Passwords are awful, but…


Until something better comes along it seems we're stuck with them.  Here's how to cope with this necessary evil…


Getting a grip

If your digital life is anything like mine, you're drowning in passwords.

According to the experts, we're supposed to create passwords from long, random strings of characters, not words.

For example, something like "x6yjG880k32#44m2i0A4", rather than something memorable like "Megan78".

And we're not supposed to reuse the same password in more than one place.
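The two rules above (draw every character at random from a large alphabet, and make each password long) can be checked with a few lines of code. The following is an added illustration written for this post, not code from the original article or from Merlin; the function names (`entropy_bits`, `generate_password`, `has_each_class`) and the 94-character printable-ASCII alphabet are my own choices. It uses Python's `secrets` module, which is backed by the operating system's cryptographic random number generator, rather than `random`, which is not suitable for passwords.

```python
import math
import secrets
import string

# Character classes. The post's example "x6yjG880k32#44m2i0A4" mixes all four.
LOWER, UPPER, DIGITS, SYMBOLS = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 94 printable ASCII characters


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password drawn uniformly at random: length * log2(alphabet size).

    This measures the *generator*, not any particular string. A human-chosen
    "Megan78" is far weaker than its 7 characters suggest, because it is drawn
    from a tiny space of names and years, not from the whole alphabet.
    """
    return length * math.log2(alphabet_size)


def has_each_class(password: str, classes=(LOWER, UPPER, DIGITS, SYMBOLS)) -> bool:
    """True if at least one character from every listed class is present."""
    return all(any(ch in cls for ch in password) for cls in classes)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw `length` characters uniformly from `alphabet` using the CSPRNG-backed
    `secrets` module, re-drawing until every class present in `alphabet` appears
    at least once (so a 20-character password never comes out all lowercase).

    Rejection sampling removes a tiny fraction of candidates, so the real entropy
    is marginally below entropy_bits(); at length 20 over 94 symbols the loss is
    negligible (fewer than one candidate in a thousand is rejected).
    """
    if length < 4:
        raise ValueError("too short to hold one character of each class")
    # Only require the classes that the caller's alphabet can actually supply.
    classes = [c for c in (LOWER, UPPER, DIGITS, SYMBOLS) if set(c) & set(alphabet)]
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_each_class(candidate, classes):
            return candidate


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"~{entropy_bits(len(pw), len(ALPHABET)):.1f} bits of entropy")
```

A 20-character password over 94 symbols carries about 131 bits of entropy, comfortably beyond what offline guessing can reach; the point of the post's "one password per site" rule is that this strength only holds if the string is never reused elsewhere.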


That's fine, in theory. But the practical result is a frightful mess; who can remember even one password like that, let alone dozens?

The obvious solution is a password manager.  The problem is, which one?  It's not so obvious…


Summary: Use Merlin's built-in password manager!



What are my options?

The first stop for most people is to read reviews and feature comparisons. Here's a bunch of the more recent ones to get you started:

This can be very helpful, and you should definitely invest some time looking at your options.  

But be wary, because as they fall over themselves comparing every last little feature, most reviews obscure a simple yet critical question: where exactly are my passwords actually kept?


Online or device password storage?

The big decision you have to make is about the technology a password manager uses to store, sync and retrieve your passwords.

Password managers vary greatly in the features they offer, but they all have at least one thing in common: the passwords they manage are all stored in one or more encrypted data files, which you unlock using a master key.


Online solutions like LastPass, Dashlane or RoboForm offer a plethora of cool features, including the ability to access your passwords from any device. But to do that they store or sync your passwords online.

They're encrypted, of course, but you'd better hope the provider hasn't kept a copy of your master password, and that they use strong, verifiable, open-source encryption, not some home-brewed technology that can be hacked, or opened on demand if they're legally compelled to do so.

"Storing dozens, hundreds, or even thousands of passwords in a single place poses catastrophic risks should that resource be breached. Exploits become easier by convenience features that, for example, store encrypted password vaults in Internet-accessible locations or automatically paste passwords into websites".   (Source)

You also have to trust that their software contains no hidden vulnerabilities. Although most companies are quick to fix problems once they are disclosed, such flaws turn up more often than they should.


Files containing all your passwords are just too attractive a target to trust to online services.  Don't do it.


And finally… Do NOT allow your browser to store passwords

Most browsers have a built-in convenience feature that offers to remember passwords for websites and other online services. 

When you return to a site and type the first few letters of your ID, the browser will fill in the rest of it, and fill in the password for you as well. 

That's extremely convenient, but it's also insecure, because most browsers do a poor job of protecting the credentials they store. Keep all your credentials in your password manager, not in your browser.


Published on 2021-04-22 by Alan, Data Integrity and Security