Password managers are safe, effective tools for thwarting cybercriminals in their non-stop attempts to make money by stealing and selling private information. The last time we discussed password managers was in November 2019. The world may have changed a lot since then, but the need for good password protocols is as important as ever.
Remember, bad passwords really do put you at risk (yes, you). Using a common password or repeating the same password for many accounts increases the likelihood that your information will be stolen. 80% of hacking-related breaches are caused by weak, stolen, or reused passwords. Hackers have a variety of tools in their arsenal for cracking your password. From brute force attacks to password spraying, a determined cybercrime enterprise doesn’t have too much trouble getting into the average account.
High-quality passwords aren’t words at all. They’re long phrases that contain both symbols and numbers. Using a unique passphrase with as many characters as allowed for each of your online accounts is the best defense against cybercrime. Hundreds of accounts means hundreds of passphrases, which is why a password manager is crucial.
How Password Managers Work – User Experience
A password manager generates and stores all your passwords (and usernames) in one secure location. Most password managers also allow you to store credit card information and secure notes. Notes are useful for data like loyalty card info or frequent flyer account numbers.
Users access the data in the manager by entering a long passphrase or using biometric data like a fingerprint or face scan.
Setting up a password manager can be tiresome if you have a lot of online accounts. (Don’t we all?) But it’s ok to add them over time as you find yourself using them. Once you have your login credentials set up in the manager, optional autofill features are an amazing way to speed your way through the tedium of logging in to all the accounts you need on a daily basis.
How Password Managers Work – Encryption
Good password managers are extremely hard to compromise.
By now, you’ve been hearing about password managers for a few years. But if you’re reading this post you may still be dubious (or have dubious friends, family, or coworkers). You are smart to wonder how it’s possible that password managers are safe. It’s counterintuitive to put all of your most important data all in one place.
The most commonly used password managers are web-based and store your data on a cloud-based server. Because the data is stored in the cloud, you can access it from any device at any time. But how do you know that the password manager company can’t see your data? Or that someone can’t intercept it on its journey between your device and the server?
Web-based password managers use a zero-knowledge design: your data is encrypted on your device before it is sent to the server, so the server only ever holds ciphertext. Most password managers use a military-grade cipher called 256-bit AES to encrypt and decrypt data. Even with a quantum computer, cracking this type of cipher would take longer than any amount of time your brain can comprehend. 256-bit AES is the same cipher used by the National Security Agency and is standard for VPNs and firewalls as well. The one exception is NordPass, which has implemented a higher encryption standard called XChaCha20.
Corporate Use of Password Managers
Corporate IT departments are tightening up security measures in all sorts of areas and password safety is high on the list. If your employer hasn’t already instituted the use of password managers, you should expect that they will soon.
Some employees are reluctant to store anything personal on a work device. And there’s no rule that says you have to add personal passwords to the password manager on your company device.
Consider this: a free password manager provided by your boss is a safe and convenient way to ensure the safety of your company’s data. Plus, password managers save people an average of 50 hours per year on typing in passwords and personal information (according to Dashlane). At a minimum, storing your work passwords will keep you from having those annoying password reset conversations with IT. And as an added bonus, your company might not get taken down by a data breach that costs a bunch of money to repair and affects everyone’s bottom line.
Remember that a good online password manager uses 256-bit AES encryption. It’s doubtful that your IT team has the time, resources, or energy to decrypt anything you store there. And your boss and your IT manager don’t want to access your Facebook profile. They want to keep your company’s payroll software and customer data out of the hands of cybercriminals.
Reaching the Reluctant
Password manager hacks are exceedingly rare. There have only been four instances of reported vulnerabilities among the primary paid account password managers. And none of them resulted in breaches.
In 2015, LastPass suffered an intrusion to its servers. The hackers took user email addresses and password reminders. Fortunately, no known damage resulted, because an account with a cracked password would still need to verify access by email.
A number of password manager vulnerabilities were identified in 2016 but these issues all required a successful phishing attempt to trigger the user to reveal critical data.
A 2017 vulnerability in the LastPass browser add-on resulted in zero issues and was repaired in less than 24 hours.
Finally, in 2019, Windows 10 users were found to be vulnerable to a flaw in the code of several major password managers. However, the flaw could only be exploited if the users also had a specific type of malware installed.
Just Do It
Password managers are safe. The professional cybersecurity community widely regards them as an important tool for protecting private information online. They are encrypted with best-in-class ciphers. And there is no history of serious breaches caused by hacked password managers.
Choose one of the web-based, paid services like Dashlane, LastPass, NordPass, or 1Password, and start being safer on the web today.
Does your company have a strong password policy? If you need guidance on developing and implementing high quality information security practices, Asylas can help. Call us at 615-622-4591 or email email@example.com. Or complete our contact form.