Password breaches are happening in massive numbers. In one week last year, 500,000 Yahoo! passwords were exposed. While one exposed password may not cause you much grief, if you use that same password for your bank login and other accounts that protect your financial information, you could be in big trouble. Because companies can’t guarantee the security of your username and password, it is crucial to use a different password for every Internet site and/or service. Given the large number of sites most of us frequent while at work and at home, the only real way to ensure password security (and keep our sanity) is to leverage a password manager.
Password managers are often built as web browser extensions that capture usernames and passwords as they are entered into websites. The better ones offer to save credentials as you enter them and fill in the saved information for you automatically the next time you visit the site. Password managers use a “master password” to protect your stored credentials, so you need to create and remember only one strong password. As an added bonus, password managers can generate strong, random passwords on the fly.
Password managers securely store login credentials in a single encrypted file, often called a vault. Some password managers also let you store passwords or notes in the vault that are not website-related.
All password managers suggest you set a master password. This master password locks and encrypts your password vault, so a strong password is highly recommended. The software may rate the strength of the password you choose, or have built-in tools to assist you with password creation.
If you forget your master password, the software may provide a way to recover it using email or text messaging. As an added security measure, some managers leverage multi-factor authentication, requiring users to provide a second form of identification when attempting to unlock the vault from an unknown device.
Vault data can be stored locally on your computer, on a flash drive, or off-site in the cloud. While storing sensitive data in the cloud may seem risky, when done right – such as by the company LastPass – no one can gain access to your encrypted data without the master password. Some managers also offer a way to store a printed, physical copy of the vault’s contents, for times (such as during a disaster) when the digital solution can’t be depended on. Be sure to store these hard copies off-site.
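To make the vault mechanism concrete, here is a small added example in Go (written for this article, not LastPass’s or 1Password’s code): the master password is stretched with PBKDF2 into an AES-256-GCM key, the serialized vault is encrypted under it, and a wrong master password or an edited file is rejected rather than decrypted to garbage. The function names, the 16-byte salt / 12-byte nonce file layout and the 100,000-iteration work factor are this example’s own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const kdfIters = 100000 // work factor: every guess at the master password costs this many HMACs
// vaultCipher turns the master password into an AES-256-GCM cipher. The key is PBKDF2-HMAC-SHA256
// (one 32-byte block) written out so the stretching step is visible; the password is never the key.
func vaultCipher(master string, salt []byte) cipher.AEAD {
	prf := hmac.New(sha256.New, []byte(master))
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1
	u := prf.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < kdfIters; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	block, _ := aes.NewCipher(key) // cannot fail: a 32-byte key selects AES-256
	g, _ := cipher.NewGCM(block)   // cannot fail for an AES block; the GCM tag is what rejects a wrong password
	return g
}

// SealVault encrypts the serialized vault. File layout: salt(16) || nonce(12) || ciphertext+tag, fresh per save.
func SealVault(master string, vault []byte) ([]byte, error) {
	hdr := make([]byte, 28)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	g := vaultCipher(master, hdr[:16])
	return g.Seal(append([]byte{}, hdr...), hdr[16:], vault, nil), nil
}

// OpenVault decrypts a SealVault file; a wrong master password or a tampered file is an error, never garbage.
func OpenVault(master string, blob []byte) ([]byte, error) {
	if len(blob) < 28 {
		return nil, errors.New("vault file too short")
	}
	return vaultCipher(master, blob[:16]).Open(nil, blob[16:28], blob[28:], nil)
}
```

The salt is stored in the clear on purpose: it is not a secret, it only forces an attacker who obtains the file to attack this vault’s master password individually rather than reuse precomputed tables.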
Choosing a Password Manager
Information Services and Technology (IS&T) does not recommend one tool over another, but does recommend the use of a password manager. Here are two that members of the IS&T IT Security Services Team like:
- LastPass (free, multi-platform and multi-browser support)
- 1Password ($24.99 for single-user license, multi-platform, multi-browser support)
LastPass is cross-platform and has a very robust free tool as well as a premium option for $12 per year. IT Security Services Team members can recommend LastPass based on their positive experience with it, including its ease of use. Mike Halsall, a member of the team, says: “People are awful at creating and remembering strong passwords. I know three passphrases total, but I have 191 passwords. I don’t even know my banking password. My passwords are inputted for me, by the password manager, when I hit the login form of a site.”
1Password has many of the same features as LastPass, but encrypts and stores the data locally rather than in the cloud. (The company gives you the option to sync your vault via Dropbox.) 1Password is considered by some to have a more user-friendly interface, but it lacks some of the more advanced functionality of LastPass (such as the option to enable two-factor authentication and the ability to restrict vault logins based on IP location).
If you have concerns about a compromised password, contact the IS&T Help Desk.