Steve McGregory
Ixia Senior Director, Application and Threat Intelligence

Password Managers

October 17, 2018 by Steve McGregory

Password Managers - a great idea

For people who know me, they know that my primary goal is to make a positive dent on the world through fighting the bad guys of cybersecurity. They know this because I often ask them how they are protecting themselves in the cyber world. I make a point to recommend that they use a Password Manager. If you don’t know what a Password Manager is, it is a program that safely stores all of your account login information. Password Managers are meant to relieve you from the burden of remembering passwords, and since it handles them for you, you can use a very strong and unique password for every account you have on the Internet. They usually come with a browser plug-in, which makes it easier for you to take the login data from the “vault” to the web page.

So what is the value in using a password manager? They primarily exist because networks and websites get hacked all the time. A valuable asset is the account login information, it’s valuable because most people reuse the same password for multiple accounts. The weakest link in your credentials is one of the websites you use that has little to no cybersecurity, or they store information in plaintext and it escapes their control. You have no power over that website or business, but you do have power over the credentials you use. Using unique credentials everywhere is the best approach to you controlling the limit of your exposure to one of those breaches.

In my mind, a Password Manager is an essential tool that everyone needs; at least until we find a better solution for identifying ourselves; something other than just username and password. So, at every chance I get, I recommend that people use a Password Manager. Since I do this fairly often, I get a set of reasons against using Password Managers. For my October Cybersecurity Awareness blog, I’ve decided to review the most common responses and my support for why you should be using a Password Manager.

The "I don’t have many online accounts" Response

I’m not sure of the minimum threshold of online accounts it takes to warrant using a Password Manager. However, I do get this response and I most often can help them identify more online accounts than they initially considered. I tend to ask them questions about their online habits. Do you have email? Do you shop online? Do you bank online? Do you have any Social Media accounts? As I go through these, I point out that they have more login’s than they realize. Then I let them know that when I first moved to a Password Manager about 4 years ago, I quickly added 100 logins, and I now have over 600 in all my vaults. How in the world would a human be able to have 600 unique passwords memorized? Not this human, I say let the computers do that job.

The "I have a password scheme that allows me to have unique passwords" Response

For a long time, well a couple years, I had peers in this industry that would recommend a password scheme as the solution. What they meant by a scheme, for example, would be to append the site name to the end and use numbers for some letters. This would mean, you might have a Yahoo password that looked like “B0t00mF33d3r_Yahoo” and then for Gmail it would be “B0t00mF33d3r_Gmail”. While this is fairly trivial, and might work, one could easily derive this pattern if they saw this password in a plaintext version of breached account information. Yes, that raised the bar a little. But it didn’t go this far, “BNN%cgM6,#34J6gX”, that’s one of my 600+ passwords. I’m happy to hand it out, it’s not one of the most important ones, but it is unique for 600+ potential online accounts.

The "What if my password manager gets hacked" Response

If the Password Manager is breached, all my passwords will be leaked Yes, this is true. This makes Password Managers a potentially high-value target, and yes, it has happened. That said, it is much easier for the hackers to gain access to a weak website and they always go after the weakest link. I can still promote your use of a Password Manager, it is much better than you trying to remember the passwords. Also, a feature of some Password Managers is that they allow you to store your “Password Vault” in places other than their cloud service. What does that mean? If you have a DropBox account, iCloud storage, or Network Attached Storage (NAS), then you can configure “Password Vaults” to use those locations instead of the Password Manager cloud.

Password Managers are a very powerful tool, use one

In conclusion, I’m still going around and suggesting people get a Password Manager. You can see my previous blog about Password Managers and some of the features that you should look for when considering a Password Manager. Since that blog, Password Managers have improved quite a bit, one of the newest features of my Password Manager is that it tracks when websites have been hacked. That information is important because you now know that you need to go change the password on that website. I’ll leave you with one more piece of guidance, you must change your password for the most important accounts every 90 days; any place that contains banking or financial information should fall into that policy.