So… many… passwords! How to securely manage them?

As more of our work and personal lives require logins to access information, either in applications or on websites, it has become cumbersome to manage all those usernames and passwords safely.

Password safety

Frequently we reuse the same username and password across multiple applications and sites, or we write that information down so we can refer to it later.

Both of those behaviors expose the user to having their credentials stolen and used without their knowledge.

Using the same username and password for multiple applications and sites means that if the credentials are compromised in one place, the cybercriminal can potentially access every other application and site where those credentials are used.

Writing the passwords down exposes the credentials to anyone who gains access to the paper (or spreadsheet, Word document, or other electronic file) where the username and password are written or stored.

Even more worrisome is that in both scenarios, the user’s credentials could be compromised without them knowing until the damage is already done.

Password sharing

Another common challenge affects groups, such as support team members, who need to manage applications or environments with privileged account credentials. In that case, a single username/password combination must be known and used by multiple people. If these credentials are compromised, the cybercriminal now has access with administrator and/or superuser privileges.

When a member of the team leaves, every shared support password must be changed to mitigate the risk of the credentials being used for malicious purposes, which is a significant effort.

Password vaults

Password vault applications are a sound solution to these challenges. Password vaults let users safely store and manage credentials for all the applications and sites they need to access, across multiple devices.

Good password vaults use strong encryption to store the information, without giving the application vendor access to the credentials they hold. This means that even if the vendor is hacked, the cybercriminal cannot access the usernames and passwords in the vault.

Additional benefits of password vaults:

  • They allow users to share access to credentials and to revoke that access when necessary, avoiding the need to change passwords when someone leaves the team.
  • They support automatic login to sites and applications and can be configured to use a Single Sign-On (SSO) solution for convenient access.
  • They can generate strong passwords automatically and then update the credentials for that application or website.
  • They can identify where usernames and passwords are reused and alert the user so they can change those passwords to be unique and more secure.
  • Through dark web monitoring, they can alert users when sites they use have been breached.
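To make the encryption claim and the reuse check above concrete, here is an added Python sketch (not code from the article or from any vault product) of how a client-side vault keeps the vendor out of the loop: the master password is stretched with scrypt on the user's device, the vault is encrypted and authenticated before it leaves the device, and the vendor stores only the salt, nonce, ciphertext and tag. It also includes the password generator and the reuse check from the feature list. All function names, the sample sites and the master passphrase are constructed for the illustration; the cipher is a standard-library stand-in (HMAC-SHA256 keystream plus an HMAC tag, encrypt-then-MAC) for the AEAD such as AES-GCM a real product would use.

```python
"""Toy client-side ("zero-knowledge") password vault.

Added illustration, not code from the article or from any vault product.
Everything the vendor would store is produced on the user's device from a
master password the vendor never sees. The cipher is a standard-library
stand-in: HMAC-SHA256 in counter mode as a keystream plus a separate HMAC
tag (encrypt-then-MAC); a real vault would use an AEAD such as AES-GCM."""
import hashlib
import hmac
import json
import secrets
import string
from collections import defaultdict

# scrypt work factors (assumption: illustrative values; raise N in production)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into independent encryption and MAC keys.
    Runs on the client; only the random salt is ever sent to the vendor."""
    km = hashlib.scrypt(master_password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_vault(master_password: str, entries: dict) -> dict:
    """Serialize, encrypt and authenticate the vault. The returned record is
    all the vendor stores: salt, nonce, ciphertext and tag, no key material."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(master_password: str, blob: dict) -> dict:
    """Verify the tag before decrypting, so a wrong master password or a
    tampered record is rejected instead of producing garbage."""
    salt, nonce = bytes.fromhex(blob["salt"]), bytes.fromhex(blob["nonce"])
    ciphertext, tag = bytes.fromhex(blob["ciphertext"]), bytes.fromhex(blob["tag"])
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong master password or corrupted vault")
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def generate_password(length: int = 20) -> str:
    """Unique random password per site, as a vault's generator produces."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def find_reused_passwords(entries: dict) -> dict:
    """Map each password used by more than one site to those sites
    (the reuse alert from the feature list above)."""
    sites_by_password = defaultdict(list)
    for site, creds in entries.items():
        sites_by_password[creds["password"]].append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items()
            if len(sites) > 1}


# Constructed sample vault: two sites share one password, the third is unique.
SAMPLE_ENTRIES = {
    "mail.example": {"username": "alice", "password": "Spring2023!"},
    "shop.example": {"username": "alice", "password": "Spring2023!"},
    "bank.example": {"username": "alice_b", "password": "t9$Kq2!vLm#8wZpR"},
}

if __name__ == "__main__":
    master = "snoopydancinginthemoonlight"     # constructed master passphrase
    record = encrypt_vault(master, SAMPLE_ENTRIES)
    print("stored by vendor:", {k: v[:12] + "..." for k, v in record.items()})
    print("reused:", find_reused_passwords(decrypt_vault(master, record)))
    try:
        decrypt_vault("wrong master", record)
    except ValueError as err:
        print("wrong master password:", err)
```

The caveat a practitioner adds to "even if the vendor is hacked": a stolen record can still be attacked offline by guessing master passwords and running each guess through the same key derivation, so the protection is only as good as the master password and the scrypt work factor. That is why the choice of master password, covered in the next section, matters so much.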

Some vault vendors even include a personal subscription for enrolled staff and their families. There are free vaults for personal use, but organizations should look for a paid subscription with more advanced features, such as the ability to remotely remove a user's access; to separate company credentials from personal credentials, so that personal credentials are portable and company credentials are not; and to store secure notes and/or documents.

One of the best things about a password vault is that it only requires the user to remember a single (master) password.

Passwords vs. passphrases

What should you consider in a master password? For many years, the best advice for password security was to use a complex mix of upper- and lower-case letters, numbers, and special characters. This can make it hard to remember a password and which substitutions were applied to make it secure. It is now recommended to create a passphrase that is three to five words long. A passphrase such as snoopydancinginthemoonlight can be as secure as, if not more secure than, E33pl@nt, and much easier to remember!
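Worked numbers for this comparison, as an added Python example that is not part of the article: it estimates the bits of entropy (the size of the space a guesser must search) for random character passwords, random word passphrases, and a dictionary word with substitutions like E33pl@nt, and converts each into worst-case search time at two guess rates. The word-list size (7776, a standard Diceware list), the 100,000-word dictionary with 64 substitution variants, the two guess rates and the mini word list are assumptions chosen for illustration.

```python
"""Guess-resistance estimates for the two master-password styles above:
a short "complex" password versus a multi-word passphrase.

Added illustration, not from the article. The model assumes the guesser
knows the scheme (character set, word list, or dictionary-plus-substitutions)
and must search the random choice within it; all sizes are assumptions."""
import math
import secrets

PRINTABLE_ASCII = 95    # letters, digits and punctuation
DICEWARE_WORDS = 7776   # size of a standard 6^5 Diceware list
# Assumed model for E33pl@nt-style passwords: one dictionary word under one
# of a small number of common substitution patterns (3 for e, @ for a, ...).
DICTIONARY_WORDS, LEET_VARIANTS = 100_000, 64
# Assumed guess rates: a fast unsalted hash versus a vault's slow KDF.
FAST_HASH_RATE, VAULT_KDF_RATE = 1e10, 1e4


def entropy_random_chars(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` characters chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def entropy_random_words(word_count: int, wordlist_size: int) -> float:
    """Bits of entropy for `word_count` words chosen uniformly from a list."""
    return word_count * math.log2(wordlist_size)


def entropy_dictionary_variant(dictionary_size: int, variants: int) -> float:
    """Bits if the password is one dictionary word under one substitution
    pattern: what a mangled word like E33pl@nt really offers."""
    return math.log2(dictionary_size * variants)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def make_passphrase(words: list[str], count: int) -> str:
    """Random passphrase, words joined without spaces as in the article.
    The entropy comes from choosing words at random with a CSPRNG, not
    from the phrase reading naturally."""
    return "".join(secrets.choice(words) for _ in range(count))


# Constructed mini word list; a real list has thousands of entries.
SAMPLE_WORDS = ["snoopy", "dancing", "moonlight", "glacier",
                "puzzle", "lantern", "copper", "violet"]

if __name__ == "__main__":
    cases = {
        "8 random printable chars": entropy_random_chars(8, PRINTABLE_ASCII),
        "E33pl@nt (word + substitutions)":
            entropy_dictionary_variant(DICTIONARY_WORDS, LEET_VARIANTS),
        "3 random Diceware words": entropy_random_words(3, DICEWARE_WORDS),
        "4 random Diceware words": entropy_random_words(4, DICEWARE_WORDS),
        "5 random Diceware words": entropy_random_words(5, DICEWARE_WORDS),
    }
    print(f"{'scheme':34s} {'bits':>6s} {'fast hash (yrs)':>16s} {'vault KDF (yrs)':>16s}")
    for label, bits in cases.items():
        print(f"{label:34s} {bits:6.1f} "
              f"{years_to_exhaust(bits, FAST_HASH_RATE):16.3g} "
              f"{years_to_exhaust(bits, VAULT_KDF_RATE):16.3g}")
    print("generated passphrase:", make_passphrase(SAMPLE_WORDS, 4))
```

The point the numbers make: E33pl@nt only looks like eight random characters (about 52 bits); to a guesser who tries dictionary words with common substitutions it is closer to 23 bits. A passphrase of randomly chosen words earns its entropy from the random choice, so pick the words with a generator rather than composing a sentence. And when the passphrase protects a vault, the vault's key stretching (the lower guess rate in the table) is what turns even a three-word passphrase from seconds of searching into years.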