How to: Stay secure online with a password manager


Master password security
Many password manager applications combine two features that make for strong protection – namely, the ability to generate random and complex password strings, and the ability to automatically log the user into the service or site using those passwords.

Since you don’t have to remember each random string, each password can be as long and complex as you like, which adds greatly to the security of your access. And if the login process is being handled by the application then you don’t even have to know what the password is in the first place.

The one password that needs to be long, strong and complex, but very much known to you, is the master password: the key that encrypts all the others is derived from it, and nothing else stands between someone holding a copy of the vault and its contents. A password manager is only ever as secure as this master password, so it needs to be a good one.

The idea of having to memorise a complex password that’s at least 12 characters long, mixing upper- and lower-case letters, numbers and some special keyboard characters for good measure, sounds much worse than the reality. I use a master passphrase of more than 15 characters and change it every three months, yet have never once forgotten it.

The key, if you’ll excuse the pun, is to abandon the truly random approach here and go for something you’ll remember – but in a format that makes it difficult for a human to guess or a machine to brute-force. You can combine words, with mixed cases and special characters in between, throw in a few numbers and still have something that’s memorable but far beyond brute-force reach. For example, the easily recalled phrase “my car is a pocket rocket” could be turned into a strong passphrase with some misspelling and capitalisation, a couple of digits and a pair of question marks, to make it “?myKar13isaPokitRokit?”. Two cautions apply. The strength comes mostly from the length and from the base phrase being your own rather than a well-known one, not from the substitutions: cracking tools apply exactly these mangling rules to dictionaries of common phrases, song lyrics and quotations. And the digits should not be something an attacker can look up about you, such as your number plate or date of birth.
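To put numbers on the strength argument above, here is an added Go example (not code from the article): it draws a passphrase from a word list using the operating system’s cryptographic random source, reports the size of the guess space in bits, and converts that into the time an offline attacker would need at an assumed guessing rate. The word list in the program is a constructed stand-in; 7776 is the size of the EFF long word list, and the 1e5 guesses-per-second figure is an assumption standing for a GPU rig working against a slow key-derivation function.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Constructed stand-in for a real word list (the EFF long list has 7776
// entries); the words themselves don't matter, only the list size does.
var sampleWords = []string{
	"pocket", "rocket", "harbour", "velvet", "lantern", "thistle", "marble",
	"copper", "orbit", "tundra", "saddle", "quartz", "ember", "gravel",
	"walnut", "anchor",
}

// effListSize is the size of the EFF long word list (assumed constant).
const effListSize = 7776

// RandomPassphrase draws n words from list with the CSPRNG (crypto/rand, not
// math/rand): every word is chosen uniformly and independently, which is what
// makes the entropy estimate below honest.
func RandomPassphrase(list []string, n int) (string, error) {
	if len(list) < 2 || n < 1 {
		return "", fmt.Errorf("need a list of at least two words and n >= 1")
	}
	parts := make([]string, n)
	for i := range parts {
		idx, err := rand.Int(rand.Reader, big.NewInt(int64(len(list))))
		if err != nil {
			return "", err
		}
		parts[i] = list[idx.Int64()]
	}
	return strings.Join(parts, "-"), nil
}

// EntropyBits is log2 of the guess space for n uniformly chosen words from a
// list of listSize entries. A quotation with letter substitutions has no such
// floor: cracking tools try exactly those mangling rules against phrase lists.
func EntropyBits(listSize, n int) float64 {
	return float64(n) * math.Log2(float64(listSize))
}

// YearsToExhaust converts entropy into the time an offline attacker needs to
// try the whole space at guessesPerSecond; the vault's KDF limits that rate.
func YearsToExhaust(bits, guessesPerSecond float64) float64 {
	return math.Pow(2, bits) / guessesPerSecond / (365.25 * 24 * 3600)
}

func main() {
	p, err := RandomPassphrase(sampleWords, 6)
	if err != nil {
		panic(err)
	}
	fmt.Println("example passphrase:", p)
	// 1e5 guesses/s is an assumed rate for a GPU rig against a slow KDF.
	for _, n := range []int{4, 5, 6, 7} {
		bits := EntropyBits(effListSize, n)
		fmt.Printf("%d words from %d: %5.1f bits, %.3g years to exhaust at 1e5 guesses/s\n",
			n, effListSize, bits, YearsToExhaust(bits, 1e5))
	}
}
```

Six words from a 7776-entry list give about 77.5 bits, which at the assumed rate is on the order of 10^11 years; four words give about 51.7 bits, which is still hundreds of years but within reach of a patient, well-funded attacker if the vault’s key derivation is fast. The lesson is that the number of independent random choices, not clever spelling, sets the floor.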

If the master password is your key to password-file security, then encryption is the lock that protects that file. LastPass and 1Password, for example, encrypt your data locally on your device with a key derived from the master password, so that any data you store online in the cloud is already encrypted before it arrives, and the service never holds the key.

Security matters
It’s a given when choosing a secure password manager that it should use a high level of data encryption. In practical terms, this means the Advanced Encryption Standard (AES), typically with 256-bit keys, or an equivalent algorithm, paired with a deliberately slow key-derivation function (PBKDF2, scrypt or Argon2 with a high work factor) to turn the master password into the key. The second half matters as much as the first: nobody attacks AES itself. An attacker who obtains the encrypted file attacks it by guessing master passwords, and the derivation function sets how many guesses per second that allows. One common myth, which we touched on earlier, is that your passwords become vulnerable as soon as they’re stored in the cloud. The truth is that as long as your password data files are encrypted and protected by a secure master password – one that isn’t written down or reused elsewhere – then your passwords are safe even when stored online. In order to compromise them, an attacker would first have to compromise the password service, then guess your master password offline against the file they took. That is comparable to the risk of the file being stored locally, where your laptop or USB drive could always be stolen, with one difference worth noting: a breach of the service exposes every customer’s vault at once, and the weak master passwords in that pile are the ones that get found first. It’s the encryption, and the password feeding it, that matters.

For the truly paranoid it’s possible to strengthen your password vault further. Some password managers – RoboForm and LastPass Premium, for example – allow for the use of biometrics, by way of a fingerprint reader, in place of typing the master password for access; in practice the fingerprint releases a locally stored copy of the key rather than replacing the password as the secret the vault is encrypted with, so the password still has to be a good one. Both LastPass (Premium) and KeePass support the use of YubiKey hardware two-factor authentication tokens. These can be purchased cheaply online, and type a one-time login code when the button on the USB stick is pressed, by presenting themselves to the computer as a USB keyboard. The code is a 128-bit block (the key’s secret ID, a session counter, a timestamp and a press counter) encrypted with an AES key shared only with the validation service, so it is different every time, and a captured code is rejected if replayed because its counters no longer advance. It is basic security logic that adding a requirement for something you physically have (the YubiKey token) to something you know (your master password) considerably strengthens the access security to your password vault. Be clear, though, about what it strengthens: in most services the token gates login to your account, while the vault file itself stays encrypted under the master password alone, so an attacker who has already obtained a copy of the encrypted file still faces only that password; and a code relayed by a phishing page within seconds of being typed is still accepted once.
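The one-time code described above is the Yubico OTP format. As an added example (not Yubico’s validation-server code, and not part of the article), the Go program below implements the verifier’s side: modhex decoding, a single AES-128 block decryption with the key shared at enrolment, a CRC check that shows the decryption used the right key, and the counter comparison that makes a replayed code fail. A pressButton function stands in for the hardware so the validator can be exercised offline; the 16-byte key, public ID and private ID are constructed values, not real credentials.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"strings"
)

// modhex is Yubico's 16-letter alphabet, chosen to survive most keyboard layouts.
const modhex = "cbdefghijklnrtuv"

func modhexEncode(b []byte) string {
	out := make([]byte, 0, 2*len(b))
	for _, x := range b {
		out = append(out, modhex[x>>4], modhex[x&0x0f])
	}
	return string(out)
}

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := 0; i < len(s); i++ {
		v := strings.IndexByte(modhex, s[i])
		if v < 0 {
			return nil, errors.New("OTP contains a non-modhex character")
		}
		out[i/2] = out[i/2]<<4 | byte(v)
	}
	return out, nil
}

// crc16 is the checksum the YubiKey stores in the token (reflected 0x1021, init 0xFFFF).
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, x := range b {
		crc ^= uint16(x)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1)
		}
	}
	return crc
}

// encodeToken builds the 16-byte plaintext: private ID, session counter, 24-bit
// timestamp, session-use counter, random, complemented CRC of the first 14 bytes.
func encodeToken(privateID [6]byte, counter uint16, timestamp uint32, use uint8, random uint16) []byte {
	b := make([]byte, 16)
	copy(b, privateID[:])
	binary.LittleEndian.PutUint16(b[6:], counter)
	b[8], b[9], b[10] = byte(timestamp), byte(timestamp>>8), byte(timestamp>>16)
	b[11] = use
	binary.LittleEndian.PutUint16(b[12:], random)
	binary.LittleEndian.PutUint16(b[14:], ^crc16(b[:14]))
	return b
}

// pressButton stands in for the hardware: one AES-128 block encryption, typed as public ID + 32 modhex chars.
func pressButton(publicID string, block cipher.Block, token []byte) string {
	ct := make([]byte, 16)
	block.Encrypt(ct, token)
	return publicID + modhexEncode(ct)
}

type Validator struct {
	PublicID  string
	block     cipher.Block // AES-128 key shared only by this YubiKey and the server
	privateID [6]byte
	lastSeen  uint32 // counter<<8 | sessionUse of the last accepted OTP
}

// NewValidator enrols one key: its public ID, shared AES-128 key and private ID.
func NewValidator(publicID string, key []byte, privateID [6]byte) (*Validator, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &Validator{PublicID: publicID, block: block, privateID: privateID}, nil
}

// Validate decrypts the OTP and requires the counters to have moved on, which is
// why a captured code fails on replay even though it still decrypts correctly.
func (v *Validator) Validate(otp string) error {
	if len(otp) != len(v.PublicID)+32 || !strings.HasPrefix(otp, v.PublicID) {
		return errors.New("unknown key or malformed OTP")
	}
	ct, err := modhexDecode(otp[len(v.PublicID):])
	if err != nil {
		return err
	}
	pt := make([]byte, 16)
	v.block.Decrypt(pt, ct) // a single block, so no cipher mode is involved
	if binary.LittleEndian.Uint16(pt[14:]) != ^crc16(pt[:14]) || string(pt[:6]) != string(v.privateID[:]) {
		return errors.New("wrong AES key, wrong private ID or corrupted OTP")
	}
	seen := uint32(binary.LittleEndian.Uint16(pt[6:8]))<<8 | uint32(pt[11])
	if seen <= v.lastSeen {
		return errors.New("replayed OTP: counters did not advance")
	}
	v.lastSeen = seen
	return nil
}
```

Enrol a key with NewValidator, generate a code with pressButton and feed it to Validate: the first use is accepted, the identical string a second time is rejected, the next press in the same session (session-use counter advanced) is accepted, and a code from an earlier session is rejected. The replay defence lives entirely in lastSeen: the code carries no expiry, so a server that failed to persist the counters would accept replays. What the check cannot do is tell a relayed code from a fresh one, which is why a phishing page that forwards the code immediately still gets in once.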

Password managers aren’t a magic bullet against those who would steal your data, and shouldn’t be regarded as a replacement for other essentials such as security software and large doses of common sense. The autofill function of a password manager can make it harder for malware to capture live login data (a keylogger will fail, since no keystrokes are being made), but it doesn’t make it impossible: malware already on the machine can read the filled-in form or hijack the session once you’ve logged in, and a man-in-the-middle between you and a site that isn’t using TLS properly sees the password regardless. Autofill does give you one extra defence if you use it strictly: a manager that only fills a login on the exact site it was saved for will stay silent on a look-alike phishing domain, and that silence is a warning to heed rather than a prompt to type the password in by hand.

All the same, software that makes it practical to use regularly changed, truly random and complex passwords is an incredibly powerful security tool – and one that’s increasingly becoming essential.


Source: Copyright © PC Pro, Dennis Publishing
Copyright © PC Authority, nextmedia Pty Ltd
