This 5 minute fix will show you how to choose and use a password manager.
Thanks to Duck and his video below, we now know all the rules for creating and using passwords. No more excuses!
In the video, Duck advises you to “consider using a password manager”. Let’s dig into that to see how we can use them to our benefit.
A long time ago, I used to have all my passwords in an encrypted text file.
As the number of online services grew, so did my file. Finding, updating and using my passwords became increasingly cumbersome.
Fortunately, it wasn’t long before the first password managers came along.
In the video, Duck lists 3 popular examples – LastPass, KeePass and 1Password.
There are many other options available so you are bound to find one to fit your needs.
How do they work?
Password managers provide a variety of services.
They serve as a secure place to store all of your passwords so you don’t have to remember them.
They increase your security because they only fill a saved password on the site it was saved for, so they won’t hand the right password to the wrong site (e.g. a phishing site), and because they fill it in rather than having you type it, there is far less for a keylogger to capture.
They make password generation much easier by letting you specify your parameters and randomly creating strong passwords on your behalf.
They also let you easily create and manage individual passwords for every site you log into.
Other handy features can include things like two-factor authentication (2FA), secure notes and secure sharing.
I use 2FA – true two-factor authentication using a Yubikey – with my password manager on both my laptop and my Android device.
Some are now supporting the new FIDO Universal 2nd Factor (U2F) authentication system as well.
Secure notes are where you can store other types of information that you might need.
For example, this is where you can store things like bank account information, passport information, and software license keys.
Secure sharing allows me to share my password with another user and select whether I will allow them to see or modify the password. This way I can share a password with my wife but the password remains a secret – in many cases even from me!
The quality, security and feature set will vary with each password manager.
Some considerations
Where are your passwords kept and who holds the key? Some password managers store the information locally, while others store it in the cloud.
This might be important to you if you prefer to keep the information under your control and not risk it getting stolen in a potential breach.
How is the information protected? Regardless of where it is stored, is it encrypted?
→ I’m not going to go into a lengthy discussion about the different encryption algorithms and their relative strengths and weaknesses. Rather, when it comes to making sure your password manager provides adequate protection, I would suggest doing some research around the subject, and if possible, consult someone you know who is knowledgeable on the topic.
Does the password manager have a timeout feature that logs you out after a period of inactivity or when you close your browser?
Can you “authorize” devices? Many allow you to decide which devices are permitted to access/store the password database and where they can be accessed (based on geo-IP).
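As an added example (not code from this article or from any of the products it names), here is a small Python sketch of three behaviours described under “How do they work?” and in the considerations above: autofill that only matches the exact saved hostname, parameterised random password generation, and an inactivity timeout over a vault key derived from the master password. The PBKDF2 key derivation, the 300-second timeout and the exact-hostname policy are assumptions chosen for the demo.

```python
import hashlib, hmac, secrets, string
from urllib.parse import urlsplit

# Constructed demo of password-manager behaviours; not any product's code.
# A real manager would encrypt the vault with an AEAD cipher (e.g. AES-GCM)
# under the derived key; here the key is only used to verify the master password.

LOCK_AFTER = 300  # assumed inactivity timeout in seconds before the vault locks

def derive_key(master: str, salt: bytes) -> bytes:
    # Deliberately slow KDF so guessing the master password offline is expensive.
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000)

def generate_password(length: int = 20, symbols: bool = True) -> str:
    # "Specify your parameters": length and whether symbols are allowed.
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if symbols:
        classes.append("!@#$%^&*-_=+")
    alphabet = "".join(classes)
    while True:  # retry until every enabled character class is present
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw

class Vault:
    def __init__(self, master: str):
        self.salt = secrets.token_bytes(16)
        # Store an HMAC verifier, never the master password or key itself.
        self.verifier = hmac.new(derive_key(master, self.salt), b"verify", "sha256").digest()
        self.entries = {}      # hostname -> (username, password)
        self.last_used = None  # None means the vault is locked

    def unlock(self, master: str, now: float) -> bool:
        candidate = hmac.new(derive_key(master, self.salt), b"verify", "sha256").digest()
        ok = hmac.compare_digest(candidate, self.verifier)
        self.last_used = now if ok else None
        return ok

    def _touch(self, now: float) -> None:
        # Timeout feature: any use after LOCK_AFTER idle seconds re-locks the vault.
        if self.last_used is None or now - self.last_used > LOCK_AFTER:
            self.last_used = None
            raise PermissionError("vault locked")
        self.last_used = now

    def add(self, url: str, username: str, password: str, now: float) -> None:
        self._touch(now)
        self.entries[urlsplit(url).hostname] = (username, password)

    def fill(self, url: str, now: float):
        self._touch(now)
        # Exact hostname match: "bank.example.evil.test" never receives bank.example's login.
        return self.entries.get(urlsplit(url).hostname)
```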
While I don’t explicitly endorse any particular password manager, I currently use LastPass.
Prior to using it I reviewed the security elements and feature set. It satisfied my needs and supported all my platforms.
I compared it to other available products and it also came highly recommended by peers in the industry whom I trust.
I suggest you do the same thing when choosing your password manager.
Get yours today!
I couldn’t agree more.
Password managers are like cell phones. You don’t truly know you need one until you get it, and then you can’t imagine how you managed without it.
I think there are two big deterrents when it comes to people adopting password managers:
1) The daunting task of switching everything into it.
2) The fear that if it gets compromised, or the master password to it lost or stolen, you’ll have the all-eggs-in-one-basket problem.
My advice, for what it’s worth:
1) Take the first step and install one. Thinking about it but not doing it is actually much more effort than jumping in and giving it a go.
2) Put one or two passwords into it that you use frequently and ‘kick the tires’ for a bit. Don’t do the whole big project of moving your life into it until you’ve got used to it, it’s set up how you like, you know where it works well and where it works less well.
Then weirdly and by osmosis, if it’s the right tool for you, you’ll begin sliding other things into it without really noticing. Bingo — you are now password-managed!
I don’t endorse any specific product either, but consider adding Dashlane to your list of products to check out. Personally I’ve had good success with it.
Final advice: Always keep the password for your primary email account, bank and one or two other very important accounts written down and hidden away securely. So you’re not totally up the creek if your chosen password manager breaks/goes out of business/whatever. And obviously pick a nice long pass phrase for the master password of the manager itself. That’s it!
Gavin
Gavin’s advice is right on. Start slowly. I had an irrational reluctance to let the password manager remember all of my strong passwords, even though I knew I could always use each site’s password recovery process if necessary. Now I’m all in. I use Dashlane and I am happy to endorse and recommend it. I also used LastPass in the past and found it to be solid.
I couldn’t disagree more. I’m just waiting for the ‘password manager hack’ news alert.
I couldn’t disagree more. I’m just waiting for the next big hack story which will at some point involve one of these password managers, who now have a whole host of attack vectors as they are now on all mobile / tablet devices. Gotta love the cloud…. haven’t you? It’s all down to convenience and laziness. … Waiting for the big hack story.. (Duplicate comment?.. Well post the thing up then!!!!!)
So use KeePass (mentioned in the article) and keep the DB on a usb stick. No cloudy risk there.
If you find password managers bad, what do *you* use to avoid duplicating your passwords?
I agree with Gavin, but use mSecure. I prefer the 1 time purchase vs. the never ending subscription.
John Shier writes “They also let you easily create and manage individual passwords for every site you log into.”
Uh-oh! Can’t use one then. AT&T (my service provider) and Yahoo! (my email provider) use the same password database. One password, two domains.
If you install LastPass you don’t have to let it dictate all or any of your passwords. You can override it and use the same password of your choice for both AT&T and Yahoo. LastPass will save it, and reproduce it if you log into LastPass on a different browser or device. You can even reject all of the LastPass suggestions and use 1234abcd for every site if you wish. The application will alert you to the danger of using the same password for lots of sites, but turns a blind eye to two or three sites or users that share a password. For example a joint bank account can have the same password for each user.
I find Roboform easy to use.
So — the weak link becomes the Master PSW, correct? Break it and you have the keys to the kingdom? Stolen media, lost media — I don’t like the idea of a single point of failure like that. What about one’s own encryption within a PSW Mgr — do any allow a scheme with options like, “This PSW goes with the line above (or below) it — not with the site it’s listed for . . . or something subtle like that to provide just another layer of security if you lose the thumb drive or your notebook or mobile device. Help me out here, folks — are there such options??
You could consider not entrusting your most precious keys to the password manager. Perhaps then you would need to remember 9 pwds plus the master pwd…much more tractable as a memory challenge than remembering 100 pwds.
As we said in the latest Chet Chat podcast (SSCC 177, still being edited as I write this :-), if all you do with a password manager is get out of bad habits (weak or repeated pwds) for the many “not so important” sites on which you have accounts, that’s good. Better, perhaps, to have 50 sites protected with a single, strong master pwd (that is never shared with any of those sites) than to have “password123” as your actual pwd on any of them.
A bit like carrying a bunch of keys for front door, back door, garage, shed and safe but labelling them “Back door, Garage, Shed, Safe and Front door.” Oh, and if you carry a car key on the same bunch, with a Porsche key tag, that’s rather a give-away if yours is the only Porsche in the car park!
I use Lastpass and it works very well, I use it for all my everyday sites – I may be over cautious but I don’t use it for any sites I make purchases on or leave credit card details, these I memorise or write down and keep in a safe place.
I wouldn’t go back to not using a password manager, too much hassle.
I downloaded LastPass and something went wrong and now I cannot delete it and it is screwing up some sites. Any help would be appreciated in getting rid of it. Thank you very much
Just click on the star in the toolbar and select “Log out”.
I don’t even know how many different websites, apps, and other things I’ve accessed over the years that necessitated or suggested passwords – perhaps a hundred or more – but I’ve stored them all in PasswordSafe by Jeff Harris for a long, long time on my PC, in Windows and Linux. Then, when I went mobile a couple of years ago, I installed his app, renamed as PasswdSafe. It’s always been free, and allows me to sync to either Google Drive or Dropbox for access from all my devices. I love it and would be lost without it.
NICE