Passwords are the weakest aspect of account security. The primary reason is a human is in control of them. Over time when people get overwhelmed, pressured, frustrated the natural tendency is to revert to the easiest, fastest and sloppiest solutions. When that happens to passwords accounts and services are put at great risk. In today’s connected world the username/password approach needs to go. Unfortunately, this will not happen anytime soon for a majority of the services you use. Rather than try to push against a wall learn to use tools around us to make your account security stronger.

Traditional accounts consist of a username, usually your email address, and a string of characters that are secret to the account owner that are known as passwords. When every site you visit requires some kind of authentication to gain access to services or additional features a typical user can have 50 or more accounts to manage. This is one of the aspects that make people choose an easier to manage route by using the same password across multiple sites. It’s easy to remember for a user but very dangerous and risky.

If a user uses the same password, not matter how complex the password is, if one of those sites gets compromised and the password is revealed then all of your sites are indirectly breached as well. Password reuse is what hackers count on. Dropbox’s breach was caused by password reuse. When passwords for a site are discovered hackers put those into automated tools that try to login with the same username/password combo across all the popular social sites, bank websites, medical sites and others trying to exploit a user’s laziness.

The other problem with user’s managing their own passwords is complexity. Using simple strings, dictionary words, patterns are basic passwords that can all be cracked in seconds by most hacking tools. Each time a breach reveals passwords hackers take them and add them into their tools to check against. Like using the same password on multiple sites to remember them easier, making the password itself simple to remember is just as dangerous.

The 10 most common passwords from 2016
123456
password
12345678
qwerty
12345
123456789
football
1234
1234567
baseball

My point is if a person manages their own passwords on all their accounts they are running the risk of getting breached. It’s not a matter of IF but WHEN. Also do you know exactly how many sites you have created an account on? It’s that one site you used two years ago with the same password that you are using now that will get you in trouble. Never assume websites have your security in their list of priorities, most of the time they do not.

What can a regular person do to mitigate this problem and get control and visibility into their accounts? The answer is to bring in technology known as a password vault. Password vaults are the best solution to control your accounts and help you manage them all in one location. I have written about vaults before and personally use LastPass (not sponsored). Through this post you will see screenshots from LastPass but there are plenty of services that do similar things and can secure you just as good.

A password vault will store all the websites, usernames, passwords and other pertinent information about a site. It can also be used to store your WiFi passwords, network passwords, home network configurations, account numbers, and anything else you need to be private. The vaults store all your information in an encrypted container that only you can access. The downside is if you forget your vault login information you data is not recoverable by the service providing it. Side note – If a company says that they can recover your information don’t use them.

After you load in a website you never have to manually login again. Instead you install the vault plug-in, in this case LastPass, and whenever there is a detected login box the plugin will put a selection icon there for you to choose your account. Then the vault automatically fills in your username and password. It’s that simple.

The benefit of this approach is you can make significantly more complex passwords that you do not have to remember. LastPass can reset the passwords for you or generate new ones based on what you tell it to. When you get to the change password page on a website LastPass will have an icon to generate a new password. No more thinking one up, reusing an old one, or making a weak one. LastPass will generate a complex one like in the example below – Q@aXG80Q0%360. Since you don’t have to remember it who cares how complex it is.

The other great benefit of using a central vault is the cross website analysis and reporting you can get. LastPass will tell me if I am using a password on two different sites. Password reuse is a big risk. It will also score the complexity of my passwords, alert me if I have weak ones and let me know if any site I have an account on has announced they have been breached. Those are the invaluable benefits to help maintain and keep my accounts and information as secure as I can.

With the growing number of sites we use trying to manage the accounts securely is a daunting task for most. Don’t try to do it yourself as human nature will prevail and trend toward the easiest methods which is not always the best way. Writing down accounts in a notebook is the worst idea you can do with using the same username and password on every website a close second. You are asking to get compromised and bank accounts drained. Using the Internet comes with more risks than most people understand or want to admit. This is one of those areas that require additional tools and services to assist with keeping you safe.

Never assume a website’s security is adequate, most of the time it’s not. Time and time again the big players show us that even them have poor or less than optimal security practices. Breaches happen and the best we can do is limit the damage and risks to ourselves.

End of line.

Binary Blogger has spent 20 years in the Information Security space currently with Magenic providing security solutions and evangelism to clients. From early web application programming, system administration, senior management to enterprise consulting I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure everyday.

Subscribe
Facebook Page
Follow Me On Twitter
contactme@binaryblogger.com