Good Password Hygiene Requires Behavior Changes and Password Managers

For years I advocated good password hygiene: complex, long and unique passwords. But this approach falls short because it depends on one very important element – you, the user.

Today, I draw all my energy trying to impress upon users like you the importance of a password manager. I personally use LastPass, but I don’t personally care which one you use.

Password Hygiene Requires Behavior Changes

Good password hygiene has little to do with the technologies available, and everything to do with having the right mindset.

If as a technologist you implore your colleagues to install a random tool, they might do it. But activation is not the same as being active users, and it doesn’t mean you’ve made the positive change you were trying to make.

As an individual, you have to realize that you’re making an investment that will require personal behavior changes. You must take charge of your own digital security, and for whatever it’s worth, your passwords are a critical piece of that equation.

  • Yes, this means you might never know your passwords again.
  • Yes, you will need to go through all your applications (at least the first time) to get set up.
  • Yes, this will take some getting used to.
  • Yes, it will require a little sweat equity to get yourself personally set up.

Thankfully, there are tools designed to help you through this adoption and adjustment phase. Most of the password managers offer some browser integration (via a plugin) and most website forms recognize your password manager.

Note: Yes, I’m aware of the challenges with browser plugins, specifically their associated risks, and of the various breaches password managers have suffered in the past. For the hyper-paranoid, I encourage you to keep using your local password management techniques (e.g., GPG, etc.). This post is not for you. For the rest of civilization, which lives in a very different, interconnected world, password managers are a good way to go.

The biggest user experience issue will be on mobile devices (specifically phones and tablets that depend on an app ecosystem). I have yet to find a good password manager that integrates with mobile applications so that your username / password is recognized when you open the app. My workaround for this is to use biometric features (e.g., TouchID and FaceID).

Choosing a Password Manager

The most prevalent tool today designed to help you take control of your personal password hygiene is the password manager.

Think of a password manager as a personal vault designed to store your most sensitive information, while also making it easy to retrieve when you need it most. Most can store a lot more than your passwords. For instance, you can use it to store product subscriptions, sensitive connection data, credit cards and their associated security codes, PIN numbers, and a slew of other bits of information in addition to your passwords.

Password managers have become prevalent because it’s impossible for us, as everyday users, to keep up with the wide array of systems we interact with. We live increasingly interconnected lives, and this interconnection requires some form of authentication with another system. Usernames and passwords are still the key authentication mechanism available to us.

When choosing a password manager it’s important that you spend time thinking about your personal digital experiences. How you answer these questions will help you define your personal requirements, and will help you gauge how one solution might meet your specific needs.

  • Do you interact on desktop or mobile devices?
  • If mobile devices, are they notebooks, laptops, phones?
  • Do you have multiple devices?
  • Do your devices leverage multiple OSes (e.g., iOS, Windows, Linux, etc.)?
  • Do you live in browser or app ecosystems?
  • Do you ever have instances where you have to share your credentials with someone else?

As technologists, we have to keep this in mind when making recommendations. Understanding how we each interact on the web will be imperative to how we make decisions and recommendations.

Some of the more common password managers include the following:

The Importance of Password Hygiene

The implications of poor password hygiene are too grave, in my opinion. There are the obvious implications for our personal digital lives (e.g., identity theft), and they extend into other environments we interface with (think work). As a technologist, my immediate reaction is – how can this be fixed? I draw solace when I think about the work organizations like FIDO are undertaking with their web authentication / biometric initiatives, and what organizations like Amazon are undertaking with their self-checkout stores (which show a different authentication world).

Nobody will care about your security as much as you should, so take some ownership.

Regardless, we’re years away from this, and in the interim the impact on everyday users will continue to be in the tens or hundreds of millions. I can assure you that no one wants to be part of that statistic. I challenge you to ask yourself the following:

  • What are you doing to protect your own digital security today?
  • How do you think about your digital security?
  • Do you think that adding slight variations to the same password is unique?
  • Do you use the same password on multiple sites and applications?
  • If your password was compromised, how would you know?
  • What could a bad actor do if they had your password?

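The reuse and "slight variation" questions above can be answered mechanically against your own vault export rather than from memory. The following is an added example, not code from the original post: a small Python audit over a constructed sample vault that flags exact reuse and near-variants (same stem after stripping a trailing digit/symbol suffix, or a high similarity ratio). The sample entries and function names are assumptions.

```python
"""Audit a password list for exact reuse and near-duplicate variants."""
import re
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample: (site, password) pairs as a password manager might export.
SAMPLE_VAULT = [
    ("bank.example", "Tr0ub4dor&3"),
    ("shop.example", "Tr0ub4dor&4"),       # digit bumped
    ("mail.example", "Tr0ub4dor&3!"),      # suffix added
    ("forum.example", "correct horse battery staple"),
    ("news.example", "Tr0ub4dor&3"),       # exact reuse of the bank password
    ("work.example", "vQ7#pL2m!xZ9wR4t"),  # genuinely unique
]


def _stem(pw):
    # Drop a trailing run of digits/symbols and case so "Summer2023!" and
    # "summer2024" collapse to the same stem; that is the "slight variation" habit.
    return re.sub(r"[\d!@#$%^&*.]+$", "", pw).lower()


def find_exact_reuse(vault):
    """Map each password used on more than one site to the list of those sites."""
    by_pw = defaultdict(list)
    for site, pw in vault:
        by_pw[pw].append(site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}


def find_variants(vault, threshold=0.8):
    """Return (site_a, site_b, similarity) for passwords that differ only slightly."""
    hits = []
    for (s1, p1), (s2, p2) in combinations(vault, 2):
        if p1 == p2:
            continue  # exact reuse is reported by find_exact_reuse
        ratio = SequenceMatcher(None, p1, p2).ratio()
        if _stem(p1) == _stem(p2) or ratio >= threshold:
            hits.append((s1, s2, round(ratio, 2)))
    return hits


if __name__ == "__main__":
    for pw, sites in find_exact_reuse(SAMPLE_VAULT).items():
        print("REUSED on", ", ".join(sites))
    for a, b, r in find_variants(SAMPLE_VAULT):
        print(f"VARIANT {a} ~ {b} (similarity {r})")
```

Run it against a CSV export of your own vault (load the site/password columns into `vault`) and every line printed is a password to rotate to a generated, unique one.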
I believe the future of passwords is no passwords; but until we get there, use a password manager.
