to all kinds of cute patterns for creating apparent randomness. The bottom line is that most people use a half-baked pattern scheme that isn’t really random, and neglect to store the results securely. What prevents people from using unique, strong passwords seems to be a multipart problem: often people are not aware of the tools that exist, they perceive the time investment to switch as too great, and they are unclear about what “good password management practices” really means.

Passwords should be strong.

There are many regulatory standards for creating strong passwords. Let’s look at the generally accepted minimum, based on my years of experience. A strong password should have the following features:

  • 12-16 characters at a minimum, longer is better
  • A mix of characters, numbers, cases, and symbols
  • Is truly random (no cute patterns, dates, sports team names, city names…)
  • Is unique (no password reuse)
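The following is an added example, not code from the original post, showing what these four criteria look like when a vault’s generator enforces them: passwords are drawn from the operating system CSPRNG (`secrets`, never `random`) and rejected until they pass the same check a reviewer would apply. The character classes, the 16-character floor and the small denylist of “cute patterns” are this example’s own assumptions, not a quote from any standard.

```python
"""Generate and check passwords against the four criteria above.

Added example, not code from the original post; standard library only.
The character classes, the 16-character floor, and the small pattern
denylist are this example's assumptions, not a quote from any standard.
"""
import math
import re
import secrets
import string

CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}
ALPHABET = "".join(CLASSES.values())   # 26 + 26 + 10 + 28 = 90 symbols
MIN_LENGTH = 16

# Constructed denylist of "cute patterns": keyboard walks, a run of the same
# character three times, and anything that looks like a year.
PATTERNS = [
    re.compile(r"(?i)(1234|abcd|qwerty|password)"),
    re.compile(r"(.)\1\1"),
    re.compile(r"(19|20)\d\d"),
]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def check_password(pw: str, already_used: set) -> list:
    """Return the criteria the password fails; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            problems.append(f"no {name} character")
    if any(p.search(pw) for p in PATTERNS):
        problems.append("contains a predictable pattern")
    if pw in already_used:
        problems.append("reused")
    return problems


def generate_password(length: int = 20, already_used: set = frozenset()) -> str:
    """Draw a password from the OS CSPRNG until one passes check_password.

    Rejection sampling keeps the result uniform over the set of acceptable
    strings; the common trick of forcing one character per class and then
    shuffling does not. secrets (not random) is what makes it unpredictable.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate, already_used):
            return candidate


if __name__ == "__main__":
    vault = {"hunter2"}   # constructed: passwords already in use
    pw = generate_password(20, vault)
    print(pw, f"{entropy_bits(20, len(ALPHABET)):.1f} bits")
    print(check_password("Summer2019!", vault))
```

For a password that is genuinely random, the composition rules add little; the length and the CSPRNG do the work (20 characters over a 90-symbol alphabet is roughly 130 bits). The pattern check matters for the human-chosen passwords discussed later, where “Summer2019!” satisfies every character-class rule and is still guessable.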

EACH and EVERY login should have a password that meets these criteria. And this is the issue: most people find that to be way too much work.

Password Vaults put the good kind of lazy into password management

Password vaults are purpose-built tools that store your passwords in an encrypted database, unlocked with a single master password. They make it easy to find records and copy/paste the password, so they don’t slow you down much. Most importantly, they provide password generators that create strong random passwords for you. Some also provide password history, which has saved my butt more than once. There are a variety of very good online and offline vaults, free and paid.

Online Password Vaults

Online vaults generally run as a browser plugin and sync with a cloud service, which is great for backing up and syncing to multiple computers. Many also allow for securely sharing passwords with other people, which is great in an office or family environment. I prefer LastPass https://lastpass.com, but there are many others out there, including a solution for ownCloud https://www.owncloud.org/.

What is great about browser-based password vaults is that they make it extremely easy to save passwords as you log in to accounts. This makes it easy to populate your vault over time rather than tackling it all at once. Many of them also have mobile apps, so you have full access from your mobile devices. Online password vaults also let you download an offline backup, which I highly recommend you do periodically.

Offline Password Vaults

Offline password vaults are programs that store an encrypted database on your hard drive. That means you need to back it up somewhere else on a regular basis. Offline vaults are also a bit more time consuming, but there is a tradeoff. First, there are more open source (free) options for offline vaults. The other benefit is that they avoid the exposure that comes with online vaults syncing to a cloud service: there is no vendor account, browser extension or sync server for an attacker to go after. An attacker needs both a copy of the database file and your master password, so keeping the file off the internet adds a layer of security.

There are many options for offline vaults. KeePass is a very popular offline vault https://keepass.info/. I use a fork of KeePass called KeePassXC https://keepassxc.org/, which I believe has a slightly better interface and also lets me back up Multi-factor Authentication (MFA) codes. This allows me to use my KeePassXC vault as an MFA app in the event I don’t have my cell phone. Keep in mind that storing the MFA seed in the same vault as the password turns two factors into one if that vault is compromised. Both are free and open source and run on Windows, Mac and Linux, and KeePass-compatible apps exist for iOS and Android. There are several other options out there for offline vaults.

You will have to remember some passwords.

Your password vault and probably your computer login are obvious ones. There’s always going to be a small number of things you have to log in to or unlock all the time. My goal for these passwords is to make them as random and as easy to remember as possible, using mnemonic devices. Below are some great articles on generating strong passwords that are easy to remember.

Diceware strategy: https://www.avg.com/en/signal/how-to-create-a-strong-password-that-you-wont-forget

Some additional approaches in the same vein. https://www.lifewire.com/8-character-password-2180969

Other methods could use https://what3words.com/about/ and randomly click locations on the globe, or cherry-pick words from a dictionary. The options are endless; what matters is that the words come out of a random process rather than out of your own head.
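The Diceware idea from the linked article, as an added example that is not from the post or any of the linked pages: dice rolls index into a word list, so the passphrase is random but made of memorable words, and its strength is simply the number of words times the bits per word. Real Diceware uses five dice and a 6^5 = 7776-word list; the 36-word, two-dice list below is constructed for illustration, `secrets.randbelow` stands in for physical dice, and all function names are this example’s own.

```python
"""Diceware-style passphrase: dice rolls index into a word list.

Added example, not from the post or the linked articles. Real Diceware uses
five dice and a 6^5 = 7776-word list (the EFF large list, for instance); the
36-word, two-dice list below is constructed for illustration, and
secrets.randbelow stands in for physical dice. Standard library only.
"""
import math
import secrets

# Constructed stand-in for a Diceware file, one "roll word" pair per entry.
SAMPLE_WORDLIST = """
11 acorn  12 badge  13 cabin  14 dairy  15 eagle  16 fable
21 gamma  22 habit  23 igloo  24 jelly  25 kayak  26 lemon
31 mango  32 noble  33 oasis  34 panda  35 quilt  36 radar
41 salad  42 tango  43 ultra  44 vivid  45 wagon  46 xenon
51 yacht  52 zebra  53 amber  54 bison  55 cedar  56 delta
61 ember  62 flint  63 grove  64 honey  65 ivory  66 jumbo
"""


def parse_wordlist(text: str) -> dict:
    """Map each dice-roll key (digits 1-6 only) to its word."""
    tokens = text.split()
    words = {tokens[i]: tokens[i + 1] for i in range(0, len(tokens), 2)}
    for roll in words:
        if not roll or any(ch not in "123456" for ch in roll):
            raise ValueError(f"bad roll key {roll!r}")
    return words


def roll_dice(count: int) -> str:
    """Roll `count` six-sided dice with the OS CSPRNG; returns e.g. '41'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))


def passphrase(words: dict, n_words: int) -> str:
    """Pick n_words by rolling as many dice as the list's keys are long."""
    dice = len(next(iter(words)))
    return " ".join(words[roll_dice(dice)] for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int) -> float:
    """Each word is one uniform draw, so entropy is n_words * log2(list_size)."""
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words reaching target_bits from this list."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    words = parse_wordlist(SAMPLE_WORDLIST)
    print(passphrase(words, 5))
    # The word count and list size carry the security, not the word choice:
    # with a 7776-word list, 5 words give about 64.6 bits; this 36-word list
    # needs 13 words for the same strength.
    print(entropy_bits(5, 7776), words_needed(entropy_bits(5, 7776), 36))
```

The same arithmetic applies to the what3words and dictionary variants: the entropy is log2(size of the pool) per pick, provided the pick is random, which is exactly what clicking by hand or choosing words you like is not.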

If you work in technology there really is no excuse.

Technology sectors have the best rates of adoption for strong password practices. The bad news is that somewhere between 40 and 60% of technology workers still choose to ignore password management recommendations.

If your work is both technical and involves sensitive data, you may want to use split credential storage. I use one online vault for most things because of its speed and features. I have a few offline vaults to split the storage of my credentials and the second factor, and store them in different places. Many systems use cryptographic keys stored in files that require a passphrase to decrypt before the key can be used. For these, I store the key in one vault and the passphrase in another.

Don’t get too paranoid

Most of us just need a single, simple password safe. Just pick one and start using it. If you apply these principles and a password does get compromised, the damage should be greatly minimized. That is the ultimate goal: to contain any compromise to the smallest number of systems. So go pick your tools, create good passwords, and don’t put the password to your vault on a sticky note under your keyboard. Memorize it!