I was speaking with my fiancée the other day about one of the games that she enjoys playing occasionally, and ended up walking her through the password reset procedure for the account after she angrily exclaimed “I only use this account once a year, how the ** am I supposed to remember the password for it?!”. This is a common problem that everyone on the internet faces today, though usually on a more recurring basis: too many passwords to remember. This often leads to the less security-conscious decision of using one password for multiple accounts. Most people have heard the advice from security professionals saying that they should use a unique password for each of their separate accounts, but often ignore that advice because it can quickly become unmanageable, as it becomes increasingly difficult to remember more and more unique passwords and which account each one is associated with. So, what’s the alternative? What is the method or procedure that will allow us to follow best practices related to account management and passwords, AND allow us to continue with our everyday lives without having to remember one hundred different sets of credentials? Especially for those accounts that are used infrequently, e.g. online tax accounts.
Enter the password manager! Products such as KeePass, LastPass, Dashlane, and many more exist to both help you store your passwords, and to help you generate strong, random passwords so you never have to invent (or remember) them yourself. Hold up a minute. You mean to tell me that there are programs out there BESIDES EXCEL that will allow me to keep a list of all my passwords, but that also will store them securely? Blasphemy. My passwords.xlsx file is the most secure thing ever… right? No. That file is plaintext; if someone gets hold of it (pick your poison as to how) they have every account stored in it, with no further work required. The listed password managers take a different approach. They keep your entered credentials inside an encrypted database (the “vault”) whenever it is not in use, and require you to enter a single master password when launching the password manager. Under the hood, that master password is not the encryption key itself: the manager runs it through a deliberately slow key derivation function (KDF) together with a random salt stored in the vault, and the resulting key is what decrypts the database. This reduces the number of passwords you need to remember down to two: the one for the manager, and the one to log on to your computer. That way, if someone gets hold of your hard drive and makes a copy of it and all the files on it (something I’ve been playing around with myself during some forensics courses recently), they won’t necessarily have access to your password vault; they would first need to crack the password to the vault itself. Note the caveat hiding in that sentence: with a copy of the vault file, the attacker can guess master passwords offline at whatever speed the KDF allows, so the vault is only as strong as the master password you chose and the KDF cost the manager is configured with. A long, unique master password is the one password worth spending real effort on.
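To make the “encrypted database plus master password” idea concrete, here is a small added example in Python (not the code of KeePass, LastPass, Dashlane or any other real product, and not from the original post). It derives a key from a master password with scrypt, seals a vault of constructed sample entries, refuses to open it with the wrong password, and shows what an attacker with a stolen copy of the file is reduced to: one expensive KDF call per guess. The cipher used here (an HMAC-based keystream plus an HMAC tag) is an assumption chosen so the example runs with the standard library only; real managers use AES-256 or ChaCha20-Poly1305 for this step.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

# scrypt cost parameters. These are an assumption for the example; real
# managers tune them much higher (and let you raise them) so that each
# offline guess against a stolen vault costs the attacker real CPU and RAM.
KDF_N, KDF_R, KDF_P = 2 ** 14, 8, 1
KDF_MAXMEM = 64 * 1024 * 1024


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Turn the master password into 64 key bytes: 32 for encryption, 32 for the MAC."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=KDF_N, r=KDF_R, p=KDF_P, maxmem=KDF_MAXMEM, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustration-only stream cipher: HMAC-SHA256 in counter mode.
    Real products use AES or ChaCha20 here; the structure is what matters."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master_password: str, entries: dict) -> bytes:
    """Encrypt the entries. Output layout: salt(16) | nonce(16) | tag(32) | ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    # Encrypt-then-MAC over everything the opener will trust (salt, nonce, ciphertext).
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def open_vault(master_password: str, blob: bytes):
    """Return the entries, or None if the password is wrong or the file was tampered with."""
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    key = derive_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


def crack_vault(blob: bytes, wordlist):
    """What the thief of a disk image is left doing: one scrypt call per guess.
    Returns the recovered master password, or None if the wordlist misses."""
    for guess in wordlist:
        if open_vault(guess, blob) is not None:
            return guess
    return None


def generate_password(length: int = 20) -> str:
    """The other job of a manager: a random password you never have to remember."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample vault contents for the demo.
    entries = {"game.example": {"user": "alice", "password": generate_password()}}
    master = "correct horse battery staple"
    vault_file = seal_vault(master, entries)
    print("opened with right password:", open_vault(master, vault_file) == entries)
    print("opened with wrong password:", open_vault("password123", vault_file))
    print("plaintext password visible in file:",
          entries["game.example"]["password"].encode() in vault_file)
    print("dictionary attack found:", crack_vault(vault_file, ["letmein", "password123", master]))
```

Compare this with a spreadsheet: the .xlsx holds the passwords as-is, so a disk image hands them over directly, while here the image only yields salt, nonce, tag and ciphertext, and every guess at the master password costs a full scrypt computation. Raising the KDF cost or lengthening the master password is what pushes `crack_vault` from feasible to hopeless.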
In a perfect world, everyone would use a password manager to securely store their account credentials; that way they wouldn’t need to remember hundreds of different logons (or create Excel spreadsheets of them), and the credentials would be stored far more securely. Most good password managers are cross-platform, allowing you to have the same password vault on your Android phone, your iPad, and your Windows 10 desktop. Super handy. Some password managers also sync the vault database between devices via the cloud; I personally don’t use these managers, and prefer to take the manual approach of copying the database file to each of my devices. Not all clouds are created equal, and not all clouds are created securely. Discussing which of these password managers is the better option is outside the scope of this post, and I recommend doing independent research based on your own preferences and needs.