Hey, it’s National Cybersecurity Awareness Month, so it’s the perfect time to have some real talk about passwords. The TL;DR of this post is, “Please use a password manager,” so if you’re doing that, great—you know the score, and you’re doing the right thing.
With that said, read on to learn some tactics for encouraging others in your network to do the same (and give us some of your own tips in the comments about how you can get people to join our secure password management tribe).
Usability vs. security
The tragedy of password selection is that the easier it is for you to remember, the easier it is for someone else to guess it. It’s a complete bummer that this security control we depend on to keep our online lives intact is, in fact, predicated on a classic security vs. usability dilemma. If you’re stuck with a three-pound hunk of meat in your head to keep your passwords straight, you are pretty doomed when it comes to selecting and remembering a reasonably complex password. We saw this was the case in the 2018 edition of “Under the Hoodie,” which reported that about 53% of our surveyed penetration testing engagements involved at least one cracked or guessed password.
Many people take the following approach to password management: They come up with one or two “secure” passwords they use for work, their bank and their email; one or two “okay” passwords for sites they don’t log in to daily or don’t consider to be very high-value; and one or two “known weak” passwords for truly throwaway purposes. This comports with the many psychology studies that posit that humans in a literate society are pretty okay with remembering about seven, plus or minus two, chunks of information. In this case, these chunks are “passwords I care about.” Now, note those scare quotes—most “secure” and “okay” passwords are also pretty awful when you look at them critically, but they feel secure to the people who came up with them.
Putting that subjective quality of passwords aside, we tend to make things worse by spreading these five to nine passwords all over the place. It’s not like people only have five services they ever log in to; in fact, we have dozens to hundreds of services we use, so not only are these passwords pretty weak, but they’re also used over and over again.
Password managers (finally) on mobile
None of this has to be the case, though. Using a password manager pretty handily solves dreaming up suitable passwords, remembering those passwords, and remembering which ones go with which websites. I’m happy to report that this year is the first year you really don’t have any excuse to put off using a password manager.
Password managers have been super useful for a long time in a desktop environment, but alas, many people today spend a whole bunch of time accessing things with their phones. I’m pretty sure that this gulf in password management has been holding up the wide, common adoption of this technology. After all, if all your passwords end up stuck on your desktop, you’re unlikely to actually use those sites with robust passwords when you can’t log in with your phone.
But this is not the case anymore. Android Oreo has had full integration with excellent password managers LastPass, 1Password, and Dashlane since August 2017, and Apple iOS 12 just rolled out the same in September 2018.
Now, actually using a password manager is absolutely a case of putting all your credential eggs in one basket, so what if that basket gets hacked? After all, password managers are software applications, and it’s axiomatic that all software has some number of bugs. In fact, security research team TeamSIK reported last year it had discovered a bunch of vulnerabilities in a bunch of password managers, so is it reasonable to avoid these password managers? I don’t think so. To avoid using software simply because it might have security vulnerabilities is to avoid using all software. After all, everyone writes bugs, and sometimes those bugs introduce vulnerabilities.
Instead, look at how password management providers respond to security vulnerabilities and breach reports—do they act shady by dodging issues and attacking vulnerability reporters, or do they respond quickly by both fixing the immediate problem and making vulnerability reporters feel safe and welcome? In other words, I’m much more comfortable with using any software that has a track record of a few reported (and fixed) vulnerabilities, and that goes double for security software.
The upside of all of this is that using a password manager not only makes it easy to replace all your passwords with long, complex gobbledygook (which is good security hygiene), but it incidentally makes you nearly invulnerable to phishing attacks. After all, if you don’t know your password, it’s pretty hard for you to accidentally give it away in a moment of panic. Password managers that autodetect websites don’t fall for fake login pages; if a website’s domain doesn’t match, it doesn’t match, and no amount of eyeball-fooling with similar names and graphics will trick a decent password manager’s autofill.
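The origin-matching behaviour described above, as an added example that is not code from the original post or from any of the password managers it names: a toy vault offers a saved credential only when the page's origin matches exactly, so lookalike hosts get nothing. The vault entries and page URLs are constructed for illustration.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed sample vault: each saved credential is keyed by the exact origin
# (scheme + host) it was stored from. Hosts are illustrative, not real sites.
VAULT: Dict[str, Dict[str, str]] = {
    "https://login.example.com": {"user": "alice", "password": "v8!qLm3#Zr0pT2wK"},
    "https://bank.example.org": {"user": "alice", "password": "Hx7$nW4kQ9@eR1yB"},
}


def origin_of(url: str) -> Optional[str]:
    """Reduce a page URL to its origin, or None if it is unusable for autofill.

    Only https pages qualify. urlsplit lowercases the host, and any non-ASCII
    label is converted to punycode so a homoglyph host compares as what it
    really is rather than as what it looks like.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    try:
        host = parts.hostname.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return f"https://{host}"


def autofill_candidates(page_url: str) -> List[str]:
    """Usernames the manager would offer on this page: exact-origin match only."""
    origin = origin_of(page_url)
    if origin is None:
        return []
    return [entry["user"] for saved, entry in VAULT.items() if saved == origin]


if __name__ == "__main__":
    # Constructed page URLs: one genuine, the rest styled to fool the eye.
    for url in (
        "https://login.example.com/session",
        "https://login.examp1e.com/session",          # digit 1 for letter l
        "https://login.example.com.evil.test/login",  # real host is evil.test
        "https://login.example.com@evil.test/login",  # userinfo before the real host
        "http://login.example.com/session",           # no TLS, nothing offered
        "https://log\u0456n.example.com/session",     # Cyrillic i homoglyph
    ):
        print(f"{url:48} -> {autofill_candidates(url) or 'no credential offered'}")
```

Real managers usually relax the exact-origin rule to the registrable domain so that subdomains of one site share a login, but none of the lookalike forms above ever satisfy that relaxed rule either.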
So, take this opportunity during National Cybersecurity Awareness Month to get your house in order when it comes to passwords, by which I mean your whole house—kids, spouses, parents, siblings, cousins, everyone. It’s on you to recruit into our secret secure club, and hopefully one day make this all less secret and more secure for everyone.
This post was the third in a four-part series celebrating National Cybersecurity Awareness Month. Check back next week to hear about approaches to securing the nation’s most critical infrastructure, and be sure to read our previously published posts, “Manage Your Risk at Home with Simple Tweaks to Your Voice-Controlled Devices” and “Getting Started with Cybersecurity Education and Training Assistance Programs.”