National Cybersecurity Awareness Month: Tips for Improving Your Personal Pa55w0rd! Management


Hey, it’s National Cybersecurity Awareness Month, so it’s the perfect time to have some real talk about passwords. The TL;DR of this post is, “Please use a password manager,” so if you’re doing that, great—you know the score, and you’re doing the right thing.

With that said, read on to learn some tactics for encouraging others in your network to do the same (and give us some of your own tips in the comments about how you can get people to join our secure password management tribe).

Usability vs. security

The tragedy of password selection is that the easier it is for you to remember, the easier it is for someone else to guess it. It’s a complete bummer that this security control we depend on to keep our online lives intact is, in fact, predicated on a classic security vs. usability dilemma. If you’re stuck with a three-pound hunk of meat in your head to keep your passwords straight, you are pretty doomed when it comes to selecting and remembering a reasonably complex password. We saw this was the case in the 2018 edition of “Under the Hoodie,” which reported that about 53% of our surveyed penetration testing engagements involved at least one cracked or guessed password.

Many people take the following approach to password management: They come up with one or two “secure” passwords they use for work, their bank and their email; one or two “okay” passwords for sites they don’t log in to daily or don’t consider to be very high-value; and one or two “known weak” passwords for truly throwaway purposes. This comports with the many psychology studies that posit that humans in a literate society are pretty okay with remembering about seven, plus or minus two, chunks of information. In this case, these chunks are “passwords I care about.” Now, note those scare quotes—most “secure” and “okay” passwords are also pretty awful when you look at them critically, but they feel secure to the people who came up with them.

Putting that subjective quality of passwords aside, we tend to make things worse by spreading these five to nine passwords all over the place. It’s not like people only have five services they ever log in to; in fact, we have dozens to hundreds of services we use, so not only are these passwords pretty weak, but they’re also used over and over again.

Password managers (finally) on mobile

None of this has to be the case, though. Using a password manager pretty handily solves dreaming up suitable passwords, remembering those passwords, and remembering which ones go with which websites. I’m happy to report that this year is the first year you really don’t have any excuse to put off using a password manager.

Password managers have been super useful for a long time in a desktop environment, but alas, many people today spend a whole bunch of time accessing things with their phones. I’m pretty sure that this gulf in password management has been holding up the wide, common adoption of this technology. After all, if all your passwords end up stuck on your desktop, you’re unlikely to actually use those sites with robust passwords when you can’t log in with your phone.

But this is not the case anymore. Android Oreo has had full integration with excellent password managers LastPass, 1Password, and Dashlane since August 2017, and Apple iOS 12 just rolled out the same in September 2018.

Now, actually using a password manager is absolutely a case of putting all your credential eggs in one basket, so what if that basket gets hacked? After all, password managers are software applications, and it’s axiomatic that all software has some number of bugs. In fact, security research team TeamSIK reported last year that it had discovered a bunch of vulnerabilities in a bunch of password managers, so is it reasonable to avoid these password managers? I don’t think so. To avoid using software simply because it might have security vulnerabilities is to avoid using all software. After all, everyone writes bugs, and sometimes those bugs introduce vulnerabilities.

Instead, look at how password management providers respond to security vulnerabilities and breach reports—do they act shady by dodging issues and attacking vulnerability reporters, or do they respond quickly by both fixing the immediate problem and making vulnerability reporters feel safe and welcome? In other words, I’m much more comfortable with using any software that has a track record of a few reported (and fixed) vulnerabilities, and that goes double for security software.

The upside of all of this is that using a password manager not only makes it easy to replace all your passwords with long, complex gobbledygook (which is good security hygiene), but it incidentally makes you nearly invulnerable to phishing attacks. After all, if you don’t know your password, it’s pretty hard for you to accidentally give it away in a moment of panic. Password managers that autodetect websites don’t fall for fake login pages; if a website’s domain doesn’t match, it doesn’t match, and no amount of eyeball-fooling with similar names and graphics will trick a decent password manager’s autofill.
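The domain-matching behaviour described above is the whole reason autofill resists lookalike login pages. The following is an added illustration, not code from the post or from any of the password managers it names: a hypothetical `Vault` that releases credentials only when the page's origin (scheme, punycode host and port) is exactly the origin the credentials were saved under, placed next to a substring-based matcher that shows what goes wrong when a vault is too generous. All site names and the saved credential are constructed sample values.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Origin:
    """Scheme, normalised host and effective port: the key a vault matches on."""
    scheme: str
    host: str   # lowercase, with any Unicode label converted to its punycode A-label
    port: int


def origin_of(url: str) -> Origin:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    # Converting to punycode means a Cyrillic 'а' can never compare equal to a Latin 'a',
    # however identical the two look on screen.
    host = parts.hostname.encode("idna").decode("ascii").lower()
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return Origin(parts.scheme, host, port)


class Vault:
    """Hypothetical credential store keyed by exact origin (an assumption for this example)."""

    def __init__(self):
        self._entries = {}

    def store(self, site_url, username, password):
        self._entries[origin_of(site_url)] = (username, password)

    def autofill(self, page_url):
        """Return (username, password) only on an exact origin match, otherwise None."""
        try:
            return self._entries.get(origin_of(page_url))
        except ValueError:
            return None   # unparsable or non-web URL: never fill


def naive_autofill(saved, page_url):
    """The weak alternative: fill whenever the saved host appears anywhere inside the page host."""
    host = urlsplit(page_url).hostname or ""
    for site_url, creds in saved.items():
        if urlsplit(site_url).hostname in host:
            return creds
    return None


# Constructed sample data (the .test TLD is reserved and never resolves).
SAVED_SITE = "https://www.example-bank.test/login"
SAVED_CREDS = ("alice", "correct horse battery staple")

PROBES = {
    "same origin":      "https://www.example-bank.test/account/settings",
    "suffix trick":     "https://www.example-bank.test.evil.test/login",
    "hyphen lookalike": "https://www-example-bank.test/login",
    "http downgrade":   "http://www.example-bank.test/login",
    "homoglyph":        "https://www.ex\u0430mple-bank.test/login",   # Cyrillic 'а' in "example"
    "wrong port":       "https://www.example-bank.test:8443/login",
}


def run_demo():
    """Map each probe page to whether the exact-origin vault would fill credentials on it."""
    vault = Vault()
    vault.store(SAVED_SITE, *SAVED_CREDS)
    return {name: vault.autofill(url) is not None for name, url in PROBES.items()}


def naive_demo():
    """Same probes against the substring matcher, to show which lookalikes slip through."""
    saved = {SAVED_SITE: SAVED_CREDS}
    return {name: naive_autofill(saved, url) is not None for name, url in PROBES.items()}


if __name__ == "__main__":
    for name, filled in run_demo().items():
        print(f"exact-origin vault  {name:18s} -> {'FILL' if filled else 'no fill'}")
    for name, filled in naive_demo().items():
        print(f"substring matcher   {name:18s} -> {'FILL' if filled else 'no fill'}")
```

Only the first probe (a different path on the same origin) gets credentials from the exact-origin vault; every lookalike, the plain-HTTP downgrade and the odd port are refused without any judgement call about how similar the page looks. The substring matcher, by contrast, happily fills the suffix-trick page, which is exactly the kind of mistake a person squinting at an address bar makes.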

So, take this opportunity during National Cybersecurity Awareness Month to get your house in order when it comes to passwords, by which I mean your whole house—kids, spouses, parents, siblings, cousins, everyone. It’s on you to recruit into our secret secure club, and hopefully one day make this all less secret and more secure for everyone.

This post was the third in a four-part series celebrating National Cybersecurity Awareness Week. Check back next week to hear about approaches to securing the nation’s most critical infrastructure, and be sure to read our previously published posts, “Manage Your Risk at Home with Simple Tweaks to Your Voice-Controlled Devices” and “Getting Started with Cybersecurity Education and Training Assistance Programs.”

About Rapid7
Rapid7 (NASDAQ:RPD) powers the practice of SecOps by delivering shared visibility, analytics, and automation that unites security, IT, and DevOps teams. The Rapid7 Insight platform empowers these teams to jointly manage and reduce risk, detect and contain attackers, and analyze and optimize operations. Rapid7 technology, services, and research drive vulnerability management, application security, incident detection and response, and log management for more than 7,000 organizations across more than 120 countries, including 52% of the Fortune 100.