Password Managers

The Basics:

Who else loves remembering hundreds of long complicated passwords, especially for websites you only need to visit once a year? Yeah, neither do we. This is one of the many reasons why we are enamored with password managers. The key here is that you need to be smart about how you use this resource.

Secure your password manager as tightly as you can and guard it as jealously as you would your social security number. Actually, protect it better than most people protect their social security numbers. Turn on every layer of MFA the password manager supports. At a minimum, set a master password that you use for this service only, and make it the strongest password you know and type on a regular basis. It should be a MINIMUM of 16 characters, but we recommend making it as long as you can remember and tolerate typing: if the encrypted vault is ever stolen, it is only as strong as the master password the vault key is derived from.

If you properly guard your password manager, it will give you far stronger passwords without burdening your memory with passwords that are 80 characters long. Holding even one 80+ character password in your head is a feat most of humanity would struggle with, let alone the dozens or hundreds needed to have a unique password for every application.

Our Recommendation:

If you read our post on MFA you will have noted that we love FIDO2 compliant authentication methods and that our favourite is hardware keys, so that is the MFA we recommend you use with your password manager. We understand being a little relaxed with MFA on other services; if you only want TOTP on Amazon, fine by us, but don't skimp on your password manager. Most password managers also issue a recovery code or recovery password for when you lose your MFA device; print it out and keep it somewhere private and secure, like a household safe.

Take advantage of the fact that you don't have to remember any of these passwords and make them as long and weird as the login will allow. If Google allows a 100 character password, have your password manager generate one that is 90 characters long. Smarty pants that you are, you probably noticed that 90 is less than 100. Well spotted! That leads us into our final recommendation when it comes to password managers.

If, like the We Assume Breach team, you live by the motto "stay paranoid", then you may question the logic of keeping all your passwords in one place because of the havoc that would rain down should that password manager be breached. That is a fair concern; assume your password manager will be breached at some point. As we write this, LastPass, one of the most popular password managers, has been breached; while they claim that no customer data was accessed, the fact that they were hacked is at once surprising and inevitable. What you should remember about these breaches is that with a reputable, paid password manager your vault is encrypted, and the encryption key is derived from your master password on your own device rather than stored alongside the vault, so unless the company's CISO has a brain made of jelly it is not sitting on the same server that got hacked. A hacker may steal the tranche of encrypted data, but then has to guess your master password to read any of it, and in the time that takes you can change all your passwords and keep them from reaching their goal.
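To make concrete what "encrypted with a key the vendor never holds" means, and why the master-password advice under The Basics matters, here is an added Python sketch of client-side key derivation and of the attacker's only move against a stolen record: offline guessing. This is illustration written for this page, not the post's code and not any real product's scheme; the verifier construction, the low iteration count and the wordlist are all constructed and simplified.

```python
import hashlib
import hmac
import secrets

# Deliberately low so the demo runs in well under a second. Real managers use
# hundreds of thousands of PBKDF2 rounds (or Argon2); the principle is the same.
ITERATIONS = 20_000


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = ITERATIONS) -> bytes:
    """The key the vault is encrypted with.

    Derived on the client from the master password. The vendor stores the
    salt and the encrypted vault; this key never leaves the device.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def make_verifier(vault_key: bytes) -> bytes:
    """What the server keeps to check a login: a hash of the key, not the key.
    (Simplified stand-in for a real product's auth-hash construction.)"""
    return hashlib.sha256(b"login-verifier:" + vault_key).digest()


def enrol(master_password: str) -> dict:
    """Everything an attacker obtains from a server breach: salt + verifier."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, salt)
    return {"salt": salt, "verifier": make_verifier(key)}


def offline_guess(stolen: dict, candidates, iterations: int = ITERATIONS):
    """The attacker's view after the breach.

    Each candidate costs a full KDF run; that cost, multiplied by the size of
    the search space your master password forces, is the time you get to
    rotate everything. Returns the matching guess, or None if the wordlist
    never hits.
    """
    for guess in candidates:
        key = derive_vault_key(guess, stolen["salt"], iterations)
        if hmac.compare_digest(make_verifier(key), stolen["verifier"]):
            return guess
    return None


# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "123456", "letmein", "Summer2023!", "correcthorse"]


if __name__ == "__main__":
    weak = enrol("Summer2023!")
    strong = enrol("tilting-cactus-ledger-9-moonlit-wharf")
    print("weak master password cracked as:", offline_guess(weak, WORDLIST))
    print("strong master password cracked as:", offline_guess(strong, WORDLIST))
```

The salt stops the attacker from precomputing one table for every customer, and the iteration count makes every single guess expensive; neither helps if the master password is one the attacker's wordlist already contains, which is the whole argument for the 16+ character, used-nowhere-else master password above.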

But what if the CISO's brain is made of jelly? That's where our final recommendation comes in: keep a secret salt that you append to the end of your passwords. (Strictly speaking, a secret that is never stored anywhere is a pepper rather than a salt, but the idea is the same.) It doesn't have to be unique to each password or complex; you can add the name George to the end of all your passwords if you want. Because that suffix is never saved in the password manager, a stolen vault whose encryption key was poorly guarded, or, even worse, a vault stored in the clear, does not contain a single working password, which gives you time to respond. Two caveats: autofill will only enter the stored part, so you type the suffix yourself every time, and the suffix only protects you against the vault leaking. A site that leaks your full password in plaintext exposes the suffix along with it, so don't lean on it for anything beyond buying time after a password manager breach.
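The two recommendations above (generate below the site's maximum so the stored part plus the memorised suffix still fits, and never store the suffix) as a small Python script. This is an added example, not code from the post: the character classes, the site limit of 100 and the suffix "George" are constructed for illustration, and entropy is computed for a uniform draw over the constructed alphabet.

```python
import math
import secrets
import string

# Constructed character classes; a real site's permitted set may differ.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.<>?",
}
ALPHABET = "".join(CLASSES.values())


def generate_password(length: int, site_max: int, pepper_len: int) -> str:
    """Random password to store in the vault, leaving room for the suffix.

    The suffix (pepper) is typed by hand and never stored, so the stored part
    must be short enough that stored + suffix still fits the site's limit.
    Uses rejection sampling so every class appears at least once for sites
    that insist on it, while keeping the draw uniform over valid outputs.
    """
    if length + pepper_len > site_max:
        raise ValueError("stored part plus suffix exceeds the site maximum")
    if length < len(CLASSES):
        raise ValueError("too short to contain one of every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES.values()):
            return pw


def entropy_bits(password: str, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password over `alphabet`, in bits.
    The class-coverage rejection above removes a negligible fraction of
    outputs at these lengths, so this is accurate to well under one bit."""
    return len(password) * math.log2(len(alphabet))


def login_password(stored: str, pepper: str, site_max: int) -> str:
    """What you actually type at the site: the vault's value plus the suffix
    you remember. Raises if the combination would be rejected by the site."""
    typed = stored + pepper
    if len(typed) > site_max:
        raise ValueError("stored part plus suffix exceeds the site maximum")
    return typed


if __name__ == "__main__":
    PEPPER = "George"          # constructed; memorised, never written down
    SITE_MAX = 100             # constructed site limit
    stored = generate_password(90, SITE_MAX, len(PEPPER))
    print("stored in vault :", stored)
    print("entropy (bits)  :", round(entropy_bits(stored), 1))
    print("typed at login  :", login_password(stored, PEPPER, SITE_MAX))
```

Note that the suffix adds no meaningful entropy against an attacker who can guess it; its only job is to make every value in a leaked vault incomplete. The strength comes from the 90 random characters the manager remembers for you.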

Also, and this should go without saying, unless you are an expert in the field of cybersecurity and know what you are doing, pay for your password manager. Our team uses LastPass, 1Password, and Keeper Security as our password managers, and as long as you secure your chosen service as we advise, you will be well served by any of them.
