Passwords: we all have more than we care to admit. With every online service, telephone service and device requiring one of those pesky words, our lives are littered with them. It is best practice to have a unique password for each account, but how do you remember so many? Check out our Top 5 tips for using a password manager!
What is a password manager?
Before we start our Top 5 tips for using a password manager, let’s summarise password managers.
Password managers are secure vaults for all of your passwords. In the simplest form, it is no more than that. You typically have one strong password, the “master password”, that unlocks the vault. Once the vault is unlocked it gives you access to all of your credentials. Good password managers will allow you to:
- Generate secure passwords.
- Notify you if/when a password has been compromised.
- Prompt you to change duplicate passwords (which of course, you have none!).
For all their great features, a password manager does of course come with risks. Their usage should be proportionate to the risk of the credentials being leaked. We know that every account should have its own strong password (until a passwordless society becomes the norm), but how many of those are highly confidential accounts? Which do you care about the most: that your bank account password is known only to you, or your Netflix password?
We will explore some of the risks associated with password managers in a later post. For now, let’s focus on the Top 5 tips for using password managers.
Top 5 tips for using a password manager
Here are Accelita’s Top 5 tips for using a password manager. Remember, password managers are not the only defence against credential compromise!
1. Use the password generator to generate strong passwords
Most good password managers come with the ability to generate strong passwords. The definition of a strong password is often a topic of debate, however many people converge upon a similar theme. The National Cyber Security Centre (NCSC) guidelines are to use three random words.
Create passwords using three random words. You just put them together, like ‘coffeetrainfish’ or ‘walltinshirt’.
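The following is an added example, not code from Accelita or the NCSC, showing how a password manager's generator can build a "three random words" password with a cryptographically secure random source, and why the size of the word list matters. The word list is a constructed sample of sixteen words; a real generator would draw from a list of thousands, and the entropy helper shows the difference.

```python
import math
import secrets

# Constructed sample word list (illustrative only). A real generator draws
# from a list of thousands of common words so that three picks are hard to guess.
SAMPLE_WORDS = [
    "coffee", "train", "fish", "wall", "tin", "shirt", "river", "stone",
    "apple", "cloud", "lamp", "bridge", "garden", "pencil", "violet", "maple",
]


def generate_three_words(words=SAMPLE_WORDS, count=3, separator=""):
    """Pick `count` words using the OS CSPRNG (secrets, not random) and join them.

    Picks are independent, so the same word may appear twice; that is fine and
    keeps every combination equally likely.
    """
    if len(words) < 2:
        raise ValueError("word list too small to be useful")
    chosen = [secrets.choice(words) for _ in range(count)]
    return separator.join(chosen)


def entropy_bits(list_size, count=3):
    """Entropy in bits of `count` independent, uniform picks from `list_size` words.

    Each pick contributes log2(list_size) bits, so a 16-word list gives only
    3 * 4 = 12 bits, while a 7776-word list (the common diceware size) gives
    about 38.8 bits for three words.
    """
    if list_size < 1:
        raise ValueError("list_size must be positive")
    return count * math.log2(list_size)


if __name__ == "__main__":
    print("example password:", generate_three_words())
    print("entropy with 16-word list:", round(entropy_bits(len(SAMPLE_WORDS)), 1), "bits")
    print("entropy with 7776-word list:", round(entropy_bits(7776), 1), "bits")
```

The separator is left empty to match the NCSC examples such as ‘coffeetrainfish’; a manager that supports it may insert a hyphen or digit between the words where a site demands a symbol.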
2. Create accounts linked to domains
Passwords should be unique, and each service is likely to have its own website address. Password managers allow you to create accounts/logins, combining the username, password and website address (URL/domain name). Entering the website address with your password entry will help reduce the chance of you being tricked into entering credentials into a cloned site. Attackers are clever: they will lure you on to a site they control, often looking identical to the authentic site and with a very similar domain name (think netfl1x.co.uk as opposed to netflix.co.uk).
If you have entered a website address against a login, but navigate to a fake site, the login you would normally use won’t be displayed in the list of suitable options. This is just one simple, subtle hint for you to check you are where you think you are.
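To make the hint above concrete, here is an added example (not code from the post or from any particular password manager) of the host-matching logic a manager applies before offering a saved login. The vault entries are constructed sample data with placeholder usernames. The matching rule is a deliberately simple one: a saved login is offered only when the current host equals the saved host, or is a subdomain of it. Real managers usually consult the public suffix list to decide the registrable domain; that is omitted here.

```python
from urllib.parse import urlsplit

# Constructed sample vault entries (illustrative only, not real credentials).
VAULT = [
    {"name": "Netflix", "username": "alice@example.com",
     "url": "https://www.netflix.co.uk/login"},
    {"name": "Example Bank", "username": "alice",
     "url": "https://online.examplebank.example/"},
]


def normalize_host(url):
    """Return the lower-cased host of a URL with any leading 'www.' removed.

    urlsplit().hostname already lower-cases and strips the port and any
    user:pass@ prefix, so a URL like https://netflix.co.uk@netfl1x.co.uk/
    resolves to netfl1x.co.uk and is not mistaken for the real site.
    """
    if "//" not in url:           # accept bare hosts typed without a scheme
        url = "https://" + url
    host = urlsplit(url).hostname
    if host is None:
        return None
    host = host.rstrip(".")
    if host.startswith("www."):
        host = host[len("www."):]
    return host


def host_matches(saved_url, current_url):
    """True when the current host is the saved host or a subdomain of it.

    The subdomain check is suffix-based with a leading dot, so
    netflix.co.uk.evil.example does not match netflix.co.uk, and the
    look-alike netfl1x.co.uk never matches because it is a different host.
    """
    saved = normalize_host(saved_url)
    current = normalize_host(current_url)
    if not saved or not current:
        return False
    return current == saved or current.endswith("." + saved)


def logins_for_site(vault, current_url):
    """The subset of vault entries a manager would offer on the current page."""
    return [entry for entry in vault if host_matches(entry["url"], current_url)]


if __name__ == "__main__":
    for site in ("https://www.netflix.co.uk/", "https://netfl1x.co.uk/login",
                 "https://netflix.co.uk.evil.example/"):
        names = [e["name"] for e in logins_for_site(VAULT, site)]
        print(f"{site:45} -> {names}")
```

On the genuine site the Netflix entry is offered; on netfl1x.co.uk and on a host that merely embeds the real name as a prefix, the list is empty, which is the quiet signal the tip describes.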
3. Ace the master password
Great, you have your password manager containing all your passwords. But then you set the master password as “password1”. Doh! Now attackers have access to all of your accounts; not such a wise move. Following the guidance in Tip #1, set a strong master password, and don’t share it!
4. Maintain good account hygiene
You will find over time that the number of accounts you have in your password manager is growing beyond belief. Starting with 1 or 2 and often reaching hundreds in a matter of months, it is quite scary just how many services we are signed up for. Think of all of those people you have shared your details with.
Just as you would spring clean your house, take time to maintain your online footprint. Look through the list of accounts in your password manager and ask yourself, “do I still use this?” and “what value does this account bring me?”. If you don’t need it, close the account. You have a right to be forgotten and companies shouldn’t be storing data any longer than needed, so close the account and remove the risk. Why lose personal details through an attack on a service you no longer use?
5. Use two/multi-factor authentication
Passwords are only part of the authentication solution. Passwords can be broken, stolen, or simply guessed. Using a secondary form of authentication such as a unique code generated on your phone, a one-time password sent via SMS, or a hardware dongle (take a look at Yubico) adds a second line of defence. Again, the NCSC has some great guidance on this.
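The "unique code generated on your phone" is usually a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226). The following is an added example, not code from the post, implementing the generator side and the verifier side with only the Python standard library. The secret used is the published RFC test secret (the ASCII string 12345678901234567890 in base32), chosen so the codes can be checked against the RFC's own test vectors; a real secret is generated randomly by the service at enrolment and shown as a QR code.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret ("12345678901234567890" in base32).
# It is a published test value, NOT a secret anyone should use for a real account.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at_time=None, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP over the 30-second step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret_b32, int(at_time) // step, digits)


def verify_totp(secret_b32, submitted, at_time=None, step=30, window=1):
    """Verifier side: accept the current step and `window` steps either side.

    The small window tolerates clock drift between phone and server. The
    comparison is constant-time so response timing does not leak digits.
    """
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        expected = hotp(secret_b32, counter + delta, len(submitted))
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # Time 59 falls in counter step 1; RFC 6238 lists 94287082 for it (last six: 287082).
    print("code at t=59:", totp(RFC_TEST_SECRET_B32, at_time=59))
    print("accepted:", verify_totp(RFC_TEST_SECRET_B32, "287082", at_time=59))
    print("live code now:", totp(RFC_TEST_SECRET_B32))
```

A service should additionally refuse to accept the same code twice within its window, so that a code intercepted in transit cannot be replayed; that bookkeeping lives on the server and is outside this snippet.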
Want to read more?
The NCSC have lots of great guidance on staying safe online. In fact, they even have their own post about password managers. Whilst you are here, why not continue your journey and see what the NCSC have to say?