We’re pleased today that Ian Koetter, IT Security Analyst, agreed to share his expert advice on how to solve a problem we all share.
The problem? We all have too many passwords.
With the expansive growth of online services has come an equal number of account details we’re required to remember. Many of us choose to just reuse a common password to make it easier to remember, but that can be incredibly risky. Using the same password across multiple services means you’re at a much higher risk of account compromise. A single failure in security from any of those services could allow an attacker to compromise your financial, email, or social media accounts!
The solution? A keychain.
If all your passwords could be considered as ‘keys,’ then what you need is a keychain. The digital equivalent of the keychain is the password manager. In the most basic sense, a password manager allows you to record all the username and password combinations in a central location for easy recollection.
Go back to just one single passphrase!
The best part about a password manager is that it allows you to only remember a single, master passphrase without putting all your online accounts at more risk. Sure, there is some associated risk with storing all your credentials in one place, but if done properly it can be many times safer than password reuse and much easier than trying to remember which password you used where. By utilizing online password management services, you’re trusting experts to create an encrypted secure container in which you can stash all your online account information.
These password managers will allow you to securely generate very difficult passwords to autofill into the online services’ login pages you’re using. ‘42!J8e%GVR%klMQNqtuA’ is infinitely more secure than ‘BoomerSooner’ (please, don’t.), and if you don’t have to remember it anymore, why not make it nearly uncrackable by password guessing attackers? Set a different randomly generated complex string of characters as your online passwords and let the password manager store and automatically use them to login to your sites for you.
Another handy thing about password managers is that they commonly are available as browser extensions to automatically insert your credentials into websites, can be accessed from your mobile phone, and can even rotate or change passwords on websites for you when needed.
So, we’re back to a single password, isn’t that bad?
Practical security application is all about managing your risk. Yes, you’ve now put all your sensitive password data into a single bucket. You should have also secured this new bucket with a complex master passphrase, but now you can really lock down this password vault by adding an entire new security layer: Multi-Factor Authentication.
Multi-Factor Authentication means that to access all your stored passwords, multiple types of authentication will be seamlessly used to unlock the password vault. In reality what this typically means now is that when logging into your password manager you’ll receive a notification on your phone which asks if you’re trying to sign in (“Is this you logging in?”), you get an SMS text with a code, or you can pull up an automatically changing pin code from your mobile app. If you’ve somehow avoided being associated with a smartphone, you can also pick up inexpensive hardware token generators which stay attached to your literal physical keychain as a second method of authentication.
By adding ‘MFA’ as a security layer to your password manager, even if an attacker manages to get your master passphrase they won’t be able to access the account without also alerting you or physically stealing your phone from you. Good luck, hackers.
Password managers sound great! Where do I get one?
There are a lot of available free or cheap password managers. Some of the more popular ones are Lastpass, 1Password, Dashlane, and KeePass. Many of these services offer a free version and then premium variants which allow for more extensible functionality. The OU IT Security website has included links to some of these services as well as other sites which might help you choose a more secure passphrase.
Once you’re using unique passwords on each online service, you can rest easier knowing that even when one of those sites gets hacked, and exposes the password you used there, it can’t be re-used to compromise other website accounts you own. For you, the scope of the website’s failure in security remains limited to their own.