By guest columnist Carlota Sage
This week, I’ll discuss password managers.
When you don’t want people just wandering into your house, you lock the door. For a long time, we thought about our online accounts this way, as well. If an account needed to be locked, we used a password.
As our digital lives grew, more accounts needed passwords, so we just kept using the same password over and over again. The bad guys figured this out, and used it against us.
So we had to make passwords stronger, make them unique, change them often, enable multi-factor authentication … and it helped. But now, it’s been a few decades, technology has changed, and we need to stop doing some of the things that were password best practices 20 years ago.
Unique passwords reign supreme
As attackers gather more and more data with a single breach, unique passwords continue to set a higher barrier against them taking over a user’s account on your system.
Apple has Password Monitoring built into its devices to check passwords stored in keychain against a curated database of dumped passwords, but this still relies on the user to understand and use it.
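The breach check described above, as an added illustration that is not Apple’s code or any vendor’s implementation: a client hashes each stored password locally, sends only a short hash prefix to the lookup service, and compares the returned suffixes on the device, so neither the password nor its full hash leaves the keychain. The leaked-password corpus, the sample vault and the site names are constructed for the example; the same audit also flags passwords reused across sites, which is the “unique passwords” point of this section.

```python
import hashlib

# Constructed sample of leaked passwords, standing in for a curated breach
# database such as the one a password-monitoring feature consults.
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "whattimeisit?", "letmein"]

# Constructed sample vault, standing in for a user's keychain (site -> password).
SAMPLE_VAULT = {
    "mail.example": "whattimeisit?",
    "bank.example": "whattimeisit?",
    "forum.example": "Tr0ub4dor&3x",
}

PREFIX_LEN = 5  # hex characters of the digest that are sent to the lookup service


def sha1_hex(value: str) -> str:
    """Uppercase hex SHA-1 of the value; used only as a lookup key, not for storage."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


def build_prefix_index(passwords):
    """Server side: bucket every leaked hash by its first PREFIX_LEN hex characters."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


def lookup_suffixes(index, prefix):
    """Server side: answer a prefix query with every suffix in that bucket."""
    return index.get(prefix, set())


def is_leaked(password, index):
    """Client side: hash locally, send only the prefix, compare suffixes locally.

    The service learns a 5-character prefix (one of about a million buckets)
    and nothing else, so the full hash never leaves the device.
    """
    digest = sha1_hex(password)
    return digest[PREFIX_LEN:] in lookup_suffixes(index, digest[:PREFIX_LEN])


def audit_vault(vault, index):
    """Return (sites whose password is in the breach corpus, passwords shared across sites)."""
    leaked = sorted(site for site, pw in vault.items() if is_leaked(pw, index))
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    reused = {pw: sites for pw, sites in by_password.items() if len(sites) > 1}
    return leaked, reused


if __name__ == "__main__":
    index = build_prefix_index(LEAKED_PASSWORDS)
    leaked, reused = audit_vault(SAMPLE_VAULT, index)
    for site in leaked:
        print(f"{site}: password appears in the breach corpus; change it")
    for sites in reused.values():
        print(f"one password is shared by {', '.join(sites)}; make each unique")
```

The prefix-query exchange is the k-anonymity scheme used by public breached-password services; the point for an IT team is that a check like this can run against a vault without ever exporting the passwords.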
The burden of unique passwords falls squarely on the user, relegating your IT team to the role of influencer here, relying mostly on security awareness training and password managers to encourage good password habits.
Longer passwords in; complexity out (kind of)
Enforcing password rules that require a minimum length and special characters isn’t unreasonable – until everyone requires it. I like to demonstrate the power of length and complexity by pointing users to Security.Org’s “How Secure is My Password?” page. Enter a password and this page will calculate how long it would take a computer to crack it.
[Table: Example password / Time for a computer to crack it]
That time is greatly reduced with some automation on the attacker’s part, but I find it’s a tangible demonstration for users on why length and complexity are important.
While I’m all for requiring a minimum password length (at least 16) in systems, I’m softer on a complexity requirement.
[Table: Example password / Time for a computer to crack it]
With current technology, we gain essentially no extra security from requiring one special character in “whattimeisit?” versus requiring a mix of upper- and lower-case characters, numbers and special characters in “WhatTimeIsIt?” or “Wh@tT1m31s1t?”. Requiring a mix of upper- and lower-case letters and one special character will future-proof us for a while, and by the time quantum computers arrive, passwords will likely have been made obsolete.
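To put numbers on the length-versus-complexity comparison above, here is an added example (not the Security.Org calculator and not the author’s code) that applies the same brute-force model such calculators use: the attacker must search the smallest standard character pool covering every class the password uses, so entropy is length × log2(pool size). The guess rate of 10^10 per second is an assumed figure chosen only to make the output concrete; the two extra passwords beyond the page’s three are constructed. Like the page’s calculator, this ignores dictionary and pattern attacks, which is why the author’s caveat about automation applies to these figures too.

```python
import math
import string

# Assumed attacker guess rate (offline, fast hash). Real figures depend on the
# hash algorithm and hardware; this round number exists only for comparison.
GUESSES_PER_SECOND = 1e10

# The page's three examples plus two constructed ones: a short "complex"
# password and a long all-lowercase one.
EXAMPLES = [
    "whattimeisit?",
    "WhatTimeIsIt?",
    "Wh@tT1m31s1t?",
    "Tr0ub4d&3",             # constructed: 9 characters, all four classes
    "whattimeisitrightnow",  # constructed: 20 characters, lowercase only
]


def charset_size(password: str) -> int:
    """Size of the smallest standard pool covering every character class used.

    One uppercase letter forces a brute-force attacker to include all 26 of
    them, one digit adds all 10, and so on.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def entropy_bits(password: str) -> float:
    """Bits of entropy under the brute-force model: length * log2(pool size)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def seconds_to_crack(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected search time: half the keyspace at the given guess rate."""
    if not password:
        return 0.0
    return charset_size(password) ** len(password) / 2 / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, span in units:
        if seconds >= span:
            return f"{seconds / span:,.1f} {name}"
    return "less than a second"


def compare(passwords):
    """Return (password, pool size, entropy bits, crack time) for each input."""
    return [(pw, charset_size(pw), round(entropy_bits(pw), 1),
             human_time(seconds_to_crack(pw))) for pw in passwords]


if __name__ == "__main__":
    for pw, pool, bits, t in compare(EXAMPLES):
        print(f"{pw:22} pool={pool:3}  entropy={bits:5.1f} bits  ~{t}")
```

Running it shows the three 13-character variants within about nine bits of each other, while the 20-character lowercase phrase comfortably exceeds all of them and the 9-character “complex” password trails far behind: doubling length adds far more than adding character classes.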
Password rotation is dead: Or is it?
Historically, we’ve forced 90-day (or even 30-day) password rotation on users to encourage unique passwords. But as early as 2014, security leaders at the SANS Institute questioned whether the benefit of 90-day password rotation outweighed the disruption it causes. By 2019, even Microsoft publicly declared password rotation “ancient and obsolete.”
I think this is absolutely true for enterprise organizations. But those larger companies have security monitoring and threat detection in place, which is often not the case in smaller organizations. However, I believe smaller organizations can confidently eliminate password rotation by enforcing longer passwords. I also recommend individuals and smaller organizations use a password manager to make creating and managing those longer passwords easier for the user.
Browsers aren’t password managers
While I appreciate that browsers now suggest strong passwords and offer to store them for the user, I am firmly not a fan of relying on this in a business setting. As users get more password savvy and multi-factor authentication becomes more prevalent, hackers are increasingly attacking the browser directly, putting those stored passwords at a significantly higher risk.
Password managers: A recurring theme
Did you notice how often password managers have come up throughout this article? I honestly believe the best way to enable users to create and store longer, unique passwords is by using a password manager. This is a very small spend ($4 to $10 per user per month) with a very big risk reduction. Of course, there is always the concern that your password management platform will get breached, but as large enterprises and bigger targets, password manager vendors spend significantly more on security than small businesses do. And by encrypting the stored data, they make it very difficult for attackers to get your passwords. It’s unlikely that your passwords stored in a password manager will be compromised, but it’s not impossible.
That said, password managers are still the best option. PCWorld and PC Mag regularly review and rank popular platforms, and while my preferred 1Password isn’t in either’s top 5 this year, it’s still a good option. Whichever platform you select, keep in mind the users you support and their experience. Prepare training and a set of frequently asked questions to help them get started. The important thing is to get started!
Have questions about password managers or security practices? You can find me in the Flyover IT Slack channel.