Password management: Keep your passwords safer and private online

 

It might be tempting to use one easy-to-remember password for all your online accounts, but your passwords are helping keep your online accounts safe from unscrupulous cybercriminals’ attacks.

If you imagine a locked door on each of your online accounts, the password for each account is essentially a key. So you don’t want a single key that can open all of your doors.

A good password is your first line of defence when you’re online so it’s important to pick strong passwords for each of your accounts. How secure is my password, you might ask? If your password is 123456 or PASSWORD, then it’s not going to take a genius to crack it.

Deep down, we all know the importance of passwords but it’s tempting to cut a couple of corners when picking a new one. After all, it’s hard to remember the complex passwords the experts recommend and we all have so many online accounts to protect these days.

The problem is that cybercriminals are just waiting for you to give them an opening. The UK's National Cyber Security Centre (NCSC) recently reported that 123456 was the most widely-used password on breached accounts. If you constantly leave your front door unlocked, it’s probably only a matter of time before someone you don’t know walks right in and helps themselves to your stuff.

What is a password manager and why is it useful?

It’s natural to experience password overload when you have passwords for your email, social media, phone, bank account and any number of other accounts. Often, you’ll have another dozen work accounts to remember on top of that. That’s where a password manager can help.

A password manager stores all your passwords in an encrypted online vault and autofills your logins when you enter a site. It can also help you to create more secure, complex passwords for your online accounts and tell you if your current passwords are unsafe.

Is a password manager a good idea? Put simply, yes. Not only does it solve the problem of remembering all of your passwords but it also makes it easier to log in to your favourite sites.

But before we go into the benefits of a password manager and discuss the right password manager for you, it’s important to look at how some basic password hygiene can keep your accounts safer when you’re online.

How to keep your passwords safer online

Protecting your data with passwords is essential but some people still see them as an inconvenience and may not have a password on their phone or computer.

Our phones now contain a treasure trove of data and apps. The passwords that were intended to protect those apps will be useless if you don’t protect your hardware. Cybercriminals could simply go into your apps, access all your sensitive information and even reset your account passwords.

All your devices should be password protected or you could be leaving your devices exposed.

You also need to keep your passwords private. That may seem obvious, but some people are willing to share their passwords.

It may seem obvious but passwords are only truly secure if you don’t share them with other people.

Using strong passwords is also key (no pun intended!). When over 38 million Abode customers’ accounts were hacked in 2013, over two million of them had 123456 as their password. The other five most common passwords were 123456789, password, adobe123, 12345678. It’s safe to say that a lot of people don’t try very hard when it comes to passwords.

So what is a strong password? It’s recommended that passwords are a mix of uppercase and lowercase letters, numbers and symbols and that they’re at least eight characters long.

This is to help prevent hackers using brute force attacks with password-hacking technology that basically guesses passwords until it finds the right one.

When the new Nvidia RTX 3090 graphics card was tested, it was revealed that it could generate 669 million passwords per second. That’s why you should never use a single word as a password.

Another way to make your password more secure is to add two-factor authentication, which can provide an additional layer of protection to your accounts. With two-factor authentication, you’ll log in as normal and then be asked to provide some additional information, such as a pin number that’s been sent to your phone. So even if your password is compromised, you can still prevent unwanted access to your accounts.

What does a password manager do?

A password manager is a software application that can store more securely all of your passwords in a single encrypted vault. It makes it easy for you to log into all your accounts, by automatically filling in your credentials when you visit a site.

Back when the internet was relatively new, you probably needed only a handful of passwords.

We’re all using an increasing amount of online services now, which means even more passwords. That number is only likely to grow as more and more sites require you to register to use them.

There are only so many complex passwords that you can remember but that’s where a password manager comes in. You only need to remember one master password to log into your password manager and it will do the rest of the work for you. Some password managers also let you use biometric data like Face ID for added security.

That means you can have complex, difficult-to-guess passwords for every site or app that you use, giving you peace of mind without taxing your memory.

A good password manager can also generate new passwords for you, using random selections of alphanumeric characters that will be almost impossible to guess. It can even flag any weak passwords that you are currently using to reduce your risk.

But my browser already saves all my passwords, you might say. Unfortunately, most browser-based password managers aren’t very secure and they don’t store your passwords in an encrypted form. That means that a hacker could gain easily break into your password files and access all your logins.

As well as being more secure, using a password manager is also convenient. It autofills your login details when you land on a verified page or app, so you don’t have to remember the login details for every site or app that you visit.

That means you can say goodbye to those annoying typos when you’re logging in. Requesting a password reset when your memory fails you will also become a thing of the past.

This feature can also help to protect you from phishing attacks. Hackers can use phishing emails to send you a link to a fake website that looks exactly like the real thing. The aim of these attacks is to gain access to your username and password when you try to log in. Because the password manager can easily identify fakes sites, it won’t automatically enter your details and you’ll instantly know that there’s a problem.

You’ll no longer need to use the same password for more than one account, which means that you don’t have to worry about your accounts falling like dominos if hackers get access to one of your passwords. Unfortunately, data breaches can happen and hackers can be very resourceful with breached passwords.

The dangers of re-using a compromised password was illustrated by the Dropbox breach in 2012. A Dropbox employee re-used an old personal password for one of their work accounts – unfortunately, that password had previously been compromised during a LinkedIn breach. The result was that hackers were able to use that password and the employee’s identity to illegally enter Dropbox’s corporate network and 68 million Dropbox user accounts were compromised as a result.

A password manager essentially installs a virtual firewall between each of your accounts and ensures that a single data breach can’t undermine more than one account. It also removes the need to ever re-use an old password, which reduces the risk of it coming back to haunt you.

A good password manager will let you sync your logins across multiple devices, helping ensure protection across all of your devices.

Choosing the best password manager for you will obviously depend on your circumstances.

There are cloud-based password managers that store the encrypted vault with all of your passwords on the service provider’s server. Alternatively, you can choose one that stores it locally on one of your devices.

With a cloud-based app, you can recover all your passwords if you lose the device, it updates passwords automatically without the need to sync with a device.

However, if you’re concerned about your passwords being stored on a third party server that could be targeted by cybercriminals, you might prefer to download them to a specific device. But it’s worth remembering, it will make it harder to move your password manager between devices as you’ll have to do so manually.

How safe are password managers?

A password manager may sound like a no brainer, but the thought of having all your passwords in one place and accessible by one password might make you a bit nervous. As the old expression goes, ‘Who watches the watchmen?’

If your password manager is compromised, will all your passwords be at risk? So let’s look at how secure password managers are and see if there are any legitimate concerns.

What are the disadvantages of a password manager?

The reality is that no technology is 100% safe but should that put you off using this type of application or is it one of your best form of password defence? There have been instances where password managers have proven to be vulnerable to cyberattack.

Some password managers allow you to use a master PIN code instead of a complex master password but this can naturally leave them more exposed to cyberattack. PIN codes are much more susceptible to brute force attacks, for the same reason that complex alphanumeric passwords provide better security.

However, other password managers will limit the amount of times you can guess a master PIN or password, which would help block this type of cyberattack. Although with just one password to remember, there’s really no excuse for not using a complex combination of letters, numbers and characters that’s going to be impossible to guess.

A University of York study revealed that some password managers could be fooled by a malicious app designed to impersonate a legitimate Google app. Two of the five password managers it tested failed to identify it as a fake and autofilled the username and password on the fake app.

However, this would require that you download malware that could install the malicious app, most likely through a phishing attack. As with so many online breaches, this is one of those cases where human error is ultimately going to be responsible for the technology failing.

Another study that examined password managers by Dashlane, 1Password, LastPass, and KeePass on Windows 10 discovered a flaw that could potentially allow hackers to find the master password in your laptop or desktop’s memory. This particular bug applied only to password managers that had been downloaded to a device but it shows that the technology isn’t always perfect.

In response, one security expert advised that you should never leave a password manager running in the background, even while locked. They also pointed out that setting up password managers on new devices generally requires two-factor authentication, so getting access to your master password isn’t necessarily going to be enough in these circumstances.

As the above example demonstrates, it’s generally a good idea to have two-factor authentication activated as it gives you that extra level of protection in the worst-case scenario.

Another thing to consider is that a password manager is not a silver bullet that can guarantee you protection. It’s still important to follow good password hygiene. If your master password is 12345678, you’re not providing your other passwords with much protection. Even with a password manager, it’s always important to follow best practice.

What happens if my password manager gets hacked?

One of the biggest advantages to having a password manager is that it uses what is called a ‘zero knowledge’ model. That means that the password manager knows your master password but your provider doesn’t.

So even if your provider is hacked and the hackers get your encrypted data, they can’t discover your master password. And they can’t access the encrypted data without it. If someone hacked the server that hosts your cloud-based password manager, the data they retrieve would essentially be gibberish without the means to decrypt it.

So the best password managers make it incredibly difficult to access your passwords, even if they’re hacked. There will always be certain bugs or exploits that hackers will try to use to exploit but this technology will place some major hurdles in front of a hacker who wants to access your passwords.

So should you still use a password manager?

The reality of cybersecurity is that it’s not about being 100% safe, which is virtually impossible in a world where hackers are constantly finding new vulnerabilities or bugs that they can exploit.

Good cybersecurity is about taking all available precautions to ensure that you don’t make it easy for cybercriminals. It’s about knowing what you should be doing and reducing your risk whenever you’re online.

What many of the above cases reveal is that it doesn’t matter how safe a piece of technology is – staying safe online revolves around practising good habits, closing any back door access points that could be exploited, and following best practice when it comes to your online security.

Despite the threat of cyberattack, the benefits of being able to adopt complex passwords and store them in an encrypted vault still outweighs the risks of the old-fashioned reliance on memory, notes or word documents on your computer.

The other thing to consider is that you’ll probably get what you pay for. While open source password managers can probably provide a pretty good service, a premium service is always going to offer you additional security options. Doing some research will help you find the best option for your circumstances.

Despite finding some vulnerabilities in the password managers that it extensively tested, the authors of the University of York study we mentioned earlier still recommended that individuals and companies should use one. It advised that password managers represented a “more secure and useable option” than any alternatives.

“While it’s not impossible, hackers would have to launch a fairly sophisticated attack to access the information they store,” said lead author of the study, Michael Carr.

If you’re smart about how you use a tool like this, you’ll certainly be better off than you would be without it. Plus, there is also the undeniable benefit of having better passwords across all of your accounts. Having a password manager encourages you to practice better password hygiene, which can only be a good thing.

Password security tips to follow

A password manager is just another useful security tool that can help reduce your risk and make life a little bit easier. Cybercriminals are constantly looking for ways to get at your data but using tools like this can give you an edge in this ongoing battle.

Hackers will often try to get your password with phishing attacks so the biggest threat to your password security could be this type of social engineering attack. Luckily, a healthy bit of caution that can help you to avoid potential online pitfalls.

Whether you choose to go for a password manager or not, it’s easier than you think to take precautions and stay safer online with a little common sense.

Part of the reason that a password manager is so effective is that it goes back to basics. Encryption may be its main selling point but it also reinforces the principles of good old-fashioned password hygiene.

Here are eight simple password security tips that can go a long way.

1. Don’t use personal information: Avoid family names, addresses or anything that a clever hacker could guess from your public profiles.
2. Don’t use real words: This leaves you wide open to brute force attacks. Always use alphanumeric combinations with uppercase and lowercase letters and some special characters like % or &.
   
3. Use long passwords: The longer a password is, the harder it will be to guess. Aim for eight characters at the very least but go for more if you can remember them.
   
4. Don’t write passwords down: We’ve all done it but resist the temptation to write passwords on notes or in documents on your computer. Having a document called ‘Passwords’ on any device is just asking for trouble.
   
5. Change passwords regularly: We know it’s hard enough remembering your existing passwords but you should really change them every month or two for added security. This is definitely one area where a password manager can help.
   
6. Don’t reuse passwords: Never recycle passwords from other accounts. Doing so can lead to multiple accounts being attacked if one of your accounts should fall.
7. Don’t log into sites on an open network: Never enter your password for an app or site when you’re using an open Wi-Fi network. They’re notoriously insecure and anyone on the same network could be watching what you’re doing.
   
8. Use two-factor authentication: This makes it very hard for hackers to get into your accounts, even if they do have your password. It’s an extra layer of protection that can make a real difference.
   

Keeping your passwords safe can be a piece of cake when you use a password manager. And with Norton 360, in addition to a password manager* you’ll also get a VPN and antivirus protection to bulk up your cybersecurity and online privacy. That means it helps you lock, bold and hide the doors to your online accounts from prying eyes.

*Norton Password Manager is not exclusive to Norton 360 functionality but is independently available for free online.