Cyber Security – password managers

WE'VE spoken a little about passwords, and the importance of making them strong and keeping them secure. As touched on in a previous article, there are a few things you can do to reduce the risk to your passwords:

  1. Create a password that contains special characters, numbers and capital letters.
  2. Avoid dictionary words.
  3. Prefer length over complexity.
  4. Use a different password for each service.

It is number 4 on that list that seems to be the tough one for most people. The average person uses a password for 25-35 services. Is there any chance you'll remember all of those passwords? People try to work around this by altering one password slightly for each service (e.g. Password1, Password2, Password3 and so on). Technically you are then using a different password for each site. However, by doing it this way you are making yourself predictable, since anyone who learns one of those passwords can guess the pattern behind the rest, and that increases the risk of a hack.

Remembering completely different passwords can be very difficult. Take hYf5i1sZ*CZW7oU and d#%$*gxsIPUK43$, for example: those are only two strong passwords, and already it seems almost impossible to remember them exactly. After asking around, we've discovered that some people write them down in a notepad, but this leaves you at risk again.

So we come to password managers. There are a number of these available, most of which are free. The idea behind them is that you only need one 'master' password for all your sites. Simply log in to your password manager, and you can then log in to any service you have saved. There is no need to remember all your passwords, as the manager does that for you.

So what are the risks? It can be argued that it's a bad idea to put all of your eggs in one basket. However, getting at your information is no easy task for intruders. The example here is LastPass, which has been built so that the company itself does not hold the key to your account. Sensitive data is encrypted on the device with AES-256 before it is synced over TLS, to protect it from 'man-in-the-middle' attacks and ensure complete security in the cloud. For all the 'non-technical' people, this basically means that every time you enter details into your account, they are not recorded as plain text, so hackers simply aren't able to read what they are. Creating your account with a strong master password generates a unique encryption key locally. Your data is encrypted and decrypted on the device, so it is never sent to LastPass' servers as plain text.
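To make the "encrypted at the device level" idea concrete, here is an added example written for this article; it is not LastPass's code and does not reproduce their actual settings. It derives an AES-256 key from the master password on the device with PBKDF2-HMAC-SHA256 (the iteration count, salt length, master password and the small JSON vault are all assumptions constructed for the example), encrypts the vault with AES-256-GCM, and shows that the blob which would be synced contains no readable passwords and that a wrong master password is rejected rather than producing garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Assumed parameters for this example, not a real product's settings.
const (
	keyIterations = 100_000 // PBKDF2 work factor (assumption)
	keyLen        = 32      // 32 bytes = AES-256 key
	saltLen       = 16      // random per-account salt stored next to the vault
)

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018), written out here so
// the example depends only on the Go standard library.
func pbkdf2SHA256(password, salt []byte, iterations, dkLen int) []byte {
	prf := func(data []byte) []byte {
		mac := hmac.New(sha256.New, password)
		mac.Write(data)
		return mac.Sum(nil)
	}
	var out []byte
	for block := uint32(1); len(out) < dkLen; block++ {
		// U1 = PRF(salt || INT_32_BE(block))
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		u := prf(append(append([]byte{}, salt...), idx[:]...))
		t := append([]byte{}, u...)
		// U2..Uc are chained through the PRF and XORed into T
		for i := 1; i < iterations; i++ {
			u = prf(u)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// deriveVaultKey turns the master password into the AES-256 key on the
// user's device. Only the salt is stored with the vault; the key never
// leaves the device and the server never sees the master password.
func deriveVaultKey(masterPassword string, salt []byte) []byte {
	return pbkdf2SHA256([]byte(masterPassword), salt, keyIterations, keyLen)
}

// sealVault encrypts the plaintext vault with AES-256-GCM. The result
// (nonce || ciphertext || tag) is the only thing that would be synced.
func sealVault(key, vault []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, vault, nil), nil
}

// openVault reverses sealVault. A wrong key fails GCM's authentication
// check and returns an error instead of silently decrypting to garbage.
func openVault(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed vault too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
}

func main() {
	// Constructed sample vault using the two passwords quoted in the article.
	vault := []byte(`{"mail":"hYf5i1sZ*CZW7oU","bank":"d#%$*gxsIPUK43$"}`)
	salt := make([]byte, saltLen)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		panic(err)
	}
	key := deriveVaultKey("example-master-passphrase", salt) // assumed master password
	sealed, err := sealVault(key, vault)
	if err != nil {
		panic(err)
	}
	fmt.Println("what the server stores:", hex.EncodeToString(sealed))
	if _, err := openVault(deriveVaultKey("wrong password", salt), sealed); err != nil {
		fmt.Println("wrong master password:", err)
	}
	plain, _ := openVault(key, sealed)
	fmt.Println("decrypted on the device:", string(plain))
}
```

Running it prints a hex blob with none of the stored passwords visible, then an authentication failure for the wrong master password, then the vault decrypted locally. The design point is the one the article makes: the server holds only the sealed blob and the salt, so everything that can unlock it depends on the master password entered on the device, which is why that one password needs to be strong.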

In effect, the only way someone will gain access to your data is with your master password. However, LastPass has added another level of security on top of this too: you can activate two-factor authentication (highly recommended!).

As mentioned, there are a number of providers for this service: LastPass, Dashlane, 1Password, KeeperSecurity and TrueKey. If you are interested in the idea, feel free to find the right one for you. If you have any questions on these, please don't hesitate to get in touch.

Keep an eye out for future articles where Clark IT looks deeper into Cyber Security.