Guidance on Password Management

Every time we open the news, there’s another story about a security firm being breached. Most recently it was the LastPass password manager, although the company insists the compromised password databases remain encrypted. This past week, Norton announced a similar breach of its flagship LifeLock service. In the not-too-distant past, Dashlane, Keeper, and several other password tools have all fallen victim to hackers. Even Google Chrome prompted security experts to issue guidance against storing passwords in the browser, following an attack targeting remote workers.

When the security services are failing, what is a user left to do?

Below are a few recommendations to help keep data safe during these unprecedented times.

  • Enable Multi-factor Authentication

Many applications and online services now offer some sort of multi-factor authentication. This means users get prompted via an email, text message, phone call, or authenticator app code. This acts as a “second factor” beyond the password, adding a speed bump for hackers and a notification that an account is under attack. Multi-factor authentication should be enabled on all critical services, such as those of financial institutions.

  • Create Strong Passwords

Complex passwords are a must for critical services like online banking or master passwords. A good password should be a mix of letters, numbers, and symbols and be as long as reasonably possible. The problem is how to remember that good password.

Where password managers aren’t practical (or trusted), try this simple method to generate strong passwords. Think of a sentence about the site or service that is easy to remember. For example: I like to go to my bank for deposits and get coffee at Starbucks next door. Make your sentence unique and meaningful to you.

Now, let’s turn this sentence into a killer password. Take the first letter of each word, complete with capitalization and punctuation, substituting symbols for a few key characters. Our password becomes: Il2g2mb4d&gc@Snd. With a little practice, this behavior can become second nature, improving password security.
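The sentence-to-password method above, as an added example that is not part of the original post. It implements the first-letter rule with the substitutions the example uses (to → 2, for → 4, and → &, at → @; an assumed mapping you can extend), keeps any punctuation attached to a word, and reports whether the result covers letters, numbers, and symbols as the article recommends.

```python
import string

# Whole-word substitutions matching the article's worked example.
# Assumed mapping; extend it with your own (e.g. "you" -> "u").
SUBSTITUTIONS = {"to": "2", "two": "2", "for": "4", "four": "4", "and": "&", "at": "@"}


def mnemonic_password(sentence: str, substitutions=SUBSTITUTIONS) -> str:
    """Turn a memorable sentence into a password: first letter of each word
    with its case preserved, listed words replaced by a symbol or digit, and
    punctuation attached to a word carried through unchanged."""
    out = []
    for token in sentence.split():
        # Peel leading/trailing punctuation off the word itself.
        stripped = token.strip(string.punctuation)
        if not stripped:
            out.append(token)  # token is pure punctuation: keep it as-is
            continue
        start = token.index(stripped)
        lead, trail = token[:start], token[start + len(stripped):]
        core = substitutions.get(stripped.lower(), stripped[0])
        out.append(lead + core + trail)
    return "".join(out)


def charset_coverage(password: str) -> dict:
    """Report length and which character classes the password covers, so a
    weak mnemonic (e.g. letters only) is easy to spot before adopting it."""
    return {
        "length": len(password),
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }


if __name__ == "__main__":
    sentence = "I like to go to my bank for deposits and get coffee at Starbucks next door"
    pw = mnemonic_password(sentence)
    print(pw)  # Il2g2mb4d&gc@Snd
    print(charset_coverage(pw))
```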

  • Use an Offline Password Manager

Although the convenience of online password managers is great, allowing sharing of passwords between multiple devices and on the go, users are quickly learning that convenience comes at a price. Instead, consider vaulting sensitive passwords in a local password vault. To avoid vendor favoritism, we won’t name any specific vendors. A quick Google search will identify several to choose from.

If you absolutely need access from multiple devices, consider storing the vault file on a secure cloud share. Keep in mind that if the share is compromised, so is the password database, leaving the strength of the master password as its only protection.

  • Have a Recovery Plan

Last but not least, have a plan in case your password solution is compromised. This may mean keeping a secure offline list of the accounts or services that were vaulted, or a plan to export that account list from the password manager, so you know what to reset. Don’t keep the passwords themselves in that list; this would defeat the purpose of securely storing them.

  • Don’t Rely on a Single Solution

The key is to use the above measures in concert, rather than independently. Enabling multi-factor can provide an early warning that passwords have been compromised. Using strong passwords may buy more time to reset critical accounts before hackers can crack the code. Having a plan in place for a breach might mean the difference between a few hours of password reset pain, and weeks or months of identity and financial clean-up.
