The year is 2017 and we are still giving advice on the process of creating passwords. This must stop. The phrase “These are the tips for creating a secure password” should be stricken from all presentations, articles, tips and side-bar conversations.
Managing passwords has never been more streamlined. Organizations have invested countless hours and resources into building solutions that integrate seamlessly into our habits, and every business owner, and individual, should invest energy into integrating password managers into their overarching security program. So ask yourself: why are you, or your organization, not employing the tools designed to protect you from yourself?
Password managers are solutions designed to streamline the generation, storage and retrieval of passwords. They are meant to make the once mundane process of creating a password a thing of the past.
Today’s solutions are platform agnostic, meaning they function across all major operating systems, browsers and devices. On the desktop they integrate with the most prominent web browsers through extensions, and on mobile almost all of them ship a native app you can leverage.
I personally use LastPass (not affiliated with them). There are a number of other solutions you can play with: KeePass, 1Password, Dashlane, etc…
Yes, LastPass has suffered security incidents in the past, but let’s be honest, most have. Let’s also remember not to throw stones from a glass house. Or the fact that even on their worst days they are 1,000x more secure than the approach we’re likely employing. Hint: we’re not as creative or unique as we think we are. On that note, I’ve shared some thoughts on LastPass and its security, and specifically spoken to its incident in 2015. I still trust them. In fact, I trust them more every time they suffer an incident.
Password Manager Benefits
I would wager that in the not so distant future, ignorance will not be an acceptable answer as to why small businesses get compromised. Especially if the compromise comes down to weak credentials being exploited because bad passwords were cracked or guessed. Thankfully, password managers help us with this problem.
Some of the advantages we get when using a password manager:
- You never have to remember your passwords, with the exception of the master password;
- It’s easy to apply newly created passwords to forms;
- It’s easy to share access to an account with someone without revealing the password itself;
- It’s easy to control who gets access to what system;
- It’s easy to ensure that you’re following whatever password policy is in effect;
- It’s easy to rotate a password on whatever cadence you choose, or as soon as a breach notice arrives;
- It’s easy to access the information across multiple devices, on the go;
- Your overall exposure is much smaller: because every account gets its own unique password, a breach at one site (and there is at least one major breach every year) cannot be replayed against your other accounts.
For Businesses: As a small business owner, what other reasons do you require? Talk to your teams, it’s not so much about everyone using the same system, as much as the fact that a system is being used. The good news is that it’s not a cost issue, most are relatively inexpensive even for the poorest of geographies.
For Endusers: If you’re an enduser, the message is even simpler. The reasons it’s not being used fall into two camps: a) you’re being lazy or b) you’re unaware. Now you know, so “b” should no longer be an issue and “a” should not even be part of our dialog, right? We are our greatest threat, specifically the fact that we’re behaviorally weak.
For Developers: If you’re a developer, for all that is holy, please verify that your account creation pages, log in pages, and other similar pages support password managers: let the browser and its extensions autofill the fields, don’t block pasting into the password box, and don’t cap password length at something a generator will blow past. There is nothing more infuriating than a page that doesn’t, it sets us back years with all the hard work being done to improve consumer behavior.
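As an added example (my own illustrative code, not code from the original post or from any password manager), here is a small Node.js script that audits a login or signup form snippet for the markup that most often breaks password managers: a password field without an autocomplete hint of current-password or new-password, an onpaste handler that blocks pasting a generated password, a maxlength that truncates it (NIST SP 800-63B asks that at least 64 characters be accepted), and a username field missing autocomplete="username" so the manager cannot pair it with the password. The two form snippets are constructed for the example and the function names are mine.

```javascript
// Added example: audit a form snippet for markup that breaks password managers.
// Illustrative code, not from the original post. The regex-based parsing is
// deliberate: it is for quick checks on a snippet, not a full HTML parser.

// Parse the attribute text of a single tag into an object of lower-cased names.
function parseAttributes(attrText) {
  const attrs = {};
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    let value = "";
    if (m[2] !== undefined) value = m[2];
    else if (m[3] !== undefined) value = m[3];
    else if (m[4] !== undefined) value = m[4];
    attrs[m[1].toLowerCase()] = value;
  }
  return attrs;
}

// Return a list of human-readable findings; an empty list means the form is
// manager-friendly as far as these checks go.
function auditLoginForm(html) {
  const findings = [];
  const inputRe = /<input\b([^>]*)>/gi;
  let m;
  while ((m = inputRe.exec(html)) !== null) {
    const a = parseAttributes(m[1]);
    const label = a.name || a.id || "(unnamed input)";
    const type = (a.type || "text").toLowerCase();
    const ac = (a.autocomplete || "").toLowerCase();

    // Blocking paste defeats "generate, then paste" for every manager.
    if ("onpaste" in a) {
      findings.push(`${label}: onpaste handler blocks pasting a generated password`);
    }

    if (type === "password") {
      // autocomplete="off" is ignored by most browsers anyway; the useful hints
      // are current-password (login) and new-password (signup / change).
      if (ac !== "current-password" && ac !== "new-password") {
        findings.push(`${label}: declare autocomplete="current-password" or "new-password" (found "${ac || "none"}")`);
      }
      // NIST SP 800-63B: accept at least 64 characters; generators default to long.
      if (a.maxlength !== undefined && Number(a.maxlength) < 64) {
        findings.push(`${label}: maxlength=${a.maxlength} truncates generated passwords (allow at least 64)`);
      }
    } else if ((type === "text" || type === "email") && /user|login|email/i.test(label)) {
      // The username hint lets the manager pair this field with the password.
      if (ac !== "username" && ac !== "email") {
        findings.push(`${label}: add autocomplete="username" so the manager can pair it with the password field`);
      }
    }
  }
  return findings;
}

// Constructed sample markup, not taken from any real site.
const BROKEN_FORM = `
<form action="/login" method="post">
  <input type="text" name="user">
  <input type="password" name="pass" autocomplete="off" maxlength="16" onpaste="return false;">
  <input type="submit" value="Sign in">
</form>`;

const FIXED_FORM = `
<form action="/login" method="post">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pass" autocomplete="current-password">
  <input type="submit" value="Sign in">
</form>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log("broken form:", auditLoginForm(BROKEN_FORM));
  console.log("fixed form:", auditLoginForm(FIXED_FORM));
}
```

Run it with `node audit.js`: the broken form yields four findings (one for the username field, three for the password field) and the fixed form yields none. Drop the same checks into a pre-commit hook or a template test and the regression never ships.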
Let’s Evolve Our Password Instructions
As a community, regardless of what we do, at some point we find ourselves talking to a customer, family and / or friend. Or maybe we see a security discussion find its way into our favorite group or forum. Take this opportunity to educate and bring awareness to the idea that we should no longer be talking to, or educating, people on the process of password creation. Instead, we should state that passwords are generated by password managers, specifically by their built-in password generators.
We are not as unique as we think we are. Attackers know this. Attackers exploit this. Don’t be a statistic.