How to: Stay secure online with a password manager


Master password security
Many password manager applications combine two features that make for strong protection – namely, the ability to generate random and complex password strings, and the ability to automatically log the user into the service or site using those passwords.

Since you don’t have to remember each random string, each password can be as long and complex as you like, which adds greatly to the security of your access. And if the login process is being handled by the application then you don’t even have to know what the password is in the first place.

The one password that needs to be long, strong and complex, but very much known to you, is the master password; it acts as the encryption key to lock away all the others. A password manager is only ever as secure as this master password, so it needs to be a good one.

The idea of having to memorise a complex password of at least 12 characters, mixing upper and lower case, letters and numbers, and some special keyboard characters for good measure, sounds much worse than the reality. I use a master passphrase of more than 15 characters and change it every three months, yet have never once forgotten it.

The key, if you’ll excuse the pun, is to abandon the truly random approach here and go for something you’ll remember – but in a format that makes it difficult for a human to guess or for a machine to brute-force. You can combine words, with mixed cases and special characters in between, throw in a few numbers and still have something that’s memorable but almost uncrackable. For example, the easily recalled phrase “my car is a pocket rocket” could be turned into a strong passphrase with some misspelling and capitalisation, the addition of the numerals from your number plate and a couple of question marks, to give “?myKar13isaPokitRokit?”.

If the master password is your key to password file security, then encryption is the lock that protects that file. LastPass and 1Password, for example, encrypt your data locally on your device using the master password, so that any data that you store online in the cloud is already encrypted before it arrives.

Security matters
It’s a given when choosing a secure password manager that it should use a high level of data encryption. In practical terms, this means a minimum of 256-bit Advanced Encryption Standard (AES) or an equivalent algorithm. One common myth, which we touched on earlier, is that your passwords become vulnerable as soon as they’re stored in the cloud. The truth is that as long as your password data files are encrypted and protected by a secure master password – one that isn’t written down or reused elsewhere – then your passwords are safe even when stored online. In order to compromise them, an attacker would first have to compromise the password service, then crack the encryption protecting your password file. It really isn’t any riskier than if the password file were stored locally, as your laptop or USB drive could always be stolen; it’s the encryption that’s important.
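To make concrete what the previous two paragraphs describe (the master password acting as the key, and the vault being encrypted on the device before any copy reaches the cloud), here is an added example in Go; it is not code from LastPass, 1Password or this article. The master password is run through a slow key-derivation function (PBKDF2-HMAC-SHA256, implemented by hand from RFC 8018) to produce an AES-256 key, which then encrypts the vault with GCM so that a wrong master password or a tampered file is rejected outright; the function names, blob layout and the 600,000-iteration work factor are this example’s own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// PBKDF2 work factor: every guess at the master password costs this many HMAC-SHA256 calls.
const iterations = 600000

// vaultCipher derives an AES-256 key with PBKDF2-HMAC-SHA256 (RFC 8018, one 32-byte block) and wraps it in GCM.
func vaultCipher(master string, salt []byte) cipher.AEAD {
	prf := hmac.New(sha256.New, []byte(master))
	prf.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // U1 = PRF(salt || INT(1))
	u := prf.Sum(nil)
	key := append([]byte{}, u...)
	for i := 1; i < iterations; i++ { // T1 = U1 xor U2 xor ... xor U_iterations
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	block, _ := aes.NewCipher(key) // cannot fail: key is exactly 32 bytes
	gcm, _ := cipher.NewGCM(block) // cannot fail: AES has a 16-byte block
	return gcm
}

// Seal encrypts the vault on the device; the blob (salt || nonce || ciphertext+tag) is what gets uploaded.
func Seal(master string, vault []byte) ([]byte, error) {
	hdr := make([]byte, 28) // 16-byte random salt followed by 12-byte GCM nonce
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	return append(hdr, vaultCipher(master, hdr[:16]).Seal(nil, hdr[16:], vault, hdr[:16])...), nil
}

// Open reverses Seal; a wrong master password or a tampered blob fails GCM authentication instead of yielding garbage.
func Open(master string, blob []byte) ([]byte, error) {
	if len(blob) < 28+16 { // header plus at least the 16-byte GCM tag
		return nil, errors.New("vault blob too short")
	}
	return vaultCipher(master, blob[:16]).Open(nil, blob[16:28], blob[28:], blob[:16])
}
```

The fresh salt per Seal means two vaults protected by the same master password still get different keys, and the iteration count is what makes an offline guessing attack on a stolen blob slow.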

For the truly paranoid it’s possible to strengthen your password vault further. Some password managers – RoboForm and LastPass Premium, for example – allow for the use of biometrics, by way of a fingerprint reader, to replace the master password for access. Both LastPass (Premium) and KeePass support the use of YubiKey hardware two-factor authentication tokens. These can be purchased cheaply online, and provide a time-variant secure login code when the button on the USB stick is pressed, by simulating a USB keyboard. This 128-bit code is unique every time the device is used and, as such, can’t be copied and reused. It is basic security logic that adding a requirement for something you physically have (the YubiKey token) to something you know (your master password) considerably strengthens the access security to your password vault.

Password managers aren’t a magic bullet against those who would steal your data, and shouldn’t be regarded as a replacement for other essentials such as security software and large doses of common sense. The autofill function of a password manager can make it harder for malware to capture live login data (a keylogger will fail, since no keystrokes are being made), but it doesn’t make it impossible; a man-in-the-middle attack could still compromise your security once you’ve logged in.

All the same, software that makes it practical to use regularly changed, truly random and complex passwords is an incredibly powerful security tool – and one that’s increasingly becoming essential.


Source: Copyright © PC Pro, Dennis Publishing
Copyright © PC Authority, nextmedia Pty Ltd
