Password Managers – Why they're a 'Keeper'
Around four in every five account breaches trace back to poor password management, whether through a brute-force attack or through stolen credentials. Most people wouldn't be surprised to hear that criminals perform an act called "credential stuffing": taking login details leaked from one service (say, Facebook) and trying them on another (perhaps Gmail), on the assumption that the same password was used for both.
A 2019 study by Google found that almost two thirds of people used a common password across multiple platforms. A similar study by LastPass echoed those numbers, adding that on average the same password is reused for around 13 different accounts. Also in 2019, the NCSC analysed many millions of breached accounts and found that 23.2 million of them had used "123456" as the password. For the vast majority of people, losing one password could well mean losing many.
Research carried out as far back as 2015 by the popular password manager Dashlane found that the average UK citizen had at least 118 online accounts; by now that figure is expected to be closer to 200. That is 200 usernames and passwords you need to recall at will. George Miller's famous 1956 study at Harvard University determined that, on average, people can hold only about seven pieces of information in short-term memory. A 2015 study by Kaspersky found that 71% of UK citizens could not recall their child's phone number and 47% could not recall their partner's. Unless you are truly exceptional, you are simply not remembering 200 passwords.
We know that we can't remember every password for every application, and we know that reusing passwords is dangerous, yet multiple sources still show that only around 20% of Britons actively use a password manager (PM) to secure their login details. Why are we still afraid of them?
They can be hacked
Sure, a password manager can be hacked, just like any other online system, so choose a long, memorable master password for your PM and back it up with multifactor authentication (MFA); with both in place you are highly unlikely to have your account broken into. Just as important is what happens if the provider itself is breached. Any good password manager encrypts your vault on your own device, with a key derived from your master password, so the provider (and anyone who steals its data) holds only ciphertext: no usable logins, and nothing that ties a stored credential to you or to a site. The caveat is that a thief of that ciphertext can still try master-password guesses offline, with no rate limit and no MFA in the way, as fast as the manager's key-derivation settings allow. That is exactly why the master password needs to be long rather than clever.
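To make the point concrete, here is an added example (not code from this article, and not Keeper's or any other product's implementation) that models what a zero-knowledge password manager keeps on its servers and what a thief of that record can do with it. The function names, the KDF settings and the small wordlist are assumptions made up for the demo. The standard library has no AES, so the authentication tag an encrypted vault would carry is stood in for by an HMAC key-check value: a guess is confirmed only when the derived key reproduces it, which is the same oracle an attacker gets from a decryption that fails under the wrong key.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Deliberately low so the demo runs in seconds. Production managers use far
# higher PBKDF2 counts or a memory-hard KDF such as Argon2 (an assumption for
# the demo, not a figure from the article or from any particular product).
KDF_ITERATIONS = 20_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Client-side key derivation: the master password never leaves the device."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def key_check_value(key: bytes) -> bytes:
    """Stands in for the authentication tag of the encrypted vault: only the
    right key reproduces it, so a wrong guess is detectably wrong."""
    return hmac.new(key, b"vault-key-check", "sha256").digest()


def seal_vault(master_password: str, iterations: int = KDF_ITERATIONS) -> dict:
    """The record a zero-knowledge provider keeps: salt, cost and key check.
    Nothing in it says which sites or usernames the vault contains."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "kcv": key_check_value(key)}


def offline_guess(stolen: dict, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """What a thief of that record can do: one full KDF run per candidate,
    with no rate limit and no MFA in the way. Returns (match, guesses made)."""
    tried = 0
    for candidate in candidates:
        tried += 1
        key = derive_vault_key(candidate, stolen["salt"], stolen["iterations"])
        if hmac.compare_digest(key_check_value(key), stolen["kcv"]):
            return candidate, tried
    return None, tried


# Constructed wordlist: the NCSC's top offender plus a few other usual suspects.
COMMON_PASSWORDS = ["password", "qwerty", "123456", "letmein", "iloveyou"]

if __name__ == "__main__":
    # Constructed passwords for the demo; neither is anyone's real secret.
    weak = seal_vault("123456")
    strong = seal_vault("tall-kettle-orbit-marble-29")
    print("weak master password:", offline_guess(weak, COMMON_PASSWORDS))
    print("long master password:", offline_guess(strong, COMMON_PASSWORDS))
```

The attacker's cost is simply guesses multiplied by the KDF cost, which is why managers raise the iteration count and why a master password that appears in any wordlist is lost regardless of how well the vault is encrypted.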
They don’t work across different operating systems
This may have been true a few years ago, but it improves year on year. Most of the bigger PMs now work seamlessly across different platforms.
Once I start using one, I’m tied to them forever
Not true. Almost all PMs let you export your login credentials to a file for import into another system. Bear in mind that the common export format is plain CSV rather than an encrypted file, so treat the export as you would a printed list of your passwords: import it straight away and delete it securely afterwards.
They are too expensive
Most paid PMs cost an individual between £30 and £50 per year, less than a fiver a month, and business pricing is only marginally higher. We have partnered with the popular Keeper Password Manager and offer it to our customers for less than that. Many PMs have a free tier for personal use which does not compromise on the core security of the application at all, only on the number of additional features you get compared to the paid version.
What if I forget my master password?
Indeed, what if you forget any password? A good PM deliberately cannot read your master password, so recovery works differently from an ordinary account reset: it relies on options you set up in advance, such as a recovery phrase or code, a trusted emergency contact, or an administrator in a business plan. Set those up when you create the vault, and remember that you are far less likely to forget your password if you only ever have to remember one.
They take too long to set up
Setting up a PM takes some time, but you would usually add one application at a time, storing the credentials as you go and replacing any reused passwords with generated ones while you are there. The time saved by not re-entering your username and password every time you load a site or application far outweighs the time spent setting it up.
Bad password!
Of course, a password manager will "remember" all of those details that you simply cannot on your own. But what is the point if the passwords it remembers are too weak to begin with?
Keeper (and other good PMs) include a built-in password generator that creates a new random password for each application. Mixing letters, numbers and symbols adds to the complexity, but length matters far more: each extra character multiplies the number of combinations an attacker must try by the size of the character set, so three more characters do more than a handful of extra symbols. The Daily Mail reported earlier this year that a 6-character password can be cracked instantly, whereas 11 characters combining numbers and upper- and lower-case letters would take 3 years, and 13 characters with the same parameters 12,000 years. Treat such figures as illustrative: they assume a particular cracking rig and a particular, fast way of hashing the stolen password, so the real times vary from site to site, but the ratios between lengths hold. Since the generator does the remembering, there is no reason not to let it produce passwords as long as each site allows.
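As an added example (not from the article and not Keeper's generator), the block below shows what a manager's password generator does and puts numbers on the length-versus-complexity point. The guess rate is an assumption for illustration only, roughly a GPU rig working against a fast, unsalted hash; sites that hash passwords properly force a far lower rate, which is why published crack-time tables such as the one the article cites disagree with one another.

```python
import math
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits        # 62 symbols
ALPHANUMERIC_SYMBOLS = ALPHANUMERIC + string.punctuation    # 94 symbols

# Assumption for illustration only: a GPU cracking rig working against a
# fast, unsalted hash. Sites that hash properly force a far lower rate.
ASSUMED_GUESSES_PER_SECOND = 10**11


def generate_password(length: int, alphabet: str = ALPHANUMERIC) -> str:
    """What a manager's generator does: uniform picks from a CSPRNG."""
    if length < 1:
        raise ValueError("length must be at least 1")
    symbols = sorted(set(alphabet))
    if len(symbols) < 2:
        raise ValueError("alphabet needs at least two distinct symbols")
    return "".join(secrets.choice(symbols) for _ in range(length))


def entropy_bits(length: int, alphabet: str) -> float:
    """Entropy of a uniformly generated password: length * log2(alphabet size)."""
    return length * math.log2(len(set(alphabet)))


def expected_crack_seconds(
    length: int, alphabet: str, guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND
) -> float:
    """On average the attacker finds a random password halfway through the keyspace."""
    keyspace = len(set(alphabet)) ** length
    return keyspace / 2 / guesses_per_second


def comparison() -> dict:
    """Three more characters beat adding 32 symbols to the alphabet."""
    return {
        "8 chars, letters+digits+symbols": round(entropy_bits(8, ALPHANUMERIC_SYMBOLS), 1),
        "11 chars, letters+digits": round(entropy_bits(11, ALPHANUMERIC), 1),
        "13 chars, letters+digits": round(entropy_bits(13, ALPHANUMERIC), 1),
    }


if __name__ == "__main__":
    for label, bits in comparison().items():
        print(f"{label}: {bits} bits")
    for n in (6, 11, 13, 16):
        years = expected_crack_seconds(n, ALPHANUMERIC) / (365 * 24 * 3600)
        print(f"{n} random alphanumeric characters: {years:.3g} years at the assumed rate")
    print("generated:", generate_password(16))
```

Going from 11 to 13 alphanumeric characters multiplies the attacker's work by 62 squared, a factor of 3,844, whatever the guess rate; that multiplier is what the article's "3 years versus 12,000 years" comparison is really showing.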
Wrapping up
A lesser-reported advantage of a system like Keeper is that the PM stores the URL of each site alongside the login, and only offers a credential when the address in the browser matches it. If you fall for a well-designed phishing email and land on a lookalike site built to harvest your credentials, the PM will not offer them, because the phishing site's address is not the one on record. That refusal is a useful warning sign in itself: if the manager will not fill a login on a page where it normally does, check the address before typing anything by hand.
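The matching decision described above, as an added example that is not code from the article or from Keeper. The rule used here (same https scheme, and a page host equal to or beneath the stored host) is a simplified version of what managers do and is an assumption, as are the hostnames, which use reserved example/test domains. A deliberately naive substring lookup is included alongside it to show why parsing the address properly matters.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

Credential = Tuple[str, str]

# Constructed vault entries: the origin the login was saved on -> (username, password).
VAULT: Dict[str, Credential] = {
    "https://login.bank.example": ("alice", "Qx7!generated-by-the-manager"),
    "https://mail.example": ("alice@mail.example", "another-generated-one-9Lp"),
}


def host_matches(stored_host: str, page_host: str) -> bool:
    """The page host must equal the stored host or sit beneath it as a
    subdomain. It is never enough for the stored name merely to appear
    somewhere inside the page's address."""
    stored_host, page_host = stored_host.lower(), page_host.lower()
    return page_host == stored_host or page_host.endswith("." + stored_host)


def credentials_for(page_url: str, vault: Dict[str, Credential] = VAULT) -> Optional[Credential]:
    """Offer a stored login only for a matching https origin; otherwise nothing."""
    page = urlsplit(page_url)
    if page.scheme != "https" or not page.hostname:
        return None
    for stored_url, cred in vault.items():
        stored_host = urlsplit(stored_url).hostname
        if stored_host and host_matches(stored_host, page.hostname):
            return cred
    return None


def naive_substring_lookup(page_url: str, vault: Dict[str, Credential] = VAULT) -> Optional[Credential]:
    """The shortcut a manager must not take: 'does the site name appear in the
    address?' Included only so the lookalike cases below fail visibly."""
    for stored_url, cred in vault.items():
        if urlsplit(stored_url).hostname in page_url.lower():
            return cred
    return None


if __name__ == "__main__":
    # Constructed addresses: the real site, two phishing lookalikes and a downgrade.
    for url in (
        "https://login.bank.example/accounts",
        "https://login.bank.example.security-check.test/accounts",
        "https://login.bank.example@evil.test/accounts",
        "http://login.bank.example/accounts",
    ):
        print(url, "->", credentials_for(url), "| naive:", naive_substring_lookup(url))
```

The second and third addresses both contain the genuine hostname as text, which is exactly how a phishing link is dressed up; only a manager that compares the parsed host, not the visible string, keeps the credentials to itself.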
While we advocate using a password manager to secure your login credentials, remember that multifactor authentication is still the strongest protection you can apply to your accounts and should be enabled wherever it is available to you. Microsoft claims that MFA blocks more than 99% of the attempts made to compromise an account.
Our customers can speak to us about enabling MFA on their accounts for ultimate password protection. If you’d like to hear more about Keeper, give us a call.
Jason Abrahamse
Jason is ITbuilder's security expert and leads our information security project team. He provides consultancy and support on matters relating to cyber-resilience and data protection.
Something of an industry veteran, Jason has held various roles in the industry and combines that expertise to consult with customers on security best practices.
Jason is a native of South Africa, but is now a fully naturalised Brit except for not being accustomed to the cold. He lives locally in Hertfordshire.