How to Securely Manage Passwords

Introduction

Don't write down passwords, especially on Post-It notes

In a previous blog entry we discussed why SMS authentication might not be as safe as we think it is. In this blog entry we discuss generating and managing "strong" passwords as well as the industry migration away from passwords to passphrases.

As cybersecurity professionals we know a “strong” password is, supposedly, one that is at least 8 characters long with a combination of upper case, lower case, numbers, and special characters. But, as Bob Dylan said, the times they are a-changing. There is a new movement in the industry to move away from this traditional password guidance to something more secure, user-centric, and friendly.

New Password Guidance

In 2016 Microsoft released new password guidance, based on their own experience combating the over 10 million username/password attacks they see against their identity platforms every day. This new guidance essentially states that more complex is not necessarily better, but longer passphrases are. Additionally, the National Institute of Standards and Technology (NIST) is also in the process of revising their password guidance for the U.S. Government. You can read all about it in NIST SP 800-63-3. From an administrative perspective, this means that we may have a little less work to do because we can do away with the requirement for our users to change passwords every 90 days, but the prohibitions on password reuse should stay in place.

But what about from a consumer, or end-user, perspective? This is where the real danger to our personal information lies since, as we know, most computer users tend to use the same password for multiple accounts, and they generally don’t use strong passwords because they are difficult to remember. This is where a credential manager comes in handy. Did you know that in Windows 10 there is a credential manager built into the Control Panel? There is! It’s very bare bones and doesn’t have many features, but it will allow a user to store all kinds of online passwords without having to remember them.

Credential Managers

For truly powerful password management, though, we need to look at third-party credential managers. Any software you choose should have some basic features that include the ability to generate strong passwords, be portable, store passwords in a database, use strong encryption, and password/passphrase protect the database. Three industry leading products are the open-source KeePass, 1Password from Agile Bits, and LastPass.  The latter two are commercial products. All three offer compelling features that fit well into an enterprise environment or our daily lives. Let’s focus on how these apps can help users manage passwords.

As mentioned above, one of the biggest threats to password security (besides passwords that are not complex enough) is password “over use.” This means a user will use the same, (sometimes) weak password for multiple online accounts. The ideal solution would be to use different, strong passwords for all our online accounts, but this can be confusing and the passwords hard to remember, which is where the credential manager comes into play. Using a set of built-in algorithms, any of the credential manager products mentioned will generate complex, long strings of random characters or passphrases which can then be used to update a password for an online account. Both LastPass and 1Password have browser plugins that allow the user to generate new passwords directly on an account’s “new password” page and save that new password in the database. They also have the ability to update existing passwords with the new passwords, making the entire process very easy and convenient.
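To make the "longer beats more complex" point from the guidance section concrete, and to show what a credential manager's generator is doing under the hood, here is an added example (not code from this post or from any of the products named). It draws passwords and passphrases from the OS CSPRNG and computes the entropy of each; the word list is a constructed stand-in, and the 7776 figure is the size of a standard diceware list.

```python
import math
import secrets
import string

# Printable characters a typical "complex password" generator draws from
# (letters, digits, punctuation; no whitespace) -> 94 symbols.
SYMBOLS = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in word list; a real diceware list has 7776 words (6^5).
WORDS = ["anchor", "basil", "cobalt", "drizzle", "ember", "falcon", "garnet",
         "harbor", "iris", "juniper", "kestrel", "lantern", "marble", "nectar",
         "orchid", "pebble"]
DICEWARE_SIZE = 7776


def entropy_bits(pool_size: int, count: int) -> float:
    """Entropy of `count` independent uniform picks from a pool of `pool_size`."""
    return count * math.log2(pool_size)


def random_password(length: int = 16, alphabet: str = SYMBOLS) -> str:
    """Random character string; `secrets` uses the OS CSPRNG, unlike `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int = 5, wordlist=WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: n_words uniform picks from the word list."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare(length: int = 8, n_words: int = 5,
            wordlist_size: int = DICEWARE_SIZE) -> dict:
    """Bits of entropy: an 8-char 'complex' password vs. a 5-word passphrase.

    Only the size of the pool and the number of picks matter, which is why a
    5-word passphrase (about 64.6 bits) beats an 8-char mixed-case password
    (about 52.4 bits) despite using 'simpler' characters.
    """
    return {
        "password_bits": round(entropy_bits(len(SYMBOLS), length), 1),
        "passphrase_bits": round(entropy_bits(wordlist_size, n_words), 1),
    }


if __name__ == "__main__":
    print("password  :", random_password())
    print("passphrase:", random_passphrase())
    print(compare())
```

The entropy figures assume the generator is uniform and the list or alphabet is public; a user-chosen "complex" password that follows predictable patterns has far less entropy than the formula suggests.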

That last point is key.  If managing these new, complex passwords isn’t easy and convenient end-users simply won’t do it. They will stick with what they know, literally. Which brings us to another key feature of these products: portability.

Today, in addition to traditional desktop computers, everyone is also completely mobile with laptops and a plethora of other, smaller mobile devices. All these devices are used to log in to our various online accounts, as well. So, if all the passwords are stored exclusively on one computer, that doesn’t make them very useful. This makes portability of the password database a key feature of a good credential manager. LastPass uses its own cloud exclusively to sync databases between devices, while 1Password can use Dropbox, Google Drive, or Apple’s iCloud Drive to sync its database, or the database can be kept stored locally for additional security.

Another thing credential managers are good for is keeping track of answers to those security questions many sites want a person to answer. Most people answer the questions honestly, since those answers are easy to remember, but this information can also be easily socially engineered from the myriad social networking profiles we maintain. This type of personal data can be obfuscated by making up answers to these common questions. Of course, then the made-up answers must be remembered. Using a credential manager, though, the questions and answers can be stored along with the site login credentials for added security.

Summary

In summary, everyone should be using strong passwords, favoring longer passphrases over shorter, more complex strings (although complexity is good as well); don’t reuse passwords; and use a credential manager to help keep track of everything. And never click links in emails.