When I joined Invotra in 2016, I was introduced to all of the Invotra security policies.
These are a range of measures taken to keep Invotra secure and avoid our internal security enforcement measure, Dishing.
These include policies on data storage, antivirus software, encryption, and many other aspects of security.
One of these policies is a password policy, which consists of instructions on how secure a password must be, including minimum length, complexity, generation and storage of the password.
I was initially surprised to see policies on how to store a password. At the time, I had only ever used passwords that I could memorise, so the idea of writing one down somewhere seemed less secure.
I did eventually come around to the idea and after using a password manager for work, I now also use one personally.
Here is what I have found after using a password manager for 2 and a half years…
Memorising all of your passwords is impractical
If you have spent a lot of time on the internet, you have probably set up a fair few accounts for numerous services that can often be difficult to keep track of.
Every website account, Internet of Things (IoT) device and email address you have should have a unique password. That way if one is breached, the rest will remain secure.
This has been getting increasingly harder to do manually as time has gone on.
New services appear that need accounts and older services have gained “smart” features that will often also require an account.
Each of these accounts then needs at least a password, and sometimes an account name or other ID numbers as well. You can make your life much easier by storing all of this information in a password manager.
Password managers give you the freedom and flexibility to have numerous different passwords for all of your sites without needing to memorise all of them.
If you have spent any reasonable time on the internet then it is worth checking whether your email address has ever been involved in a data breach. Here is a website that allows you to check: ‘haveibeenpwned’.
These were my results:
These 2 breaches both caused me to change the passwords that I had used on the sites listed.
This was a major problem for me at the time. The breaches themselves revealed little personal data, however, at the time I was still reusing passwords (a very bad idea in hindsight).
As a result, each of these breaches meant I had to change the passwords for dozens of sites. A password manager would have allowed me to change only one password, and I wouldn’t even have had to remember it.
Strong unique passwords
A big advantage of password managers is that you don’t actually need to remember a password. You usually won’t even need to type it. On sites that will allow it, I now use 100 character passwords made of random letters, numbers and symbols. The result looks like this:
#ApiKH4BHQ1KMbFe$9NeFiqpBseJGZ wcc8iOng#@G*M!fma1$hzc7Zs^BsKA2 WHGF9k TaKY78&o9P5ld9HFdcuD0Ep20T8xy 799
(Not my actual password, obviously…)
There are differing views on exactly how long it would take to find a password like this by brute force, although most estimates are measured in quinquagintillions of years. Some sites have password length limits and will not allow a password this long, but a random password of whatever length they do allow will still be much harder to guess than a memorable one.
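As an added illustration (not code from the original post), the snippet below generates a password of the kind shown above with a cryptographically secure random source, shortens it to a site's length limit where one exists, and estimates how long a brute-force search would take. The alphabet (letters, digits and punctuation) and the guess rate of a trillion attempts per second are assumptions chosen for the example.

```python
import math
import secrets
import string
from typing import Optional

# Assumed character set: random letters, numbers and symbols, as in the post.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 100, site_max: Optional[int] = None) -> str:
    """Generate a uniformly random password using the secrets module (a CSPRNG,
    unlike random.choice). If the site imposes a maximum length, honour it."""
    if site_max is not None:
        length = min(length, site_max)
    if length < 1:
        raise ValueError("password length must be at least 1")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def brute_force_years(length: int, guesses_per_second: float = 1e12) -> float:
    """Expected years to search half the keyspace at an assumed guess rate.
    Real rates depend on the hashing used by the site; 1e12/s is a generous
    figure for fast hashes on GPU hardware (assumption, not a measurement)."""
    keyspace = len(ALPHABET) ** length
    try:
        seconds = (keyspace / 2) / guesses_per_second
    except OverflowError:
        # Beyond float range: effectively never.
        return math.inf
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(100)
    print(pw)
    print(f"{entropy_bits(len(pw)):.1f} bits, ~{brute_force_years(len(pw)):.3g} years to brute-force")
```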
There are many fake websites which mimic real sites. These can be deceptive to a human, but a password manager would know the difference. Some password managers will even give you a warning if they detect you entering login information into a different site from the usual one. This can provide a useful line of defence if you do accidentally find yourself on a malicious site.
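To show why a password manager is not fooled where a person might be, here is an added example (not the post's code, and not any particular product's logic) of the exact-host matching a manager applies before offering a saved login: a credential saved on example.com is only offered on example.com, never on a lookalike host. The vault contents and URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed vault: each entry is keyed by the exact host it was saved on.
VAULT = {
    "example.com": {"username": "alice", "password": "<stored-secret>"},
    "mail.example.org": {"username": "alice@example.org", "password": "<stored-secret>"},
}


def normalise_host(url: str) -> str:
    """Return the lowercase hostname of a web URL, ignoring scheme, port,
    path, query and any userinfo that precedes the host."""
    parts = urlsplit(url)
    if parts.scheme not in ("https", "http") or not parts.hostname:
        raise ValueError(f"not a web URL: {url!r}")
    return parts.hostname.lower()


def matching_entry(url: str, vault=VAULT):
    """Offer a saved login only when the visited host equals the saved host.
    No prefix, suffix or 'looks similar' matching: that is exactly what a
    lookalike site relies on a human to do."""
    return vault.get(normalise_host(url))


def should_warn(url: str, vault=VAULT) -> bool:
    """True when a login is about to happen on a host with no saved entry,
    which is the signal a manager uses to flag a possibly fraudulent site."""
    return matching_entry(url, vault) is None


if __name__ == "__main__":
    for url in ("https://example.com/login",
                "https://examp1e.com/login",
                "https://example.com.account-check.test/login"):
        print(url, "-> warn" if should_warn(url) else "-> fill saved login")
```

Real managers vary on whether subdomains of a saved host count as a match; this example deliberately treats them as different hosts.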
More information on avoiding fake websites and staying safe online can be found here at Niall’s blog.
There are risks involved in using a password manager, as with any system for recording passwords.
The biggest risk is your master password. One password to gain access to all of the others. This must be very secure. Something no one could guess and something you are going to have to remember. Multi-factor authentication is strongly advised with a password manager (as with all accounts with sensitive data) to ensure your passwords stay secure.
It is also worth checking if any services you use have policies against password managers. Some banks do not allow you to store their passwords in a password manager. If you tell them you stored your password in a password manager, or have written your password down anywhere else, then they may not refund any money you lose if your bank account is compromised. For these, it may still be necessary to remember an additional password.
There is also the risk of the password manager itself being breached.
This has happened in the past. It is bad, but the stored passwords are still encrypted even if someone gains access to them. The damage can be mitigated by using multi-factor authentication and then changing your passwords. This is time-consuming, but with a password manager you have a list of all of your accounts and can easily change each one. The only password you need to remember is your master password.