63% of data breaches result from weak or stolen passwords. Moreover, a lot more passwords can be called weak. IBM recently established that any eight-character password can be cracked by brute force with relatively inexpensive technology in nine minutes. The average time was three minutes. Until we properly deal with passwords, we are simply no longer secure.
The training we have been getting about passwords is no longer good enough. We are told to make up strong passwords. That is all well and good until you have more strong passwords than you can remember. I counted mine, and I have close to 100 passwords. Who can remember which strong password goes with which login? We need help.
Fortunately, help exists. Two technologies are now essential for anybody who is serious about their IT security: password managers and authenticators. If you are not using these, or if, as an IT manager you are not requiring your users to have them, you are succumbing to your fallible, irrational human nature. You are not taking care of business. Period.
A password manager, as you probably know by now, is software that stores your passwords and uses them to log you in. It keeps a list of your logins. Click on a login, and the password manager logs you in. It does this with a password that it keeps encrypted. It can do this with a password you make up, or it can make up a much more difficult one to use. In most cases, the password manager does this across your devices, so that if one fails, you don’t lose your passwords.
Depending on the product, lots of other features may be available, such as remembering your challenge questions. The point, however, is that once you set it up, it makes using passwords easy. You never have to take risky shortcuts like using a password for more than one site, writing passwords down, or using passwords that are easy to guess.
Many good password managers are on the market. I use RoboForm. A lot of people I know use LastPass. I’ve seen half a dozen that look pretty good, and they don’t cost very much. RoboForm is going for $23.88 per user per year right now. LastPass is about the same, $2 per month for individuals. Both vendors offer free trials, as most password managers do.
So, basically, if you’re not using a password manager, you are procrastinating. Deal with it. Just get up and say, “Today is my password management day!”
Authenticators are the other great technology. They are software, most convenient on a smartphone, that produces a number every minute or so. When asked by a two-factor authentication routine, you type the number from the authenticator into the login, and you get two-factor authentication.
You probably know by know what two-factor, or multi-factor authentication is. That is where you don’t just have one piece of information to prove you are who you say you are to a security system. You have two. A password, something you know, or which your password manager knows, is one form of authentication. You can get another one from something you have, such as a smartphone with an authenticator, or something you are, such as a person with a unique fingerprint or retina.
These days, a lot of systems use your computer or smartphone as the second authenticator by sending a code to it by email or text, which you then use. This is better than nothing, but it is possible for an industrious hacker to get that number sent to another device. Authenticators avoid this risk. They are available from several vendors, for free, including Google and Microsoft. Often, you can use one vendor’s authenticator with another vendor’s system, I use my Google authenticator, for example, to log into Microsoft. So you don’t have to use multiple authenticators.
Clearly, multi-factor authentication removes a lot of the risk of stolen or intercepted passwords, much as the password manager removes a lot of the risk of automated password guessing. Together the two technologies make using passwords a lot safer.
So why aren’t we all using password managers and authenticators? Why aren’t our users? It’s hard to believe that only a couple hundred years ago, we would die during the winter if we didn’t chop enough wood during the summer. Life has become so much easier. These days, even downloading some simple software and learning to use it is such an effort. What has become of us?