Password Managers

Password Managers
17 September 2024 Emma Alsos

A Password Manager is a valuable tool that helps organise and store passwords securely, making it much simpler to stay safe online. GSL’s Minimum Recommendations for IT security advises every client to deploy a Password Manager. 

These software applications significantly ease the secure management of hundreds, even thousands, of credentials for accounts and services, such as email, banking, social media and more. They enable users to easily generate very secure passwords (with combinations of uppercase and lowercase letters, numbers and characters) and save them along with logon URLs and information credentials to a secure “vault”, usually in the cloud. 

Password Managers make logins easy because they can autofill a user’s login ID and password automatically when they visit a website or open an app that requires them to sign in. Users no longer need to memorise passwords. 

Why do we need Password Managers? 

A great number of websites and apps require a log in with ID and password. Human nature means users often seek an easy solution by using easy to remember passwords or memorising one complex one and using it for multiple logins. That presents a cybersecurity risk that can lead to your online accounts being taken over, for example.  

The issue is that strong unique passwords are difficult to remember but they are very important for ensuring our online safety. Password Managers provide a simple, fast and secure solution. 

Many Password Managers can do more than merely store passwords. They can securely store other personal details that people frequently need online, such as phone number, street address, card details and email address. Then they autofill that information at checkout for online purchases. Some can even store important documents and other confidential information such as medical details. 

Good Password Managers apply a hygiene test to a user’s current passwords as well as new ones. They highlight weak passwords that would be relatively easy to crack and also passwords reused for multiple sites. They ensure that passwords are strong and unique for every app and site. 

The best Password Managers also interrogate the Dark Web where login credentials are bought and sold. They raise an alert if a user’s passwords or personal information have been compromised 

Why strong passwords are vitally important and what they look like  

Length and complexity are the key ingredients of strong passwords. Security experts recommend they be more than 14 or even 20 characters long, not contain dictionary words, and consist of a random mix of capital and lowercase letters, numbers and symbols.  

There are just 10 numerical digits, for example, and so an 8-character password made up only of numbers has a relatively tiny number of possible combinations that would be cracked in milliseconds. 

Even more complex short passwords can be very quickly cracked by the powerful algorithms, computers and techniques that hackers use. For example, a 7-character password that includes symbols, numbers and mixed capitalisation can be broken in two seconds.  

An 8-character password with no numbers or symbols has 209 billion possible combinations but is practically useless because it can be cracked almost immediately. Even using the best practice mix of characters, an 8-character password can be cracked in about six hours. 

By comparison, an 18-character password made up of symbols, numbers, upper and lowercase letters, would take trillions of years to crack with current technology. 

That term “current technology” is significant because of Moore’s Law, which states that CPU and GPU (Graphics Processing Unit) double in speed and processing power roughly every two years. It means the time taken to crack a password is halved.  

Password Managers generate very strong passwords that should comfortably remain impossible to crack for many years to come. 

What types of password management software are available? 

While the most popular Password Manager products are standalone apps that store encrypted data in the cloud, there are other types on the market: 

    • Practically all browsers now offer integrated Password Management. At first glance, this would appear to be a simple, convenient and mostly free approach. However, web browsers are designed for great web browsing but true cybersecurity is of secondary importance. Security may not be enterprise grade, with weaknesses such as inadequate or no encryption. Users who switch between multiple browsers find it difficult to manage passwords on all of them individually. While browsers may offer entry level Password Management features, a dedicated Password Manager almost always does it better.  
    • Local, rather than cloud-based, Password Managers encrypt and store passwords locally on the device. Users risk losing that data if the device is lost or stolen, or suffers a malfunction.  
    • Stateless Password Managers do not save or store any password information anywhere. They generate one-time usage passwords (tokens) for every login instead. That delivers greater security. The term “stateless” contrasts with the more common “stateful” Password Managers that do store passwords. 

Buyers’ Guide 

What features should prospective buyers look for in Password Managers? 

As with most IT products and services, there is a range of choices with different features, functionality and cost. Commercial organisations may have more requirements than individuals. 

This section aims to unpack some of the key factors when deciding to buy a Password Manager. 

It is good practice to list the important requirements you need before searching for a suitable product. Organisations often have different priorities that guide them towards selecting a product. 

For example, you might wish to install a Password Manager with some or all of these capabilities: 

    • Generate strong complex passwords instantly and save them to an encrypted vault, either on your device or in the cloud 
    • Work on all the platforms your devices use (e.g. Windows, IoS, Android) so that you only need one password manager on all of them 
    • Automatically synchronise your passwords across all the devices you use to get online so that passwords are always available and up to date no matter which device you are using 
    • Notify you if you are using the same password for more than one site to help keep each password unique 
    • Alert you if your password, login credentials or personal information has been captured during a known security breach of one of the websites you log into 
    • Warn you if you navigate to fake or suspicious websites that might attempt to transfer malware to your device or be a source of phishing attacks 

Essentials Level – Minimum practice, lowest subscription cost 

For individuals working from home behind a router, browser-based Password Managers may be considered. suitable These are usually free, convenient and easy to use even if many are lacking in strong encryption and other cybersecurity considerations that a business would consider essential. 

The most important factor is that they should be capable of generating strong passwords, storing them securely, and ideally use auto-fill to log into sites.  

It is also important to be able to take a backup of the password file onto external media such as a USB memory stick as a precaution in case the device suffers a failure, is lost or stolen. 

Be aware that while most modern browsers now offer an entry level Password Manager, none are as secure as a dedicated Password Manager product. These are of higher quality and usually offer capabilities such as optional 2-factor authentication (2FA), very strong encryption, a VPN and other features for strengthened security. 

Essential features of Password Managers for Minimum Practice include: 

    • Generate strong complex passwords and save them to an encrypted file or database.
    • Auto-fill your login credentials when you navigate to a website.
    • Support strong end-to-end encryption.

Standard Level – Good practice, balanced costs, best value 

This is a good entry point for many businesses and organisations. Dedicated Password Manager products generally provide excellent security at a reasonable price.  

Scanning reputable review sites will provide an outline of the functionality of each product as well as pros and cons. Always be aware that owners of most review sites benefit financially when you click through their product review to the vendor website. That said, the best five/six products tend to appear consistently across most reviews. 

Standard level should include the functionality list above in Essentials Level with the addition of these desirable features: 

    • Multi-factor authentication to access the password vault. 
    • Alerts for breached/compromised passwords. 
    • Secure sharing options (bad IT security practice but pragmatic for sharing Netflix passwords, for example). 
    • Multi-platform support to enable seamless access and compatibility across multiple devices and platforms (Windows, IoSs, Android). 
    • Automatic device syncing when switching devices such that your vault is always up-to-date.  

Enhanced Level – Best practice, enterprise grade 

The best Password Managers will provide additional features that may be highly desirable, depending on business needs and processes: 

    • Role-based permissions enabling administrators to choose who has access to which passwords.
    • Accessible recovery process if a user should lose their master password.
    • Vendor is reputable and issues frequent updates (patches).  

At this level, businesses might also consider Single Sign-On (SSO) password managers. These enable staff to use just one password for all enterprise applications and web services, making them more convenient and secure than having different access credentials for all of them. Employees do not need to share passwords and the password manger transmits tokens to the web service or application for validation and authentication. 

In reality, any product may offer a mix of basic and enhanced features. By listing your important requirements before seeking a matching product, you are far more likely to make a good choice. 

Conclusion 

Deploying a Password Manager for your business is a highly recommended course of action to maintain good cybersecurity. At the very least, this removes the very real threat posed by weak passwords. It also makes life online easier and faster. 

Next steps 

We are happy to advise you when choosing a Password Manager based on the unique requirements of your organisation. We are also likely to be able to secure excellent subscription terms on your behalf. 

Phone: +44 (0)1223 903 800 

Email: hello@grace.solutions 

Contact Us form: https://grace.solutions/contact-us/