Advice on passwords is getting out of hand. Just round and round in the echo chamber of infosec with our highly subjective opinions. It serves only to confuse users and does little to actually change the habits we see around password management. Sick of seeing such articles, I’d like to lay it down in a simple way. Many password articles are aimed at companies trying to sell you stuff on the back of it. You should understand that you don’t necessarily need a training module on passwords, and you might not need fancy devices to be secure.
Do you want some honest advice from a security company? Seriously? If you’re a newbie looking to this article to be the one true article to end all your password woes as you poke around, confused, in the maze InfoSec has created – you’re going to be disappointed. Save yourself the read and click on the ticket below. It guides you to 1Password’s sign up page.
We don’t get a referral fee, we are not affiliated with them in any way – we didn’t even ask them if this was OK. I just know your time would be better spent setting that up.
So just to be clear – You have so much going on in your digital life that you are worried about it, but you’re scared off by a little signup and some hassle. You want to DIY it and keep it in-house because saving that £3 a month is paramount. As a Yorkshire man, I almost admire you. It requires a little more setup and you might find it a bit clunky but let me introduce you to KeePassX.
Step 1 – Create Some Passphrases
Create a unique passphrase for your personal and business affairs. Then one more for each online account you couldn’t live without. If you have an iPhone this will probably be your Apple iCloud account; if you are on Android you’ll really value your Google account. I don’t personally save these ‘master’ passwords in a password manager, I just keep them in my head. It’s up to you but I find this approach works well. Once you’ve created a passphrase never use it for anything else. That includes websites that check your password strength!
Easy – Personal, Family, Children – Be creative, pick four really random words. Really Random!! Like ‘SilverGrassZenonTank’ or ‘HostageBrokenFluxMove’ never use any phrases you’ve seen before. Create a few, repeat them, remember them. Use the pictures below to get your brain thinking.
Complex – Business, Enterprise, End Users – Four truly random words will be better than 95% of the passwords in your business but rules are rules. Password security can change over decades but your Active Directory ruleset and policy obviously can’t. You’ll get the same advice we give to kids, but you’ll probably want extra steps in there to make it needlessly harder for end users.
Four words can create a strong passphrase but if you have a problem with ‘SpeedsEligibleHillsMoving’ just tell users to add on your unneeded extras. Just add them on to the end, they are redundant and only there because you want them there. ‘SpeedsEligibleHillsMoving123!’ is just as secure as it was a second ago but now is compatible with your obscure requirements. If your employees have to remember more than 2 passwords to do their job, your system is broken too: you’re just making it more likely they will repeat elements of the passwords across services.
Step 2 – Password Managers
You’ll only want to remember a few passwords like every other sane human being. So let’s do that. Keeping it simple means you can use your memory for other things. Choosing a password manager used to be a minefield but more or less it’s now a case of anything is better than nothing. KeePassX, 1Password, LastPass are all pretty good with various pros and cons.
If you want help in picking a password manager remember to get one that works for you; often this will need to be supported on several of the platforms you use and sync without too much hassle. This is possible with KeePassX but takes a few extra steps. Most well-known brands in this space are all pretty smooth.
Complex – Business, Enterprise, End Users – Here is where managed services start to be a pain – integration costs for small businesses. Take 1Password at $7.99 a user per month. 150 users and it would be $1,198.50! It’s cheaper than a data breach sure, but if you have some clever people, you may find integrating KeePassX works for you. KeePassX is a massively underutilised open-source tool. Users can create secondary keys on USBs (like a sort of secondary physical two factor). Database files where the passwords are can be kept in cloud services to lighten the burden of saving it locally on one device. It’s a brilliant piece of software once users get in the habit of using it.
Step 3 – Setup
All the work up to now has been preparing for the big change over. Wow! look at you go with your passphrases and your password manager.
We are going to change all of our passwords one by one and use our chosen password managers to do the thinking for us. Head to your Facebook, enter that same old password you use for everything else, head to change the password, get your password manager to think of the new one for you. Activate Two Factor, Rinse and repeat. Every single online account.
Easy – Personal, Family, Children – Now that you can get to your password app and look at your saved passwords easily enough, you need to put it to good use. Whilst you are changing a password give it a try to make sure your app has saved it and is working as intended – nothing will frustrate users more than being locked out of their accounts because of ‘that security app’.
Complex – Business, Enterprise, End Users – Having employees managing their own password databases sounds like craziness but you will be teaching a repeatable secure habit that might even find its way into their personal lives too. An enterprise should always have the ability to access all accounts under it so you might find you have to think about it. Often an issue arises because “John has all the passwords and he could get hit by a bus”, but rarely is this the fault of the password manager – this is an issue with the need for shared access, segregation of duties and such. No one person should have all the keys for the company anyway!
- Use Pass Phrases, four random words. Read More Here.
- Using any password manager is probably better than using none. Read More Here.
- Setup Two Factor – on everything! Start Here.
- Change passwords as needed. Normally after an alert.
- Stop using the same password – it’s so risky.
- Google Authenticator (AppStore) or similar is better than SMS Two Factor. But any Two Factor is better than none!
Are You Safer?
Probably. It’s all far from over though! Many people rightly ask “isn’t using a password manager like putting all your eggs in one basket” and the answer is yes. One big solid steel, all singing all dancing basket with lasers on. Can it be compromised and leak all of your passwords? YES!!! But for this we hopefully have secondary forms of authentication. It’s a rare scenario too. If someone is able to access your password manager they probably have access to your computer anyway. It makes the feared situation a little like being robbed by someone living in your own house (malware on a PC).
I would recommend a holistic approach following this up in other related fields. Now you have increased your password management skills you have about another ten sections to consider. Network traffic, physical security and endpoint security might be your next steps – Good luck!