FFT News
Password Managers

Passwords are unmanageable. FFT Senior Security Officer, Marcus Chambers, looks at how to get them under control.

Passwords: advance one and be recognised.

As well as being a work of TV genius, Dad’s Army provides an excellent overview of why passwords are a broken reed in the security toolbox.

Ground troops’ standard way of identifying each other is as ancient as warfare and relies on knowing the correct password challenge and response at a particular time.
Of course, to be effective these had to change at least every day, often at the most inconvenient of times.

As Dad’s Army memorably illustrates, less than complete competence can mire the process in chaos, which is how our current use of passwords feels. Indeed, their ubiquity resembles a particularly unhinged episode from Walmington-on-Sea.

Of course, the challenge and response no longer involve two soldiers whispering loudly at each other in the dark. Now, we face an illuminated screen challenging us to recall the password we didn’t write down for the website we use too infrequently to recall.

Every online service asks for a user name and a password. Our work and personal lives can’t function without them and if we can’t remember them, we end up in the Sisyphean hell otherwise known as Forgotten Password.

Coping mechanisms.

We’re told repeatedly not to use the same password for all our accounts, so many people use three or four. This is good because it means we can probably remember them. Alas, it’s bad because we have to remember which password belongs to which site.

And, in any case, companies have proved chronically incapable of protecting our data (e.g. LinkedIn in 2012), which means that if the passwords haven’t been leaked already, the chances are they will be in the future.

The security professional’s advice: use a password manager.

I have over 170 online accounts and at least three email addresses at any one time. Obviously, remembering 170 unique passwords is impossible so the only solution is to use a Password Manager.

This means I have to remember one complex password to log in to the Password Manager and it does the rest. Take the advice of the UK National Cyber Security Centre (NCSC) and make that one password easy for you to remember but hard for an adversary to crack. In the realm of passwords, length is better than complexity, so just choose three random words.
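To put numbers on "length is better than complexity", here is an added example (not code from this article, the NCSC or any password manager): a three-random-words generator driven by a CSPRNG, plus the entropy arithmetic showing that a fourth word adds far more than a bolted-on symbol. The word list is a constructed stand-in; the 7776-word size passed to the entropy calculation is an assumption modelling a typical Diceware-style list.

```python
import math
import secrets
import string

# Constructed word list for the demo (assumption: a real list, such as a
# 7776-word Diceware list, is thousands of entries long; the entropy maths
# below takes that size as a parameter rather than using this list's length).
SAMPLE_WORDS = [
    "anchor", "bishop", "candle", "dragon", "ember", "falcon", "garden",
    "harbour", "island", "jigsaw", "kettle", "lantern", "marble", "needle",
    "orchid", "pepper",
]


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy, in bits, of `picks` independent uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


def random_words(words=SAMPLE_WORDS, count: int = 3, sep: str = "-") -> str:
    """Build a passphrase from `count` words drawn uniformly by a CSPRNG.

    secrets.choice is used rather than random.choice: the latter is seeded
    from predictable state and is not suitable for generating secrets.
    """
    return sep.join(secrets.choice(words) for _ in range(count))


def length_vs_complexity(wordlist_size: int = 7776) -> dict:
    """Compare two ways of strengthening a three-word passphrase.

    Adding a fourth word buys log2(wordlist_size) bits; appending one random
    symbol buys only log2(32) bits. Results are rounded to 0.1 bit.
    """
    three_words = entropy_bits(wordlist_size, 3)
    four_words = entropy_bits(wordlist_size, 4)
    one_symbol = entropy_bits(len(string.punctuation), 1)  # 32 symbols -> 5 bits
    return {
        "three_words": round(three_words, 1),
        "fourth_word_adds": round(four_words - three_words, 1),
        "symbol_adds": round(one_symbol, 1),
    }


if __name__ == "__main__":
    print("passphrase:", random_words())
    print("bits:", length_vs_complexity())
```

With a 7776-word list, three words give about 38.8 bits; the fourth word adds 12.9 bits, while a random trailing symbol adds only 5. The same arithmetic applies to a manager's own generator: each extra character of a uniformly random password adds log2(alphabet size) bits, so length is the lever that moves the result most.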

Full disclosure: I don’t like my Password Manager, I love it. It means I can have a unique password for every one of my online accounts, so when LinkedIn advised me to reset my password, I changed just that one. And felt pretty smug about it too.

My Password Manager fills in the details every time I need to log in. It completes my name and address when I register for a website and it generates a unique, strong password which it syncs across my different devices.

Password Managers aren’t perfect. They are an obvious target for attackers and several have been breached, although no passwords were revealed. But, as someone who works in cybersecurity every day, I still believe they’re the only viable option to make sense of passwords.

What’s in a user name?

Account security is not just about passwords; we need to think about usernames as well. Here’s the approach I use, which relies on having more than one username.

For a start, don’t use your work or normal personal email. Create a third email account which doesn’t use your real name or personal details. You don’t need to remember which user name you use for each account; your Password Manager will do that for you. Combine this with Two Factor Authentication, and you will have made yourself an awful lot more secure.

The downside

Compared to the alternatives, Password Managers have few disadvantages but there are some crucial issues to bear in mind.

Some accounts, particularly financial ones, may not work properly. And do check your bank’s terms and conditions because some prohibit the use of a Password Manager.

They’re also not foolproof. Some will offer to change your passwords automatically, and this can be hit-and-miss. But overall, the pluses definitely outweigh the minuses.

Select your Password Manager now.

In recommending Password Managers, we’re in good company. The NCSC says they’re a good thing, but just like buying a car, there isn’t a single, best option that suits everyone.

I’ve been using Dashlane for over three years and wonder how I survived without it. But I have security-minded colleagues who use other solutions and we’ve never managed to agree on a single, best option.

For a start, assessing their relative security is impossible. Commercial Password Managers are closed products which, unlike open source software, can’t be audited. But there are questions to ask which will allow you to make an informed decision between the main contenders:

1Password
LastPass
Dashlane
KeePass
RoboForm 8

Questions to ask:

Is it reputable?
Search for *name of provider* and *hack*, etc., to see whether that company has been breached recently. If you’re not content with what you find, choose another provider.

How much? What’s the cost, and is it worth it? Think of the time you spend resetting passwords. Time saved, money gained.

Is it easy to use? Will it make your life easier?

Business critical? Is the Password Manager part of a wider range of products? If it is, losing your passwords may not make the company go bust.

Sync. Will the Password Manager work seamlessly across all your devices? As an app and/or in your browser?

Generation. Does the Password Manager enable you to generate passwords and control their length and complexity?

Audit. Does the Password Manager tell you if you’ve reused passwords and prompt you to change them if they’ve been in use for too long?
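The Generation and Audit questions above are the two features easiest to reason about in code. The following is an added example (not code from this article or from any of the products listed): a generator whose length and character classes the caller controls, and a toy vault audit that flags passwords reused across sites or left unchanged for too long. The vault entries, sites, usernames and dates are constructed sample data, and the audit date is fixed so the result is reproducible.

```python
import secrets
import string
from collections import defaultdict
from datetime import date

# Character classes a caller can require; a manager exposes these as
# tick-boxes alongside the length slider.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Constructed sample vault (assumption: fictional sites, users, passwords and dates).
SAMPLE_VAULT = [
    {"site": "bank.example", "user": "alias42", "password": "Summer2016!", "changed": date(2016, 3, 1)},
    {"site": "shop.example", "user": "alias42", "password": "Summer2016!", "changed": date(2017, 8, 15)},
    {"site": "forum.example", "user": "otheralias", "password": "kettle-orchid-dragon", "changed": date(2018, 1, 10)},
]
AUDIT_DATE = date(2018, 6, 1)  # fixed 'today' so the audit result is reproducible


def generate_password(length: int = 20, classes=("lower", "upper", "digit", "symbol")) -> str:
    """Uniform random password over the union of the requested classes.

    A candidate missing any requested class is discarded and redrawn, which
    guarantees coverage without biasing where each class appears.
    """
    if length < len(classes):
        raise ValueError("length must be at least the number of required classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in candidate) for c in classes):
            return candidate


def find_reused(vault) -> list:
    """Groups of sites that share one password (the password itself is not returned)."""
    sites_by_password = defaultdict(list)
    for entry in vault:
        sites_by_password[entry["password"]].append(entry["site"])
    return [sorted(sites) for sites in sites_by_password.values() if len(sites) > 1]


def find_stale(vault, today: date, max_age_days: int = 365) -> list:
    """Sites whose password was last changed more than max_age_days ago."""
    return [e["site"] for e in vault if (today - e["changed"]).days > max_age_days]


def audit(vault, today: date, max_age_days: int = 365) -> dict:
    """Per-site findings, e.g. {'bank.example': ['reused', 'stale']}."""
    reused = {site for group in find_reused(vault) for site in group}
    stale = set(find_stale(vault, today, max_age_days))
    findings = {}
    for entry in vault:
        flags = [name for name, hit in (("reused", entry["site"] in reused),
                                        ("stale", entry["site"] in stale)) if hit]
        if flags:
            findings[entry["site"]] = flags
    return findings


if __name__ == "__main__":
    for site, flags in audit(SAMPLE_VAULT, AUDIT_DATE).items():
        print(f"{site}: {', '.join(flags)} -> suggested replacement: {generate_password()}")
```

Run as a script it reports bank.example as both reused and stale and shop.example as reused, each with a freshly generated replacement. The rejection loop in generate_password is the detail worth noticing: forcing "at least one of each class" by placing a symbol at a fixed position would shrink the search space, whereas redrawing keeps every accepted password equally likely.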

Just do it!

For ground troops, the password challenge relied solely on shared knowledge; there were no usernames or multiple passwords. You can imagine the chaos if there had been, and so there’s more than a touch of Dad’s Army about our dependence on such an unsuitable mechanism to secure our online lives.

Considerable efforts are being made to address the deficiencies of passwords: fingerprint scanners are in widespread use on smartphones; more exotic biometric solutions (including blood vein patterns) are being pursued; and Single Sign-On services can help organisations manage their security. But we’re unlikely to see passwords disappear any time soon.

Not sure where to start? Here are some recent reviews:

http://uk.pcmag.com/password-managers-products/4296/guide/the-best-password-managers-of-2018

https://www.techadvisor.co.uk/buying-advice/security/best-password-managers-2018-3653951/

https://www.cnet.com/news/the-best-password-managers-directory/

https://www.tomsguide.com/us/best-password-managers,review-3785.html
