Password Management—Increase Security, Ease of Use, and Peace of Mind
May/June, 2010 Pipeline
Many web sites now provide access to highly personal and sensitive information, and in response to user demands for tight protection of their data, many companies have substantially increased the level of security required to access their sites.
Most web sites require passwords that contain a minimum number of characters in upper and lower case, numbers, and symbols, and many enforce their password criteria to ensure that all passwords used on the site are complex and secure.
Many also require that passwords be changed on a regular basis. With many users accessing upwards of 50 sites that require passwords, wildly varying password requirements, and many password changes to keep track of, users typically either use a single password wherever it will work, write down their passwords and store them in an insecure location, or flounder through the password reset process when they have forgotten which one they entered on which site. None of these strategies is considered a “best practice.” In fact, a survey released in March 2010 by security firm Symantec revealed that 60% of its respondents do not change passwords and close to half utilize the same passwords for all of their accounts. The respondents were subscribers to the Symantec Connect Blog.
So what can you do? What is considered the “best practice” for securely managing passwords? On a site-by-site basis, users should use the most secure and unique password permitted by the site, and change each password frequently. Keeping track of all your different passwords is extremely difficult to do by hand, but fortunately technology has come to the rescue. Many password management tools are available to “manage” your entire portfolio of passwords. These software or web-based tools store and encrypt all of your passwords, and keep them all safe by requiring the user to enter a “master password” or even an entire passphrase.
Here is an overview of how these tools work:
1. Install or subscribe to the software. During setup you will provide a “master password” or passphrase that only you know and which you will use to unlock your password database.
2. You visit your bank web site, ABCD Bank, at https://www.abcdbank.com and log in. The software will ask if it should remember this user ID, password and any other required login information. The software can also generate a unique and very complex password for the site.
3. The next time you visit this site, the software will either automatically log you in, or provide a button you can click to log in.
Once you have entered your master password, you can then visit other sites and log in using the database until either you close your browser or your master password times out. Some tools store the passwords locally on your PC, some offer “portable” storage on a USB drive, and others offer storage on the internet so you can get to your passwords from any device connected to the internet—some even allow you to download your passwords to your smartphone. Most also offer additional features such as the ability to auto-fill forms with personal data such as name, address, and credit card numbers, to store password-protected notes, and to back up your passwords to another location.
The specific features offered by each password management solution may vary, and the example above does not represent all solutions, but they all function in a similar fashion and are generally easy to set up and use. Pricing currently ranges from about $20 to $50 per user.
This list is not comprehensive, but does provide a starting point for your own research. You can also type “password management” into your browser search engine for more options and to access reviews. If you have any questions, please contact Dave Golden, Director, Technology, at dgolden@nasbp.org.
Reference to products and services contained in this article is solely provided for description and informational purposes only and does not constitute or imply endorsement or recommendation by NASBP. NASBP makes no representations as to, and assumes no responsibility for, the use of these products or services. Should you have any questions regarding the use of these products or services, please contact the businesses listed above directly.