What you need to know:

Where are your passwords stored? If they’re in your head, written on post-it notes, or on a spreadsheet, you are not as secure as you should be. First, the common business worker has dozens of passwords for everyday accounts that need to be accessed. Most computer users also have many more personal passwords for “important passwords”.

Keeping these in your head most likely means that they are too simple. A password that is too simple can be cracked with a “brute force” attack. As a security professional, it’s not uncommon to see credentials written on post-it notes and stuck to the wall, window, computer (you get the idea);this is a security issue waiting to happen. Spreadsheets or documents full of an organization’s passwords are another issue. Who has access to these? Who has seen them? Who has copies “just in case”?

Ideally, you don’t want anyone to remember the password to a resource except to the password manager itself. Remembering one complex password or passphrase is much more secure. If you are going to write down your master password, it should be kept in a safe deposit box.

There are plenty of personal password managers available, most of them commercial, some of them are free, open source projects. I’m not recommending any one in particular, but will give you some key items to look for:

A good personal password manager should have the following qualities:

  • The password manager should use two factor authentication (2FA); this makes sure that only the person authorized to access the passwords is the person logging in.
  • Master passwords should not be stored by the vendor. Your master password, used to access your account should be known by you alone. More than one password manager has been breached by attackers. If someone has access to your master password, they are one step closer to every account you have protected.
  • The vendor should not have access to any of your account passwords; they should be encrypted and only available after entering your password and 2FA key.

 

A good business password manager should have the following qualities:

  • All of the above plus:
  • Allow categorized/group access so that individuals only have access to the passwords that they need to do their job.
  • Be able to identify password strength.
  • Be reportable so that management and security teams can review periodically.
  • Be auditable so that if an employee leaves your company, you will know what passwords that employee had access to and the ones that have been accessed so that you can change them.
  • Can require that passwords be changed periodically.
  • Be able to enforce generated password complexity rules.

 

A word about passwords:

I recommend using a master pass-phrase instead, punctuated with numbers and special characters. The web comic xkcd did the internet a favor with this explanation of how to generate an easy-to-remember yet hard-to-guess passphrases (just don’t use the example):

Passwword Strength by xkcd is licensed under a Creative Commons Attribution-NonCommercial 2.5 License.

When it comes to auto-generating random passwords for websites, you should be generating them with upper and lower-case letters, numbers and special characters. If you use these rules and your password is 15 or more characters, an attacker would need to use an enormous amount of compute power to guess. Gibson Research has a great website pertaining to the maximum time required to brute-force a password.

Be Safe,

Mark Norton