During the past decade, the number of passwords we need to remember has grown enormously. I am old enough to remember a time when I only needed to remember three passwords: one for work, one for personal email, and one for a forum of which I was a member. Now, at last check, I have more than 125 personal and business passwords, most of which are personal. Since we are human and can only memorize so much, the proliferation of passwords has led to two things:
- We tend to use the same password across multiple sites
- We make passwords easy to remember
In this post we will discuss a solution for these two issues, and in a later post, I will discuss an overall solution for our password “problem”.
One solution to help us deal with the large number of passwords, and the increasingly complex password rules we must satisfy, is the password manager. For those not familiar, a password manager is an application that stores login credentials (username and password) for applications or websites. These credentials are stored in a “vault” that is encrypted with a key derived from a single master password. That master password should be long and hard to guess (a passphrase of several unrelated words, or 14 or more characters mixing upper/lower case letters, numbers, and symbols), must never be reused anywhere else, and since it is the only password you need to remember, memorizing it should be a manageable exercise (theoretically). Where the manager supports it, also protect the vault with a second factor. Password managers range from simple to highly complex, each offering a wide array of features.
Disclaimer: Any products discussed below are not intended to imply endorsement or recommendation by McConnell & Jones LLP.
Simple password managers include the following types:
- Password protected spreadsheets/documents – These are generally not recommended because the protection this type of vault provides is limited: older file formats use weak or no encryption, the entire file is decrypted whenever it is opened, there is no per-entry access control or audit trail, and any item copied to the clipboard remains there until it is over-written.
- Web browser based – These are vaults built into your favorite web browsers (Chrome, Microsoft Edge, Opera, Firefox, etc.). Since most of your passwords are used on websites or cloud applications, it makes sense to use this type of vault. The benefit is that your stored username and password are automatically entered into the login screen when you visit the site, and because the browser only offers them on the matching domain, autofill also helps you notice look-alike phishing pages. The caveats: the browser store is usually unlocked for as long as you are logged in to the operating system (some browsers offer no separate master password), so malware or anyone with access to your user session can often read the saved credentials, and browser vulnerabilities have periodically exposed stored usernames and passwords. If you sync the browser vault, protect the sync account with multi-factor authentication.
The next types of password managers are more complex and provide a wide array of features that a person may or may not want or need.
They can be built into your mobile device, a stand-alone application, or part of a security suite:
- Mobile device based – These vaults have become more prevalent and gained more features recently as security concerns have grown. Examples include iCloud Keychain (Apple), Google Password Manager, and Samsung Pass. These are native applications that use the device's security features, such as biometrics, hardware-backed key storage (a secure enclave or secure element, the mobile counterpart of a PC's Trusted Platform Module) and PIN codes, to encrypt and restrict access to the stored passwords. They can also generate strong passwords for new accounts. The benefit is that they automatically fill your login information when you visit a site or open an app on your mobile device. Note that they sync through the vendor's cloud account, so that account's password and multi-factor settings protect your vault as well.
- Stand-alone/Security Suite based – These are the most feature-rich password managers and typically provide benefits not seen in other managers. The vault is encrypted with a key derived from the master password you create (and, in some products, a second secret such as a key file or account key), so the stronger the master password, the better protected the vault. The number of key-derivation rounds the product uses matters too, since that is what makes offline guessing against a stolen vault file slow. Additionally, these managers will store other sensitive information (addresses, credit cards, notes), include a customizable password generator, support multiple vaults for multiple users, and allow sharing of usernames and passwords with others. These are just a small sample of the features available. Examples of these password managers include Kaspersky Password Manager, 1Password, LastPass, KeePass (open source, with a local vault file), Norton Password Manager, and NordPass.
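To make the two mechanisms above concrete, here is an added example (not code from the post or from any of the products named) of what a password manager does when it generates a strong password and when it turns your master password into the vault key. The character classes, the 600,000 PBKDF2 iterations, and the key-check-value scheme are assumptions chosen for illustration; real products differ in details, and the 600,000 figure follows current public guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import math
import secrets
import string

# Character classes a typical generator lets you toggle (assumed set).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}
DEFAULT_CLASSES = ("lower", "upper", "digit", "symbol")

# Assumed work factor for the key-derivation function.
PBKDF2_ITERATIONS = 600_000


def generate_password(length=20, classes=DEFAULT_CLASSES):
    """Random password from the selected classes, using the OS CSPRNG
    (secrets) rather than random(), with at least one character of each
    class so that site password policies are satisfied."""
    if length < len(classes):
        raise ValueError("length too short for the requested classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    chars = [secrets.choice(CLASSES[c]) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed
    # characters do not always sit at the front.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length, classes=DEFAULT_CLASSES):
    """Approximate guessing work: log2(alphabet_size ** length).
    Length adds bits linearly; adding a class only widens the alphabet."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password, salt, iterations=PBKDF2_ITERATIONS):
    """Stretch the master password into a 256-bit vault key. The salt stops
    precomputed tables; the iteration count makes each guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def create_vault_header(master_password, iterations=PBKDF2_ITERATIONS):
    """What the vault file stores: salt, work factor and a key-check value.
    The key itself is never written down."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, salt, iterations)
    check = hmac.new(key, b"vault-key-check", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def unlock_vault(header, master_password):
    """Re-derive the key and compare the check value in constant time.
    Returns the key on success, None on a wrong master password."""
    key = derive_vault_key(master_password, header["salt"], header["iterations"])
    check = hmac.new(key, b"vault-key-check", "sha256").digest()
    if not hmac.compare_digest(check, header["check"]):
        return None
    return key


if __name__ == "__main__":
    pw = generate_password(20)
    print("generated:", pw, "(~%.0f bits)" % entropy_bits(20))
    print("8 lower-case letters: ~%.0f bits" % entropy_bits(8, ("lower",)))
    header = create_vault_header("correct horse battery staple")
    print("unlock with right password:", unlock_vault(header, "correct horse battery staple") is not None)
    print("unlock with wrong password:", unlock_vault(header, "password123") is not None)
```

Two things worth noticing. A 20-character password from this alphabet is roughly 128 bits of guessing work, whereas eight lower-case letters is under 40 bits; that gap is why the generator, not your memory, should pick site passwords. And because an attacker who steals the vault file gets the salt and iteration count too, the only things standing between them and your vault are the master password's strength and the cost of each PBKDF2 guess.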
Hopefully you can see that a password manager is one tool that helps with the problems of reusing the same password across multiple sites and choosing simple passwords. The decision to use a password manager should not be taken lightly: research which features and benefits meet your specific needs, and check how the product encrypts your vault, where it stores it, and whether it supports multi-factor authentication.
As with many decisions, there are always tradeoffs among convenience, security, and risk.
Keep an eye out for my next post where I will discuss an overall solution for our password “problem”.
Chris Williamson serves as an IT Audit Senior Manager within McConnell & Jones’ Risk Advisory Services Team, where he helps organizations protect their data and their systems from cyber incidents. A CISA and Security+ certified professional, he started his IT security and auditing career at a CPA firm serving governmental agencies, next moving to a quasi-governmental agency and most recently to a Spanish construction/infrastructure conglomerate. He has expertise with both IT and OT installation, configuration, and protection. He can be reached at firstname.lastname@example.org