Find me a person alive that doesn’t have at least one online password, and I’ll eat my hat. Passwords are ubiquitous–so much so that the average internet user in the US has around 70-80 different passwords. Talk to a cybersecurity pro about passwords, and they’ll tell you two things: Every password should be unique, and there’s no way they are, especially considering the most popular password in 2019 was 12345, followed by 123456, and 123456789.
That’s a problem in the age of modern cybercrime: The theft of one password could open you up to dozens of password-related headaches as a hacker makes their way through websites testing your email address and password to find a match.
If you want to be safe on the internet, you need to add an extra layer of protection. Two-factor authentication should be used when available, but staying safe doesn’t stop there.
You need a password manager.
SEE: Password Management Policy (TechRepublic Premium)
What are password managers?
A password manager is essentially an encrypted vault for storing passwords that is itself protected by a master password. In order to gain access to the passwords stored in the manager, a user has to know the master password; in many cases, a second authentication factor is required as well.
Password vaults can be used to simply store passwords for easy recall, but one of the best features of most password managers is their ability to generate passwords. A longer password is more secure and harder to crack, and the passwords generated by password managers are combinations of random numbers and letters that are very secure.
Another important feature of most password managers is the ability to automatically fill in passwords to stored sites. By using that feature you won’t have to type anything but the master password, and it’s also a good way to avoid having passwords stolen by keylogging malware.
A good password manager will allow you to sync your data between devices so you won’t have to worry about losing data stored on your desktop if you’re using your smartphone.
In short, password managers should take the hassle out of your digital life by putting all your sensitive information into one secure, easy-to-access location.
- Why most of what we know about passwords is wrong, and how businesses should respond (TechRepublic)
- Video: Why you need a password manager (ZDNet)
- Top 5: Things to know about password managers (TechRepublic)
- Phishing is another problem solved by password managers (ZDNet)
- Extra security or extra risk? Pros and cons of password managers (TechRepublic)
How secure are password managers?
Most password managers worth using utilize AES-256, which is generally considered one of the strongest forms of encryption available–so strong that the US government uses it to transmit top-secret information.
The odds of a hacker attacking your device and stealing data from your password management app is slim, and it’s even slimmer that they’ll be able to decrypt that data. A security architect who has done the math found it would take one billion years to brute-force crack AES-256 encryption–that time shrinks to zero if the hacker has your master password and you aren’t using two-factor authentication, so be sure to add that extra layer of security.
As with any technology, nothing is foolproof. Hackers have gained access to the databases of password management companies and made off with user data before, and it’s entirely possible that it will happen again.
What’s important to note isn’t the incidents that have compromised user security, though–it’s the alternative.
Take storing your passwords in a web browser, for example. Most web browsers will ask if you want to remember a password, but that data is stored in a completely unsecured manner.
In Chrome you can see every stored password, username, and website combination by opening Settings and looking for Passwords under Autofill. Anyone who gains access to your computer would theoretically have access to all that information if they knew to look there, and while you need to know the password for the Google account signed in to Chrome to view the passwords you can still see usernames and their associated websites, greatly reducing the amount of work that needs to be done to compromise an account.
What you shouldn’t do is store passwords on a sheet of paper, which is right on the top of every IT professional’s list of prohibitions. Also avoid using the same password for everything, which is another idea security professionals will advise you against.
Password managers are simply the best way to keep track of all your internet logins. You won’t find a better way to safeguard your information, even with some perceived flaws.
- On World Password Day, here are 4 tips to keep your online accounts secure (TechRepublic)
- Password-sharing politicians prompt security row (ZDNet)
- 10 tips to help reduce user account lockouts and password resets (TechRepublic)
- The dumbest passwords people still use (ZDNet)
- Face, fingerprint, passwords, or PIN: What’s the best way to keep your smartphone secure? (ZDNet)
How do password managers differ?
The biggest difference in password managers comes down to where they store your passwords: On your local machine or in the cloud.
There are pros and cons to both options, many which are likely obvious:
- Storing your passwords in the cloud allows the passwords to sync seamlessly between devices.
- Cloud storage eliminates the worry that you will lose your stored passwords if your computer crashes.
- Storing passwords locally prevents data theft in the event of a cloud storage breach.
- Local password storage could lead to a stolen computer being used to gain access to all your accounts.
Most password managers that utilize the cloud can have their sync functions disabled if you would prefer to not take the risk of cloud storage. The same isn’t true for local storage options, though: If you seek out an option with a local password vault, you won’t be able to sync it to the cloud.
- Almost half of IT security incidents are caused by company employees, report says (TechRepublic)
- How to deter hackers: Follow these digital safety best practices (TechRepublic)
- 13 technologies that are safer than passwords (ZDNet)
- Password Policy (TechRepublic Premium)
Should my business choose a password manager or shared account password management?
There may be confusion about whether to use password managers or shared account password management (SAPM). Both are distinct and have different roles in the enterprise, and both can function side by side.
Password managers are designed to store and give easy access to individual accounts; these managers shouldn’t be used to store administrator credentials, shared accounts, or other business accounts that aren’t assigned solely to one user.
SAPM is designed to manage and control shared accounts. Depending on the SAPM management product, shared account passwords are either given out once a user signs in and are reset after logout, or the passwords are obscured from a user so they can use the privileged account without ever knowing the password.
It’s a good idea for large businesses with shared privileged accounts (domain admins, root, etc.) to implement an SAPM product along with a password manager. Corporate password management tools can store credentials for important websites and be linked to Active Directory, making the entire process a single sign-on.
The key to implementing password management in the workplace is making it as non-intrusive as possible. If users think a password manager or SAPM tool creates extra work, they’re likely to just ignore it.
- Firms that force you to change your password are clueless says cyber security chief (TechRepublic)
- Hate silly password rules? So does the guy who created them (ZDNet)
- The end of passwords? Not in the near future (TechRepublic)
- LastPass brings free password management to all your devices (ZDNet)
- What is phishing? Everything you need to know to protect yourself from scam emails and more (ZDNet)
What are the most well-known and popular password managers?
There is a wide range of password managers for business and home users, and many of these options offer similar features. These are some of the most well-known password managers.
Apple users take note: macOS and iOS devices come with a built-in password manager–iCloud Keychain. If you’re considering a password manager, it’s worth looking at this option first, as it’s tightly integrated with the rest of the operating system–something third-party apps can’t boast.
Businesses interested in providing their users with a single sign-on (SSO) solution should look into the following platforms. SSO is the premier form of business password management that gives users one-click access to frequently used sites by logging in to a single platform.
Several password managers, such as DashLane and LastPass, also offer SSO options for businesses. Connecting an enterprise SSO to personal password management is a great option for businesses that want to close the gap between platforms and make life easier for their employees.
- The best apps to manage all your passwords (CNET)
- How to install password manager Enpass and sync it with your Google Drive account (TechRepublic)
- How to eliminate passwords? It can’t be done (ZDNet)
- Best password manager to use for 2020: 1Password, LastPass and more compared (CNET)
- Amazon launches cloud SSO service for managing multiple AWS accounts (TechRepublic)
- Okta enhances security, extends on-prem options for identity management (ZDNet)
Editor’s note: This cheat sheet has been updated to include the latest information.