Every day you hear about security breaches; be it a major retailer having credit card info stolen, a large scale email hosting service having user passwords stolen, credit score agencies losing social security numbers, or maybe you are one of the unlucky ones who has had an email, Facebook or banking account hacked? To combat this, you hear all over the news, from tech savvy friends, maybe even from your IT company, that you need to have different, secure passwords for each account you use. With Microsoft putting the best policy password length at 14 characters, adding in complex characters as well (! * $ #), and you having so many accounts to protect from your email(s) and Facebook to Amazon and banking, that’s a lot to remember, and that’s why this month CCR will show a possible alternative to trying to remember or write down all of these passwords.
What is a password manager? You can think of it as exactly what the name implies, it is a place to store and manage passwords for online accounts, almost like a little digital notebook of sorts. This may seem contradictory after JUST saying don’t write down passwords, however this is a little different. Before we get into more detail, it is worth noting that CCR does not endorse a specific password manager (though there are many to choose from offering an array of different utilities) we have engineers in our office using everything from Lastpass to Keepass to myki and more! When it comes to picking a password manager, it’s most important to think about how you would like to use it. Here in this tech tip you will see some screenshots from Lastpass and Keepass as they are two examples of password managers that act very differently. The most important thing to note with any password manager is that for ALL of them there is one commonality; you will need to choose and remember one very secure master password. While there is no set rule on how long this should be, it’s best to think of this as the one password to rule them all. This is the password that gives you access to EVERYTHING so it’s best to make it as secure as possible!
Offline Password Manager
In this example, we will use Keepass to explain what an offline password manager is and how it works.
Keepass is an application that is downloaded to your local computer, and does not store ANYTHING online, the only network connectivity it has is to check back to Keepass’ website for updates. Keepass creates an encrypted database file on your machine that you access every time you open the application.
Once you have installed and set up Keepass, you can open and run it at any time on your machine, it will prompt for the password you created and bring you to the following page. As you populate Keepass with passwords you will see there are other areas to fill out when creating an entry such as title, username, password, URL, and notes all which are shown in the above listed image. This is all here to make it easier to access the sites you are storing your passwords for. The big thing to note about how Keepass works and what becomes either a big draw or detractor for users is what we mentioned about it being offline. You can only access this Keepass database on the machine you installed it to. The upside of this is that it is more secure being locked down on your machine with no one able to try and hack into it online; the downside however is that this makes it near impossible to try and access these passwords from another device should you be working from home or on a mobile device.
Online Password Managers
The direct alternative to this then becomes the online password manager. It does the same basic function, storing your passwords for accounts. But what these do differently is that they have you create an account for their service (some are free, others not) and you use this account to log into their service from any device to access your passwords. How each company handles this is different, but almost all have high level encryption and have NO access to your data themselves, which they warn you about when creating the account as they can not assist or retrieve your “master” password if you were to lose it.
Logging into an online manager can be easier, as most offer multiple ways to do so. Alongside a web application you can access, most have browser extensions that can be installed right into Firefox, Chrome, IE, Edge and so on. Many also have mobile applications that can tie in the same features and then some.
When opening and populating Lastpass, it will ask for a lot of the same things as Keepass such as a name for the password, the username, the password itself, URL and more. Another big feature of Lastpass is that seeing as it is a connected service, it will try to update its database as you work. If you were to set up Lastpass and install the chrome extension then go about your day, accessing Facebook, Yahoo, Amazon and so on, when you log into these sites, Lastpass will give a small popup asking for permission to log the credentials for you automatically. Then, the next time you visit this site, Lastpass will pop up with a small “autofill” option that will fill in the credentials you allowed it to save.
This only scratches the surface of what Password managers can do and offer, there are so many other features that can be tossed in such as secure notes, secure internet browsers built into the password manager, and much more. When it comes down to deciding which is right for you, consider your own personal workflow and which of these two models would work best for it and research from there which password manager has the features that will best suit you.
Tech Tip Provided By:
Zach Krupa
Assurance System Technician
Center for Computer Resources
