As we all use more and more different services and applications in our personal and work lives, password management becomes ever more of an issue. It’s staggering the number of times I’ve had to gently make people aware of the fact that using one simple password for every single service they use probably isn’t the best idea. To be honest, it wasn’t that long ago that laziness and an unwillingness to spend a little more time when signing up (and thereafter when signing in) to services meant that I too had a poor approach towards password security.
A couple of years ago I finally realized that with several hundred different services in my proverbial quiver, and given my propensity to sign up to every single new site I find, that a more robust approach towards password management was required. In my case I started using, and became a massive fan of, LastPass, an amazing service I’ve written about before that not only remembers all your passwords, but has handy features like automated form-filling and password generation – the idea being that users have one master password and that unlocks LastPass and hence access to all other passwords.
I’ve always had a concern at the back of my mind though that this approach wasn’t really safe – what happens if LastPass got hacked? What if, during my frequent travels, someone used key-logging software to learn the password and then gained access to all my other services? What if I get run over a bus and incapacitated and my passwords, and hence online services, all become inaccessible?
I was pretty relieved then to read a post by Mark O’Hare, CIO at email management vendor Mimecast, in which he talks about password security and tells of his own use of LastPass. I figure if a risk averse CIO uses the product, it must be safe for mere mortals too. O’Hare gives some advice for using a password manager (PM) effectively:
Protect your PM with a single secure complex password, one that is easy to remember but hard to guess. My suggestion is 12+ characters, not based on a dictionary word and a mix of upper, lower, numerals and special characters. If your PM supports it, use 2-factor authentication. Google Authenticator is a free, time-based one-time Password generator and some PMs integrate with it. Use your PM’s built in password generator to generate long and complex passwords which will be stored securely in your PM. Go to each site or service you use and change the password to something unique using your PM’s built in password generator.
It feels like we’re reaching a tipping point however – there has been lots of attention given recently to the fact that using two-factor authentication is a sensible choice. Free products like Google Authenticator help make online service use more secure. The other angle that helps in this regard is the rising use of authentication tools like OAuth and SAML, which both help users to authenticate third party sites using one trusted identity provider – in the consumer space Facebook and Google have both proved popular as identity hubs.
As increased use of online tools makes it ever more attractive for people to gain access to others’ accounts, robust approaches towards authentication and security become all the more important. Password management and third party authentication are two important safeguards in this journey.
(Cross-posted @ The Diversity Blog - SaaS, Cloud & Business Strategy)