Why don't more people use password managers?
26/07/16 08:22 Filed in: Industry
Another data leak, another random mumble about password managers.
Woke up to see another data leak story today:
O2 Customer Data Sold on the Dark Net
Whenever I see stuff like this it makes me double check my security for websites etc. to make sure I'm not accidentally doing anything daft. This morning though it got me thinking - how come more people don't use Password Managers? Or more specifically - how do people make stuff secure without using password managers? It's beyond me.
Looking at my own for example I currently have 422 logins to various things. Yes. Four Hundred and Twenty Two. Bonkers.
Without a password manager, the likelihood is that the passwords for a lot of those sites would:
- Use relatively simplistic patterns or words that are memorable.
- Be repeated across multiple websites.
- Be instantly forgotten, with 'forgotten password' constantly having to be ticked on sites.
- Reset by email to a single address, meaning a single compromised email account could result in the compromise of multiple sites.
Now, I'm the first to admit I can be a bit paranoid about such stuff. I like to follow best practice. Achieving that though without a way of managing your passwords - difficult.
Working in IT means I get to 'help' a lot of my friends etc. with their computers, microwaves, shelves* etc. It astonishes me how poor their general attitude to security is. Firstly, it's rare someone will hand me their laptop and it be encrypted. They never think to question that I recover their stuff so quickly, just assuming it's something down to the black art of 'those computer things'. (See: Encryption - It's for Everyone). I'll also often find things like text files on the desktop containing common email/password combinations and more often than not including the web site that they're associated with.
So why is a password manager so important? Well, the obvious one is that it stores all your passwords and makes them easy to access. It has other - more important - benefits too:
- You can generate truly random passwords that even you won't be able to remember. Stuff like SAjhhWJKH987KJJ71$$$!$%%%%_43 for example. Try remembering that. (There's a legitimate argument against such passwords too, to be fair: See XKCD).
- You don't have to remember all those ridiculous passwords! The manager will do it for you.
- You can have unique passwords for every single site.
- Most will do a security check through the passwords that are stored, advising you of any poor or repeated selections.
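As an added example (not from the original post or from any particular password manager), here is the kind of check the last bullet describes, run over a constructed vault. The thresholds, site names and function names are assumptions for illustration; real managers apply their own criteria.

```python
import hashlib
import hmac
import secrets
import string
from collections import defaultdict

MIN_LENGTH = 12    # assumed threshold for this example, not a standard
MIN_DISTINCT = 5   # assumed: fewer distinct characters than this is flagged


def generate_password(length=24):
    """Random password drawn from the OS CSPRNG via the secrets module."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit(vault):
    """Return (reused, poor): groups of sites sharing a password, and weak entries."""
    # Group by a keyed digest so the grouping table never holds plaintext;
    # the key is random per run, so the digests mean nothing outside it.
    key = secrets.token_bytes(32)
    by_digest = defaultdict(list)
    poor = {}
    for site, password in vault.items():
        digest = hmac.new(key, password.encode(), hashlib.sha256).digest()
        by_digest[digest].append(site)
        if len(password) < MIN_LENGTH:
            poor[site] = "shorter than %d characters" % MIN_LENGTH
        elif len(set(password)) < MIN_DISTINCT:
            poor[site] = "fewer than %d distinct characters" % MIN_DISTINCT
    reused = sorted(sorted(sites) for sites in by_digest.values() if len(sites) > 1)
    return reused, poor


# Constructed sample vault: made-up sites and passwords, not real credentials.
SAMPLE_VAULT = {
    "shop.example": "Summer2016",
    "forum.example": "Summer2016",        # same password as shop.example
    "mail.example": "111111111111",       # long enough, but one repeated digit
    "bank.example": generate_password(),  # unique and random
}

if __name__ == "__main__":
    reused, poor = audit(SAMPLE_VAULT)
    print("Reused across sites:", reused)
    for site, reason in sorted(poor.items()):
        print("Poor:", site, "-", reason)
```
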
Wait - how do you secure your password manager? Well - of course you have to set a master password… and you need to be creative with that. I use phrases that make no sense for example, rather than short words. So something like 'Jay likes to eat b0ats on a Sunday'** for example. Easy to remember as it's so weird. You don't find yourself typing it in very often either - on iPad/iPhone it's all TouchID, and on my main machines it locks when I lock my normal machines.
Do I save passwords in my browser? Yes, I do - for some sites. Never for any sites that hold any detail or financial information.
What about the 'tick here if you've forgotten your password' - if they all go to the same email address then hey, you only need that email address compromising don't you…? Well, of course I don't set up a different email address for every website as that would be beyond silly - but I do have a few separate ones for secure sites. I don't use the same email on any financial sites for example. Ever. That could however be part of my general paranoia and may be a bit beyond the norm - I'll graciously accept that.
Honestly, check out password managers. It'll make your life more secure, and what's more make your day to day easier too.
…are probably the most popular. All multi-device, all integrate natively in to your web browser etc.
Get secure. It's your responsibility, not the provider's. It's your data. They've always got a get-out - oh we did our best. Blaming them all you like may make you feel better, but it's still your secure data flying around that internet.
*OOOO! You work in IT! Can you help me put a shelf up?
** No, this isn't my passphrase. Even I'm not that daft. //scuttles off to change passphrases.