These days just about everything you do requires a user name and a password...
The safest type of password is a complex one; something without real words, that is changed regularly - but isn't the same for every account. Now that's all well and good, but if your memory is anything like mine, it’s almost impossible to remember more than a couple of passwords at any one time without being forced to write them down.
This of course defeats the object of having a secure password because anyone can pick up your keyboard and read it off the bottom!
The solution is to use a password manager. In a nutshell these are secure databases that store all your long, complex passwords and other information you don’t want prying eyes to see. They are typically secured by one password meaning you can keep everything safe and secure and only have to remember one piece of information.
There are a whole host of Password manager applications out there, so before you take the plunge and start using one, here a few things to look out for.
The Important things...
Local or in the cloud
The first thing to decide is where you need to use a password manager. If you only ever use one or two devices in the same locations a local vault is by far the most secure option. The advantage is that a hacker has to gain access to your device in order to grab your passwords. However most of us need to have the information across multiple devices in multiple locations. In this case a cloud option is best with the ability to be used across different types of device and operating system.
When looking at Cloud options check that you can sync a local copy on your device in case you don’t have a network and check the types of device you can use it on. Of course the downside here is that there is more scope for a hacker to get at your vault, but not as much as you would think.
When using Cloud based managers, make sure that any data transferred uses Secure Socket Layer (SSL) and 256 bit AES encryption. This will ensure your data is safe when it transfers from the cloud to your device. Look for a manager that utilises a large number of PBKDF2 iterations (Password-Based Key Derivation Function 2, if you wanted to know!) as this will increase the security of your Master password.
All encryption and decryption should only happen on your device as this ensures that data is never transferred un-encrypted and the encryption key is only ever kept locally. It's also a good idea to use a minimum of 256 bit AES encryption to secure the data in your vault.
Some password managers increase security by adding multi-factor authentication to your vault. This simply means you need to use two different methods of logging into your vault before it will let you in. It is most often associated with using passwords and biometrics such as finger print scanners. But your second method can also be in the form of hardware tokens. These are USB sticks that provide a time variant secure login code that varies every time it’s used.
Other features to look for in a Password Manager
As well as storing all your long complicated passwords, a good Password manager will help to make your life easier. Here are a couple of features every good password manager should have...
This feature prompts you to save passwords whenever it sees a new one. This saves you lots of time and makes sure you don’t forget to pop it in the vault and then forget it!
This feature automatically fills in the username and password for you when you access a website. Some managers even provide a link you can click to automatically open and login to a website.
Do you struggle to come up with a decent string of numbers, characters and symbols? The password generator does it for you. You tell it how long the password should be and what type of characters you need in it, and it does the rest.
So I guess what you are all wondering now is which password manager I would recommend. Having looked through a number of options the one I use is LastPass https://lastpass.com. This is generally considered to be the leading option on the market. It ticks all the boxes for a password manager and adds some nice additional features.
For security it uses 256 bit AES encryption, routinely increased PBKDF2 iterations and all data is encrypted locally prior to syncing to the on line vault so they never see your password. If you want to increase security it supports a number of different multi-factor authentication methods. A number of Resolver's use LastPass; both technial and non-technical members.
For other features it has automatic saving, autofill login and a password generator along with the ability to set up profiles for online shopping, create secure notes, backup sensitive documents, securely share logins and audit your online security. This last feature identifies weak areas of your online security and recommends improvements. It will also alert you to weak or duplicated passwords as you create them.
One of the biggest plus points for LastPass though is that the basic level is free and gives you all of the above features on Windows, Mac and Linux devices. However if you want to sync to mobile devices running iOS, Android etc. you will need the Premium version. This adds mobile sync, a few more multi-factor authentication methods and tech support for only £2.60 per month.
If you are a business looking for a good password manager LastPass also has an Enterprise option that integrates to Active Directory, has customisable security policies, shared folders with customisable permissions and a central admin console.
A final thought
Once you have chosen your password manager and set it all up, remember to use passwords that are a minimum of 8 characters, preferably more than 10. Always use lower case, upper case, numbers and symbols, make them random and change them regularly.
I hope you have found this useful, leave me a comment below if you're going to manage your passwords differently from now on.