
Password Managers



We've spoken a little about passwords, and the importance of making and keeping them safe and secure. As touched on in a previous article, there are a few things you can do to reduce the risk to your passwords. We are told to create a password that contains special characters, numbers and capital letters. Some added tips would be to avoid using dictionary words, use length over complexity, and use a different password for each service.


The last one on that list seems to be the tough one for most people. An average person uses a password for around 50 services. Is there a chance you'll remember all of those passwords? People try to work around it by altering a password slightly for each service (e.g. Password1, Password2, Password3 etc). Technically, you are in fact using a different password for each site. However, by doing it this way, you are making yourself more predictable, and thus increasing the risk of a hack. In essence, this system has the same security level as using the same password for everything - very low!
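The point about predictable variations, as an added example (not part of the original article): a short Python audit that reduces each password to the stem a person would actually remember and flags services whose passwords share one. The function names, the substitution table and the sample vault are assumptions constructed for illustration; the two random-looking entries are the strong passwords quoted in this article.

```python
import re
from collections import defaultdict

# Common character swaps people use to "vary" a password (assumed, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def base_form(password: str) -> str:
    """Reduce a password to the stem its owner would remember."""
    lowered = password.lower()
    # Drop counters and punctuation tacked on to either end (Password1, Password2!).
    stem = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered)
    if not stem:
        # Nothing but digits/symbols: keep it whole so such passwords do not all merge.
        return lowered
    # Undo substitutions inside the word (p4ssw0rd -> password).
    return stem.translate(LEET)


def find_variant_groups(vault: dict[str, str]) -> dict[str, list[str]]:
    """Return each shared stem with the services whose passwords reduce to it."""
    groups = defaultdict(list)
    for service, password in vault.items():
        groups[base_form(password)].append(service)
    return {stem: sorted(svcs) for stem, svcs in groups.items() if len(svcs) > 1}


# Constructed sample vault: three "different" passwords and two random ones.
SAMPLE_VAULT = {
    "email": "Password1",
    "bank": "Password2",
    "shop": "P4ssw0rd3!",
    "forum": "hYf5i1sZ*CZW7oU",
    "cloud": "d#%$*gxsIPUK43$",
}

if __name__ == "__main__":
    for stem, services in find_variant_groups(SAMPLE_VAULT).items():
        print(f"{len(services)} services share the stem {stem!r}: {', '.join(services)}")
```

Once one of the three grouped passwords is exposed, the other two are only a counter or a character swap away, which is why they count as one password for risk purposes.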


Remembering completely different passwords can be very difficult. For example, hYf5i1sZ*CZW7oU, d#%$*gxsIPUK43$ - there are only two strong passwords there, and it seems almost impossible to remember them exactly. Granted, these passwords don't seem to have any relevance to daily life, which would make it trickier. But even when using things like children's names, it can be hard to remember which name one uses for which service. After asking around, we've discovered that some people write them down in a notepad, but this does leave you at risk again.


And so we come to Password Managers. There are a number of these available to you, most of which are free. The idea behind these is that you only need one 'master' password for all your sites. Simply log into your password manager, and you are then able to log in to any service you have saved. There is no need to remember all your passwords, as the manager does it for you.

So what are the risks? It can be argued that it's a bad idea to put all of your eggs in one basket. However, accessing your information is no easy task for intruders. The example here is LastPass.



The system has been built so that the company itself does not hold the key to your account. Sensitive data is encrypted at the device level with AES-256 before syncing over TLS, to protect against 'man-in-the-middle' attacks and ensure complete security in the cloud. For all the 'non-technical' people, this basically means that every time you enter details into your account, they are not recorded as plain text, so hackers simply aren't able to read them. Creating your account with a strong master password will locally generate a unique encryption key. Your data is encrypted and decrypted at the device level, so it is never sent as plain text to LastPass' servers.


In effect, the only way someone will gain access to your data is by using your master password. However, they have added another level of security here too, as you can activate Two-Factor Authentication (highly recommended!).


As mentioned, there are a number of providers for this service - LastPass, Dashlane, 1Password, KeeperSecurity, TrueKey. If you are interested in the idea of it, feel free to find the right one for you.

If you have any questions on these, don't hesitate to get in touch.