Master Passphrases: Keys to the Kingdom


Longtime readers of this blog know that I am a fan of password managers. I use one myself and I have recommended them to others, including my wife, who uses one too. I like them because they generate complex passwords and save them so I don’t have to remember them.

Participants in Learning Tree’s System and Network Security Introduction know that I believe encryption is important; in that course we use tools to encrypt files.

Both password managers and encryption tools use a master passphrase to protect the valuable contents of their internal databases: the key that encrypts everything else is derived from it. I have heard people say that they use a password manager to generate and save passwords, and then use a very simple password to access the tool.

That’s not such a great idea.

If the key to the database is easy to discover, whether by trying some common passwords against it or by somehow attacking the database file directly, then every password in it is easy to discover. Unlike a website login, a copied database file can be attacked offline with no lockout and no rate limit, so the only things slowing the attacker are the strength of the passphrase and the cost of the tool’s key derivation. Likewise with the passphrase protecting the key file for encryption. It’s sort of like using a cheap lock on the front door of your house (which almost all houses do, but that’s a different post).

Web browsers store passwords, too, and some have master passwords. Unfortunately, most people don’t set them, or they set them to simple values. I suspect it is a case of ease-of-use versus security.

Some people have passwords stored on their phones, too, maybe with a password manager and maybe not.

So, what is the best practice for securing these tools? There are two important steps one must take to protect them. First, use a good master password. Don’t use ‘princess’ or ‘1234356789’! Use something complicated: mix upper and lower case letters and special characters, and make it at least fifteen characters long. Second, add a layer of security by protecting the computer or phone itself with a complex password or PIN. “Defense in depth” is quite valuable: the more hoops an attacker has to go through, the less attractive a target you are and the more difficult it is to get your data.
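To make the two points above concrete (a weak master passphrase exposes the whole database, and the database can be attacked offline), here is an added, constructed illustration that is not code from this post or from any real password manager. It builds a toy vault whose key is derived from the master passphrase with PBKDF2, then plays the attacker: copy the vault file, try a wordlist against it, and the first guess that verifies unlocks every stored password at once. The wordlist, the iteration count, the stored entries and the HMAC-based keystream are all assumptions made for the example; a real manager uses an authenticated cipher such as AES-GCM for the contents.

```python
"""Why a weak master passphrase exposes the whole vault.

Constructed illustration (not any real password manager's file format):
a toy vault protected by a key derived from the master passphrase with
PBKDF2. Whoever copies the vault file can try guesses offline, and the
first guess that verifies unlocks every stored password at once.
"""
import hashlib
import hmac
import os
import string

# Assumption: a work factor roughly like what a password manager would configure.
ITERATIONS = 100_000

# Constructed wordlist standing in for the common-password lists attackers use.
COMMON_PASSWORDS = ["123456", "password", "princess", "qwerty",
                    "123456789", "letmein", "iloveyou", "admin"]


def derive_key(master: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master passphrase into a 256-bit key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy pseudo-random keystream.
    Illustration only; a real manager uses an authenticated cipher such as AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master: str, entries: dict) -> dict:
    """Encrypt {site: password} under the master passphrase; returns the vault file."""
    salt = os.urandom(16)
    key = derive_key(master, salt)
    plaintext = "\n".join(f"{site}:{pw}" for site, pw in entries.items()).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))
    # The tag lets the app (and an attacker) tell a correct passphrase from a wrong one.
    tag = hmac.new(key, ciphertext, "sha256").digest()
    return {"salt": salt, "iterations": ITERATIONS, "ciphertext": ciphertext, "tag": tag}


def open_vault(master: str, vault: dict):
    """Return the stored entries if `master` is right, otherwise None."""
    key = derive_key(master, vault["salt"], vault["iterations"])
    expected = hmac.new(key, vault["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    ks = keystream(key, len(vault["ciphertext"]))
    plaintext = bytes(c ^ k for c, k in zip(vault["ciphertext"], ks)).decode()
    if not plaintext:
        return {}
    return dict(line.split(":", 1) for line in plaintext.split("\n"))


def offline_dictionary_attack(vault: dict, wordlist):
    """Try each candidate against a copied vault file: no lockout, no rate limit.
    Returns (passphrase, guesses_used) on success, or (None, guesses_used)."""
    for guesses, candidate in enumerate(wordlist, start=1):
        if open_vault(candidate, vault) is not None:
            return candidate, guesses
    return None, len(wordlist)


def meets_master_policy(master: str) -> bool:
    """The post's rule: at least fifteen characters with upper, lower and special chars."""
    return (len(master) >= 15
            and any(c.islower() for c in master)
            and any(c.isupper() for c in master)
            and any(c in string.punctuation for c in master))


if __name__ == "__main__":
    stored = {"bank": "G7#pq2!mZr9vLx", "mail": "Wq4$nb8^Ht1sYe"}  # constructed entries
    for master in ("princess", "Velvet-Otter-Skates-Uphill!7"):
        vault = seal_vault(master, stored)
        found, tries = offline_dictionary_attack(vault, COMMON_PASSWORDS)
        print(f"{master!r}: policy ok={meets_master_policy(master)}, "
              f"attack result={found!r} after {tries} guesses")
```

Run it and ‘princess’ falls on the third guess while the long passphrase survives the whole list. Raising ITERATIONS makes every guess slower, for the attacker and for you, but it cannot rescue a passphrase that is already on the wordlist; only a passphrase the attacker has no reason to try does that. The same offline model applies to a browser’s saved-password store and to a passphrase-protected encryption key file.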

Password managers are great, whether on your computer, tablet, or phone. But you have to protect the data. Use a strong master password and password-protect the device with a (different) strong password. Tools such as password managers are just that: tools. Like so much in security, tools are great, but only if you configure and use them correctly.


To your safe computing,
John McDermott
