Wednesday, June 24, 2015

How You Manage Passwords

Okay now, tell the truth.

With all the passwords you have to manage just to do your job and stay in touch with friends and family, you cannot possibly have a separate password for every account you manage, can you?

Some systems want the password to be a certain length, some want you to use at least one digit and one special character (but only from a certain subset of acceptable characters), and some insist that you change the password on a periodic basis.

So you do what almost all the rest of us do. You use a standard personal password for most of your trivial accounts (like the Hilton Honors program and the Starbucks rewards program and your local gardening community forum site), and something special and (hopefully) secure for your online banking or your important social media accounts. But even with that strategy, it's unlikely that you can keep all those passwords in your memory. So you write it down somewhere, don't you?!

Yes you do! Even the more progressive companies that require you to maintain credentials are beginning to acknowledge this age-old fact. No security system is stronger than the Post-It™ Note.

So what are your alternatives? There are two. We'll talk about one today because it's something that's completely within your control.

Two things can transform the madness that current login security systems suffer from. One is the use of a Password Manager, and the other is something called Multi-Factor Authentication (MFA).

We'll explore Password Managers here and leave MFA for a later article. The latter can only work when you're working with a well-educated IT team on the platform you need to access. The former is entirely in your hands, so we want to be sure you know about some of your choices.

Real quick - this is not a review, or a features comparison article. This is just about the principles behind the concept. I'm not out to make a product recommendation. You can dig a little to decide what's best for you.

The idea behind a Password Manager is the same as the guy with a drawer full of Post-It™ Notes. You find a secure way to "write down" all of your username/password pairs, and then you refer to it when you want to log in somewhere.

The beautiful thing about this is that (in theory) if you have a reliable Password Manager, you could have an entirely separate password for every single site where you log in. And each one can be highly random and unguessable, because even you couldn't possibly remember it. (This satisfies that edge-case scenario where you're kidnapped by an evil mastermind or government and tortured to reveal your password to the Sonoma Stompers Secret Baseball Fan Society website. Heavens protect us against THAT imminent risk.)

So the simplest Password Manager is the one that's built into your web browser. If you use Chrome or Firefox, you have the opportunity to have the browser remember your login data on your computer. You can manage it a little, and you can erase it quickly if you feel like there's a risk of that data being compromised. It helps, but it doesn't cover all cases. (Other browsers offer this convenience; you'll have to decide if you trust them enough to be the repository of your identity information.)

If you use only Apple products, you can use the Keychain. This will support you when you use your Mac laptop, your iOS mobile device, or the Safari browser. For purist members of the Apple clan, this can be all the protection you need.

If you're like me and use a wide variety of devices and want to be connected to your information in a range of contexts, you need to find an agnostic Password Manager. Some of the most obvious choices are LastPass, RoboForm, and Dashlane.

I use LastPass, having chosen it after reading up on the field soon after the Adobe break-in a couple of years ago. (Here's a recent comparison at LifeHacker - http://lifehacker.com/5529133/five-best-password-managers)

The way it works is that I have a Master Password that controls access to my "vault." (Most of the Password Managers use this model.) Then the system integrates with my browser to jump in when I need to log in to some website and offers to auto-populate the username and password fields.

For login systems that don't work organically with the browser, I can ask my Password Manager to allow me to copy username or password to my clipboard and then I can paste them into the appropriate fields.
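To make the two ideas above concrete (a per-site password too random to remember, and a single Master Password that locks the whole "vault"), here is an added example that is not LastPass's code or any product's real vault format. It assumes a constructed layout of salt, nonce, tag and ciphertext, a PBKDF2 iteration count chosen for illustration, and Ruby's bundled OpenSSL binding.

```ruby
require "openssl"
require "securerandom"
require "json"

ITERATIONS = 100_000 # each guess at the master password costs this many HMACs (illustrative value)
SALT_LEN   = 16
NONCE_LEN  = 12
TAG_LEN    = 16

# Stretch the master password into a 256-bit vault key with PBKDF2-HMAC-SHA256.
def vault_key(master, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(master, salt, ITERATIONS, 32, OpenSSL::Digest.new("SHA256"))
end

# Encrypt the vault (a Hash of site => {"user", "password"}) under the master password.
# Constructed blob layout: salt(16) || nonce(12) || tag(16) || ciphertext. Fresh salt and nonce per save.
def seal_vault(master, entries)
  salt  = SecureRandom.random_bytes(SALT_LEN)
  nonce = SecureRandom.random_bytes(NONCE_LEN)
  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.encrypt
  cipher.key = vault_key(master, salt)
  cipher.iv  = nonce
  ciphertext = cipher.update(JSON.generate(entries)) + cipher.final
  salt + nonce + cipher.auth_tag + ciphertext
end

# Re-derive the key from the stored salt and authenticate before trusting anything;
# a wrong master password or a tampered blob raises OpenSSL::Cipher::CipherError.
def open_vault(master, blob)
  salt, nonce, tag = blob[0, SALT_LEN], blob[SALT_LEN, NONCE_LEN], blob[SALT_LEN + NONCE_LEN, TAG_LEN]
  ciphertext = blob[(SALT_LEN + NONCE_LEN + TAG_LEN)..-1]
  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.decrypt
  cipher.key = vault_key(master, salt)
  cipher.iv  = nonce
  cipher.auth_tag = tag
  plaintext = cipher.update(ciphertext) + cipher.final
  JSON.parse(plaintext.force_encoding("UTF-8"))
end

# A random per-site password drawn uniformly from an alphabet that fits the usual
# "letters, digits, and a subset of special characters" policy; nothing to memorise.
def random_password(length = 20, alphabet = [*"A".."Z", *"a".."z", *"0".."9", *'!@#$%^&*'.chars])
  Array.new(length) { alphabet[SecureRandom.random_number(alphabet.size)] }.join
end
```

Because the blob is authenticated, a wrong Master Password fails loudly instead of silently producing wrong credentials, which is the property you want from anything that replaces the Post-It™ Note.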

The key feature I needed in my solution is that it has to be multi-platform. I use a Mac laptop, but sometimes I fire up Chrome on a PC and it should work for me there. I use an iPad and want to have it support me there, and I use an Android phone heavily, so it should help me out when that's my information source. LastPass does all of these things.

To be fair, I am only able to use the system on my mobile devices because I pay the subscription fee of $12 per year. Given the help that LastPass has provided me over the couple of years I've been using it, I consider that a pittance. (Please don't share or retweet this article anywhere their marketing department might see it and realize that their pricing is Too Good To Be True.)

The other players in this space are probably fine. In fact, if you choose any of the solutions in the LifeHacker Top Five, you'll probably be fine.

But for Heaven's Sake, give up the Post-It™ Note strategy!