Most of us have multiple user accounts: social networks, forums, discussion boards, banking apps, online stores, and multiple other locations requiring valid user account for their full-scale usage. And that is where and when we start to have a problem: how to store our passwords for our user accounts.
There are several methods to fix this problem:
– use the same password for all user accounts;
– use different passwords and store them in a spreadsheet (Google Spreadsheets or Microsoft Excel);
– use different password and store them on paper;
– use a dedicated application, a password keeper, for storing and managing all passwords.
The first method is the simplest one as you don’t have to remember many different passwords – you just need to choose and remember only one password and propagate it to all your user accounts. But simplicity means vulnerability in this case: if somebody hacks your Twitter or Facebook account, this somebody may try to use the discovered password to get access to your banking applications, for example, and you may lose a powerful lot of money at the end.
The second and the third options are safer as the passwords are different and cracking of one password doesn’t mean cracking of all passwords. The difficulty here is that you will spend a lot of time finding an appropriate password in a spreadsheet or in a paper notebook. Then you will need to manually enter (in case of storing your passwords on paper) the password or copypaste (if you store your passwords in the spreadsheet) in the respective field of the Sign In window to log into your account. Quite a time-consuming procedure, ha?
Finally, you may use the fourth method which is believed to be the quickest and the safest solution. This method anticipates installation of special software (a mobile application) that collects and stores all your passwords in a single place, allowing for virtually instantaneous access and control. All you need to do is to launch the application on your smartphone or tablet and search for a needed password.
Seems quite a trick, doesn’t it?
But are the mobile password keepers as safe as they are believed to be? Let’s discuss it more specifically.
Popular cloud-based password managers (LastPass or Dashlane) use zero-knowledge security protocols, meaning that these applications encrypt users’ master passwords with a locally-stored (on users’ devices) encryption key. Such encryption consists of multiple rounds of authentication hashing, where an algorithm converts a text string of text into a longer string, making it a real headache for hackers to crack the hashed text.
In 2015, LastPass was hacked. While there was no confirmation that master or encrypted passwords were compromised, the LastPass management confirmed theft of email addresses and password reminders. Such a theft could make it possible for scammers to perform phishing, i.e. faking the Sign In screen and so retrieving the master password or any of the encrypted password of the users. Access to users’ email addresses could even increase the chances of cracking user accounts at social networks or in banking apps.
So the question is how to mitigate the risks of using the password keepers.
Actually, most of the risks can be reduced or avoided if the following requirements are met.
Summing up, we can conclude that it’s possible to ensure your passwords are 99% safe and secure. The solution is to use common sense and follow quite uncomplicated advice mentioned above.
- Do not use password keepers offering Master Password recovery feature: it means that the service provider has access to your Master Password and, respectively, to all your passwords. Just imagine what can happen if there is an unfair person with access to your passwords…
- Use Biometrics or Two-Factor Authentication (if supported): Biometrics is unique and will prevent any unauthorized access for anyone who does not have your finger or retina, and 2-factor authentication adds an extra step to the login procedure making it a more difficult task to hack your account.
- Don’t use autofill feature: though it is extremely convenient to have your respected password entered automatically if this feature is enabled, it can be a vulnerable link for getting unauthorized access to your accounts. If you are focused on security, enter your passwords manually.
- Choose unique and strong passwords: don’t use your birth date, your cat’s or dog’s name, or similar personal information as your password as it all can be known from open sources such as your social network profile, medical history etc.
- Update your mobile password keeper app right after the developer releases the update: developers try to fix all vulnerability issues with such updates.