Passwords are not good enough in today’s cyber landscape. This is a truth we have to acknowledge, but given that we are stuck with them for some time, it’s important to explore secure ways to use them, much like responsibly operating a Mercedes Benz in a manner that won’t get you killed. How you drive the car holds more weight than its safety rating. In order to properly protect passwords, we should first understand how they’re compromised.
How are passwords obtained?
Social engineering is certainly the biggest culprit, but on a technical level passwords are generally compromised in two modes:
- Online – Hacking passwords on a live system typically involves the concept of “brute force.” This is where the password is guessed at a very fast rate using tools that hammer the system repeatedly until a match is found. Preventative technical controls for this are common now, including session timeouts and account lockouts that are triggered after a certain number of attempts within a given timeframe.
- Offline – Systems typically store passwords in “hash” form. This means that they appear as a seemingly random string of hexadecimal characters which are generated by an algorithm. For example, the MD5 hash for the password “bearcat” is the following: 852f52a0f79bb088ba5ab77fa7f7e36b
Even changing just one character in the original password makes the resulting hash look completely different. Seems fairly secure, right? The problem is that if hackers obtain one or more hashes, they can then work offline, where no lockout or timeout applies, running brute force attacks against the hash at will until a match is found.
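To make the two points above concrete, here is an added example (not from the original article) that shows why an unsalted MD5 hash is such a gift to an offline attacker and what a properly salted, slow hash looks like by comparison. The sample passwords are constructed for the demonstration; the record format and the PBKDF2 iteration count are my own choices, not a prescription from the article.

```python
import hashlib
import hmac
import os

# Constructed sample inputs: the article's example word and a one-character variant.
SAMPLE_PASSWORD = "bearcat"
SAMPLE_VARIANT = "bearcab"


def md5_hex(password: str) -> str:
    """Unsalted MD5, the legacy scheme used in the article's example.

    Deterministic: every user (and every site) with this password gets the
    same 32-hex-character digest, so one cracked hash unlocks all of them.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hamming_distance_hex(a: str, b: str) -> int:
    """Number of differing bits between two equal-length hex digests."""
    return bin(int(a, 16) ^ int(b, 16)).count("1")


def pbkdf2_record(password: str, salt: bytes = b"", iterations: int = 600_000) -> str:
    """Salted, deliberately slow hash stored as 'iterations$salt_hex$digest_hex'.

    A fresh 16-byte random salt defeats precomputed tables; the iteration
    count (600,000 is a commonly recommended minimum for PBKDF2-HMAC-SHA256)
    makes each offline guess cost far more than one MD5 call.
    """
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    h1, h2 = md5_hex(SAMPLE_PASSWORD), md5_hex(SAMPLE_VARIANT)
    print(f"MD5({SAMPLE_PASSWORD!r}) = {h1}")
    print(f"MD5({SAMPLE_VARIANT!r})  = {h2}")
    print(f"{hamming_distance_hex(h1, h2)} of 128 bits differ after a one-letter change")
    r1, r2 = pbkdf2_record(SAMPLE_PASSWORD), pbkdf2_record(SAMPLE_PASSWORD)
    print("Same password, two salted records that differ:", r1 != r2)
    print("Both still verify:", pbkdf2_verify(SAMPLE_PASSWORD, r1) and pbkdf2_verify(SAMPLE_PASSWORD, r2))
```

Run it twice and note that the MD5 line never changes while the salted records always do; that difference is exactly what keeps an attacker from cracking one hash and reusing the result everywhere.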
The most crucial technical preventative measure today is to enable multifactor authentication (MFA for short). I discussed the college’s implementation of this more in a previous blog article. The option for MFA is becoming more widely available across applications, many of which have the ability to tie into your choice of authenticator app (e.g. Duo or Google).
Password managers allow you to have a different password for every system or application that you use, without having to memorize any of them (except for maybe one). They provide an easy-to-use interface to store and manage passwords and other sensitive data, as well as links to login pages for fast and easy access.
Doesn’t a master password defeat the purpose? What if that one is compromised?
It’s true that the master password is a critical single point of failure, but remember that most management solutions require a certain level of strength and complexity for it, and some also offer alternate authentication such as biometric or app-based checks. In addition, most solutions allow you to enable two-factor authentication on the master password for an extra layer of protection.
Though it might fall into a “pay-for” tier, most managers do more than store your passwords. Some, like Dashlane and 1Password, actually have built-in darkweb scanners that will scan known data stores for instances of your information in breaches or data leaks. Some will also check for basic web security on sites you are visiting, and alert you if the website is not using SSL encryption (HTTPS) or does not support MFA. Many, like NordPass, LastPass and Dashlane, have auto-fill and auto-save features which save you time as you bounce around the world through your many identities.
For the privacy nerds, be aware that some solutions like LastPass do have trackers that gather information such as device type, IP address and subscription plan.
Below are our five favorite picks for password management solutions. Click to find out more about each one: