As technology professionals, we make password demands that can feel unreasonable. We want you to:
1. Use a strong password.
2. Set unique passwords for every service you use.
3. Reset all of your passwords frequently.
4. Never reuse a password.
5. Never write any of these passwords down anywhere.
Of course, we have really good reasons for all of these requirements! For instance, in the table below, you can see how long it would take to “crack” a password based on its length and composition. Your passwords are the virtual keys to much of your online life; it is critical that they not wind up in the hands of anyone else.
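The length-and-composition relationship that the crack-time table describes, worked through as an added example (not code from the original page): it estimates the alphabet a password draws from, the resulting search space, and the worst-case time to exhaust that space at an assumed rate of ten billion guesses per second (a constructed figure for illustration, not a measurement).

```python
import math
import string

# Assumed attacker guess rate for an offline attack on a leaked hash database.
# A constructed illustrative figure, not a measured one.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

# Character classes that make up the "composition" axis of the table.
CLASSES = [
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
]

def alphabet_size(password: str) -> int:
    """Size of the alphabet the password draws from: every class it uses
    contributes its whole class; any other character (space, non-ASCII) adds one."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    others = {c for c in password if not any(c in cls for cls in CLASSES)}
    return size + len(others)

def keyspace(password: str) -> int:
    """Candidates an exhaustive search over this alphabet and length must cover."""
    return alphabet_size(password) ** len(password)

def entropy_bits(password: str) -> float:
    """Search space expressed in bits (log2 of the keyspace)."""
    return math.log2(keyspace(password))

def worst_case_crack_seconds(password: str, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Seconds to enumerate the whole keyspace at the given rate. This is an upper
    bound for brute force; a dictionary word falls in a fraction of this time."""
    return keyspace(password) / rate

def human_duration(seconds: float) -> str:
    """Render a duration in the largest sensible unit, e.g. '20.9 seconds'."""
    for name, span in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.1f} {name}"
    return f"{seconds:,.1f} seconds"

if __name__ == "__main__":
    # Constructed sample passwords of increasing length and composition.
    for pw in ("password", "Passw0rd", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{pw!r:32} alphabet={alphabet_size(pw):3} bits={entropy_bits(pw):5.1f} "
              f"brute force <= {human_duration(worst_case_crack_seconds(pw))}")
```

The figures are an upper bound for pure brute force only; a password built from a dictionary word or a common pattern is found far sooner, which is why the page's advice to use a generator matters more than the arithmetic alone suggests.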
The burden of producing and remembering passwords only increases with each passing year. Even with the advent of biometric authentication (such as fingerprint scanners on mobile devices) and two-factor authentication, passwords will remain a crucial part of your online identity and security practices for years to come.
One technical solution to this problem is a software product called a password manager. In short, these are programs that handle all of your passwords for you.
Password managers do more than just keep passwords. They help you create strong passwords for all of your various websites and devices. They can automatically authenticate for you and even perform advanced, macro-like log-ins. They help you organize all of your credentials and track their changes over time. You can store encryption keys, secure notes, and files. You can use them to keep up with your personal information, credit card numbers, account numbers, and PIN codes. Password managers are like digital vaults: they can hold a variety of information, and everything inside is encrypted and protected from others.
The password manager usually consists of an app for your phone or mobile device, and some online service that you can use if you do not have your device.
Some password managers let you store the password database locally. The database is encrypted, so even if someone were to obtain the database file, its contents would remain protected as long as they did not have your Master Password. If you choose a stand-alone password manager, make sure to keep good backups of the file. You can keep them online with a storage service, but we recommend that you enable multi-factor authentication for your online storage provider to protect the database file. And if you use a cloud-based password manager, make sure to enable multi-factor authentication for it as well.
It is very important to choose a strong Master Password (AKA the Password of Passwords) and to keep it secure. Only log in to online password managers from trusted computers (keep away from public labs, hotel lobbies, and other shared computers), and make sure to change the master password periodically. Since you only have to remember this one password, make it a good one. Here is a website that can help you create a secure and memorable master password:
If this sounds like a lot of trouble, consider that you can migrate to the password manager over time. It does not have to be all at once. Each time you log into a website, you can update your password manager. Ideally, this is a good time to change the website password as well (use the password manager generator to help).
See the IT Security Website for more information and password manager recommendations.