A Business Technology Place

Password Management System

How do you manage your passwords?

Electronic password managers were created to give all of us a more structured way to store and retrieve our passwords. But not everyone uses them: some people don’t know about them, some don’t trust them, and some find the extra steps at sign-in a hassle. Many people still rely on sticky notes and paper notebooks.

I’m convinced passwords are one of the largest nuisances in life for most people. It’s easy to see why. Different sites have different password rules, and modern complexity rules require special characters, numbers, and capital letters. We can’t reuse passwords, they have to meet a minimum length, and they can’t contain parts of our name or email address. I’m dizzy already.

There are two problems with this system:

  1. The rules are not our natural way of processing language and thinking. Result? Passwords are not easy to create and not easy to remember.
  2. To keep up with passwords effectively we all need a system. Sticky notes by the keyboard do not count.

Password managers: the good and the bad.

One system to use for credentials management is an electronic password manager tool. There are numerous tools available on the market. Some of them are locally installed on a computer while others are cloud based.

The good

  • Easily searchable
  • Accessible from wherever you are
  • Stored encrypted, so the file or database on its own is useless without the master password
  • Password generation that matches each site’s complexity rules
  • Accessible only to those with whom you share an entry or who hold your master credentials

The bad

  • One key to rule them all: a single master password unlocks every credential, so it must be strong, unique, and never reused anywhere else
  • Cloud-based services are high-value targets and are exposed to every attacker on the internet, not just the ones with access to your desk
  • New weaknesses in the service’s website, browser extension, or client are found regularly, and a flaw in the manager itself can expose every stored credential at once

Don’t lose sight of what is at stake.

Regardless of how you feel about electronic password tools compared to a paper-based system, don’t lose sight of the importance of having a secure system. It’s your data and your life. Identity theft is both harmful and disruptive. Having a password management system can be a time saver too. When you need access to your data you don’t want to spend time looking through drawers and notebooks.

It appears password complexity rules may be changing in the near future, as research is showing that password length matters more than complicated rule sets. Making passwords longer without mandatory special characters is a win for both usability and security. In the meantime, make sure you create a safe system.

Onward and upward!

Easier password rules

Somebody give these guys a high-five.
Finally. There is a glimmer of hope for resolution to the insanity that has become password complexity rules. The National Institute of Standards and Technology recently revised its guidelines for password complexity in Special Publication 800-63B. The password recommendations are detailed in Appendix A – Strength of Memorized Secrets. The NIST findings not only acknowledge the usability cost of the existing complex-password rules, but they reveal that the security benefit of those rules is not significant. This will make you smile and is sure to get a round of applause from everyone. Here’s an excerpt:

“Humans, however, have only a limited ability to memorize complex, arbitrary secrets, so they often choose passwords that can be easily guessed. To address the resultant security concerns, online services have introduced rules in an effort to increase the complexity of these memorized secrets. The most notable form of these is composition rules, which require the user to choose passwords constructed using a mix of character types, such as at least one digit, uppercase letter, and symbol. However, analyses of breached password databases reveal that the benefit of such rules is not nearly as significant as initially thought [Policies], although the impact on usability and memorability is severe.”

The new advice is to treat the length of the password as more important than its complexity. Shorter passwords are easier for guessing programs to break. Longer passwords are more difficult to break after they have been salted, hashed, and stored, because an attacker who steals the hash database has to guess each candidate and run it through the hash. NIST acknowledges that the over-complex rules we’ve been subjected to only encourage predictable workarounds when we try to make the password easier to remember. In other words, changing your password from “Password1!” to “Password2!” doesn’t really make it more secure, and neither did the “1!” in the first place.

Randomly generated passwords are OK as long as they don’t create a usability hassle. Some users, like me, use a password vault tool that can randomly generate passwords to use with specific sites. Again, longer password length is better even when using random characters.

I looked at my accounts.
I used this guidance and examined three financial services sites where I have accounts. Here is a look at the current password complexity requirements from each site:

Site 1
At least 8 characters in length
Has at least one letter
Has at least one number

Site 2
Must contain 8 to 20 characters including one letter and one number.
May include the following characters: % & _ ? # = –
May not contain spaces

Site 3
Minimum of six characters
Must use a mix of letters, numbers, or symbols

The good news is I can use my random password generator to create passwords longer than, say, 8 characters. It’s no more work for me because I go to my password vault tool to retrieve passwords anyway. But even if you don’t use a password vault tool, you can make your password much more secure by creating a phrase that complies with the existing rules. For example: ILove2seemygrandmother fits the requirements of Site 1 and Site 3. It is easier to remember and more secure. Note that at 22 characters it would be rejected by Site 2’s 20-character cap, which is exactly the kind of rule the new guidelines push back on (NIST says verifiers should allow at least 64 characters). Hopefully, the new guidelines will find a place in technology compliance and regulation and we’ll be able to submit password phrases more freely in the future.
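An added worked example, not code from the post or from any of the three sites: the three transcribed policies as data, a check in the spirit of SP 800-63B (length floor and ceiling, blocklist, no composition rules), a brute-force guess-space comparison, and a generator that uses the operating system CSPRNG (`secrets`) to produce the longest password each site will accept. It serves both the “Password1!” versus “Password2!” discussion above and the three site policies. Assumptions: Site 1 and Site 3 publish no symbol list or maximum, so those are treated as unrestricted; Site 2’s trailing “–” is taken to be a hyphen; the blocklist is a constructed stand-in for a real breached-password list; and stripping a trailing digit/symbol suffix before the blocklist lookup is this example’s own heuristic.

```python
"""Added example (not from the post): transcribed site policies, an 800-63B-style
check, guess-space comparison, and a CSPRNG password generator."""
import math
import secrets
import string

# The three policies as transcribed in the post. allowed=None / max=None are this
# example's assumptions standing in for "unrestricted" (Sites 1 and 3 publish neither).
SITE_RULES = {
    "site1": {"min": 8, "max": None, "need": {"alpha", "digit"}, "min_classes": 0, "allowed": None},
    "site2": {"min": 8, "max": 20, "need": {"alpha", "digit"}, "min_classes": 0,
              "allowed": string.ascii_letters + string.digits + "%&_?#=-"},  # no spaces
    "site3": {"min": 6, "max": None, "need": set(), "min_classes": 2, "allowed": None},
}

# Constructed stand-in for the breached/common-password list 800-63B tells verifiers to use.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}


def classes(pw):
    """Character classes present in pw: alpha, digit, symbol (whitespace counts as none)."""
    found = set()
    for c in pw:
        if c.isalpha():
            found.add("alpha")
        elif c.isdigit():
            found.add("digit")
        elif not c.isspace():
            found.add("symbol")
    return found


def site_ok(pw, r):
    """True when pw satisfies one site's composition rules as transcribed above."""
    if len(pw) < r["min"] or (r["max"] is not None and len(pw) > r["max"]):
        return False
    if r["allowed"] is not None and any(c not in r["allowed"] for c in pw):
        return False  # enforces the symbol whitelist and "may not contain spaces"
    found = classes(pw)
    return r["need"] <= found and len(found) >= r["min_classes"]


def nist_style_ok(pw, username=""):
    """800-63B style: 8..64 characters, blocklist, repetition and context checks,
    and deliberately no composition rules. Suffix stripping is this example's heuristic."""
    if not 8 <= len(pw) <= 64:
        return False
    lowered = pw.lower()
    stem = lowered.rstrip(string.digits + string.punctuation)  # 'password1!' -> 'password'
    if lowered in BLOCKLIST or stem in BLOCKLIST:
        return False
    if len(set(lowered)) < 4:  # 'aaaaaaaa', '12121212': repetitive
        return False
    if username and username.lower() in lowered:  # context-specific: contains account name
        return False
    return True


def guess_space_bits(pw):
    """log2 of the brute-force space implied by pw's length and the classes it uses.
    An upper bound only: a dictionary attack finds 'Password1!' in its first guesses."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if "symbol" in classes(pw):
        size += len(string.punctuation)
    return len(pw) * math.log2(size) if size else 0.0


def generate(r, length=None):
    """Random password satisfying rule r via the secrets CSPRNG and rejection sampling.
    Defaults to the site's cap, or 24 where there is none (24 is an arbitrary choice here)."""
    length = length or min(r["max"] or 24, 24)
    alphabet = r["allowed"] or (string.ascii_letters + string.digits + string.punctuation)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if site_ok(pw, r):
            return pw


if __name__ == "__main__":
    for pw in ("Password1!", "Password2!", "ILove2seemygrandmother"):
        print(pw, {s: site_ok(pw, r) for s, r in SITE_RULES.items()},
              "nist:", nist_style_ok(pw), "bits: %.0f" % guess_space_bits(pw))
    for s, r in SITE_RULES.items():
        print(s, generate(r))
```

Running it shows the point of the post: “Password1!” and “Password2!” satisfy Site 1 and Site 3 yet fail the blocklist check, while the 22-character phrase passes the NIST-style check with roughly double the brute-force bits and is turned away only by Site 2’s length cap.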

Onward and upward!

Secure your identity with password storage software from PassPack

I finally forced myself to sit down and come up with a better plan for password management this past week. As online identity theft grows, it’s becoming more commonplace for media and bloggers to write about security best practices, password protection, and other topics related to online identity. Unfortunately, password management is one of those topics that people choose to ignore because they want something simple and don’t want to be burdened with password rules and expiration dates. I counted myself in that group up until now.

I reviewed a few alternatives for password management programs. Some of the programs have local clients to install, with the password storage kept local. Some use a recording and playback method. Some leverage a two-factor authentication system with a physical device that supplies a key. What is common among all of them is that they require a user to change their habits in some way. I think this is a valid trade-off for added security and a little peace of mind.

For my review, I decided I needed to find a solution that addressed the following criteria:

1. Portability

Have an online version so that I could access my password storage from multiple locations. Since I use different computers throughout the week or may need to get to a site from an unexpected location, I need something portable.

2. Multi-Factor Security Options

Ok, so this is obvious, right? After all, I am giving someone my accounts and passwords. Since I wanted an online solution, I need to be comfortable with the security of the system. A fairly new approach to security that goes beyond encrypting the contents of the message on the wire is host-proof hosting. I’m not a security expert, but I get the fact that in this system the data sits encrypted on their server, that the key is derived from a secret only I hold and is not stored on their server, and that at no time is the key sent to their server. I see there are several players on the market that are using this system, including industry giant Verisign.
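As an added example, not PassPack’s code and not a description of how PassPack or Verisign implement it, here is the host-proof split in Python’s standard library. The client derives two independent keys from the master password and a salt: the encryption key never leaves the client, and only the separate authentication key is presented to the server, which stores just the salt, a hash of that auth key, and ciphertext. It also makes concrete the “one key to rule them all” caveat from the first post, since everything hinges on the master password. Assumptions: the names, message layout and sample vault are this example’s own; PBKDF2 with 100,000 iterations is an illustrative choice (tune it up in practice); and an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC stands in for an AEAD only because the standard library has none, so a real product should use AES-GCM or ChaCha20-Poly1305 from a proper library.

```python
"""Added example (not PassPack's code): host-proof hosting with the standard library.
The server never sees the vault plaintext or the key that decrypts it."""
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 100_000  # illustrative; production values should be higher


def derive_keys(master_password, salt):
    """One KDF call, split three ways: enc_key and mac_key stay on the client,
    auth_key is the only derived value ever shown to the server."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                                   KDF_ITERATIONS, dklen=96)
    return material[:32], material[32:64], material[64:]


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for a real AEAD)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(enc_key, mac_key, plaintext):
    """nonce || ciphertext || tag, encrypt-then-MAC with a separate MAC key."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, b"vault" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(enc_key, mac_key, blob):
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, b"vault" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """What the provider holds per account: salt, hash(auth_key), ciphertext. Never enc_key."""

    def __init__(self):
        self.accounts = {}

    def register(self, user, salt, auth_key, blob):
        # Hash the auth key so a database dump does not even yield a login token.
        self.accounts[user] = {"salt": salt, "auth": hashlib.sha256(auth_key).digest(), "blob": blob}

    def salt_for(self, user):
        return self.accounts[user]["salt"]  # salts are not secret

    def fetch(self, user, auth_key):
        acct = self.accounts[user]
        if not hmac.compare_digest(acct["auth"], hashlib.sha256(auth_key).digest()):
            raise PermissionError("bad master password")
        return acct["blob"]


def client_signup(server, user, master_password, vault):
    """Client side: derive keys, encrypt locally, upload only ciphertext and auth_key."""
    salt = os.urandom(16)
    enc_key, mac_key, auth_key = derive_keys(master_password, salt)
    server.register(user, salt, auth_key, encrypt_vault(enc_key, mac_key, json.dumps(vault).encode()))


def client_open(server, user, master_password):
    """Client side: re-derive keys from the master password, fetch, decrypt locally."""
    salt = server.salt_for(user)
    enc_key, mac_key, auth_key = derive_keys(master_password, salt)
    return json.loads(decrypt_vault(enc_key, mac_key, server.fetch(user, auth_key)))


if __name__ == "__main__":
    srv = Server()
    sample = {"bank": {"user": "alice", "password": "correct horse battery staple"}}  # constructed
    client_signup(srv, "alice", "my master passphrase", sample)
    print(client_open(srv, "alice", "my master passphrase"))
    print(b"correct horse" in srv.accounts["alice"]["blob"])  # the provider never holds plaintext
```

The design choice worth noticing is the key split: if the server stored the encryption key, or accepted the master password directly, a compromise of the host would expose every vault, which is precisely what host-proof hosting is meant to prevent.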

3. Browser Compatibility

I spend 95% of my Internet browsing time using Chrome or Firefox, so the password management system must run on those two browsers. I already have too many applications that only run with IE. I’m not going to add another one.

At the end of my journey I selected PassPack as my management tool. The tool meets all three of my decision criteria and offers additional optional security features that I won’t list in this post. There is a local desktop version available as well. The PassPack business model is currently set to give away usage rights for individuals (up to 100 passwords), while charging for group and administered accounts. It definitely requires a change in my behavior, but I know it’s for the better. At the end of the day, I’ll learn to enjoy the central management aspect of the password storage system and welcome the value it adds for me.