I have used a password manager for about three years now. And if you took it away from me, my digital life would end.
I rely on it probably 50 times a day, every day. I use it on my desktop at work, my PC at home, my iPad, my iPhone. It is not an exaggeration to say LastPass has become an integral part of my life.
I’m not sure if it is a good or bad thing that I now rely on this single piece of software to run my life, but to some extent whether it’s good or bad is irrelevant - it’s a necessity. There is no discussion. I have to have a password manager.
So what led to this change? There are a number of reasons.
Firstly, I was getting more and more frustrated with the time I was spending attempting to login to online services – and at last count, I use around 150.
You know the pattern: you put the wrong password in, or was it the login name? Oh wait, is this the login that I had to modify my standard password for because it didn’t accept it?
I would end up asking for an email to be sent to give me a temporary password, which sometimes would get trapped in my spam filter and I would then need to remember the password to that, and then work out what password I could use that would meet the site's restrictive criteria.
I would come up with a great password that I know I can remember only to be told it's been used before and that I couldn't use it. So I'd come up with something else and the next time I visited the site, I couldn't remember it – and the whole circus repeated.
Secondly, I needed to start 'eating my own dog food'.
We have been spending more and more time advising and educating our IT support clients around cyber security best practices and breach detection.
This, of course, has been driven by the massive changes that the cyber security space is going through - namely that it's so much easier now for anyone to start to distribute and monetise cybercrime.
A cyber criminal no longer needs to write malware code or hire a team of geeks from dark web forums, set up his server farm and expensive comms links.
He can simply purchase all these services ready to go and pay a commission to someone else. This is called Cybercrime As A Service, and it’s a really successful business model.
One of the key forms of protection is ensuring you have an appropriate password policy for you and your staff. And this is where it gets difficult.
We know that a longer password is more secure than a shorter one, that a more complex password with odd characters and numbers is more secure and that a truly random sequence of characters is better than meaningful words, thus J1ClDT4d6VK2 is about 10,000 times stronger than MynameisAdam.
But can I remember J1ClDT4d6VK2? (I can't). And by the way, I need a unique password for each of the 150 services I use, and I need to change them at varying levels of frequency.
The other reason I now rely on a password manager is that these tools have become a mature product that work – mostly – and that those lovely Apple people have integrated fingerprint authentication into their devices.
So now I can login to an online service on my iPad without needing to remember my ID, password or even my password manager master password.
I simply click on the integration link on the browser and select LastPass, touch my finger on the pad and this inserts the credentials for me and I am logged in.
I don’t actually know most of my online services passwords now.
Of course it's not perfect. Sometimes the software can be a bit clunky, it doesn’t integrate with many native apps – so I still have to login to LastPass first to copy my password – and it does not have integration for Microsoft Active Directory, but it does mean that in order to remember a password, I don’t have to lose another piece of information from my brain.
"But what happens when the password manager gets hacked?" I hear you say. "Isn’t this risk worse because all your eggs are in one basket?"
We get asked this question every time we hold one of our Cyber Security Education Seminars. It’s a great question.
Firstly, you must ensure you use a solution that supports Two Factor Authentication. This means that any access to your password vault can only be made by inserting a code generated by a supported Two Factor service, such as Google Authenticator, on a device you have, such as a mobile phone, in addition to the master password.
Although this does add an extra step – where you don’t have fingerprint recognition – it's still far more efficient and secure than trying to remember non-complex passwords.
Secondly, you should change your master password on a regular basis. Now you just have one password to remember – I think even I can manage that.
Thirdly, LastPass never has access to your master password. They encrypt all the user data, including username and password, with 5,000 rounds of PBKDF2-SHA256, a password strengthening algorithm.
That creates a key, on which they perform another round of hashing, to generate the master password authentication hash.
That is sent to the LastPass server so that they can perform an authentication check as the user is logging in.
They then take that value, and use a salt – a random string per user – and do another 100,000 rounds of hashing, and compare that to what is in their database.
In layman’s terms, cracking their algorithms is extremely difficult, even for the strongest of computers.
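The derivation chain described above, written out as an added example that is not LastPass's own code. It assumes the username serves as the client-side PBKDF2 salt, that the "another round of hashing" is a single PBKDF2-SHA256 round keyed on the derived vault key, and that the server's per-user salt is 16 random bytes; the round counts are the ones the post states.

```python
import hashlib
import hmac
import os

CLIENT_ROUNDS = 5_000    # client-side rounds stated in the post
SERVER_ROUNDS = 100_000  # server-side rounds stated in the post


def client_derive(username: str, master_password: str) -> tuple:
    """Client side. Returns (vault_key, auth_hash).

    Assumption: the username is the PBKDF2 salt (the post does not say).
    The vault key never leaves the device; only auth_hash is sent.
    """
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), username.encode(), CLIENT_ROUNDS)
    # The extra single round that turns the key into the authentication hash.
    # Assumption: one PBKDF2-SHA256 round keyed on the vault key.
    auth_hash = hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_hash


def server_enrol(auth_hash: bytes) -> tuple:
    """Server side at sign-up: random per-user salt plus 100,000 more rounds."""
    salt = os.urandom(16)  # assumed salt length
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return salt, stored


def server_verify(auth_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Server side at login: recompute and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(candidate, stored)


def login_succeeds(username: str, enrolled_pw: str, attempt_pw: str) -> bool:
    """End to end: enrol with one password, then log in with another.
    The server side only ever handles the auth hash, never the master password."""
    _, enrol_hash = client_derive(username, enrolled_pw)
    salt, stored = server_enrol(enrol_hash)
    _, attempt_hash = client_derive(username, attempt_pw)
    return server_verify(attempt_hash, salt, stored)


if __name__ == "__main__":
    user = "adam@example.com"  # constructed sample account
    key, sent = client_derive(user, "correct horse battery")
    print("vault key (stays on device):", key.hex())
    print("auth hash (sent to server):", sent.hex())
    print("right password:", login_succeeds(user, "correct horse battery", "correct horse battery"))
    print("wrong password:", login_succeeds(user, "correct horse battery", "correct horse batery"))
```

Note that the stored server value is a further 100,000 rounds away from the auth hash, so a leaked database entry cannot be replayed as a login credential without first reversing that work.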
That's why I use a password manager.
Adam Morris is the founder and managing director of Chippenham-based Avagio IT.