The Internet is racing towards 10 billion publicly documented breached accounts. You can check your own email accounts for breaches, and see what information was compromised, through CyberHoot’s website, inside your Firefox browser, or at haveibeenpwned.com. With all of this breached data out there, what should you be doing?
Use a Password Manager
Using a password manager is the best way to limit the damage to you from an online breach such as those that happened to Facebook, LinkedIn, and Yahoo. Password managers are also the easiest and most efficient way to manage and secure all your passwords and personal information. A password manager stores and encrypts all your passwords, letting you keep the encrypted data in the cloud or on your personal computer, and keeps them easily accessible in your browser for when you need them. This allows you to use varied and strong passwords, making them much harder for criminals to attack. Password managers such as LastPass also protect you from giving away your private information on phishing webpages. Even though security experts recommend password managers, people are still hesitant to make the switch. Here are the top five (5) most common misconceptions about password managers and why they don’t hold water!
Myth 1: Password Manager Vendors Access my Data
Myth: Password Manager vendors must have a back-door into our password databases, putting us all at risk from their employees or from a hack of their IT systems.
Reality: Reputable password managers use Advanced Encryption Standard (AES) encryption, which even the US government and the NSA complain they cannot hack into. No employees at the password management vendor have access to the private keys that decrypt your data.
- Password management vendors do not have access to your master password (neither hackers nor employees can use it to steal your data);
- Password managers encrypt all your data with unbreakable AES encryption (see the recent US government pressure to place back-doors inside AES).
Myth 2: Password managers aren’t 100% secure
No tool can guarantee your full online safety; even the most complicated locks get broken into. We understand that bank safes can be broken into, but we keep our money in them anyway. We cannot rely on our memory for passwords. Without a password manager, the majority of people reuse the same small set of passwords (3 to 5) across most of their accounts. Google research says 2 out of 3 people reuse passwords. According to Symantec, 80% of data breaches could be prevented by the use of a password manager. Most password managers also support two-factor authentication to unlock them, making it very difficult for hackers to breach your critical encrypted password database. Read this article on Two Factor Authentication for more information on 2FA and password managers.
Myth 3: My passwords are more vulnerable because they are all in one place
All of the data entered into your password manager is securely encrypted. Since even the US government is pressuring tech companies to backdoor encryption standards such as AES, which is what password managers use, it is highly unlikely that your passwords can be hacked out of these encrypted databases. The only way to access your data is by entering the master password and completing the second-factor authentication method. CyberHoot recommends you use a passphrase of 15 to 25 characters and enable a second factor to access your password manager. Here’s a video on how to enable 2FA in LastPass.
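To make Myths 1 and 3 concrete, here is an added example (not CyberHoot’s or any vendor’s code) of the zero-knowledge pattern a password manager can follow: the master password is stretched into a vault key on the client, and the vendor’s server only ever stores a separately derived login hash plus the already-encrypted vault. The vault-key/auth-hash split, the email-as-salt choice and the iteration count are assumptions for the illustration.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed work factor for the illustration; real products tune this much higher.
KDF_ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client-side only: stretch the master password into the key that encrypts
    the vault. The lowercased email is the salt, so any of the user's devices can
    recompute the key without the vendor's help."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), KDF_ITERATIONS
    )


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """One more one-way step turns the vault key into a login credential. This is
    the only secret-derived value the vendor ever receives; PBKDF2 cannot be run
    backwards, so it reveals neither the vault key nor the master password."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


class VendorServer:
    """Stand-in for the vendor backend: it holds the auth hash and the already
    encrypted vault blob, never the master password or the vault key, so neither
    staff nor a breach of this store can decrypt anything."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Dict[str, bytes]] = {}

    def register(self, email: str, auth_hash: bytes, encrypted_vault: bytes) -> None:
        self.accounts[email.lower()] = {"auth": auth_hash, "vault": encrypted_vault}

    def login(self, email: str, auth_hash: bytes) -> Optional[bytes]:
        acct = self.accounts.get(email.lower())
        if acct is None or not hmac.compare_digest(acct["auth"], auth_hash):
            return None  # wrong master password: no blob is handed out
        return acct["vault"]


def client_unlock(server: VendorServer, email: str, master_password: str) -> Tuple[bytes, Optional[bytes]]:
    """What the browser plug-in does at login: derive both values locally, send only
    the auth hash, and keep the vault key in memory to decrypt the returned blob
    (the AES decryption of the blob itself is outside this example)."""
    vault_key = derive_vault_key(master_password, email)
    blob = server.login(email, derive_auth_hash(vault_key, master_password))
    return vault_key, blob
```

A second factor, as the text recommends, would be checked by the server on top of the auth hash before the blob is returned.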
Myth 4: It is safer to create and memorize my own passwords
How many times have you had to click the “Forgot Password?” link when attempting to log in to an account that you haven’t accessed in a while? Just as when you have to change your password every 90 days, you will pick a variation or an easier password when creating a new one, making it vulnerable to hackers. With a password manager you can install a plug-in into your web browser in a matter of seconds. You can also install it on your mobile device so your complex passwords go with you everywhere.
Password Managers also have a hidden advantage in that they all come with a “Securely generate a Random Password for me” feature. This feature creates a pseudo-random password of whatever length you choose, and the password manager remembers it for you!
Myth 5: It is a pain to set up a password manager
As mentioned in Myth 4, it takes only a couple of minutes to install a password manager in your web browser and on your mobile device. Once installed, whenever you log in to a website your password manager will prompt you to save the login details for future use. When you return to each site, your password manager will fill in the login fields, making it much easier. You can change your account passwords to complex, 14+ character passwords slowly over time; you don’t need to do it all in one day. Whenever you create a new account, the password manager will generate a unique password that can be copied straight into the password field. As time goes on, you will not want to go back to anything else.
If you would like to learn more about Passwords, Passphrases, and Password Managers, watch this short CyberHoot Training video:
Summary:
- Password management vendors cannot access your private encryption key to gain access to your passwords. Asymmetric encryption, which underpins the Internet, ensures your passwords remain accessible only by you.
- While no software ever written is perfect, the alternative, with 2 out of 3 people reusing passwords, is far worse. Password managers are more secure than any human-based password management system by an overwhelming margin.
- Having passwords secured inside unbreakable encryption is far superior to writing them down or reusing your favorite set of 5 password roots combined with prefixes or suffixes.
- The human mind is fallible. Trying to create and memorize our own passwords has been proven in thousands of breach studies to be the worst possible method of securing your digital life.
- Password managers have come a long way in usability. They work smoothly inside your desktop browsers and, increasingly, on your mobile devices as well.
Adopt a password manager. You’ll be glad you did. Just make sure you enable two-factor authentication for that password manager and do not EVER forget your master password.