Steve McGregory
Ixia Senior Director, Application and Threat Intelligence

Passwords: Easy as 1, 2, and That's All.

October 6, 2017 by Steve McGregory

No need for a 3: the best practice for managing passwords and adding the right layer of protection to your accounts comes down to just 2 things.

TLDR: Let the computers do the work for you; you only need to remember one master password. And you must enable two-step verification (also known as multi-factor authentication) on every site that supports it.

The Password Dilemma

Passwords are a pain for us all. We need passwords to help systems authenticate us, proving we are who we say we are. It becomes ultra-painful because of the number of systems we use that require some sort of authentication. Have you ever thought about just how many online accounts you have? You know, accounts like Yahoo, Google, Twitter, your utilities, your bank; I have counted over 400 for myself. The best practice is to never use the same password for any of those 400 accounts. The problem with reusing a password is that whenever one of those systems is breached and its passwords are stolen, all of your accounts using that password are now vulnerable to being hacked. Using just one password may be the easy thing to do, but now we have help in the form of password managers.

Let Computers Help

What human can remember 400 different account passwords? Someone probably can, but I bet they'd get more value in life using that memory on something else. Computers are meant to perform tough calculations, tedious tasks, or store things for us so we can focus on the things we are better suited for. There is no need for us to remember hundreds of passwords. I have also seen people take the approach of training us to generate a memorable password. Something like this: put a sentence together and remember only the first letter of each word, substitute numbers for certain characters, and throw in some punctuation here and there. This is helpful, and you should do it for the one password you do need to remember, the master password used to encrypt and protect your password database. Other than that password, let the computer generate random passwords for you. Here's a password I just asked my password manager to generate: "5dLNP9%GXxFn;L". That's not a common or easily cracked password; I'll leave password cracking to another post. Use a password manager and let the computer help you manage this password dilemma.

Password Manager Features

I don't work for a company that makes password managers, and I don't have a recommendation for the one you should use. I will say this much: make sure the one you choose works on all the devices you use. Okay, I'm feeling less than adequate for not supplying a list of password managers, comparing features, and helping further, so I'm going to point you to one of my favorite sites, LifeHacker.com, so you can do your own research. The password manager must do 3 things for you, and it should take minimal effort to use these 3 things.

Generate a random, configurably complex password

Many systems do not share the same password policy; in many cases they do not allow certain punctuation characters, e.g. "_", the underscore. For this reason the random password generator must be configurable by you, so that you control how passwords are generated.

Store the login information in a secure manner, strong encryption

I'm not sure how you can verify this yourself, but the product documentation should describe how the data is stored. Encryption is important because it assures you that even if your password file is stolen, no one can read it without your master password.

Allow you to access this stored password information from all the different devices you utilize.

Ideally the password manager has a native version for each of your devices: a desktop or laptop running Windows or Apple Mac OS, and a mobile device running Android, iOS or Windows. Another nice-to-have, since most of the passwords are for websites, is a browser plug-in for the password manager. This third requirement is about usability: you'll only follow this process if it is easy enough to do.

I have purposely kept the list minimal; if you go and do the research, you'll see that many other useful features exist in these password managers. I just wanted to get down to the core features I find most important as a user.

How Do I Trust the Password Manager

That is a great question, and one that should not go unanswered in this post. The password manager must encrypt the data using your master password before saving it or exporting it to the cloud. As long as they do this, which I believe they do, they cannot open and view your data, because they do not know your master password. You must read through the material they present on their website and find this clearly stated. If you are still not sure, email them and get an official response. If they do not encrypt with your master password prior to storage, they are doing it wrong.

One More Thing...

The system we have in place that relies on passwords is antiquated, and eventually we'll have something much more solid to replace them. But we are not left with just username/password for authentication: many sites have begun to offer a "2-Step Verification" or "Multi-Factor Authentication" option. You should use this option on every site that has it. The 2-step verification process uses a secondary code that is sent to you, through something like an SMS text to your phone, when you authenticate. You supply your username and password just as you've always done, and then, after a successful username/password check, you are sent an extra one-time code to enter at a subsequent prompt. This process is new, being deployed now, and has several options for completing the second step of authentication; the most prominent is the SMS text to your mobile phone. This second step adds a layer that prevents someone other than you from logging into the site even if they have your username and password: they don't have your mobile phone and cannot enter the second-step code. While this extra step adds a bit of complexity to your authentication, the extra protection far outweighs the effort required.