If you don’t have one, get yourself a password manager … now

For some time now I’ve been using a password manager application across multiple platforms, and I’ve found it very effective. I’m not writing this post to promote the particular application I use (it happens to be mSeven Software’s mSecure, which I’m very, very happy with) but as a call to action to those who don’t have one: go out and get one now. A recent experience a friend had has just demonstrated to me how important they are.

But firstly let me tell you some of the key characteristics I see as important for a good password manager (admittedly they’re probably influenced significantly by my experiences with mSecure):

  • Cross-Platform: I run versions of mSecure on iOS, Mac OSX, and Windows, which is very important for me. It also runs on Android and Windows Phone as well, so pretty much all major platforms are covered. And I’d suggest you consider this when choosing a Password Manager yourself.
  • Security and Encryption: Obviously, one of the key features of any such application is that it securely stores the data you entrust to it. mSecure uses “256-bit Blowfish encryption”; I’m not an encryption expert, but my research on the topic gives me reasonable confidence in the strength of that encryption, and mSeven Software’s website itself claims this level of encryption has never been cracked. However, when reviewing products you should verify that decryption depends on the “master password” you choose, so that an “accidental” compromise of the stored data cannot expose your passwords to anyone who does not have that master password.
  • Ease of Synchronization: Obviously, when working away from the office I’ll often add a new entry to my iPad or iPhone based password manager database, and clearly I don’t want to have to manually duplicate those values into the password manager databases running under OS X or Windows. mSecure allows simple, bi-directional synchronization between separate instances on the different platforms I use. I synchronize via Wi-Fi, but it also supports synchronization via Dropbox and iCloud.
  • Flexible Data Definition: Although I’ve used the term Password Manager to describe this class of applications, I use mSecure to store much, much more: a wide range of sensitive information, from the obvious usernames and passwords to software license and registration keys, bank account numbers and telephone banking access details. Essentially, anything I want to keep with me but would prefer to protect rather than keep in clear text. mSecure allows you to define new “data types” and to specify which fields contain “sensitive” information, meaning I can create whole new “classes” of data, which is clearly very flexible. These new data types are synchronized along with all the other data between the different databases at synchronization time.
  • Ease of Use: The most common usage scenario for me these days is copying a password by simply tapping on the masked (hidden) password value, which copies it onto the clipboard, and then pasting it into the password field of the application or web page I return to. In many instances (and my kids can’t even believe this) I’ve deliberately generated quite complex, random passwords for accounts that I no longer know and don’t even bother remembering; they are too difficult to remember, and I rely entirely on my password manager to copy and paste them when I need them.
  • Auto Generation of Complex Passwords: This is a crucial feature, and one that every password manager should have. I use it regularly to generate random passwords of an appropriate length that I have absolutely no intention of remembering and for which I will then be entirely dependent upon my password manager. Here is an example of mSecure’s powerful password generation dialog.

(Screenshot: mSecure’s password generation dialog)
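To show what a dialog like that does behind the scenes, here is an added example (my own code, not mSecure’s) of a generator that draws from a cryptographically secure source, guarantees each selected character class appears, and reports the entropy of the result; the class names and the symbol set are assumptions of the example.

```python
import math
import secrets
import string

# Character classes that a generator dialog typically lets the user switch on and off
# (assumed set for this example).
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?",
}


def entropy_bits(length, alphabet_size):
    """Bits of entropy in a uniformly random string of `length` symbols from `alphabet_size`.

    Forcing one character from each class (below) makes the draw slightly non-uniform,
    so for generate_password this is a close upper bound rather than an exact figure.
    """
    return length * math.log2(alphabet_size)


def generate_password(length=20, classes=("lower", "upper", "digits", "symbols")):
    """Generate a random password with the secrets module (a CSPRNG), never random.random.

    Each selected class appears at least once, which is what most site policies
    insist on; the remaining positions are drawn from the combined alphabet and the
    result is shuffled with secrets-backed randomness so the forced characters do
    not sit predictably at the front.
    """
    if length < len(classes):
        raise ValueError("length must be at least the number of character classes")
    alphabet = "".join(CHARSETS[c] for c in classes)
    chars = [secrets.choice(CHARSETS[c]) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):  # Fisher-Yates shuffle using secrets.randbelow
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def satisfies_classes(password, classes=("lower", "upper", "digits", "symbols")):
    """The policy check a site applies: does every requested class appear at least once?"""
    return all(any(ch in CHARSETS[c] for ch in password) for c in classes)
```

A 20-character password over the 87-symbol combined alphabet is about 129 bits of entropy, far beyond anything a person would choose and remember.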

Having discussed the key features I see as important in a password manager, let me recount the incident a friend described to me, which reinforced just why everyone should be using a password manager.

My friend had recently registered online with his local library. The registration process involved being allocated a user id and choosing a password, and it ended by suggesting that a final step of the registration would need to be completed when he attended the library to pick up his library card.

When he arrived at the library, he called at the desk and asked to “complete his registration”. The person at the desk looked him up and down and gave him a puzzled look. “But your registration is all complete”, she told him, and turned the monitor around to show him all his details. My friend was a little gobsmacked to see, towards the top of the page, his chosen password displayed in clear text. Given that he’d used one of his regular, familiar passwords, one that he also used for a number of his financial institutions, the ramifications of that choice struck him immediately. When he questioned the fact that the password was shown in clear text, the librarian responded, “Oh yes, a lot of people forget their passwords, so it’s just easier if we can tell them what it is straight away.”

On reflection, this level of security awareness in a library may be what you would expect from a non-IT specialist organisation, but the ramifications for you as an online user are quite scary. We all know people who use the same password for practically all of their online accounts. A reused password is only as safe as the organisation that manages it worst; in this case the library stored that password unencrypted and displayed it to any administrative library user, which means it could essentially be harvested by anyone with that access and criminal intent.
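To make the contrast concrete, here is an added example (not code from the library or from any real system) of the two storage designs side by side: one that keeps the password exactly as typed, which is evidently what the library did, and one that stores only a salted PBKDF2-HMAC-SHA256 hash, so staff can verify a login but never read the password back. The user names and passwords used to exercise it are constructed.

```python
import hashlib
import hmac
import os


class CleartextStore:
    """Stores the password exactly as typed, so any staff member can read it back."""

    def __init__(self):
        self._users = {}

    def register(self, user, password):
        self._users[user] = password

    def login(self, user, password):
        return self._users.get(user) == password

    def staff_view(self, user):
        # The screen the librarian turned around: the secret itself, reusable anywhere.
        return self._users[user]


class HashedStore:
    """Stores a salted PBKDF2-HMAC-SHA256 hash: the password can be checked but not read back."""

    def __init__(self, iterations=600_000):
        self._users = {}
        self._iterations = iterations  # high cost slows offline guessing if the table leaks

    def _derive(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self._iterations)

    def register(self, user, password):
        salt = os.urandom(16)  # unique per user, so identical passwords hash differently
        self._users[user] = (salt, self._derive(password, salt))

    def login(self, user, password):
        record = self._users.get(user)
        if record is None:
            return False
        salt, stored = record
        # Constant-time comparison so timing does not reveal how many bytes matched.
        return hmac.compare_digest(stored, self._derive(password, salt))

    def staff_view(self, user):
        # Staff see that the account exists, plus the salt and hash, but never the password.
        salt, stored = self._users[user]
        return f"pbkdf2_sha256${self._iterations}${salt.hex()}${stored.hex()}"
```

With the hashed design a forgotten password is handled by issuing a reset, not by reading the old one out at the desk.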

I might say that my friend fairly quickly changed his library password to a very non-familiar, random password after this experience.

My key takeaway here is to consider the organisations you entrust your password to. Do they take appropriate care with your password? Can anyone at their organisation view your password? And if you’re not convinced already, get yourself a password manager and start migrating to automatically generated, random passwords now. It’s certainly a much better and safer approach in my opinion.
