Not long ago the concept of password security was straightforward. We were told to pick passwords with some minimum length (say, eight characters), throw in a number or two, and we’d be fine. Password cracking and brute forcing were slow and unsophisticated attacks, and as a result, we were lulled into thinking our accounts would be impervious forever. So much so that many of us used the same password everywhere. But with the development of tools like John the Ripper and the advent of phishing attacks, everything changed. 

With rare exceptions, the human mind really isn’t good at coming up with strong passwords. We tend to base our passwords on the language we speak. After all, how else can we be expected to remember what they are? Attackers know this all too well, which is why most password cracking tools were designed to integrate with and mangle words in a dictionary file. If a password cracker can automate the process of trying every English word, for example, and then try mangled versions of each (e.g., substituting 0 for O, appending digits, and so on) for as many iterations as it likes, it’s easy to understand why such tools are so successful. 

And that’s to say nothing of phishing attacks, which are perhaps today’s most serious cybersecurity threat. If we’re tricked into submitting our passwords to a spoofed Office 365 landing page, it doesn’t make any difference how many characters they contain or how complex they are. They’re compromised, and the attacker will use them for whatever they want. 

There’s certainly something to be said for multifactor authentication (MFA) as a defense mechanism for these types of attacks. It’s a great way to prevent account takeover, but it’s not supported everywhere (yet). And MFA still doesn’t absolve us of the need to create strong passwords. So, what are we to do? That’s where password managers come in. 

Simply put, a password manager is a software application that is used to store and manage passwords. These are stored in an encrypted format either locally on our machine or in the cloud and are protected by a master password. Think of it like a keychain with unlimited space, where individual passwords are the keys on the ring, and we only need to enter our master password in order to access and use any of those keys. The password manager allows us to generate a random, unique password for each of our website accounts, store it securely, and then automatically enter it into that website’s login field without our ever seeing it. Because the password is never typed, this reduces exposure to attacks like keystroke logging, and it removes the need to remember multiple passwords. 
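To make both points concrete, here is an added example (not code from the original post) that does two things: it vets a human-chosen password the way a defender would, by undoing the common mangling substitutions (0 for O and the like) before comparing against a dictionary, and it generates the kind of random, unique password a manager would produce. The dictionary, substitution table and minimum length are constructed assumptions for illustration.

```python
import math
import secrets
import string

# Constructed, tiny stand-in for a cracker's wordlist; a real one holds
# hundreds of thousands of words plus previously leaked passwords.
DICTIONARY = {"password", "summer", "welcome", "dragon", "monkey", "letmein"}

# Common substitutions that mangling rules apply and that we undo here
# (assumed table; real strength checkers use larger ones).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

def normalize(candidate: str) -> str:
    """Collapse a mangled password back toward its base word:
    lower-case, drop trailing digits/symbols, then undo substitutions.
    'P@ssw0rd2024!' -> 'password'."""
    base = candidate.lower().rstrip(string.digits + string.punctuation)
    return base.translate(LEET_MAP)

def dictionary_based(candidate: str) -> bool:
    """True if the password is just a dictionary word once mangling is undone."""
    return normalize(candidate) in DICTIONARY

def vet_password(candidate: str, min_length: int = 12) -> str:
    """Defender-side check: length first, then dictionary-with-mangling."""
    if len(candidate) < min_length:
        return "too short"
    if dictionary_based(candidate):
        return "dictionary word with mangling"
    return "ok"

def generate_password(length: int = 20) -> str:
    """What a password manager does: a fresh random string per account,
    drawn from a CSPRNG rather than from the language we speak."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length: int, alphabet_size: int) -> float:
    """Search space of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    for pw in ("Summer1!", "P@ssw0rd2024!", generate_password()):
        print(f"{pw!r}: {vet_password(pw)}")
    print(f"20 random chars from 94 symbols ~ {entropy_bits(20, 94):.0f} bits")
```

Run stand-alone it shows the eight-character "number or two" password and the leet-mangled dictionary word both failing, while the generated password passes.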

Some great options for personal password managers include LastPass and 1Password, but there are many others available. There are even enterprise-level password managers that allow an organization to provide this functionality to its employees. 

So, if you’re already using a password manager, good on you! And if you’re not, it would be a great way to ensure that all your passwords are unique, resistant to cracking, and easy to access and use. Throw in MFA to help protect against phishing, and you’ve got yourself a strong password security posture. 

Ross is the CISO at Symplexity. He has achieved CCIE Security and CISSP certifications, an MBA from the University of Notre Dame, and has 20 years of experience in the fields of computer and network security engineering and consulting. Ross provides virtual CISO services for our Symplexity Secure clients and helps them to identify information security risks and implement administrative, procedural, and technical controls to mitigate them. He works effectively with both technical and managerial personnel and is a trusted resource for our clients.
