By: Walter Rey, Systems Administrator - Cybersecurity
With all the websites, services, and subscriptions available out there, the average user has somewhere between 150 and 200 accounts, or more. Managing that many accounts is challenging, especially if we want to follow best practices: use strong passwords, and never reuse a password between different services or systems.
The problem with reusing passwords is that, once one of those websites/services gets breached, the attacker may recover the account passwords, either directly, if the site stored them in clear text, or by cracking weakly hashed ones offline. They will then try that same set of credentials (email and password), plus common variations of that password, on as many other sites as they can to see if the user reused them elsewhere; this is known as credential stuffing. This way, they can obtain easy access to many of their victims’ accounts, including banking and other personal services.
Password Managers can be a great asset to users. Once you have all your passwords stored in one, all you need to remember is a single master password to unlock the dozens (or hundreds) of credentials you may have. Password Managers can also generate long, random passwords for you, so you don’t reuse the same credentials among different services. Therefore, if the credentials for one of your sites/services get compromised, all you need to do is change the affected site’s password. You don’t need to worry about where else you may have used that same password, which could put your other accounts at risk of being discovered and abused. Many Password Managers can also check whether a stored password has appeared in a known security breach and is circulating on the Internet, and will notify you so you can change it right away.
Of course, putting all your eggs in a single basket carries some risks as well. For example, if someone gets hold of your Password Manager credentials, they will have access to all your passwords. However, that is not much different from having all your passwords written in a notebook on your desk. The solution in this case is to always use a very strong master password and enable Multifactor Authentication (MFA) or Two-factor Authentication (2FA) in your Password Manager solution. This helps prevent unauthorized access if bad actors obtain your account password, as they would still need your second factor to complete the sign-in. One caveat: in most Password Managers, MFA gates the sign-in to the provider’s service, not the decryption of the vault itself. Someone who obtains a copy of the encrypted vault (from a stolen device or a breach of the provider) can attempt to crack the master password offline, and MFA does not help there, so the length and randomness of the master password is what actually protects your data in that scenario.
There are many Password Manager providers out there, but some of the most widely used, feature-rich, and robust solutions are:
Bitwarden
LastPass
Keeper
Dashlane
1Password
Important features to look for in a Password Manager are:
Support for multiple platforms, such as Windows, Linux, and mobile phones (Android and iOS). This way you can have your passwords always available and in sync regardless of which device you are using.
Ability to generate complex passwords.
Ability to share passwords with other users. This will allow you to securely share credentials with family or friends when needed, and to stay in control when passwords are updated, or when access needs to be removed.
Dark Web Monitoring: This feature can notify you when one of your passwords has turned up in a breach dump circulating on the Internet, where anyone can use it. Good implementations check this without ever sending your actual password to the monitoring service.
Auto-fill credentials when you visit a matching site, based on the URL visited. This also helps you identify potential phishing attempts, as the Password Manager will not auto-fill your credentials if the URL (website address) does not match what it has recorded for that set of credentials. The protection only works if you treat that refusal as the warning it is, rather than copying and pasting the password by hand into the look-alike page.
Geolocation access blocking. Some services let you choose which countries sign-ins are allowed from. This reduces the noise from attackers guessing at your password and can stop a sign-in even when they already have it, if they are outside the allowed region. Treat it as a minor hurdle rather than a control: anyone determined can route their traffic through a VPN or proxy in an allowed country, so it does not replace MFA.
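How the breach-exposure check behind a Dark Web Monitoring feature can work without your password ever leaving the device: the k-anonymity range query popularised by Have I Been Pwned’s Pwned Passwords service. The client hashes the password with SHA-1, sends only the first five hex characters (roughly 20 bits, a bucket shared by hundreds of other passwords), and compares the returned suffix:count lines locally. The code below is an added example for this article, not the article’s own or any vendor’s code; the range response is a hand-built excerpt with constructed counts, and fake_fetch_range stands in for the HTTP call to https://api.pwnedpasswords.com/range/<prefix>.

```python
"""k-anonymity breach check in the style of the Pwned Passwords range API.

Added example; not any vendor's code. Only the first five hex characters of
the SHA-1 hash leave the device, so the service never sees the password or
its full hash, only which of 16^5 buckets it falls in.
"""
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed excerpt of a range response for prefix 5BAA6, the bucket that
# holds "password". A real response has several hundred "SUFFIX:COUNT" lines;
# the filler suffixes and all counts here are made up for this example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\n"          # constructed filler
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"    # suffix of SHA-1("password")
        "1E5DC7D0D0E9C0D7E8F3E8F3D8F5F2A6F2A:1\n"          # constructed filler
    ),
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1. This is the lookup key the range API uses; it is
    not a password-storage hash and should never be used as one."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix that is sent, 35-char suffix that stays local)."""
    h = sha1_hex(password)
    return h[:5], h[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def exposure_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the breach corpus (0 = not seen).
    The suffix comparison happens on the client, never on the server."""
    prefix, suffix = split_hash(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Unknown buckets return an empty body here; the real service always answers."""
    return SAMPLE_RANGES.get(prefix.upper(), "")


# Constructed vault: site -> password.
SAMPLE_VAULT = {
    "mail.example": "password",
    "bank.example": "Gz7!vQ2#rLp9@wXe4",
}


def check_vault(vault: Dict[str, str],
                fetch_range: Callable[[str], str]) -> List[Tuple[str, int]]:
    """Return (site, count) for every vault entry seen in breach data."""
    hits: List[Tuple[str, int]] = []
    for site, pw in vault.items():
        n = exposure_count(pw, fetch_range)
        if n:
            hits.append((site, n))
    return hits


if __name__ == "__main__":
    for site, n in check_vault(SAMPLE_VAULT, fake_fetch_range):
        print(f"{site}: password seen {n} times in breach data, change it")
```

The design point is the split in split_hash: the prefix is the only thing that crosses the network, and the matching of the suffix against the returned bucket happens locally, so even a compromised or nosy monitoring service learns nothing more than a 20-bit bucket. A real client would replace fake_fetch_range with an HTTPS GET to the range endpoint and keep everything else.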
Regardless of which Password Manager method you choose, here are some best practices you should always follow when creating and managing passwords:
Use long passwords, at least 16 characters (use a passphrase and include numbers and special characters). Alternatively, choose an auto-generated, complex password from your Password Manager.
Do not reuse passwords among sites/services. Even slightly modified passwords should not be used. When bad actors get hold of a set of credentials, they will try those credentials and similar variations of them on multiple sites/services.
If available, always enable MFA or 2FA on all accounts. This will provide another layer of security if the password gets compromised. This is especially important for the Password Manager account.
Avoid sequential or keyboard patterns in your passwords, like 12345 or QWERTY.
Avoid sharing your passwords with anyone unless necessary, and in such cases, try to use the sharing feature in your Password Manager as it would securely share the password, and keep it up to date if changed later.
Do not write down your passwords or leave them unsecured on your desk or anywhere else where someone could easily get at them.
Never share your Password Manager account password with anyone, only share the individual password entries that you may need to give other people access to.
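The generation and audit logic behind several of the rules above (long random passwords or passphrases, no sequential or keyboard patterns, no reused or lightly modified passwords), written out as an added example for this article rather than the article’s own or any vendor’s code. The word list and the vault are constructed for the example; a real passphrase generator would use a full diceware list such as the EFF long list of 7776 words, and the thresholds (a four-character run, an edit distance of two) are assumptions chosen for illustration.

```python
"""Password generation plus the checks a vault audit would run.

Added example; not any vendor's code. Covers CSPRNG-based generation with an
entropy estimate, detection of sequential/keyboard patterns (12345, QWERTY),
and detection of reused or lightly modified passwords across a vault.
"""
import math
import secrets
import string
from typing import Dict, List, Sequence, Tuple

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed stand-in for a diceware list; a real list (e.g. EFF long list)
# has 7776 words, which is what makes a 5-word passphrase worth ~64 bits.
SAMPLE_WORDS = ("copper", "harvest", "lantern", "meadow", "orbit", "pebble",
                "quartz", "ripple", "saddle", "timber", "velvet", "willow")


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent uniform choices from `pool_size` symbols."""
    return picks * math.log2(pool_size)


def generate_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """Random password from the OS CSPRNG (secrets), never from random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: Sequence[str] = SAMPLE_WORDS,
                        n_words: int = 5, sep: str = "-") -> str:
    """Diceware-style passphrase: words drawn uniformly with replacement."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_sequence(password: str, min_run: int = 4) -> bool:
    """True if any window of min_run characters is an ascending/descending
    run (1234, dcba) or a keyboard walk (qwer, poiu), case-insensitively."""
    s = password.lower()
    for i in range(len(s) - min_run + 1):
        chunk = s[i:i + min_run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a single rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_reuse(vault: Dict[str, str], max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """Pairs of sites whose passwords are identical or within a few edits of
    each other (Summer2023! vs Summer2024!), compared case-insensitively."""
    sites = list(vault)
    hits: List[Tuple[str, str, int]] = []
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            d = edit_distance(vault[a].lower(), vault[b].lower())
            if d <= max_distance:
                hits.append((a, b, d))
    return hits


# Constructed vault for the audit: site -> password.
SAMPLE_VAULT = {
    "bank.example": "Summer2023!",
    "shop.example": "Summer2024!",
    "mail.example": "summer2023!",
    "forum.example": "q7$Lm2#vPz9!wR4e",
    "old.example": "qwerty12345",
}


def audit(vault: Dict[str, str]) -> Dict[str, list]:
    """Run both checks over a vault and report the offending entries."""
    return {
        "patterns": [site for site, pw in vault.items() if has_sequence(pw)],
        "reuse": find_reuse(vault),
    }


if __name__ == "__main__":
    print("password:", generate_password(16), f"~{entropy_bits(94, 16):.0f} bits")
    print("passphrase:", generate_passphrase(), f"~{entropy_bits(7776, 5):.0f} bits with a 7776-word list")
    print(audit(SAMPLE_VAULT))
```

Two things the numbers show that the rules alone do not: sixteen characters drawn uniformly from the 94 printable ASCII symbols carry about 105 bits, whereas five words from a 7776-word list carry about 65 bits, which is plenty for an online account but is only true if the words are chosen by a CSPRNG, not by a person. The reuse check deliberately lowercases before comparing, because Summer2023!, summer2023! and Summer2024! are the same password to a credential-stuffing tool.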