Tips for Selecting Your Perfect Password Manager
Statistics for 2016 are not yet available, but in the years prior there were several surveys estimating the number of passwords and online accounts each person on the Internet maintains. Here's a brief look at password security over the last decade.
In 2007, Microsoft stated, "The average person has 6.5 passwords, each of which is shared across 3.9 different sites. Each user has about 25 accounts that require passwords, and types an average of 8 passwords a day."
In 2012, the Norwegian Centre for Information Security stated, "The average number of private passwords per person is 17, and the average minimum number of work passwords per person is 8.5."
Also in 2012, the Janrain/Harris interactive study found, "58% of online adults have five or more unique passwords associated with their online logins and 30% of people have more than 10 unique passwords they need to remember. 38% of people think it sounds more appealing to tackle household chores—from folding the laundry to scrubbing toilets—than to try and come up with another new user name or password."
In 2014, research showed this number continuing to grow. It also showed users were still unable to create secure passwords. According to Sophos, "The average person has 19 passwords, but 1 in 3 don't make them strong enough."
More recent data only adds more bad news. According to the #TurnOn2FA discussion, "73% of online accounts are guarded by duplicated passwords. On average, only 6 unique passwords are used to guard 24 online accounts. Even worse, 54% of people use 5 or fewer passwords across their entire online life."
All of these data points point to one root issue: human beings are not only terrible at generating passwords, they're even worse at keeping track of them.
Free Download: Overhauling Password Behavior at Your Association
Enter the credential vault
With so many passwords to remember, what are the squishy-brained humans supposed to do? (Much as I'd like to, I am still unable to upgrade the amount of available RAM in my cranium. To top it off, some of my existing chips appear to be degrading over time.)
One of the options humans have come up with is the credential vault (AKA password keeper, password manager, credential store, keychain, etc.). A credential vault functions exactly as its name describes: it's a vault for your credentials. Originally, these applications functioned little better than spreadsheets, keeping track of where the credential was used, the login name, and the password. Today, credential vaults can do much more. A brief list of typical (but not all) functionality includes:
1) A "master" password that unlocks all of your credentials for you as you need them
- This password cannot be recovered should you forget it.
- Some solutions support resetting this password. Understand what that implies: a reset is only possible if the vendor, or a recovery key you hold, can decrypt the vault without the master password, so find out who holds that capability.
2) Storing data locally or in the cloud
3) Automatically filling in forms as you navigate
4) Biometric integration
5) Synchronization across your multiple devices
6) Two-factor authentication
All of this development is focused on addressing the one core issue of password security: human beings need passwords to be easy, but security demands they be difficult and unique.
What should I look for when selecting a credential vault?
Some operating systems, such as some Linux variants and Apple's macOS, embed this functionality and refer to it as a "keychain," but what about the Microsoft users out there in the world? Never fear, you have a solution as well. Actually, you have at least 10. If you are interested in reviews and a breakdown of functionality for each of these options, check out PC Magazine's December 2016 article entitled, "The Best Password Managers of 2017." Regardless of the product you select, there is a set of minimum requirements for this type of solution. Everything else you will see described is nice to have, but should not be your deciding factor unless all other factors are equal.
Two Factor Authentication
When accessing your credential vault, especially from a new device, you should be forced to provide a second factor to authenticate. Be it a code from an authenticator app, a hardware USB security key, or at minimum a code sent to a separately secured email account, knowledge of your master password alone should not be enough to access the vault for the first time in a new environment. Be clear about what the second factor actually guards, though: it protects your account with the vendor and the enrollment of new devices. If someone obtains a copy of the encrypted vault file itself, no second factor is consulted, and only the strength of your master password and of the key derivation stand between them and your credentials. I suppose a biometric solution is acceptable here, but it would not be my preference. (I still sort of feel like this gives the bad guys a reason to chop off a finger, but I watch entirely too much Netflix!)
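The most common software second factor is a time-based one-time code from an authenticator app. The following is an added example (mine, not code from the article or from any password manager vendor) that implements HOTP and TOTP from RFC 4226 and RFC 6238 with the Python standard library, plus the server-side check a vault service would run: a small clock-drift window and a "last counter used" watermark so an intercepted code cannot be replayed. The sample secret is the RFC 6238 test secret; the label names and window size are assumptions for illustration.

```python
import base64
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, now: float, last_used_counter: int,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check. Accepts codes within +/- `window` steps to tolerate
    clock drift, and refuses any counter at or below the last one consumed, so
    a code sniffed in transit cannot be replayed inside its validity window.
    Returns (accepted, new_last_used_counter)."""
    current = int(now) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_used_counter:
            continue  # already consumed (or older): replay attempt
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True, counter
    return False, last_used_counter


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps are enrolled with a base32 secret (the string inside
    an otpauth:// URI). Undo that encoding, tolerating spaces and missing '='."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret: the ASCII string "12345678901234567890".
    rfc_secret = b"12345678901234567890"
    print("T=59 ->", totp(rfc_secret, 59))  # 287082 (low 6 digits of the RFC's 94287082)
    print("now  ->", totp(rfc_secret, time.time()))
```

The watermark in `verify_totp` is the detail most home-grown implementations miss: without it, a code captured by a phishing page remains valid for the rest of its 30-second step plus the drift window.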
Seriously strong encryption
All of the vendors state they use "strong encryption," and most mean AES-256, which is safe enough for any user. The master password is not itself the key; it is stretched into the key (or into a key that unwraps the real key) that decrypts the credentials stored in the vault. Since we need to read the data back, that part is necessarily reversible, symmetric encryption. What distinguishes a good vault is how the master password is stretched. A plain one-way hash such as SHA-512 is fast, and fast is exactly what an attacker holding a copy of your vault wants, because it lets them test billions of guesses per second. Look for a vendor that runs the master password through a deliberately slow, salted key-derivation function such as PBKDF2 with a high iteration count, scrypt, or Argon2, and that publishes the parameters. If the solution lets you tune those parameters or choose the cipher, even better (well, as long as the available options are strong enough).
Unrecoverable (one-way) master password
You should never be able to recover a lost master password (so don't forget it! And don't write it down either). Any recovery path is just a vector for me to attack your credential vault. As an attacker, the only option available to me should be guessing, and there are two ways I can guess. Against interactive guessing, the credential vault should time out and "lock down" for a short period when multiple failed attempts are detected against the master password. Against offline guessing, where I have copied your vault file and the application's lockout never runs, the lockout is worthless; the only things slowing me down are the cost of the key-derivation function and the length of your master password, which is why the previous requirement matters so much.
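To make the difference between a fast hash and a slow key-derivation function concrete, and to show where an interactive lockout helps and where it does not, here is an added example (mine, not code from the article or from any vendor). It derives a vault key from the master password with PBKDF2-HMAC-SHA256 from the Python standard library, stores only a salt, the iteration count and an HMAC-based verifier in the vault header, wraps unlocking in a lockout that trips after repeated failures, and measures the offline guessing rate at different costs. The iteration count, label strings and lockout parameters are assumptions for illustration. The example stops at producing and verifying the key; in a real vault that key feeds an authenticated cipher such as AES-256-GCM, which the standard library does not provide, so encryption of the entries themselves is not shown.

```python
import hashlib
import hmac
import os
import time

# Assumed cost for illustration; tune so one derivation takes a noticeable
# fraction of a second on the user's own device.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 256-bit vault key. Every guess against
    a stolen vault file costs the attacker `iterations` HMAC computations."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_BYTES)


def make_verifier(key: bytes) -> bytes:
    """Check value kept in the vault header: an HMAC of a fixed label under the
    derived key, so the file reveals neither the key nor the password."""
    return hmac.new(key, b"vault-verifier-v1", "sha256").digest()


def create_vault(master_password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Vault header: per-vault random salt, the KDF cost, and the verifier."""
    salt = os.urandom(SALT_BYTES)
    key = derive_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": make_verifier(key)}


def unlock(vault: dict, candidate: str):
    """Return the vault key if `candidate` is the master password, else None."""
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    if hmac.compare_digest(make_verifier(key), vault["verifier"]):
        return key
    return None


class UnlockGuard:
    """Interactive lockout: after max_failures wrong guesses, refuse every
    attempt for lockout_seconds. This slows someone typing at the application;
    it does nothing against an attacker who has copied the vault file."""

    def __init__(self, vault, max_failures=5, lockout_seconds=30, clock=time.monotonic):
        self.vault = vault
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so the behaviour can be tested without sleeping
        self.failures = 0
        self.locked_until = 0.0

    def attempt(self, candidate: str):
        now = self.clock()
        if now < self.locked_until:
            return "locked", None
        key = unlock(self.vault, candidate)
        if key is not None:
            self.failures = 0
            return "ok", key
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
        return "denied", None


def guesses_per_second(iterations: int, trials: int = 20) -> float:
    """Offline brute-force rate on this machine for a given KDF cost.
    iterations=1 approximates a single plain hash of the password."""
    salt = b"\x00" * SALT_BYTES  # constructed fixed salt, for timing only
    start = time.perf_counter()
    for i in range(trials):
        hashlib.pbkdf2_hmac("sha256", b"guess%d" % i, salt, iterations, dklen=KEY_BYTES)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return trials / elapsed


if __name__ == "__main__":
    vault = create_vault("correct horse battery staple")  # constructed sample password
    print("right password unlocks:", unlock(vault, "correct horse battery staple") is not None)
    print("wrong password unlocks:", unlock(vault, "Password1") is not None)
    fast = guesses_per_second(1)
    slow = guesses_per_second(PBKDF2_ITERATIONS, trials=3)
    print(f"plain-hash guesses/s: {fast:,.0f}  PBKDF2 guesses/s: {slow:,.2f}  "
          f"slowdown: {fast / slow:,.0f}x")
```

Run stand-alone, the script prints how many guesses per second a single hash permits versus the stretched derivation; the ratio is the factor by which the KDF lengthens an offline attack, and it is the only number that matters once the vault file has left your device.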
Everything else you need should be geared to your needs
Besides making sure that the cryptography you're using is secure and that the master password handling is not weak, everything else regarding your credential vault should be geared to your specific needs. The entire point of the solution is to ease the burden of managing all of these passwords, so if the functionality doesn't work for you, try something else. Almost all of the vendors available support the export and import of credentials from other solutions. There are lots of other factors to consider, such as cost, sharing, and where your data is stored. In some countries, where personal data may be stored is dictated by law, so review local regulations before making your selection. In the United States, data can be stored in the cloud and in other countries as long as it is not used for certain government-related purposes (DoD, Secret, Top Secret, etc.). For most users in the U.S., this should not be an issue.
Adopt a solution and stick to it
If a credential vault addresses the havoc of password management for you, then incorporate it into your association's cybersecurity program. Don't wait, get started now. The sooner you adopt a solution, the sooner you can start updating your passwords to something more secure and unique. Stop reusing that weak password you've kept for the past 10 years just so you can log in within a reasonable amount of time and without a password reset. If you don't, you'll eventually get breached.
About Joshua Hiller
Since 1994, Joshua Hiller has been a professional software developer and security analyst, working as a private contractor, team member, and team leader. Specializing in automation, integration, penetration auditing and forensics, Josh has over 15 years of experience working in the non-profit industry in roles such as application developer, department director, and vice president. A married father of three girls, Josh's interests include: art, comic books, fantasy, science (and science fiction), application and network security, software development and tropical fish.