Our Virtual Chief Information Officers (vCIOs) have been getting a lot of questions lately from our clients about password managers. Our clients want to know how they can better manage their online credentials. The most widely used solution today is a service called LastPass but there are several options that are available. The key feature that you want to ensure is in place with any password manager is that the passwords are saved to an encrypted database. The benefit is that if someone hacks the password software, then the passwords they download will be unusable.

So how LastPass works is that it has an encryption key and the decryption happens on your local computer. When you type the password on your local computer, it encrypts it, sends it to the server to match, to make sure that you are who you say you are, and then when you are requesting passwords back, it sends you the encrypted version of that password that you then unlock with that code.

Services like LastPass offer a very high level of security and to do this they cannot simply “store” your master password. Hence, you still have one password to remember, and that is the master password for your password manager. So, you must learn one password instead of many.

What is the number one benefit of using a password manager?

The thing about people and passwords is that people want to remember things. So, they use the name of their cat, or the name of their dog, or their daughter’s birthday, or something like that. Here’s a video revealing just how widespread this bad practice is. Problem is, passwords that are easy to remember are very easy to guess!

The number one benefit of using a good password manager is that when you register with a website for the first time, it will generate a good password for you, as opposed to you simply choosing a very poor password. This prevents you from using the same password repeatedly. If one account gets compromised, all accounts could be compromised.

Other benefits

• Your passwords will be stronger and aligned with current best practices
• You don’t need to remember all your passwords or waste time constantly re-setting your password
• Fast access
• Easy to manage shared accounts

“I’m technologically impaired” – How challenging is the process of setting up a password manager?

The short answer is that getting started with one is easy. You simply install the password manager as a plug­in on your browser and download the app on your mobile phone. You create an account and you have the option to import the passwords that maybe you’ve already saved in your browser, or somewhere else, using the tool. You can get started quickly.

Before you implement a password manager, you will want to give yourself a bit of time to just get all your passwords organized. Make a list of all the websites you have passwords for and if you are not using that site anymore, delete your account. Identify low versus high-value accounts (i.e. accounts where credit card information is stored). Strengthen your weak passwords. Make it a weekend project!

But wait, I’m concerned about setting and remembering my master password. How do I keep that safe?

Firstly, give it some thought. Do not try to keep it in your memory. Frankly, if it’s in your head it’s probably not a good enough password. You need a very strong master password and you need to save that password somewhere. We recommend to people that you shouldn’t save it digitally. Do NOT save a spreadsheet called “passwords.”  Whatever you do, do not use a master password that you have used for anything else. Write it down and re-enter it a few times daily to learn it. Or, consider writing down hints and keep it in a safe place. You cannot learn a strong, unique master password overnight.

What if I cannot remember it?

When choosing a password management solution, be sure to dedicate a good amount of time to reviewing the different recovery options. You’ll need a solution that works for you. Some solutions offer recovery options that will allow you to regain account access using a hint, SMS recovery, reverting to an old password. Please be aware that these company’s employees do not have any knowledge of a user’s master password.

 

If you’d like more information about password management and all of your other IT needs, contact us.