Why Password Managers are Important and How To Use Them
It seems that no matter what job, role, or position you have in technology, one thing will always stay the same: users will inevitably forget their passwords, and you will have to spend your morning sipping coffee and resetting them. Now, it’s not entirely their fault. Everyone is human, and sometimes we just can’t remember whether we made our password GuitarHero18 or guitarhero17. But wouldn’t it be great if there was something that securely kept all of our passwords in one place? Thankfully there is a solution: password managers.
Password managers are extensions, applications, or software that store a list of passwords and logins for websites and help users log in to their accounts automatically. This works through the use of a master password. The master password is the one password the user enters to unlock the vault that all the other passwords and logins are stored behind. Having this vaulted system of storage means that account passwords and logins are stored encrypted instead of in plain text, which keeps them private and secure. The beauty of this solution is that the user only has to remember the master password to access all of their accounts instead of every individual password for those accounts. The vault can be synchronized between devices as well, so whether the user is on their laptop, phone, or anything else, they have all of their passwords and accounts at their fingertips. This versatility and flexibility allows for longer, more complex password requirements as well as enforced MFA (Multi-Factor Authentication) without adding additional requirements for the user to follow or remember.
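To make the "encrypted vault behind one master password" idea concrete, here is an added, illustrative vault in Python using only the standard library. It is not the code or file format of any real password manager; it assumes PBKDF2-HMAC-SHA256 for stretching the master password into keys and an HMAC-SHA256 keystream with encrypt-then-MAC for sealing the entries (a construction chosen for having no external dependencies; shipping products use vetted AEAD ciphers such as AES-GCM). The site, username and password values are constructed sample data.

```python
import hashlib
import hmac
import json
import os

# Illustrative vault construction (added example, not any product's format):
# PBKDF2-HMAC-SHA256 stretches the master password into two keys, an
# encryption key and a MAC key; entries are sealed with an HMAC-SHA256
# keystream (CTR style) and authenticated with encrypt-then-MAC.
ITERATIONS = 200_000  # work factor; real managers raise this over time


def derive_keys(master_password, salt):
    """Stretch the master password into (enc_key, mac_key), 32 bytes each."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                   salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key, nonce, length):
    """Produce `length` keystream bytes as HMAC(enc_key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(keys, plaintext):
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = keys
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(keys, blob):
    """Verify the tag before decrypting; a wrong master password fails here."""
    enc_key, mac_key = keys
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault tag mismatch: wrong master password or tampered vault")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def create_vault(master_password, entries):
    """Encrypt {site: {"username": ..., "password": ...}} under the master password."""
    salt = os.urandom(16)
    blob = seal(derive_keys(master_password, salt), json.dumps(entries).encode("utf-8"))
    return {"salt": salt, "blob": blob}  # only this (no plaintext) would be written to disk


def open_vault(master_password, vault):
    """Unlock the vault; returns the entries or raises ValueError on a wrong master password."""
    plaintext = unseal(derive_keys(master_password, vault["salt"]), vault["blob"])
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample entries (not real credentials).
    entries = {"grades.example.org": {"username": "alice", "password": "Dg4moe!Tf"}}
    vault = create_vault("correct horse battery staple", entries)
    print("plaintext password visible in vault file:", b"Dg4moe!Tf" in vault["blob"])
    print(open_vault("correct horse battery staple", vault))
    try:
        open_vault("wrong-master-password", vault)
    except ValueError as err:
        print("unlock failed:", err)
```

The two properties worth noticing are that the stored blob never contains the plaintext, and that a wrong master password is rejected by the authentication tag before any decryption happens, so a stolen vault file is only as weak as the master password and the work factor used to stretch it.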
One of the benefits of password managers is that they can automatically generate passwords that satisfy the security settings being enforced. This means we can keep our district more secure by eliminating common or weak passwords, simply by having the password manager generate a random password for each account. A popular technique that malicious actors use to get users’ passwords is password spraying. Password spraying is when a malicious actor tries a few commonly used passwords against a large number of usernames. Because each account sees only a few failed attempts, this avoids triggering account lockouts or alerts on high password failure counts. The worst part about this technique is that it actually works. Some common passwords you may find on a password spraying list are Password1, Spring2021, or 12345678.
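Because spraying keeps the failure count per account low, a per-account lockout policy alone does not see it; the signal is one source failing against many different accounts. The following added detection example (not from the article or any vendor) runs over a constructed authentication log and flags a source that fails against many users while staying under the lockout threshold for each; the log format, field names and IP addresses are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from any real system). The first
# source tries a couple of guesses against many accounts (spraying, with one
# success); the second hammers a single account (classic brute force, which
# account lockout does catch); the last is an ordinary user typo.
SAMPLE_LOG = """\
2021-03-01T08:00:01Z src=203.0.113.7 user=alice result=FAIL
2021-03-01T08:00:02Z src=203.0.113.7 user=bob result=FAIL
2021-03-01T08:00:03Z src=203.0.113.7 user=carol result=FAIL
2021-03-01T08:00:04Z src=203.0.113.7 user=dave result=FAIL
2021-03-01T08:00:05Z src=203.0.113.7 user=erin result=FAIL
2021-03-01T08:00:06Z src=203.0.113.7 user=frank result=FAIL
2021-03-01T08:05:01Z src=203.0.113.7 user=alice result=FAIL
2021-03-01T08:05:02Z src=203.0.113.7 user=bob result=FAIL
2021-03-01T08:05:03Z src=203.0.113.7 user=carol result=OK
2021-03-01T08:10:00Z src=198.51.100.9 user=grace result=FAIL
2021-03-01T08:10:01Z src=198.51.100.9 user=grace result=FAIL
2021-03-01T08:10:02Z src=198.51.100.9 user=grace result=FAIL
2021-03-01T08:10:03Z src=198.51.100.9 user=grace result=FAIL
2021-03-01T08:10:04Z src=198.51.100.9 user=grace result=FAIL
2021-03-01T08:10:05Z src=198.51.100.9 user=grace result=FAIL
2021-03-01T08:15:00Z src=192.0.2.44 user=heidi result=FAIL
2021-03-01T08:15:09Z src=192.0.2.44 user=heidi result=OK
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>\S+)")


def summarize_by_source(lines):
    """Per source: failure count per user, and the set of users it logged in as."""
    failures = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        if m["result"] == "FAIL":
            failures[m["src"]][m["user"]] += 1
        elif m["result"] == "OK":
            successes[m["src"]].add(m["user"])
    return failures, successes


def detect_spray(lines, min_users=5, lockout_threshold=5):
    """Flag sources that fail against many users while staying below the lockout threshold."""
    failures, successes = summarize_by_source(lines)
    alerts = {}
    for src, per_user in failures.items():
        worst = max(per_user.values())
        if len(per_user) >= min_users and worst < lockout_threshold:
            alerts[src] = {
                "distinct_users": len(per_user),
                "max_failures_per_user": worst,
                # accounts the sprayer failed on and then logged in to: reset these first
                "compromised": sorted(successes.get(src, set()) & set(per_user)),
            }
    return alerts


def users_over_lockout(lines, lockout_threshold=5):
    """What a per-account lockout policy on its own would notice."""
    failures, _ = summarize_by_source(lines)
    totals = defaultdict(int)
    for per_user in failures.values():
        for user, n in per_user.items():
            totals[user] += n
    return sorted(u for u, n in totals.items() if n >= lockout_threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("lockout policy alone sees:", users_over_lockout(lines))
    print("spray detection sees:", detect_spray(lines))
```

In the sample, the lockout rule only catches the brute force against one account, while the spray source (six accounts, at most two failures each, one eventual success) is invisible to it and is exactly what the per-source view surfaces.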
Recently in the news, there was a very high-profile hack that targeted the SolarWinds software company. While doing forensics work after the hack to determine the cause of the breach, investigators found that a weak password had been compromised and used to gain initial access: solarwinds123. This is a very weak password that was more than likely hit by password spraying. Again, it cannot be stated enough that attackers use these methods because they work. But by providing a password manager for the users in the district, we can avoid common passwords and protect against password spraying simply by having the password manager create a randomized password for every user account. We can eliminate weak spots in our security posture simply by giving users tools that help them develop better security habits and hygiene.
A really cool way to check password strength is Security.org’s How Secure Is My Password? tool. This tool analyzes the number of characters, the character classes used, and the uniqueness of the password to calculate how quickly an attacker might be able to crack (systematically guess the password by testing candidates against its stored, hashed or encrypted form) the given password. As an example of how randomness can help the strength of a password, let’s compare two different passwords of the same character length, Summer2021 and Dg4moe!Tf. Summer2021 technically meets the most basic password complexity requirements but would only take roughly 7 months to crack and is likely to be hit by malicious actors when password spraying. On the other hand, the randomly generated password Dg4moe!Tf would take roughly 5 years to crack and is incredibly unlikely to be used by malicious actors when password spraying.
Password managers also allow for longer password requirements, as the user no longer needs to remember 20 different passwords but rather just the one master password. Using the same How Secure Is My Password? tool, we can see how length affects the strength of a password. By generating random passwords of both 8 characters, the most basic security policy enforced, and 16 characters, recommended by most security professionals, we can see how length makes a difference in password strength. The 8-character password, LqK1&E1P, would take roughly 8 hours to crack, whereas the 16-character password, UsinK%IXOsyfFSz5pyP4, would take roughly 1 trillion years to crack. It doesn’t take an expert to see that password managers allow us to create the strongest passwords possible by adding complexity through length and randomization, without having users remember increasingly complex passwords.
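The two comparisons above (randomness versus a dictionary-style password, and 8 versus 16 characters) both come down to how many guesses an attacker has to make. The following added example, which is not part of the article and not the code of the Security.org tool, generates passwords the way a manager does (from a cryptographically secure random source, rejecting candidates that miss a required character class) and computes the entropy and expected guessing time for a given length. The alphabet, the symbol set and the guess rate of ten billion guesses per second are assumptions for the example; the tool uses its own rate, so its figures will differ, but the ratio between lengths is what matters.

```python
import math
import secrets
import string

# Assumed alphabet for generated passwords: 26 + 26 + 10 + 25 = 87 symbols.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
ALPHABET = "".join(CLASSES)


def missing_classes(password, alphabet=ALPHABET):
    """Character classes present in `alphabet` that `password` does not use."""
    return [cls for cls in CLASSES
            if set(cls) & set(alphabet) and not set(cls) & set(password)]


def generate_password(length=16, alphabet=ALPHABET):
    """Uniformly random password from the CSPRNG; resample until every class is present.

    Rejection sampling keeps the result uniform over the accepted set, unlike
    'pick one of each class then shuffle', which biases the distribution.
    """
    if length < len(CLASSES):
        raise ValueError("password too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not missing_classes(candidate, alphabet):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to hit a uniformly random password: half the keyspace / guess rate."""
    return (2.0 ** bits) / 2 / guesses_per_second


def crack_time_years(length, guesses_per_second=1e10):
    """Assumed rate: 1e10 guesses/s, a fast offline attack against an unsalted fast hash."""
    return expected_crack_seconds(entropy_bits(length), guesses_per_second) / (365.25 * 86400)


if __name__ == "__main__":
    for length in (8, 16):
        pw = generate_password(length)
        print(f"{length:2d} chars  {pw:<20}  {entropy_bits(length):6.1f} bits  "
              f"~{crack_time_years(length):.3g} years at 1e10 guesses/s")
    # Dictionary-style passwords are not drawn uniformly from the alphabet, so
    # their entropy is far below what their length suggests; the check below only
    # shows they fail the class requirement, it does not measure their true strength.
    print("Summer2021 misses:", missing_classes("Summer2021"))
```

Doubling the length doubles the entropy in bits, which squares the number of guesses: going from 8 to 16 characters multiplies the attacker's work by a factor of roughly 2 to the 51st power, which is why the tool's estimates jump from hours to something beyond the age of the universe.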
Most password managers now also have the ability to store or issue MFA tokens (TOTP, Time-based One-Time Passwords). This allows us to turn on MFA for all of our accounts while keeping the overall impact on the end user minimal. Oftentimes, MFA is not turned on because it adds an extra step for users to go through to log in to anything and is viewed as cumbersome or a burden instead of an added layer of security. Password managers can help change that view by lowering the barrier to entry for MFA. A user can log in using the password manager and then enter the MFA token generated by the password manager when prompted. Usually, if MFA is set up this way, an MFA token will also be required for the master password itself, in which case users will need another device, such as their phone, to get that token. But having to enter MFA once to unlock the password manager definitely beats having to drag out an extra device for every single login.
Another benefit of using an enterprise-level password manager is that you can share passwords and logins easily and securely. This is done by setting up your district as an organization in the password manager and then adding the district employees as users. Once they are set up in the password manager, you can manage them and put them in specific groups, like 5th-grade teachers or district administration, allowing credentials to be shared easily among the people in each group. But what if you want to share a login with someone outside of a group? All that is needed is to give that user access to those specific credentials. This means no more post-it notes with passwords stuck to computers! (Seriously, don’t do that!) By using an enterprise-level solution you will be able to apply granular controls and achieve the right level of access across your organization.
Password managers are incredibly helpful tools for keeping our organization secure while providing an easy-to-use platform for our users. By empowering our users with the right security tools we can continue to develop good security habits and hygiene that will help protect our users and our organization. It’s important to have cybersecurity initiatives, like password managers, in place to deter unwanted or even criminal activity. For more information on our Cybersecurity Awareness Training Program and how to secure your district’s data, please reach out to firstname.lastname@example.org!