Password Managers: Putting an End to Data Theft
It’s well known that passwords are stolen and sold by the tens and even hundreds of millions on the dark web. Less well understood is how user habits multiply the damage: a password reused across sites turns one breached account into many, because attackers try every stolen credential against every other service its owner might use. Here we discuss two mindsets – resistant and adaptive – towards the secure and (fairly) user-friendly password managers, free and fee-based, that can actually protect users from this.
Mindset 1: “Please – Not Now!” This resistant mindset is widespread and just plain dangerous. At home it invites serious financial loss. At the office, it invites potentially catastrophic data breaches. What to do about it? Try entering your email address at security researcher Troy Hunt’s ‘;–have i been pwned? data breach website. The wake-up call you’ll likely get should make you receptive to William Saito’s suggestion that “You should think of your [data protection] activities online like eating. You’d naturally be wary if a complete stranger walked up to you and offered you food.” To Saito’s nine “Don’t bite” cybersecurity tips we add two of our own:
- Emailed Passwords. Never email them. Ordinary email is not end-to-end encrypted: on its way to your recipient the message is relayed through several mail servers and network hops, any of which could be compromised or actively “snooping,” and a plaintext copy then sits indefinitely in both mailboxes, their backups and logs, where anyone who later breaks into those systems can read it.
- Passwords over the Phone. Give them only to people known to you, and only after calling them back on a number you already have. Phone scammers now arrive armed with details about your boss or company that you thought no outsider could know; knowing such details is not proof of identity.
Want more? Brian Krebs has a comprehensive list of Password Do’s and Don’ts.
Mindset 2: “Bull by the horns” This adaptive mindset signals a commitment to take the time needed to secure one’s personal data with a password manager and to observe office security practices. Setup time for a password manager ranges from 30 minutes to several hours, depending on how many accounts you migrate and how much of the setup (key files, multi-factor authentication, syncing) you take on. Password managers organize, encrypt and securely store large numbers of passwords behind a single master password. Because the database is encrypted on your own device before it goes anywhere, it can be synced through remote file hosting services like ownCloud and Dropbox without trusting the host with its contents; what then protects it is the strength of the master password and the work factor of the key derivation. Here are several we like:
- KeePass is free, open source and hence ad-free. It encrypts the database with the same Advanced Encryption Standard (AES) that the US government uses (newer database formats can also use ChaCha20), and it gives users maximum control over password storage. Users set the work factor of the key derivation (the transformation-round count, or Argon2 parameters in newer databases), which determines how expensive each guess at the master password is for an attacker who steals the file, and decide how the database is stored and synced. KeePass shows an estimated strength, in bits, for each password. Third-party browser plugins for Firefox and Chrome fill logins into web pages.
- LastPass installs quickly and is convenient to use. In the one breach it had disclosed when this was written (2015), attackers took email addresses, password reminders and salted authentication hashes but no vault contents, and the hashing made the stolen material of little direct use. That protection only holds as well as the master password and the iteration count behind it: in a later incident, disclosed in December 2022, encrypted vault backups themselves were exfiltrated, exposing vaults with weak master passwords or low iteration settings to offline guessing. LastPass offers multi-factor authentication and a security check that verifies the strength and uniqueness of every password.
- Dashlane offers comparable convenience and protection to LastPass, and supports two-factor authentication to protect your master login.
- Keeper allows for secure storage of files as well as passwords, and lets you easily import and export your data if you want to move to another service.
- The built-in password managers in Firefox, Microsoft Edge and Google Chrome work well and have sensible defaults, but they are a prime target for credential-stealing malware. Chrome and Edge protect the stored passwords only with your operating-system login, so any malware running as your user can decrypt them silently; Firefox encrypts its store with a primary password only if you turn one on. And with any password manager, built in or not, a compromised master password hands the attacker every password in it, so that one password has to be long, unique and never reused.
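As an added example, not code from any of the products above, the following Python script shows the two mechanisms this list keeps coming back to: a vault key derived from the master password with a slow, tunable key-derivation function, so that a stolen database still has to be guessed offline one expensive try at a time, and an audit that flags weak, reused and breached entries using the same k-anonymity prefix scheme as Have I Been Pwned’s Pwned Passwords API. It uses only the standard library; the vault entries, the “breach corpus”, the breach counts and the salt are constructed sample data, and the function names are this example’s own.

```python
"""Added example of what a password manager does behind the master password.
Part 1: derive the vault key with scrypt (memory-hard, tunable work factor)
and run an offline guessing attack against a stolen vault header.
Part 2: audit vault entries for weak, reused and breached passwords, with
the breach check done the way HIBP's Pwned Passwords range API works.
All sample data below is constructed; function names are this example's own.
"""
import hashlib
import hmac
import math
from collections import Counter

SALT = b"constructed-16B!"  # per-vault random salt; fixed here for the demo


def derive_vault_key(master_password, salt, n=2 ** 14, r=8, p=1):
    """scrypt work factor n is the knob KeePass-style managers expose as
    transformation rounds / Argon2 parameters: higher n = slower guesses."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, dklen=32)


def make_verifier(key):
    """Stored beside the ciphertext so a candidate master password can be
    checked without decrypting anything; an HMAC reveals nothing about key."""
    return hmac.new(key, b"vault-key-check", hashlib.sha256).digest()


def guess_master_password(candidates, salt, verifier, **kdf_params):
    """Offline attack on a stolen vault: push each candidate through the
    same KDF. Returns (password or None, number of guesses spent)."""
    tried = 0
    for cand in candidates:
        tried += 1
        cand_ver = make_verifier(derive_vault_key(cand, salt, **kdf_params))
        if hmac.compare_digest(cand_ver, verifier):
            return cand, tried
    return None, tried


def estimate_bits(password):
    """Rough strength estimate: length x log2(character pool). It overrates
    dictionary words, which is why the breach check below is also needed."""
    pool = sum(size for present, size in (
        (any(c.islower() for c in password), 26),
        (any(c.isupper() for c in password), 26),
        (any(c.isdigit() for c in password), 10),
        (any(not c.isalnum() for c in password), 33),
    ) if present)
    return len(password) * math.log2(pool) if pool else 0.0


def build_range_response(breach_corpus):
    """Server side of the k-anonymity lookup, built from a made-up corpus:
    5-char SHA-1 prefix -> 'SUFFIX:COUNT' lines, as the real API returns."""
    buckets = {}
    for pw, count in breach_corpus.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        buckets.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return {prefix: "\n".join(lines) for prefix, lines in buckets.items()}


def breach_count(password, range_response):
    """Client side: only the 5-char prefix would leave the machine; the
    suffix is matched locally against the returned bucket."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_response.get(prefix, "").splitlines():
        cand_suffix, _, count = line.partition(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


def audit_vault(entries, range_response, min_bits=60):
    """entries: list of (site, password). Returns {site: [findings]} for
    entries that are weak, reused across sites, or present in the breach set."""
    reuse = Counter(pw for _, pw in entries)
    report = {}
    for site, pw in entries:
        issues = []
        if estimate_bits(pw) < min_bits:
            issues.append("weak")
        if reuse[pw] > 1:
            issues.append("reused")
        seen = breach_count(pw, range_response)
        if seen:
            issues.append(f"breached({seen})")
        if issues:
            report[site] = issues
    return report


# Constructed sample data: not real accounts and not real breach counts.
SAMPLE_BREACH_CORPUS = {"password": 3861493, "Summer2019!": 1234}
SAMPLE_VAULT = [
    ("bank.example", "password"),
    ("mail.example", "Summer2019!"),
    ("shop.example", "Summer2019!"),
    ("vpn.example", "k7#Qm!v2Lz9@pR4wXb"),
]

if __name__ == "__main__":
    report = audit_vault(SAMPLE_VAULT, build_range_response(SAMPLE_BREACH_CORPUS))
    for site, issues in report.items():
        print(f"{site}: {', '.join(issues)}")
```

Run it and the audit flags the bank entry as weak and breached, and the two sites sharing “Summer2019!” as reused and breached, while the long unique password passes. Raising `n` in `derive_vault_key` makes every call in `guess_master_password` proportionally slower and hungrier for memory, which is exactly the cost a stolen vault imposes on an attacker; a short, guessable master password throws that cost away, because the attacker needs only a few tries.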
For more information, check out the password manager evaluations at PC Magazine, Information Week, Wired Magazine and finally this handy introduction to password managers, with some evaluations, at HTG.