The IT Blog for SMEs

A study conducted in October 2014 concluded that the average person needs to remember 19 passwords. At the same time, we are constantly being urged to make our passwords longer and more complex and to avoid names, dictionary words and dates - the very things that would actually HELP us to remember so many passwords! So what are the options for keeping our passwords secure without locking ourselves out of our online accounts?


Start with security

Everyone has their own opinion as to what constitutes a secure password and it's safe to say that a password that is acceptable to one online service may be deemed too insecure by another. But there are a few principles that most security experts agree to:

  • Longer = Better.  Not only is a longer password more difficult to guess, it's also more secure against a brute force attack, in which a hacker will use a computer to generate every possible password with a certain number of characters. Assuming that upper-case letters, lower-case letters and numbers are used, then increasing the length of a password by one character means it takes up to 62 (i.e. 26+26+10) times longer for a computer to guess the password.
  • Don't use dictionary words, even with mixed case/number substitutions! Security experts reckon that an 8-character password based on names or dictionary words can be cracked in under 1 hour using a powerful desktop computer! A truly random password (e.g. "H6Vgk3hZ") will survive a brute force attack for up to 6500 hours - significantly more secure.
  • Include special characters. Including other characters from the keyboard, such as "&", "£", "*", "}", etc., improves your chances significantly. A truly random 8-character password that includes a combination of letters, digits and special characters can take over 177,000 hours - or 20 years - to crack.
  • Don't use the same password for multiple online accounts. If a hacker finds out your Facebook password, you can be sure (s)he will look for other online services that you use: your Amazon account, your Ebay account, etc. - and will try the same password (or derivatives of it) for those other accounts. It makes sense then to have significantly different passwords for each online service you use.

In other words, what we need are 19 long and completely unintelligible passwords to protect our online identities.

Now there's just the small problem of remembering them all...
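To make the brute-force arithmetic in the points above concrete, here is an added example (not part of the original post) that computes the search space, entropy and worst-case cracking time for the alphabets discussed, contrasts that with a wordlist-plus-substitutions attack, and generates a genuinely random password. The guess rate and wordlist figures are constructed assumptions for illustration, not benchmarks.

```python
import math
import secrets
import string

# Character sets corresponding to the alphabets discussed in the text.
CHARSETS = {
    "lowercase": string.ascii_lowercase,                        # 26 symbols
    "alphanumeric": string.ascii_letters + string.digits,       # 62 symbols
    "alphanumeric+symbols": string.ascii_letters + string.digits
                            + string.punctuation,               # 94 symbols
}

# Assumed attacker speed (constructed figure for illustration, not a benchmark).
GUESSES_PER_SECOND = 1e7


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive brute-force search must try."""
    return alphabet_size ** length


def hours_to_exhaust(alphabet_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case hours to try every candidate at the assumed guess rate."""
    return search_space(alphabet_size, length) / rate / 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password drawn from the alphabet."""
    return length * math.log2(alphabet_size)


def dictionary_hours(dictionary_size: int, variants_per_word: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Hours to exhaust a wordlist plus every case/digit substitution variant.
    The attacker enumerates words and their variants, not raw characters."""
    return dictionary_size * variants_per_word / rate / 3600


def generate_password(length: int,
                      alphabet: str = CHARSETS["alphanumeric+symbols"]) -> str:
    """Uniformly random password from the OS CSPRNG (not random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, chars in CHARSETS.items():
        print(f"{name:>22}: 8 chars -> {entropy_bits(len(chars), 8):.1f} bits, "
              f"{hours_to_exhaust(len(chars), 8):,.0f} h; "
              f"9 chars -> {hours_to_exhaust(len(chars), 9):,.0f} h")
    # Constructed wordlist figures: 170,000 words, 64 substitution variants each.
    print(f"dictionary + substitutions: {dictionary_hours(170_000, 64):.4f} h")
    print("random example:", generate_password(12))
```

Adding one character multiplies the 62-symbol search space by exactly 62, while a wordlist with case and digit substitutions is exhausted in seconds at the same guess rate, which is why the random password wins even at equal length.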


Password Managers

Fortunately there's a wealth of tools available to help keep all of this information secure. They are known as password managers (or password safes or password wallets; there are probably other names too, but we've already got enough to remember!).

A password manager is a piece of software that will allow you to securely store details of all the online services you use: the name of each service, the URL (web address), your username/email address, your password and often notes or other ancillary information. These details are stored in an encrypted database protected by a password that you choose. In theory, this is the only password you need to remember.

There are many password managers available, all of which have different features including form-filling, password generation, cloud synchronisation, cross-platform use, etc. The best solution for you therefore is the one that satisfies your needs most closely. Some of the more common ones available today are:

(NB: All links checked at date of publication. However, rcsb Ltd is not responsible for the content of third-party links)

If you're unsure whether a password manager is for you, it's best to download one of the free versions first. Then, if you need different features or just don't like the way the one you've chosen works, you can review any of the others more objectively. Note that even the chargeable password managers are generally only a few dollars per month - a small price to pay for peace of mind.


Password Manager Best Practice

Even with a password manager, it's wise not to get too complacent about security. The first task should be to review all of your passwords to ensure that they are sufficiently secure - especially the passwords to services that hold your financial details, such as online purchasing accounts. Now that you're using a password manager, it's time to stop using your wife's (or husband's / child's / pet's) name or dates of birth as passwords.

The second task should be to back up your password manager database and store it somewhere secure. The last thing you want is for your computer to fail and to find that you can no longer access your password manager! Take regular backups too - ideally every time you add or change a password.

The third task to think about is the security of your password manager. The password that you use to encrypt this should be the most secure password you've ever dreamt up - for reasons that are hopefully obvious! But make sure it's one that you will ALWAYS be able to remember, as it will be impossible to recover all of your other passwords without it!


Beyond the simple password

The number of online services we need to access is set to increase even more in the coming years. Security experts are already working on other ways of authenticating our identity, including 2-factor authentication or biometrics. Until such methods become more commonplace, passwords are here to stay - choose them wisely and manage them effectively.