Password Manager – Should you use one?

Disclaimer – I am not a security researcher/expert by profession. I know a few things about security based on personal experience, as should you. This post is to give you some ideas.
Before making any changes, do some research and make an informed decision.

I suggest that you keep your personal and office/employer’s tools separate.

Overview

Security is hard. You have to do lots of things right without causing too much pain to the user experience. One of those things is authentication.
Any resource or information that should only be available to a particular user/person can be secured by authentication and authorization. Authentication confirms that users are who they say they are.

Simple example – Bob has a bank account. He goes to the bank’s website to access his account details; he has to authenticate to confirm that he is Bob before he gets access to his bank account.
OR
Bob has a computer. He wants to protect access so only he can log in.

The easy way

The simple way to set up authentication is a “password”. It provides the first line of defence against unauthorized access to your computer/resource. It’s one of the easiest ways but not the best, but .. hey, it works.
A lot of websites have started shifting to auth by OTP (one-time password), SSO (single sign-on, using your Google/Apple account to log on to ABC site) or MFA (multi-factor authentication), but not all of them support MFA yet.

The need for a Password Manager

A good password is something you can’t even remember yourself. It shouldn’t have anything to do with your personal info like a pet name, date of birth etc., so a hacker can’t possibly guess it based on your publicly available info.

Search on Google and you will see lots of recommendations: minimum 15 characters, special characters this and that … Also, you should not reuse a password, to minimize the damage; otherwise, if one website gets breached, your password for all websites is known to the hackers.
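The rules above (length, character mix, nothing personal, no reuse) are easy to check mechanically. The script below is an added example, not code from the post: it generates a password from the operating system’s cryptographic random source (`secrets`, never `random`), reports which rules a given password breaks, and finds reused passwords in a site-to-password mapping. The 15-character minimum is the post’s rule of thumb; the sample vault and personal-info words are constructed for the demo.

```python
import secrets
import string

# Thresholds follow the post's rule of thumb: at least 15 characters, a mix of
# character classes, nothing personal. The personal-info list a caller passes
# is whatever they would not want inside a password (pet name, birth year ...).
MIN_LENGTH = 15
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def check_password(password: str, personal_info=()) -> list[str]:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    lowered = password.lower()
    for item in personal_info:
        # Ignore very short fragments so "Bo" does not flag every password.
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal info {item!r}")
    return problems


def generate_password(length: int = 20) -> str:
    """Draw a password from the OS CSPRNG that satisfies check_password."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):
            return candidate


def find_reused(vault: dict[str, str]) -> list[list[str]]:
    """Group the sites of a site -> password mapping that share one password."""
    by_password: dict[str, list[str]] = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return [sorted(sites) for sites in by_password.values() if len(sites) > 1]


if __name__ == "__main__":
    # Constructed sample vault: two sites share a password, which is exactly
    # the situation the "one breach unlocks everything" scam relies on.
    sample_vault = {"bank": "Fluffy2019!", "webmail": "Fluffy2019!", "forum": "xK#9q.Lw2!Rz7@Vn"}
    print(check_password("Fluffy2019!", personal_info=["Fluffy", "2019"]))
    print(find_reused(sample_vault))
    print(generate_password())
```

A real password manager does the generation step for you; the point of the reuse check is that the vault is the one place where all passwords are visible together, so it is also the natural place to detect reuse.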

You might have seen or heard about a spam email stating that a hacker has your password and got into your laptop, recorded your webcam when you were doing something and needs payment in bitcoin, or else he will release it to the public. You might even see one of your passwords mentioned in that email. It’s a common scam, based on the assumption that you reuse your password, so that with one less secure website’s breach he got into all your website logins, including your computer/phone.

It’s almost impossible to come up with and remember a complex, non-reused password every time, so here comes the need for a password manager: a tool of some kind where you can store/manage all your passwords.

Is it safe to use a Password Manager?

Nothing is 100% safe. Maybe a password manager is safer than not having one; otherwise, you will end up using simple, reused passwords.

What are the different type of Password Managers?

There are many kinds of password managers; I suggest you choose the one that suits your risk appetite. Maybe a balance of secure vs. easy.
Password managers can do a lot of things in addition to generating/saving your complex passwords. For example, autofill on sites/apps. Some can even check against “haveibeenpwned” to see if any of your accounts on a site is at risk because that site has been breached recently, and provide you with a dashboard/notification. Some can even reset your passwords in bulk at a defined interval. The list goes on … but I think you get the idea.
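The “haveibeenpwned” check works without ever sending your password anywhere: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the range endpoint, and compares the returned list of hash suffixes locally (the k-anonymity model). The code below is an added example, not the post’s or Have I Been Pwned’s own code. The endpoint URL and the `SUFFIX:COUNT` response format are the public API’s; the response body used in the offline demo is constructed, with a made-up count, so that the script runs without network access.

```python
import hashlib
import urllib.request


def split_sha1(password: str) -> tuple[str, str]:
    """Hash the password and split the upper-case hex digest into 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Scan a range response (lines of SUFFIX:COUNT) for our suffix; 0 means not found."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the breach corpus; only the prefix leaves the machine."""
    prefix, suffix = split_sha1(password)
    return count_in_range(fetch_range(prefix), suffix)


def fetch_range_live(prefix: str) -> str:
    """Real lookup against the public API (needs network; not used by the offline demo)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the body of GET /range/5BAA6. The first suffix is the
# real SHA-1 tail of the string "password"; the count and the second line are made up.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
0B7E1C2D3E4F5A6B7C8D9E0F1A2B3C4D5E6:2
"""


def fetch_range_offline(prefix: str) -> str:
    """Offline fetcher that only knows the constructed 5BAA6 range."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, fetch_range_offline), "breach hits")
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service; the comparison logic stays identical, which is the point: the server only ever learns a 5-character prefix shared by hundreds of unrelated passwords.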

One unique benefit is that some password managers autofill based on the URL, so if someone is impersonating your bank’s website with the same logo and page content but a tiny change in the URL (for example google.com –> goggle.com), the manager will not fill in your credentials.
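The protection comes from comparing the host of the page you are on with the host the credential was saved for, not from anything the user can see. The snippet below is an added example, not any real password manager’s code: `naive_match` shows a substring comparison that a careless implementation might use, and `should_autofill` the stricter rule of exact host or a subdomain of it over HTTPS only. Whether to allow subdomains at all is a design choice; the example allows them and the note afterwards explains the trade-off.

```python
from urllib.parse import urlsplit


def naive_match(saved_url: str, current_url: str) -> bool:
    """Sloppy rule: autofill if the saved host text appears anywhere in the current URL."""
    saved_host = urlsplit(saved_url).hostname or ""
    return saved_host in current_url


def host_matches(saved_host: str, current_host: str) -> bool:
    """True only for the exact host or a real subdomain of it (label boundary enforced by the dot)."""
    saved = saved_host.lower().rstrip(".")
    current = current_host.lower().rstrip(".")
    return current == saved or current.endswith("." + saved)


def should_autofill(saved_url: str, current_url: str) -> bool:
    """Stricter rule: HTTPS page whose host is the saved host or one of its subdomains."""
    saved, current = urlsplit(saved_url), urlsplit(current_url)
    if current.scheme != "https":
        return False          # never hand credentials to a plaintext page
    if not saved.hostname or not current.hostname:
        return False
    return host_matches(saved.hostname, current.hostname)


if __name__ == "__main__":
    saved = "https://google.com/login"            # where the credential was saved
    for page in ("https://google.com/login",
                 "https://goggle.com/login",       # look-alike domain from the post
                 "https://google.com.evil.example/login",  # constructed: real name as a prefix
                 "https://accounts.google.com/",
                 "http://google.com/login"):
        print(f"{page:45} naive={naive_match(saved, page)!s:5} strict={should_autofill(saved, page)}")
```

The `google.com.evil.example` case is the one that separates the two rules: the real name is present as text, so a substring check fills the form, while the host comparison refuses. Allowing subdomains is convenient for sites whose login page lives on `accounts.` or `login.`, but on shared hosts (where strangers control sibling subdomains) a manager would want an exact-host match instead.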

Product names mentioned here are just examples; it’s not an exhaustive list. Search on Google and you may find many others. I am not paid/sponsored by any product mentioned here.

  • Spreadsheet – Some people just use an online password generator and save the passwords in Excel/Notepad with some additional password protection. I think it’s a poor choice: less secure and difficult to use.
  • Browser-based – Browsers such as Chrome, Safari, Firefox etc. can also generate/save your complex passwords. Firefox even provides the app “Lockwise”, which you can put on your phone for easy access and copy/paste into apps.
  • Freemium/Cloud-based – There are many which provide basic functions free, including an app. For more features, you will need to pay. LastPass, Dashlane etc.; search on Google and you will find many. Please read their policies carefully.
  • Opensource/Self-hosted – If using a cloud-based app scares you, use something like KeePass. It is one example (there may be more). You store all your passwords in one database, which is locked with a master key and saved locally, so you only have to remember one single master key to unlock the whole database. Database files are encrypted using the best and most secure encryption algorithms currently known (AES-256, ChaCha20 and Twofish).
    The downside is that it’s sometimes not easy to manage and can’t sync to mobile very easily.
  • Enterprise-grade – Personal needs and risk appetite are different from an enterprise’s. Companies prefer/use MFA/SSO in most places but still need to save/manage passwords, SSH keys etc., so they rely on enterprise-grade password vaults/managers.
    Some use open source, some use a product which can be built into the workflow and can do more than password management: for example, security audits, temporary account creation, password rotation .. the list goes on.

Why one over another

Each kind has a unique advantage and a flaw. For example, cloud-based freemium has the risk of the product company getting compromised, browser-based lets anyone with access to the computer access all of the credentials, and self-hosted on your computer has the risk of a keylogger getting your master password 🙂

Conclusion

Choose the option that suits you best, and try to have MFA on your password vault as well as on important sites. Just make it less easy to get compromised.

Don’t hesitate to give me your feedback or add your thoughts on this in the comment section, or you can DM me on LinkedIn. Thank you for your time.

Extra info

MFA – Authentication only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism:

  • Something you know (password, PIN etc.)
  • Something you have (security token, certificate on the computer etc.)
  • Something you are (biometrics, such as a fingerprint, eye iris etc.)
  • Somewhere you are (a connection from a specific computing network, or a GPS signal identifying the location)
