
Password Management

4th August, 2023

What do you do for password management and what does the future hold for passwords?

Ok – this is going to be a highly dubious and ill-researched article, firstly because the world of passwords is on the cusp of change and secondly because at NCompass we have to deal in thousands of passwords. It makes our life somewhat different to a regular user's.

I am not going to go into the dos and don’ts of password management and memory: don’t always use the same password, don’t record your passwords on paper or in a computer file, do use unique and long passwords, etc.

The fact remains that the single factor in making a password secure is length, not all those funny characters that many websites force on you. Each character multiplies the strength of a password by its factor, so at 256 characters it is going to be pretty darn impossible to crack.

Equally, it’s worthwhile noting how most passwords are broken into: brute force, usually. A piece of software will start with the letter A and try aa, then ab, ac and so on until it goes through every permutation possible. There’s every reason to suppose that over 90% of passwords are broken into this way. Usually, the software will also have a list of common passwords to try first and then it’s pure guesswork.
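To put numbers on the two paragraphs above, here is an added example (not part of the original article) that counts how many guesses the described approach needs: a common-password list first, then a, b, ... z, aa, ab and so on. The sample word list, the function names and the guess rate of ten billion per second are assumptions made for illustration.

```python
import string

# Constructed sample; a real guesser's word list is far longer.
COMMON = ["123456", "password", "qwerty", "letmein"]

def keyspace(alphabet_size, max_len):
    """Candidates of length 1..max_len: the worst-case number of guesses."""
    return sum(alphabet_size ** k for k in range(1, max_len + 1))

def guesses_needed(password, alphabet=string.ascii_lowercase, common=COMMON):
    """Guesses made before reaching `password`: the common list first,
    then every string of length 1, 2, 3... in alphabet order."""
    if not password:
        return None
    if password in common:
        return common.index(password) + 1
    n, rank = len(alphabet), 0
    for ch in password:
        pos = alphabet.find(ch)
        if pos < 0:
            return None  # character outside the alphabet: never reached
        rank = rank * n + pos + 1  # position in the a, b, ..., z, aa, ab order
    return len(common) + rank

def years_to_exhaust(alphabet_size, length, guesses_per_second=1e10):
    """Worst-case years to try everything; the guess rate is an assumption."""
    seconds = keyspace(alphabet_size, length) / guesses_per_second
    return seconds / (365 * 24 * 3600)

if __name__ == "__main__":
    cases = [("8 characters, 94 printable symbols", 94, 8),
             ("16 characters, lowercase only", 26, 16)]
    for label, size, length in cases:
        print(f"{label}: {years_to_exhaust(size, length):.3g} years")
    print("'password' falls on guess", guesses_needed("password"))
    print("'zz' falls on guess", guesses_needed("zz"))
```

The longer lowercase-only password takes millions of times longer to exhaust than the short one full of symbols, while anything on the common list falls within the first few guesses whatever its length.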

Memory

If you can, memorising works best. It was as far back as 1967 when James Goodfellow patented the PIN code; the story goes he was working on a 6-digit system when his wife or mother suggested 6 digits were too long, so he reduced it to a 4-number code to make it easier to remember.

A hundred different methods have been established to try and make it easier to remember passwords, but settling on some systematic memory skill usually works best. The trouble is trying to stick to it.

Memory is the ideal, but in this day and age of dozens of passwords, it’s hard to keep to memory.

Phones and Browsers

It’s fair to suggest most passwords are needed when navigating the Internet; the days of the Famous Five answering a knock knock on the door are almost gone. Phones and browsers both have password-saving technologies and these days they are pretty reliable. I suspect at some stage someone said don’t use them; however, they are secure. It’s necessary these days to break into a computer or iPhone first and then often you have to pass another barrier to get to the passwords.

The key is to click save whenever offered. Phones and browsers will prompt you when they recognise a new password.

One last piece of advice: you can easily find these passwords and it is well worth spending a little time deleting old ones. Most websites and services have a password reminder system in case you forget or lose a password. However, increasingly services are turning to alternative methods of securing your account and you can end up with a lot of legacy passwords.

2 Factor Authentication

I love the theory of two-factor authentication but hate the practice. The saying goes that in order to identify a person fully you need at least 3 or more pieces of diverse information about a person. You need their email address for example, then their phone and perhaps another piece of information unrelated to either.

2 Factor Authentication was born to frustrate, but the security levels went up ten-fold, to the point where limbs get chopped off in films to present to phones and retina-recognising systems. The easiest solution is to download an App on your phone; Google Authenticator is probably the easiest. Set it up with the services you need and each time you log into your account you can reference Authenticator to get the multi-digit number required.

A slightly older version of the same thing is the TXT message or phone call verification; it’s the same thing, but you get a call.

Authentication is all very well, but you will probably still need an old-fashioned password as well.

3rd Party Services

Dashlane, LastPass and 1Password are all services that have sprung up to help manage passwords. They are not always safe and most of them have been hacked at some stage; they make good targets for hackers as they have a serious volume of sensitive information.

Sign up and install the App on your phone and browser. These days these services can store a lot more than just passwords; they can store addresses, credit cards and so on.

The biggest advantage is the ability to share passwords, something we need in our working life, but you may not. The second advantage is that usually, you can look up all your passwords from anywhere.

Software and Hardware

We also use a software solution called KeePass; there are, I suspect, plenty of alternatives. But this is proper software that can be downloaded onto a computer and passwords securely saved. The advantage is that there is no link to the online world. Passwords are saved on your computer and nowhere else; this alone is a huge security boost.

A further step can be taken by using hardware: passwords can be saved on a USB stick or specialist hardware, and if this becomes separated from its recognised connection the passwords will no longer work.

It’s total overkill for most people, but if security is an issue then hardware that is disconnected from the Internet is probably the most secure form of password management available.

Legacy

Forcing good password management on people is one thing and regardless of what form of management is chosen, it must be accessible by another person. There is going to be a serious increase in issues as the first generations of computer users grow older and even die off. Not to put things too callously, should you die and not leave a method to access your bank accounts or sensitive data there could be severe repercussions.

Few services, think Facebook, yet understand how to deal with a person’s legacy after they pass away. Does Facebook leave a profile on its website forever? It seems callous to delete it automatically after 2 years of non-use. The rules will be different and a hundred different scenarios present themselves.

But password management is central to all of them. Writing down passwords, while insecure, is the easiest way to ensure someone else can access accounts if you’re squashed by a London Bus.

Conclusion

Consigning passwords to memory is the right way to deal with password management, forming a system that is personal to you to decide on the passwords is also effective. Long passwords are also effective. In this way, it’s possible to tell another person your formula for setting passwords and this will account for 90% of all your password needs.

This article is really food for thought… firstly, how far can you go with password management and secondly do you need to make sure someone else can get in if you cannot.
