Passwords remain a necessary evil

Passwords / Apr 4, 2024

Authored by William Baillieu.

Passwords are just like opinions: everyone has got one, and they are not necessarily any good.

In fact these days, far more than just one… and they are usually terrible!

Despite constantly telling everyone how to have better, stronger passwords, the internet has perversely made everyone’s passwords worse. Pretty much every online service forces you to set up an account and password that has to follow its rules. However, they don’t check whether you are using a password that is known to have been leaked, or whether you are using the same password for the nuclear launch codes that you use for footy-tipping and everything else.

The average person ends up with between 20 and 100 accounts and passwords, which they forget and have to reset on average 2.5 times a year! (Depending on which study you want to believe the stats vary, but the themes are highly consistent – here is a great report from Keeper Security https://www.keepersecurity.com/en_GB/us-password-practices-report/ that says it is about 20 passwords and 50 resets.)

I’ve got 743!

If they were proper keys instead of 1’s and 0’s, I’d be considered a gentleman cagophilist. Well ok, maybe not a gentleman. But I’d certainly be one hell of a key collector. Though I certainly wouldn’t be carrying them around, far too heavy and awkward. I’d have a lovely glossy wooden cabinet with glass doors in the poolroom containing my fabulous envy-provoking collection of shiny keys.

How many of us can memorise at least 20 unique passwords, each made up of at least 16 characters with no repeated or common words, incorporating a combination of uppercase and lowercase letters, numbers, and special characters, that are no more than 3 months old, have never been used before, and are not among the 613 million hacked passwords listed on the excellent https://haveibeenpwned.com/Passwords? And that is before getting to work and having to do it all again for work accounts.

I suspect that most people live “in silent, shameful defiance of all the accepted wisdom regarding passwords” just like Tim Dowling wrote in The Guardian (https://www.theguardian.com/technology/2024/feb/17/no-focus-no-fights-and-a-bad-back-16-ways-technology-has-ruined-my-life-tim-dowling) and are resigned to either having the same password for everything, or instantly forgetting their newly set passwords and clicking on ‘Forgot my password’ every time they need to get in. The reality is that even writing them down doesn’t help as much as it used to because you need them when you are out and about.

But it doesn’t have to be like this. Unless you or your organisation are at really high risk (nuclear launch codes), you can and should seriously consider using a modern cloud password manager. Much like my poolroom and shiny glass cabinet, you keep your passwords (and other types of credentials like certificates, passcodes, PINs, etc.) securely all in the one spot. But that is where the similarity ends. Being in the cloud means no need to lug keys around. Your data is stored in an encrypted vault and access is protected by strong authentication, which does have the downside that it is much harder to show off your key collection. But on the upside, there is no need to memorise 20 passwords, let alone 743! In many cases a password manager will even generate strong passwords and enter them into forms when required.
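As an added example (not code from the original post, nor from any of the password managers it mentions), the Python below shows the two mechanisms the post touches on: the leaked-password check that most sites skip, done the way the Pwned Passwords range API allows (only the first five hex characters of the password’s SHA-1 are sent, so the password itself never leaves the client), and the kind of strong random password generation a manager performs. The range response and the breach counts here are constructed so the code runs offline; `fetch_range` is a stand-in for the real HTTP call to `https://api.pwnedpasswords.com/range/{prefix}`, and the helper names are this example’s own.

```python
import hashlib
import math
import secrets
import string


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API works in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed offline stand-in for the breach corpus. The passwords are real
# well-known weak choices; the counts are made up for this example.
_LEAKED = {"password": 3861493, "123456": 37304863, "qwerty": 3912816}

# Build a prefix -> ["SUFFIX:COUNT", ...] table shaped like the real API reply.
_RANGE_TABLE: dict[str, list[str]] = {}
for _pw, _count in _LEAKED.items():
    _h = sha1_hex(_pw)
    _RANGE_TABLE.setdefault(_h[:5], []).append(f"{_h[5:]}:{_count}")


def fetch_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    The real service returns one "SUFFIX:COUNT" line per leaked hash sharing
    the 5-character prefix. This version answers from the constructed table.
    """
    return "\r\n".join(_RANGE_TABLE.get(prefix.upper(), []))


def breach_count(password: str, range_lookup=fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 if never).

    Only the 5-char prefix is sent; the 35-char suffix is matched locally, so
    the lookup service learns nothing that identifies the password.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip())
    return 0


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random password from a CSPRNG, re-drawn until every class is present."""
    if length < 4:
        raise ValueError("length must allow one character from each class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw)} times in the (constructed) corpus")
    fresh = generate_password(20)
    print(f"generated: {fresh} ({entropy_bits(20, len(ALPHABET)):.1f} bits), "
          f"breached: {breach_count(fresh)}")
```

A real signup or password-change flow would call the HTTP endpoint inside `range_lookup` and reject (or at least warn on) any password with a non-zero count; because the check is keyed on the hash prefix, the same code path works against a locally downloaded copy of the corpus.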

Some features built for companies make them teamwork friendly, such as automated account creation for employees based on your company identity provider, sub-vaults with role-based access, and operational reporting. If someone is sick or there is an emergency, a manager with the right permission can unlock sub-vaults, or the whole vault.

If you are medium to high risk (you have teams of people with accounts and passwords, or are managing valuable assets) you should consider consulting with identity security specialists to help select the best fit for you and your organisation and then set you up to use it securely. (Shameless plug – we can help here; identity security is what we do!) Otherwise, if you are low risk, you should be able to get started yourself. There are several leaders such as 1Password, Bitwarden and Keeper Security – all of which have excellent reputations and the functions most people need.

There have been some well-publicised security incidents with one of the more popular online password managers, which led many people to be rightly wary of storing all their passwords in the cloud (aka someone else’s computer, accessible from anywhere). To them I would say two key things:

One – If you (or your employees) manage passwords manually, you are almost certainly living in silent, shameful defiance and are exposed to severely impactful cyber-attacks; and

Two – While password managers are not perfect, using one of the leading modern cloud password managers (one that has been independently audited and implements best-practice security) is far and away a safer proposition than going it alone.
