Password Management Sucks But it Doesn’t Have To

September 23

This article also appears on Windows IT Pro.

What is it about passwords? They mean well, yet they are the bane of the digital realm. We can’t live without them, and willingly creating a weak password is certainly a mistake. Sensitive information leaks often enough as it is, and a strong password is at least one line of defense.

There are a lot of tips and tricks for managing a bevy of strong passwords across the dozens of sites we need to log in to. Some are best avoided, some are downright stupid, and some will save you a lot of headaches. Let’s look at the pros and cons of a few different options.

Using the same password

Do I need to take time to explain this one? By using the same password for every site you visit, you make it pretty darn easy for people to reach the sensitive information you keep on all of them. When one site is breached, attackers take the leaked email-and-password pairs and replay them against every other popular site (credential stuffing), so if someone gets one password, they have them all. It’s so easy to do and yes, we’ve all done it, but it’s not smart. This is one place where you shouldn’t sacrifice security for convenience.

Using a pattern

I have a friend whose password is just a pattern on his keyboard. His pattern produces a long series of numbers, letters, and special characters that looks random and that he doesn’t have to remember as long as he knows the shape he’s drawing on the keyboard. It’s a cool idea, but there are three problems. First, the string only looks random: keyboard walks such as 1qaz2wsx are a well-known pattern, and password-cracking tools generate them directly, so the password is far weaker than its length and character mix suggest. Second, the pattern won’t work on a tablet or smartphone, since the characters don’t line up the same way. Third, it’s really only good for creating one password, unless you can somehow remember a new pattern for each login, and that’s just as tough as remembering the characters themselves.
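
To put a number on the first problem, here is an added example (not code from the original article) that models the unshifted QWERTY block as a graph of neighbouring keys and counts how many keyboard walks of a given length exist, compared with the full lowercase-alphanumeric keyspace of the same length. The adjacency rules (left, right, up, down and the two stagger diagonals) are this example’s own simplification; the walk generators in real cracking tools are more permissive and also add shifted variants, which only makes the point stronger.

```python
"""Keyboard walks look random but are cheap to enumerate.

Added example: models the unshifted QWERTY block as a graph whose edges join
physically neighbouring keys, then counts the walks of a given length.
The adjacency rules below are this example's own simplification; real
keyboard-walk generators in cracking tools are more permissive, not less.
"""

ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Moves allowed between consecutive keys, as (row delta, column delta).
# Rows are staggered, so "down" from q reaches a, and "down-left" from w
# also reaches a; the up-right move is simply the reverse of down-left.
MOVES = ((0, 1), (0, -1), (1, 0), (-1, 0), (1, -1), (-1, 1))


def build_neighbours():
    """Map each key to the list of keys reachable in one move."""
    neighbours = {}
    for r, row in enumerate(ROWS):
        for c, key in enumerate(row):
            out = []
            for dr, dc in MOVES:
                rr, cc = r + dr, c + dc
                if 0 <= rr < len(ROWS) and 0 <= cc < len(ROWS[rr]):
                    out.append(ROWS[rr][cc])
            neighbours[key] = out
    return neighbours


def count_walks(neighbours, length):
    """Number of walks of exactly `length` keys (dynamic programming: the
    walks ending at a key = the sum of walks ending at each neighbour)."""
    ending_at = {key: 1 for key in neighbours}
    for _ in range(length - 1):
        ending_at = {key: sum(ending_at[n] for n in neighbours[key])
                     for key in neighbours}
    return sum(ending_at.values())


def is_keyboard_walk(password, neighbours):
    """True if every consecutive pair of characters is a neighbouring pair."""
    pw = password.lower()
    if len(pw) < 2 or pw[0] not in neighbours:
        return False
    return all(b in neighbours[a] for a, b in zip(pw, pw[1:]))


def walk_fraction(length):
    """Share of the 36^length lowercase-alphanumeric keyspace that walks occupy."""
    neighbours = build_neighbours()
    return count_walks(neighbours, length) / (36 ** length)


if __name__ == "__main__":
    nb = build_neighbours()
    for pw in ("qwerty", "1qaz", "zaq1", "hunter2"):
        print(f"{pw!r:12} keyboard walk: {is_keyboard_walk(pw, nb)}")
    for n in (6, 8, 10):
        print(f"length {n}: {count_walks(nb, n):,} walks, "
              f"{walk_fraction(n):.2e} of the 36^{n} keyspace")
```

Even with this deliberately narrow rule set, an eight-key walk is one of a few million candidates rather than one of the trillions that 36^8 would suggest, which is why a cracker tries the walks first and a strength meter never notices.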

Writing passwords down on paper

There are more secure and less secure ways to write down your passwords. For instance, a sticky note on your monitor is not secure at all, but a notebook of passwords locked in a safe is not the worst thing in the world. The trouble is that you need a lot of passwords each day, so the notebook probably won’t stay locked in a safe. Instead, it will be within reach because you’ll use it a lot. Whatever the case, writing passwords down is not a solution to the password problem, since it’s just too easy for someone to find. Unless…

Writing passwords down in a spreadsheet

Writing passwords down isn’t a great idea unless you write them down in an Excel spreadsheet or other document that you encrypt. One password then protects all of your other passwords, and the document stays on your own systems rather than in a third party’s cloud as it would with some password managers. This method also lets you share the master password with other administrators who need access to the list. In fact, a lot of IT pros on the Spiceworks forum use this simple method quite effectively. Two caveats apply. Use the modern .xlsx format and a long passphrase: the default password protection on old-style .xls files uses a weak legacy cipher that cracking tools break quickly, and even with modern encryption the whole file is only as safe as the one password is hard to guess. And a shared master password can’t be revoked for just one person: when an admin leaves, you have to re-encrypt the file under a new password and change every password in it that they knew. The trouble with this method is that forgetting the master password means losing access to everything in the document. You’ll have to reset every password if that happens.

Using a password formula

With this method, you basically create a formula with a few variables that change for each site you need to log in to. This way you can have a formula with lots of special characters that’s complex, but one that also changes for each site you go to, so you never have the same password twice. Unless someone discovers both your formula and how you select the variables for each site, you’ll have a strong, unique password across the board. Here’s an example of what one might be:

$2#HckThsXYZ*9%

The three variables are X, Y, and Z, in the middle of the string. There are a number of ways to decide what they stand for, but let’s say you take the first three letters of the website you’re on. If you were on Amazon.com, you’d take the first three letters, AMA, and plug them in for your variables, giving you:

$2#HckThsAMA*9%

The password above received a “Very Strong” rating from the PasswordMeter checker. Take that with a grain of salt: a strength meter scores length and character mix, and has no way of knowing that three of those characters are derived from the site name and that the rest are reused on every site.

This method is my favorite because you don’t put all your passwords in one place, none of them are written down, and each one is strong and unique to its site. But here’s the bad news. First, the secrecy of the formula is doing all the work: if one password ever leaks in plaintext (a phishing page, a site that stores passwords unhashed), anyone who sees $2#HckThsAMA*9% next to an Amazon login can guess where AMA came from and derive your password for every other site. Second, it might not work for every site. Since different websites have different requirements for passwords, your formula might be rejected in some cases. A space, for example, counts as a special character in some places but isn’t something you can use at all in others, and some sites cap the length. Just because you have a strong, mouldable password doesn’t mean it works across the board, so you might end up with a few passwords that don’t match your formula, which you might have to reset every time you need to log in, a massive pain. Worse yet, you could end up writing them down, which we already know isn’t smart. This method also might not work at all if you’ve got multiple people using the same passwords, as an IT department might have.
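
Both failure modes are easy to see in code. The following is an added example, not the author’s own code: it implements the article’s template and its “first three letters of the site” rule, audits the result against a handful of site password policies, and then plays the attacker who has seen a single plaintext password. The policies (oldbank.example, payroll.example) are constructed for this example and describe no real site.

```python
"""The article's password formula, with the two failure modes it runs into.

Added example, not the author's code. The template and the "first three
letters of the site" rule come from the article; the site password policies
are constructed for this example and do not describe any real site.
"""

TEMPLATE = "$2#HckThs{var}*9%"  # the article's formula; {var} is the per-site part


def site_variable(hostname):
    """The article's rule: first three letters of the site name, upper-cased."""
    return hostname.split(".")[0][:3].upper()


def formula_password(hostname, template=TEMPLATE):
    """Derive the password for a site from the template."""
    return template.format(var=site_variable(hostname))


# Constructed policies (assumed for this example): length limits and the
# characters a site's sign-up form refuses to accept.
POLICIES = {
    "amazon.com": {"min": 8, "max": 128, "banned": ""},
    "oldbank.example": {"min": 6, "max": 12, "banned": "$%#*"},
    "payroll.example": {"min": 8, "max": 20, "banned": "#"},
}


def policy_problems(password, policy):
    """Return the reasons a password violates a policy (empty list = accepted)."""
    problems = []
    if len(password) < policy["min"]:
        problems.append(f"shorter than {policy['min']} characters")
    if len(password) > policy["max"]:
        problems.append(f"longer than {policy['max']} characters")
    rejected = sorted(set(password) & set(policy["banned"]))
    if rejected:
        problems.append("uses rejected characters " + "".join(rejected))
    return problems


def audit_formula(policies, template=TEMPLATE):
    """Failure mode 1: which sites will refuse the formula password outright."""
    return {host: policy_problems(formula_password(host, template), policy)
            for host, policy in policies.items()}


def recover_template(leaked_password, hostname):
    """Failure mode 2: what an attacker does with ONE plaintext password.
    If the site-derived part is visible in the leak, everything else is the
    fixed skeleton, which can now be reused for any other site."""
    var = site_variable(hostname)
    if var not in leaked_password:
        return None
    return leaked_password.replace(var, "{var}", 1)


def attacker_guess(leaked_password, leaked_from, target_host):
    """The attacker's derived password for target_host, or None if the
    site-name rule is not visible in the leaked password."""
    template = recover_template(leaked_password, leaked_from)
    return None if template is None else formula_password(target_host, template)


if __name__ == "__main__":
    for host, problems in audit_formula(POLICIES).items():
        status = "ok" if not problems else "; ".join(problems)
        print(f"{host:18} {formula_password(host):18} {status}")
    leak = formula_password("amazon.com")
    print("leaked from amazon.com:", leak)
    print("attacker's guess for github.com:",
          attacker_guess(leak, "amazon.com", "github.com"))
```

The audit shows the formula rejected by any site that caps length or bans punctuation, and the last two lines show that a single leaked password is enough to reconstruct the template and walk into every other account, which is the real cost of letting the site name be the only thing that varies.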

Using a password manager

Password managers like LastPass and KeePass make it ultra-simple to manage the dozens of passwords you use, and even let you share them if multiple users need access to the same accounts. As you may know, password managers let you save lots of passwords for lots of sites, all of which live inside a “vault” behind one strong master password.

Here’s a cautionary tale, however. When I used LastPass, I couldn’t bear the idea of forgetting my master password, so I wrote it in a notebook I kept somewhere safe. We know now that this is dumb, but at the time I thought it was too long and complex to commit to memory without a lot of effort. One day I needed to log back into LastPass after I was somehow logged out of the browser extension (I used it with Chrome), but I couldn’t remember the giant password, and then I couldn’t find the notebook I wrote it in. After looking everywhere for a few days, I assumed the notebook had been stolen or that I had dropped it somewhere; it was nowhere to be found.

One security feature of LastPass is that you can’t recover your master password if you lose it. The only way to get into your account is to have the password. Forget it and you’ve got to delete the account completely. When you’re too dense to remember the only password you need (like me), you have to delete your account and change every password inside, one by one, since you probably can’t remember those either. Plus, if you did write your password down (because it’s long and complicated) and lost it, whoever finds that has access to everything, and that thought alone is terrifying.

My sob story aside, password managers are the best method if you need multiple people to have access to many of the same passwords or if you’re certain you can remember your master password. It is, after all, the last one you need.

Dealing with passwords, for now

Passwords suck, but they won’t be going away soon, at least not until thumb scanners or other biometric equipment are built into systems. For now, it’s best to keep strong passwords and find a way to commit them to memory so they never exist anywhere but in your head. If you need multiple people to have access to the same systems, a password manager is probably the way to go. For IT admins, I’ve heard excellent things about KeePass, an open-source and completely free way to store and manage passwords.

Photo credit: Frits Ahlefeldt-Laurvig via Flickr