Password Managers – Friend or Foe?

Posted on January 6, 2014 · Posted in Software, Uncategorized

OK, let’s be clear, we all hate them. Those confounded passwords can make our lives a living, well, pain. And when you’re asked to change them, it’s too short, not enough special characters, mixed case, etc. It’s just enough to drive you to your own version of a blue screen of death.

I won’t go into detail here, but there is a legitimate reason for all this chaos. As IT people responsible for system security, our objective is to create password disruptions, in an attempt to prevent users from reusing the same passwords in both their personal and professional lives.

So I get asked all the time, “What about password managers?” As someone who has a lot at stake if security fails, I have always discouraged the use of password managers. But I have recently concluded that, at least in my personal life, a password manager might actually increase my security. Here’s why…

Like most of you, the passwords I use in my personal life are often similar and relatively short. Would not my security be increased if all of my passwords were unique, randomized, and at least 12 characters long? However, this would require keeping a database so that entries could be easily looked up and passwords cut and pasted as needed.

Enter the Password Manager. These applications help you keep track of all this chaos. I encourage each of you to do your due diligence before putting all of your security eggs in one application basket. I have done that to my satisfaction with LastPass. LastPass only stores salted hashes of your entries, and calculates the resulting password on your end-node device after you enter your Master Password. This Master Password should also be 12 characters or longer and drawn from mixed character sets. I am also a big fan of enabling the LastPass Grid Multifactor Authentication. This provides the equivalent of two-factor authentication at no cost. LastPass cannot recover any of your passwords if you have forgotten your Master Password (and Grid, if used) and are unable to use the email-based password recovery mechanism.
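The two ideas above, unique randomized passwords of at least 12 characters and a Master Password that is only ever checked locally against a salted hash, are easy to see in code. The following is an added illustration written for this post, not LastPass's code or anything from the vendors mentioned; it uses only the Python standard library. The character sets, the PBKDF2 iteration count and the "at least three of four character classes" reading of "mixed character sets" are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import string

# Character sets used for generated passwords (assumption of this example).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALL_SETS = (LOWER, UPPER, DIGITS, SYMBOLS)

# PBKDF2 work factor for the Master Password verifier (assumed value; raise it
# as hardware allows so offline guessing of a stolen verifier stays expensive).
ITERATIONS = 200_000


def generate_password(length: int = 16) -> str:
    """Return a random password of at least 12 characters that contains at
    least one character from each of the four sets (a unique, randomized
    site password as the post recommends)."""
    if length < 12:
        raise ValueError("site passwords should be at least 12 characters")
    # Guarantee one character from every set, then fill the rest from all sets.
    chars = [secrets.choice(s) for s in ALL_SETS]
    alphabet = "".join(ALL_SETS)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with the OS CSPRNG so position does not reveal which set a char came from.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def character_classes(pw: str) -> int:
    """Count how many of the four character sets appear in pw."""
    return sum(any(c in s for c in pw) for s in ALL_SETS)


def master_password_ok(pw: str) -> bool:
    """Policy from the post: 12 characters or longer and mixed character sets
    (read here as at least three of the four sets; an assumption)."""
    return len(pw) >= 12 and character_classes(pw) >= 3


def make_verifier(master: str) -> tuple[bytes, bytes]:
    """Produce what a manager may store for the Master Password: a random salt
    and a slow salted hash. The Master Password itself is never stored, so it
    cannot be recovered if forgotten."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def check_master(master: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the salted hash on the local device and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed demo values; nothing here is a real credential.
    master = "Correct-Horse-Battery-9"
    print("master password meets policy:", master_password_ok(master))
    salt, digest = make_verifier(master)
    print("verifier accepts correct master:", check_master(master, salt, digest))
    print("verifier accepts wrong master:  ", check_master("correct-horse-battery-9", salt, digest))
    for site in ("bank", "email", "forum"):
        print(f"{site:6s} -> {generate_password(16)}")
```

The verifier stores only the salt and digest; losing the Master Password means the stored material cannot be turned back into it, which is exactly the no-recovery property described above. The generated site passwords are independent of the Master Password and of each other, so a breach at one site reveals nothing about the rest.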

Of course there are many players in this field. Other popular choices include KeePass and RoboForm, to name a few. Mobile devices also add another layer of complexity. LastPass is, however, free, as are options from a few other vendors.

While I am still evaluating the use of this for business use, I am satisfied that my personal information will be better secured by using very strong, unique passwords at the online sites that I frequent (including banking), and using LastPass to help me manage the chaos.

Keith Fast