Managing passwords securely and conveniently in a team

We probably all know how important it is for passwords to be hard to guess and are securely stored, in order to prevent any malicious access to our logins. But many I talk to and read about still see passwords as an afterthought and assume there is little chance of them being hacked or will worry about it later if need be. But with the right implementation for creating and storing passwords, it can be just as easy and convenient (plus secure!) to store complex passwords somewhere no one other than you has access.

As a team, we’ve recently reviewed our password use and storage practice as we believed it could be better. Our previous processes were secure, but the workflow for updating, storing and sharing passwords within the team was clunky and complicated. Especially when trying to log in somewhere off campus and you needed access quickly.

We explored many options, from paid for applications to in-house creation and storage solutions. We also spent a lot of time discussing good password creation techniques. Including easy to remember passwords that are still secure. Another important factor is to agree how regularly these passwords should be reset.

I won’t go into detail as to which platform we used (this is a post about security after all) but some good options we looked at include:

Each good application offers different features that may benefit usage as a team like password collaboration, browser add-ons, two-step authentication, secure password generation and more. Some also offer features such as letting you know if any of your listed sites have been compromised and so suggesting that it would be safe to change the password for it. Many enterprise solutions also allow installing the software on your own servers so your passwords don’t go anywhere you don’t know about. A nice feature on LastPass is to give you a breakdown of password security. It shows you a percentage of how secure a password is and also highlights any duplicate passwords. Most offer some sort of free trial, so if your thinking of using one, try it out and see what works best for you.

Important factors for us was security and ease of use. Any platform that enabled us to not have to worry about trying to remember complex passwords was pretty much our main requirement.

Whatever solution you go for, the next step is to think about good and bad password practices…

BAD PRACTICE

  • Using the same password for multiple logins – even with slight easy to guess variations is not a good idea.
  • Using short passwords.
  • Using words that are dictionary hackable – e.g. batman, superman, qwerty.
  • Using passwords that have no special characters.
  • Passwords with any guessable information to that user – such as things that are potentially easy to find via your public Facebook quizzes like the ones that give you a pop star name by providing your favourite colour and year of birth. Just don’t complete these quizzes if your passwords include that sort of information.
  • Not regularly changing passwords.
  • Storing passwords where anyone else can access it – e.g. on paper. I know people that do this, its such a bad idea. Please just don’t. Unless you plan on eating that piece of paper and if that’s the case, write them on these.

GOOD PRACTICE

  • Use unique passwords for everything – then if one website gets hacked and your password leaked, only that password will be compromised. Saving you time in the long run.
  • Use long passwords – try to have a minimum of 8 characters. 16 characters is the recommended minimum and 32 for anything that has really important information such as your bank and personal information is a good idea.
  • Use random generated passwords – like this d+fg,e45n.dfgdj(sv
  • Include special characters – try to include characters like &@%?()$£ within and around any alphanumeric characters.
  • Don’t do things like Facebook quizzes if its anything related to any information you might include in your passwords.
  • Regularly change your passwords – at least yearly.
  • Store passwords in one secure place. If that place changes such as the application you choose, then remember to delete that information.
  • Using a good password manager which takes the stress out of creating and remembering complex passwords.

Once you have this thought out and agreed, using a password management tool does the hard work of remembering your login info.

One last thing…

Embrace two-step authentication!

I can’t emphasize enough how useful two-step authentication (aka two-step verification) is for securing your logins. If you’re not already aware what this is, do a quick search on google for things like banks and anything that takes money from you (think PayPal, Amazon) as well as social media services like Facebook and Twitter for how to enable two-step auth as most support this extra level of security. A good example is sending a unique, one-off 6 digit pin as a text message to your mobile phone. This pin has to be used within 30-60 seconds in order to function. Then once logged in, the browser or app usually asks if you’d like the browser/app to remember your login, so you won’t have to do this extra step each time. The key thing here is a potential hacker would need your phone (and then also be able to unlock your phone) as well as your password in order to login to that service.

Leave a Reply

Your email address will not be published. Required fields are marked *