According to the U.S. Department of Homeland Security (DHS), strong passwords and multi-factor authentication are key to maintaining information security. The strongest passwords are composed of upper- and lower-case letters, special characters, and numbers. Long and unpredictable passwords are ideal, and according to DHS, these passwords should not include any words that “can be found in any dictionary of any language.” In addition, these passwords should be unique to each site, and they should be changed regularly, especially after a suspected security breach. Further, writing down passwords is in itself a security vulnerability, unless the password document itself is secured.
These are great recommendations, but as any user knows, memorizing dozens of unique and complicated passwords can be a daunting task. Without a good system in place for safely storing passwords, users may find that they frequently forget and need to reset passwords, perhaps opting for less-secure but easier-to-remember passwords.
According to WashU Information Security Manager, Brian Allen, “a good password manager will keep separate passwords and login information for all your different accounts.” Allen says, “I have over two hundred accounts in my password manager accumulated over the last ten years or so. For the most part, each one has a different password, so if one account gets compromised (like Linkedin in 2012), then the rest of your accounts are not at risk.”
Although WashU does not yet offer an enterprise solution to these password woes, many in the WashU community are already using tools to manage and secure passwords simultaneously. We asked IT professionals from across our campuses about their experiences in using these tools. Below, please find valuable insights offered by Ben Geers (senior director of computing and IT services, McKelvey School of Engineering), Brett McFadden (information security analyst), and Quint Smith (information security communications).
Ben Geers, senior director of computing and IT services, McKelvey School of Engineering
Q. Which password management solution do you use?
A. 1 Password
Q. On which devices does this solution work?
A. MacOS, iOS, Windows, Android, Linux, Chrome OS, Command Line
Q. How much user configuration (and technical know-how) is needed to set up this solution?
A. Not much.
Q. Was there a cost involved with this solution?
A. Yes, we have the Teams version, which is $3.99 per user per month.
Q. How did you choose the manager that you use? Which characteristics were important to you?
A. We were using KeePass, but it was local and really single user. I had been using 1Password on a personal basis, so we elected to start there. Characteristics: Secure, multi-user, cross-platform access, ability for two-factor authentication.
Q. Why should a person use a password manager? What are the advantages from a security perspective? What are the advantages from an ease-of-use and setup perspective?
A. The ability to auto-generate secure, random passwords across systems and have a secure place to store and, when necessary, share those passwords.
Q. Has anything surprised you about how you use your password manager? Do you find it to be useful in ways you didn’t predict?
A. It provides a good inventory of the systems that we have in place.
Q. Can a password manager help users learn better habits and secure their disparate accounts?
A. Sure.
Q. Is there anything you think a user should know or do when setting up a password management solution?
A. Start slowly and just get what you have into it. Once you are more familiar you can start to update passwords to make them more secure.
Q. Is using a password manager enough to secure accounts? Are their additional protections that should be in place?
A. 2FA
Q. Can a password manager help identify and implement any necessary additional protections?
A. 1Password does scan breach databases to let you know if an account or password has been compromised.
Brett McFadden, information security analyst, Office of Information Security
Q. Which password management solution do you use?
A. I currently use LastPass as my password management solution.
Q. On which devices does this solution work?
A. LastPass can work on your internet browsers as an extension. You can download the browser extension by going to LastPass’ website. There is also an application for iOS and Android to save passwords and use passwords on the go. The platforms that support the use of LastPass are PC, MAC, iOS, and Android.
Q. How much user configuration (and technical know-how) is needed to set up this solution?
A. There is minimal technical knowhow needed to install the browser extension as well as minimal technical knowhow needed to install the application onto your mobile device.
Q. Was there a cost involved with this solution?
A. LastPass is free.
Q. How did you choose the manager that you use? Which characteristics were important to you?
A. I chose LastPass because it was a free password management solution that offered a unique password generator.
Q. Why should a person use a password manager? What are the advantages from a security perspective? What are the advantages from an ease-of-use and setup perspective?
A. Everyone should use a password manager to secure all of their passwords and other things they want to secure. This goes for passwords, driver’s license numbers, social security numbers, passport information, insurance information, and much more. One of the advantages of having a password manager like LastPass is that you won’t need to remember all of your passwords, but just remember one strong password. This ties into another advantage of discouraging people from reusing old passwords for new accounts. This password manager offers a uniquely generated password for each new account that is being made. The main advantage of setting up LastPass for me would be the ease of access to my password and other secure items. I can log into my account and then have the information wherever and whenever I need it. On the computer, on my mobile device, and on my internet browser are a few places where I would need my passwords and can easily get to them.
If someone were to save all their accounts that they use within a password manager, it would be easy to know when you have created the account, what website the account is listed, and if they share the same passwords between accounts. The best thing about a password manager is that you can understand where you could be using the same password for different accounts. Sharing the same password for multiple accounts is a bad idea because if your information is compromised from a data breach within one website and you use the same password form that website with everything else, that means all of your other accounts could be compromised. The best thing to do is to use a uniquely generated password for each account, and a password manager would store these passwords so you wouldn’t need to remember them all.
Q. Has anything surprised you about how you use your password manager? Do you find it to be useful in ways you didn’t predict?
A. The most surprising thing with LastPass is that it can store other information other than passwords and can organize all the information I need to secure.
Q. Can a password manager help users learn better habits and secure their disparate accounts?
A. Yes! The best thing about password managers, like LastPass, is that it can teach users how to use a unique password for each account that is used. Using unique passwords for each account is very important because if a user were to use the same password for everything, and if that password were to be leaked out via a data breach, that means all of the accounts used by the user are now considered potentially compromised.
Q. Is there anything you think a user should know or do when setting up a password management solution?
A. They should know what they are wanting out of a password manager and should do their own research into which password management solution they would want.
Q. Is using a password manager enough to secure accounts? Are their additional protections that should be in place?
A. Using a password management solution is not enough to secure accounts. While having a secure place to put your password is great, the strength of the password being used and if the account has two-factor authentication is also very important. A strong password would usually have no less than 12 characters, have at least one lowercase and one uppercase letter, at least two numbers, and at least two special characters. Two-factor authentication is sometimes offered from websites to double-check that the user logging into the account is really the person that is supposed to be able to log into the account.
Q. Can a password manager help identify and implement any necessary additional protections?
A. A password manager can help identify if a user is using the same password in multiple accounts, and if the password being used is weak or strong.
Q. Is there any additional information about password management or managers that you would like to add?
A. Password management solutions are very helpful when trying to store information that you would like to secure. It can store uniquely generated passwords within it in so that users won’t have to remember their passwords or other information that needs to be secured.
Quint Smith, information security communications, Office of Information Security
Q. Which password management solution do you use?
A. 1 Password
Q. On which devices does this solution work?
A. MacOS, iOS, Windows, Android, Linux, Chrome OS, Command Line
Q. How much user configuration (and technical know-how) is needed to set up this solution?
A. Very little.
Q. Was there a cost involved with this solution?
A. Yes. We use the family plan. That plan costs $60 per year for up to five family members.
Q. How did you choose the manager that you use? Which characteristics were important to you?
A. I was looking for the most full-featured, modern solution. The cost was less of a consideration than ease-of-use, security, reputation, and compatibility with all of the platforms that we use.
Q. Why should a person use a password manager? What are the advantages from a security perspective? What are the advantages from an ease-of-use and setup perspective?
A. There are many advantages to using a password manager. I didn’t fully understand the many benefits of using a password manager until I took the plunge and signed up for the paid version of 1 Password. Up until that point, many of my accounts were using old and recycled passwords. 1 Password helped me develop an understanding of best practices in passwords and start putting those practices into action across my accounts.
Q. Has anything surprised you about how you use your password manager? Do you find it to be useful in ways you didn’t predict?
A. There were some pleasant surprises! I discovered I could store more than just passwords. I store all kinds of sensitive information in 1 Password, including credit card numbers, insurance cards, and passport information. I am confident that my data are secured because 1 Password also features Watchtower, which alerts me to any unexpected password vulnerabilities. In addition, the 1 Password platform features end-to-end encryption, which ensures that I’m the only person who has access to this important information.
Q. Can a password manager help users learn better habits and secure their disparate accounts?
A. I regularly check the 1 Password audits of my passwords using Watchtower. Using 1 Password has helped me to understand and implement a number of best practices in security.
Q. Is there anything you think a user should know or do when setting up a password management solution?
A. Do your research to ensure that the solution you choose does everything that you want it to do and works on all of the platforms that you use. Also, don’t be afraid to invest a little money in getting a good password manager. For several years, I knew about 1 Password but didn’t sign up because of the subscription model. Now that I have incorporated 1 Password into my daily life and my workflow, I can honestly say that it’s the best money I’ve ever spent on a subscription.
Q. Is using a password manager enough to secure accounts? Are their additional protections that should be in place?
A. The password manager is only as good as the user makes it. The passwords should be strong, and multi-factor authentication should also be used whenever it is available. 1 Password made all of this easy for me by providing the Watchtower auditing service and a handy password generator that allows me to customize my passwords for various system requirements.
Q. Is there any additional information about password management or managers that you would like to add?
A. I was resistant to using one of these services for years. Now that I use a password manager, I can’t live without it. It is the most important tool in my digital arsenal in both my home and work life.
After publishing this article, we received the following tip from Otto Bartsch from the School of Law about how users can fortify their security around secret/personal question fields using a password manager.
“When using a manager, you can also leverage your security questions, making them impossible to socially engineer. When I am setting up my login within 1Password, I add a section for “Security questions” and then put each one in as a “password” type. You can edit the “label” for each item (e.g. Mother’s Maiden name). Then use the password generator to come up with something like cm2s*GiRcbkwG3CapwzK9.wt (not actually one of mine). Repeat for each additional personal question. You won’t be reusing information within a login nor across your logins, and no amount of asking questions or social media searching would turn up the correct response.”