Creating and memorizing secure passwords has become a major headache for many of us.

passwordAccording to a study reviewed by Sophos, the average person has 19 passwords, a mix of personal and professional. Are they secure enough? Sophos says no, estimating that 75 percent of people are using all-too-simple passwords like children or pet names, or even birthdays.

Why is this not just an individual’s problem, but a business problem? Because we work from everywhere, and the only thing that protects many of our online accounts from unauthorized access is a basic password.
 

Password complexity

In the government space, passwords must be changed every 90 days, be a minimum of 15 characters and contain upper and lowercase letters, numbers and symbols. These passwords can be difficult to crack, but also a nightmare to memorize!

The irony is that by requiring such complex passwords, people end up re-using a single password across multiple systems, which actually increases the risk of that password being compromised. It only takes one data breach on the weakest system for an attacker to get the password that you use for everything else.

So how do we take control of our passwords without them controlling us? Use a password manager. Password managers are built to improve the security of your online accounts and save time all at once. There are many different options out there, but to give you an idea on what they do and how to use them, I’ll share my experience with the password manager that I prefer to use—LastPass.

How LastPass works

LastPass is a cloud-based password management system that integrates into your Web browser via a plugin. When you log in to a website, LastPass will offer the option of saving the username and password in your secured password database. Once a password has been saved into the database, LastPass will automatically populate the username and password fields when you return to that site.

Your LastPass account and password database are protected by a master password that you create when signing up for the service, so once the database is populated you’ll only have one password to remember. Great, so that takes care of securely keeping track of existing passwords, but what about generating new ones?

Easy. If you’re signing up for a new account or changing the password of an existing account, LastPass can generate and save a random complex password for you. This allows you to have a unique password for each account that you use online, so a breach on one account won’t impact the rest.

How to get started

Check out the top password managers online and see which one works for you. I recommend LastPass for its ease of use, but there’s also KeePass, Password Safe and 1Password. If you go with LastPass, here are my tips on how to get the most out of it.

  1. Choose a strong master password and memorize it

Your password database is only as secure as your master password. My recommendation is to create a 15-character complex password (upper and lower case letters, numbers and symbols) and commit it to memory. One method I use to memorize complex passwords is to open a word processor like notepad and type the new password several dozen times until it becomes muscle memory. Just don’t save the file when you exit! For some tips on creating a strong password, check out cryptography guru Bruce Schneier’s blog Schneier on Security for creating difficult to crack passwords.

  1. Enable multifactor authentication for your master password

Authentication can be quickly defined as proving you are who you say you are. There are three factors that can be used to authenticate yourself: Something you have, something you know and something you are. A password (something you know) is weak because anyone who knows or can guess your password can impersonate you. You can strengthen authentication by requiring more than one factor during the authentication process, like a password and a physical token (something you have). In this scenario, you cannot be impersonated unless someone has both your password and your physical token.

There are many multifactor options available, some of which are outlined in detail in LastPass’s user manual. I personally use the Google Authenticator, which uses an app on my smartphone to generate time-based codes that are required in addition to my master password when authenticating within LastPass. This ensures that my LastPass account is safe even if my master password is compromised.

  1. Modify the random password generator settings to create stronger passwords

The default random password generator settings do a good job of creating strong passwords, but we can make it better. First, set the password length to 15. Next, click Show Advanced Options and select the check box next to !$%@# to have the generator use symbols. Finally, set the Minimum Numeric Characters value to two. Now you’re set.

Remember, the point of technology is to make things simpler and more efficient. Who’s to say that you can’t improve your security along the way? Security is everyone’s responsibility so stay vigilant and be safe out there.

One comment

  1. Jodin Ravia

    Great post! I use a password app called “Keeper”.

    If forced to remember passwords see if the system will allow spaces. I have read some research about “brute-force attacks” where they use programs to guess your password.

    Tactics like substituting a number for a letter in a single word were guessed much quicker than nonsensical phrases with spaces, assuming the words aren’t dictionary words.

    For instance something like

    “mypassw0rd!”

    is less secure than

    “pa55 the lun12”

    It’s something about how many branches the cracker program has to go down as it’s guessing the next character, and the spaces start new words which increase the time needed to crack.

    Since we remember sentences better than code, you can get pretty secure with a passphrase like “pa55 the lun12 2 me” assuming the system allows spaces. Many don’t.

    Posted by Jodin Ravia on March 18, 2015.

Leave a comment