I use a password manager, and it currently holds more than 150 accounts, ranging from my checking account and other personal items to logins for MSDN, various client VPNs, and more. Almost all of the passwords are unique. Ideally all of them would be, but occasionally I trade a little security for ease of use. Most of them are strong passwords, mostly generated by the app. Earlier this week I spent an hour reviewing and pruning those accounts, deleting some I no longer use and, where possible, closing the accounts they were associated with as well. Next week I’ll check for duplicate passwords and fix the ones I think need fixing.

Password managers are more than just a convenience. If a web site you use is breached and credentials leak, being able to quickly assess your risk level matters. You want to see what other places use the same password, and you want to see where you’re using your email address as your ID (probably a lot of places). There’s no good way to do that without keeping the list as you go.
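The audit described above, as an added example that is not part of the original post: it reads a generic CSV export (title, username, password; the sample rows are constructed, not real accounts) and reports duplicate-password groups, email-as-ID logins, and which sites to change first when one site is reported breached, without echoing the passwords themselves.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export in the generic title/username/password shape
# most managers can produce. Entries are made up for illustration.
SAMPLE_EXPORT = """title,username,password
Bank,andy@example.com,Tr0ub4dor&3
MSDN,andy@example.com,correct horse battery staple
Client VPN,avance,Tr0ub4dor&3
Forum,andy@example.com,Tr0ub4dor&3
Phone carrier,andy,x9!Lm2#qv
"""


def parse_export(text):
    """Parse a CSV export with title/username/password columns into dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def duplicate_passwords(entries):
    """Return groups of titles that share a password (sorted, so the result
    is stable). The passwords are deliberately not included in the report."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["title"])
    groups = [sorted(t) for t in by_password.values() if len(t) > 1]
    return sorted(groups)


def email_logins(entries):
    """Titles where the login ID is an email address (a leak of that
    address lets an attacker try it at every one of these sites)."""
    return sorted(e["title"] for e in entries if "@" in e["username"])


def breach_exposure(entries, leaked_site):
    """For a site reported breached, list the other sites sharing its
    password (change these first) and whether the leaked ID was an email.
    Returns None if the site is not in the export."""
    leaked = [e for e in entries if e["title"] == leaked_site]
    if not leaked:
        return None
    pw = leaked[0]["password"]
    others = sorted(e["title"] for e in entries
                    if e["password"] == pw and e["title"] != leaked_site)
    return {"change_first": others, "email_as_id": "@" in leaked[0]["username"]}


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("duplicate groups:", duplicate_passwords(rows))
    print("email logins:", email_logins(rows))
    print("if Forum leaks:", breach_exposure(rows, "Forum"))
```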
Plenty of options to pick from, free and paid, local and online:
- Top 10 Password Managers (InformationWeek)
- Which Password Manager Is Most Secure (Lifehacker)
- Some Password Managers are Safer Than Others (PCWorld)
- The Best Password Managers (PC Magazine)
I’m always aware of the risk embodied in such a central store. If it’s compromised, someone would have essentially unlimited access to everything – credit cards, checking account, retirement, phone, etc., etc., etc. In the scheme of things, having the app is a risk worth taking, but choose your password manager based on how you see the world – do you manage it locally only, or use one with an online data store? Whichever path you take, get one that will automatically capture and enter credentials – it’s the only way it will get used often enough to be worth doing (in my view). Definitely check whether there is an option to enable two-factor authentication. Finally, my rule is to never open the file on a computer I don’t trust – I trust my laptop at home, my laptop at work, and my phone.
Andy – I use a password manager myself (1Password for personal use and KeePass for work), but I am having second thoughts after I recently read a study called “Password Managers Exposing Passwords Everywhere”, which shows how password managers with browser extensions can be exploited. http://isecpartners.github.io/whitepapers/passwords/2013/11/05/Browser-Extension-Password-Managers.html
Just gave it a quick read. Thanks for that link; I’ll do a quick follow-up post to call it out.
What happens to the data if the password managing software company goes bust?
Steve, a fair question and one I can’t totally answer. I always have a local copy of my data so I wouldn’t lose it. Unclear how much pain would be involved in migrating to some other password manager. Definitely no way to guarantee what happens to the data on the server. The one I use claims to only store an encrypted copy.