02 March 2018 category: business technology
In our last blog on cyber security we showed you How to Create A Strong Password.
But it is no good having just one strong password, you should have a different strong password for each website or application.
Obviously remembering dozens if not hundreds of different strong passwords would be a challenge for any human brain, even if each one is easy to remember.
You therefore have two options:
- Create unique passwords based on the company name or domain name
- Use a password manager or vault (Recommended)
Our recommended option is using a password manager. (For fun we will follow up in a separate blog on the company or domain name trick)
You should also be using two-factor authentication to secure your password manager and all your online accounts where possible.
What is a password manager?
A password manager or vault is a place to securely store the login details for all your websites and applications.
The password manager should be secured with a Strong Master Password that you can remember.
Most have browser extensions to automatically fill in your login details on the web page.
Most also have a password generator to generate super strong unique passwords for all your different accounts.
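The two mechanisms just described, a vault locked by a master password and a built-in generator of strong unique passwords, can be illustrated in a few lines. The following Python is an added example written for this post, not code from any password manager product. It assumes a constructed design: the master password is stretched with PBKDF2-HMAC-SHA256 (600,000 iterations, a deliberately slow setting so offline guessing is expensive) into a key, and the vault stores only a random salt plus an HMAC check value so a wrong master password can be rejected without ever storing the password itself. The actual encryption of the stored logins with the derived key is left out; the example shows the unlock step and the generator only.

```python
import hashlib
import hmac
import math
import secrets
import string
from typing import Optional

# Character classes every generated password must draw from.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters

# Constructed key-derivation parameters (an assumption for this example):
# PBKDF2-HMAC-SHA256 with a high iteration count to slow down guessing.
KDF_ITERATIONS = 600_000
KEY_LEN = 32


def generate_password(length: int = 20) -> str:
    """Draw characters from the OS CSPRNG (the secrets module) and keep
    drawing until the result contains at least one character of each class."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length: int) -> float:
    """Strength of a uniformly random password of this length over ALPHABET."""
    return length * math.log2(len(ALPHABET))


def derive_master_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a fixed-length vault key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, KDF_ITERATIONS, dklen=KEY_LEN)


def new_vault_header(master_password: str) -> dict:
    """Metadata stored next to the encrypted vault: a random salt and an
    HMAC check value that distinguishes a right password from a wrong one
    without storing either the password or the key."""
    salt = secrets.token_bytes(16)
    key = derive_master_key(master_password, salt)
    check = hmac.new(key, b"vault-unlock-check", hashlib.sha256).digest()
    return {"salt": salt, "check": check}


def unlock(master_password: str, header: dict) -> Optional[bytes]:
    """Re-derive the key and return it only if the check value matches.
    compare_digest keeps the comparison constant-time."""
    key = derive_master_key(master_password, header["salt"])
    check = hmac.new(key, b"vault-unlock-check", hashlib.sha256).digest()
    if hmac.compare_digest(check, header["check"]):
        return key
    return None


if __name__ == "__main__":
    pw = generate_password(20)
    print("generated:", pw, f"({entropy_bits(20):.0f} bits)")
    header = new_vault_header("correct horse battery staple")
    print("right password unlocks:", unlock("correct horse battery staple", header) is not None)
    print("wrong password unlocks:", unlock("password123", header) is not None)
```

The generator uses rejection sampling rather than inserting one character from each class at fixed positions, so every accepted password is equally likely; a 20-character password from this alphabet is around 131 bits of entropy, far beyond anything a person needs to remember because the manager remembers it.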
Is it safe to keep all my passwords in one place?
The short answer is Yes!
If secured properly with a strong master password, and additionally two-factor authentication, then the risk of having your password manager hacked is far lower than the risk of having your online accounts hacked.
If you are not using a password manager and are reusing the same password (or a small set of passwords) on multiple sites, as many people do, then a hacker who cracks your password on one site potentially has access to some, or all, of your online accounts!
Where do I start?
There are 3 different types of password managers:
- Built-in Browser Password Manager (Least secure - not recommended)
- Offline Password Manager (Most secure - but inconvenient)
- Online Password Manager (Balanced - recommended)
Browser Password Manager
You should avoid using the built-in browser password managers as these are the least secure. These are the little popups from your browser asking to remember your password.
If you are going to use a separate password manager, you should disable the built-in browser password manager.
Offline Password Manager
An offline password manager is software that stores all your passwords on one computer or device.
In theory this is the most secure, as a hacker would need physical access to that device before they could even try to crack your master password and gain access to all your login details.
The problem is that if you don't keep a backup and the device holding the manager is damaged, lost or stolen, you will lose access to all your login details. Resetting every one of your passwords would be an administrative headache.
Online Password Manager
An online password manager allows you to install apps and browser extensions on all your devices and synchronise the login details across all these devices.
This is the most user friendly and robust system. You always have access to your login details no matter which device you are on.
If you lose a device, you can at the touch of a button disable access to your account from that device.
If you enable two-factor authentication, your account has very little risk of being compromised even if someone somehow cracks your strong master password.
But please do make sure you Create A Strong Master Password.
Two-factor authentication means that in addition to providing your username and password, you also need to enter a unique code that is generated at the time you log on.
There are 3 common ways that the code is obtained:
- Mobile App - A unique code is generated every 30 seconds. You enter this when requested by the site (sometimes on the login page, sometimes after your username and password have been validated).
- Text Message - After your username and password are authenticated a code is sent to your mobile phone for you to enter to gain access to the site or application
- Email Message - After your username and password are authenticated a code is emailed to you to enter to gain access to the site or application
The best methods to use, if available, are the mobile app or text message, because a hacker would need access to the physical device, whereas email can be accessed from any device.
The hacker may already have remotely hacked your email account and be trying to reset passwords for your other accounts using the forgot-password feature via email.
If you use text message or mobile app two-factor authentication, they would be thwarted unless they have somehow also gained access to your mobile.
With some sites and applications, it is possible to set it so that it only asks you for the two-factor authentication code when accessing it on a new device, or perhaps once every couple of weeks on that device.
Note, you should make sure that access to your mobile phone is secured with a PIN and/or biometrics (fingerprint or retina scan).
Putting it all together
So, the holy grail of online security is to use a password manager secured by a strong, easy-to-remember password, with two-factor authentication as an additional layer of security, at the very least on your password manager account but ideally on each individual website as well.
A day in the life with an online password manager and two-factor authentication
Let's go through the steps of getting set up and then using an online password manager and two-factor authentication.
Note, there are many different password managers out there, and we will follow up with a quick review on the main players next week, but it is worth doing your own research and trial before fully committing.
Set up the password manager
- Download and install your chosen password manager on the device you are likely to be using it on the most.
  Important - only install on devices where you have exclusive access, or a secure login.
- Make sure you secure it with a strong but easy to remember password. See How to Create A Strong Password
- Secure your password manager with two-factor authentication
  For ease of use, set it to only require the two-factor authentication when accessing your password manager from a new device.
- Import passwords from browser password managers
  Some password managers let you import login details from browser password managers
  Once you have imported them, we recommend deleting all saved passwords in your browser and disabling the built-in password manager
- Install browser extensions if available to automatically log you into sites as you are browsing.
- Some password managers then give you the option to review your passwords, open the sites to change your logins and even automatically update passwords on supported sites with new super strong unique passwords for each one.
- If using an online password manager with the ability to synchronise, optionally install on all the devices you need to access your passwords on.
Using your password manager
- When you boot up your device you will be prompted to enter your strong master password to unlock your password manager. (If using on a mobile device, depending on the settings you will probably only be asked for your master password every couple of weeks or so)
- Enter your two-factor authentication code if you have it enabled and have not set it to be required only when adding a new device.
- If you have a browser extension enabled, you should be logged into websites automatically (or given the option to select from a list of logins if you have more than one account for a given site - personal and business for example)
- If you have two-factor authentication enabled for the site, enter the code as directed.
- If accessing a website for the first time, use the password manager to generate a super strong password, and save to the manager.
At first this may seem like a lot of extra steps just to log in to websites or applications, but it is highly recommended that you make it as difficult as possible for the hackers.
Plus, once set up, and if you choose the lowest-effort two-factor authentication option (only required when accessing from a new device), a password manager can actually simplify the login process.
Stay safe online, and stay tuned for some reviews on password managers, and a tip to create unique passwords for all your logins from your one strong master password if you really don't want to use a password manager.