Password managers, why isn’t everyone using them already?

I am very surprised that people, still today, do not have sufficient knowledge of the existence of password managers. They make IT life so much easier for us!

Think about what us security people are preaching: “You need to have a unique password for every single account”. That’s pretty rough demand, especially if the password is supposed to be truly unique, not just a spin-off of a master password. Having this in mind, here is a statement I find it hard to dispute:

[important]It is impossible to remember all your different usernames and password combinations. Additionally it is impossible to create passwords that adhere to all the different policies, that all the different systems have in place. [/important]

Windows Live only support 16 characters. What if your password is 20 characters, then you have to keep track of another variance of your password. Additionally, some systems limit the use of special characters, or they force you to, in some way or another, use a different password. If you are like me, you are registered on so many systems all over the internet, that you wont be able to keep track off all your passwords, let alone your usernames.

Not just passwords, usernames too

Guys, girls and foreign species; listen! I currently have 144 DIFFERENT ACCOUNTS! For these accounts I have 20-30 different usernames. Yes, 20-30 different usernames! How is ANYONE suppose to remember all that information unless you are Sheldon Cooper from Big Bang Theory? Keep in mind, you are supposed to have a unique password per service as well. This means that just a slight variation of your master password is, in theory, not good enough, as an attacker could very well crack it by learning your algorithm for varying your password. The attacker already has your password in clear-text, so he can easily read it from one of hte compromised sites you have registered at. It is not good enough to only have variance protect against automated bot attacks.

If we are going to practice what we preach, then there is no other solution than have a password manager as far as I know. Mind you, this password manager may very well be a notebook (analog paper) instead of an IT system. This to make sure your mom, grandma and others, not so techie, can also keep up with the requirements today. A notebook? Really? Really!! What are you the most worried about? A burglar stealing your password notebook, or a thief online stealing your identity?

keep calm and carry

A take on password managers

So what is a Password Managers? Well, first of all a disclaimer: I am in no way, shape or form, involved in the development, sales or companies who own Password Managers. I just find them extremely useful, hence me sharing my thoughts with you.

Password Managers store all your accounts information in a secure and good way. The only thing you have to remember is one master password in order to unlock your little database.The database lets you easy search and then copy both username and password for the account you need. It also helps you easily generate unique and secure passwords. Lending a quote from the article linked beneath:

Password managers are a simple
way to securely store all of your
different passwords for each of
your different account

So the next time you type in your password, I’ll ask you “why you bother??”, instead use a password manager. It is easier, safer and quicker!

The password manager I use is called KeePass. I use this for both personal and business use. We also use this on the IT-Operations team. I have my personal KeePass database also connected on my phone (via Dropbox), so I can easily use the logins in my manager from my phone. I have also stored my pincodes for access control cards, cell phone pins and more in this password manager. Everything I have is safely stored in an encrypted database, protected by one, strong and unique password.

Keepass can be downloaded from here: http://keepass.info/
For further reading I suggest looking at SANS Securing The Human newsletter Ouch. They wrote a newsletter specifically for Password Managers. Here it is in English:http://www.securingthehuman.org/newsletters/ouch/issues/OUCH-201310_en.pdf

You can also find it translated to other languages here:http://www.securingthehuman.org/resources/newsletters/ouch/2013

Good luck in implementing your new Password Manager. It really is easy to get started with, and there is little to no excuse not to have this today!

PS: Honorable mention to Lastpass. I have not used it myself, but many of my friends recommend it. Supposedly a very good password manager!

Share
  • Tom-Kenneth Fossheim

    Lastpass is my personal weapon of choice. Wholeheartedly recommended, at least if the majority of the passwords are related to web apps. Integrates beautifully with most browsers for that lovely autofill experience.