You have probably heard many times that you are supposed to pick a good, strong password, with more than 8 characters, mixing numbers and symbols, etc., and remember it. Maybe this worked well some years ago, when there were not many services we needed to log into and only a few passwords to remember and manage.
Nowadays, with the advent of smartphones and always-on connectivity, many of us need to access dozens of services that require a password, from the Windows computer at work to all the online services such as Facebook, Gmail, Whatsapp, etc. Imagine having to remember a complex password for each of these services... Many people end up just using the same password for all of them. This is a BIG security issue: if one of the sites you access gets compromised, an attacker can reuse that password to log into your other services.
What is a good way of managing many passwords then? One solution is using password managers. With password managers you only need to know one strong master password that will give you access to all your passwords.
Simply put, a password manager is an application or service with a database where you store your login/password information. The database is encrypted and can only be opened with a master password/key.
Different password managers offer different features, such as generating passwords and auditing the quality of the passwords you already have. The point here is that you only need to create and remember one strong password to protect your database. After opening your database, you copy the username and password for the site you want to log into. Just keep in mind that the master password must be hard to guess, but one that you can remember. LastPass recommends on their page that you use passphrases: you create a sentence that you will easily remember and mix in numbers, punctuation marks and symbols. For example:
A sentence like:
could be turned into a good passphrase (modifications in bold):
Look at an example below:
I would like to access my Gmail account, but I don't know the password.
I open the database with my master password, copy the Gmail username and password, paste them into the browser, and I'm in.
I don't need to see or know the password. This brings us to another point. Since you don't need to remember the passwords, you can create a complex, random, hard to remember password for each service, which makes your account better protected against brute-force attacks and attacks that try words from a dictionary. You can create these by hand or, better, use the password manager's built-in generator. Another way is to use a separate application or service, such as the generator on the LastPass page.
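To make the "complex, random password" point concrete, here is an added example (not code from the post or from any password manager) that generates a random password mixing the character classes mentioned above, generates a word-based passphrase from a small constructed word list, and computes the entropy of each so you can compare an 8-character mixed password, a 20-character random one and a 5-word passphrase.

```python
import math
import secrets
import string

# Character classes the post recommends mixing: letters, digits, symbols.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
ALPHABET = "".join(CLASSES)  # 94 printable characters


def generate_password(length: int = 20) -> str:
    """Uniform random password over ALPHABET that contains every character class.
    Rejection sampling keeps the distribution uniform over qualifying passwords;
    forcing one character per class and shuffling would bias it."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in CLASSES):
            return pw


# Constructed mini word list for the demo; a real list (e.g. diceware) has 7776 words.
WORDS = ["correct", "horse", "battery", "staple", "river", "window", "candle", "orbit"]


def generate_passphrase(words: int = 5, wordlist=WORDS, sep: str = "-") -> str:
    """Passphrase of `words` words drawn uniformly (with replacement) from the list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform choices among `choices` options.
    The class-coverage filter above removes a negligible fraction, so this is
    an accurate upper bound for generate_password as well."""
    return picks * math.log2(choices)


def compare() -> dict:
    """Bits of entropy for the three strategies discussed in the post."""
    return {
        "8 chars, mixed classes": entropy_bits(len(ALPHABET), 8),
        "20 chars, random": entropy_bits(len(ALPHABET), 20),
        "5 words, 7776-word list": entropy_bits(7776, 5),
    }


if __name__ == "__main__":
    print(generate_password(), generate_passphrase())
    for name, bits in compare().items():
        print(f"{name}: {bits:.1f} bits")
```

The takeaway is that a manager-generated 20-character password carries far more entropy than an 8-character one, and a 5-word passphrase lands in between while staying memorable enough to serve as the master password.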
Offline vs Online
In terms of access there are two types of password managers: Online and Offline.
Offline password managers are mostly used by those who want to keep their password database locally, on their own computer and not in the cloud. There are several applications offering different features. Two of my favorites, both free, are KeePass (http://keepass.info/) and Password Safe. KeePass supports more platforms.
Online password managers store your password database in the cloud. These providers usually use state-of-the-art encryption, and the key to the database is not stored on the server, so even the provider cannot see your passwords without the key/password that you possess. Online password managers are very convenient: they can fill information directly into your browser's login page without you having to open the database and copy/paste every time, and they can also sync between devices. Also, when you change a password, some password managers offer to replace the old password with the new one you just typed. One of the most popular is LastPass, which has a free plan as well as Premium and Enterprise ones.
I will elaborate a bit more about this in a future post, but would only like to mention a powerful method to step up your security: Two-factor authentication.
Basically, to authenticate a person we can use the following kinds of credentials:
1. Something you know (e.g. a password or PIN number)
2. Something you have (e.g. a smartcard)
3. Something you are (e.g. your fingerprint, your eye's iris)
By using only one of these, we say that you are using single-factor authentication. Usually we use passwords (something you know). By using two credentials, or two-factor authentication, you can really step up your security. With two-factor authentication you use something you know and something you have. A good example of this is using an ATM to get money, where you need a card (something you have) and a PIN code (something you know).
High-security locations such as military installations use three-factor authentication, adding biometric authentication on top.
Many online services allow for two-factor authentication and you should take advantage of them. Usually, to log into these services you have to provide your password ("something you know") AND a one-time code that you receive on your phone or retrieve from a hardware generator ("something you have").
Password Managers help you manage your passwords in a database. You just need to know one master password in order to open the database. This allows for stronger passwords to be created, that you don't need to remember, for each service.
Different Password Managers have different features and can be offline or online. Online ones store the database in the cloud.
In order to make your account more secure, if the service supports it, take advantage of the two-factor authentication offered by most major service providers.
Image credits: Google Authenticator in the iTunes store