
How to keep your passwords and secrets safe?

  • Writer: KZ
  • 1 day ago
  • 6 min read
SecuriKiwi

When it comes to your online life, whether that be in business or your everyday activities, you need to keep your passwords safe from the multiple ways malicious actors are trying to get access to them - so how do you keep your passwords and secrets safe?



But how can you do that safely? Is adding or changing the number at the end the right way? How about that post-it note with your details? Or your PIN number scratched into the side of the ATM machine (points if you get the reference)?


General public:


So you're only interested in looking after your personal details:

  • Bank accounts
  • Social media
  • Emails
  • Anything with your card linked as a payment method
  • Retirement funds/programs/accounts

or anything else sensitive. What should you consider?

Password complexity:


Passwords should be complex enough that they cannot be guessed, and you should avoid linking them to public information, as that is easily guessed by hackers. There are also multiple toolkits where key information about a person can be fed in; the toolkit then creates a password list based on the common rules and patterns people use for their accounts.


The current advice is to use passphrases rather than single words. You can also keep these to a theme to make them easier to remember - for example (DO NOT COPY - using these phrases would be a monumentally bad decision):


  • Financial accounts:
    • TheQuickBrownFoxJumpsOverTheLazyDog
  • Social media:
    • TheSlowWhiteFoxJumpsOverTheSleepingDog
  • Emails:
    • TheDogJumpedBackOverTheFoxAndProvedHimself

The above passwords were checked with https://password.kaspersky.com - as you can see, the first one was found in a leak, but that is not surprising, as the eagle-eyed among you will have noticed it is the standard sample phrase used for font files on computers worldwide. The others are variations on the original theme. It is NOT recommended that you test your current passwords on this site, but you can use it as a reference to see what works and what doesn't.


Now these are already going to be pretty hard to crack, so how can you make them even more difficult? Add numbers or symbols (again, stick to a theme) - for example, replace all the 'I' letters with the number '1'.


Storage:

So now you have an idea what will make a strong password, how do you store it?


Memory:

Try to remember it - with passphrases they can be easier to remember, however you should be aware of your own ability to recall this when you need it. Also typing in a passphrase can be time consuming when you are always on the move.


Post it notes:

Strictly speaking this is frowned upon; however, if you have it concealed out of line of sight (don't put it on the same desk or on the monitor etc.) then the threat is low unless someone is hunting for it. You should consider your risk factor with this: are you likely to have someone looking for your password? Are you potentially a target for someone who is nosy and wants access to your money or information, and who also has physical access to your home? If so, then this is not recommended. If you have minimal risk of this, then it would be a good option as long as it's secure (hide it in a book, or in a specific drawer where it blends in, for example).


Password Manager:

Password managers are the best option, there are many out there and some work better than others. You should always check into the history of the password manager, if they have repeated breaches then they are not the best option. Ideally what you want in a password manager is:

  • Secure password storage standards
    • Check they meet industry standards
    • Ideally you are looking for 256-bit AES encryption
    • No option for the company to recover your passwords
      • If the company can recover your passwords, they are not secure and could be exposed in a breach.
    • End-to-end encryption
  • Good track record of delivering the service
    • Check for breaches; one or two are to be expected, however multiple ongoing breaches and exposures of unencrypted passwords should be a huge red flag.
  • Ability to run on all your devices
    • Ideally you want to be able to run it on your phone, computer, tablet and browsers.
    • If you get a centrally managed one, it can instantly share passwords between all your devices securely.
  • Able to assist in password changes
    • Some password managers will assist you when you need to change passwords and will help you confirm the password has changed before you commit.
  • Ease of use
    • If you have a password manager that does not make your life easier, you are likely to stop using it.
  • Family accounts available
    • This can be useful to secure your whole family
    • You can share passwords with multiple people
    • Password changes are shared immediately and securely
  • Breachwatch
    • Get alerted if any of your passwords are potentially exposed
    • This is done by checking the password 'hash' against breaches, enabling you to respond and change passwords quickly.

These functions should help keep you and your data secure.
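How a breach-watch style check can work without ever handing over the password, as an added example that is not from this post or from any password manager vendor. It uses the hash-prefix (k-anonymity) approach: only the first five hex characters of the SHA-1 hash are disclosed, and the comparison happens locally. The breach corpus and the function names are my own constructions.

```python
"""Hash-prefix ("k-anonymity") breach check, the mechanism behind
breach-watch features. The client hashes the password with SHA-1,
discloses only the first five hex characters, receives every suffix the
service holds for that prefix, and compares locally, so the full
password and full hash never leave the device. This is why such checks
are safe on real passwords, unlike pasting them into a web form."""
import hashlib

# Constructed sample corpus: password -> number of times seen in leaks.
# (The pangram from the post is included so the demo finds it.)
_LEAKED = {
    "password": 3_000_000,
    "123456": 2_500_000,
    "TheQuickBrownFoxJumpsOverTheLazyDog": 12,
}
BREACH_CORPUS = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): n
    for p, n in _LEAKED.items()
}
# Everything the "client" has disclosed to the "service", for inspection.
DISCLOSED = []


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as breach services index it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def breach_service_lookup(prefix: str) -> list:
    """Service side: return (suffix, count) for every hash in the prefix
    bucket. The service never learns which suffix the client wanted."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly 5 hex characters")
    DISCLOSED.append(prefix)
    return [(h[5:], n) for h, n in BREACH_CORPUS.items() if h.startswith(prefix)]


def times_seen_in_breaches(password: str) -> int:
    """Client side: 0 means not found; otherwise the leak count."""
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    for candidate, count in breach_service_lookup(prefix):
        if candidate == suffix:  # comparison happens locally, never remotely
            return count
    return 0


if __name__ == "__main__":
    for pw in ["TheQuickBrownFoxJumpsOverTheLazyDog", "TheSlowWhiteFoxJumpsOverTheSleepingDog"]:
        print(f"{pw}: seen {times_seen_in_breaches(pw)} times; disclosed only {DISCLOSED[-1]}")
```

A real service holds hundreds of millions of hashes per corpus, but the client-side logic is exactly this small.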


What to use?

There are many out there, the one I use is KeeperSecurity and it is a great option. It meets stringent security requirements, works on all devices and also allows me to autofill while using biometrics on my phone. I can also share passwords with my family as needed.




Businesses:

For businesses the overall expectation should be the same as above on a basic level, however you may also want to be looking into options such as:

  • Integration with Single Sign-On services
    • Key to ensuring security does not become overly intrusive to people's day; if it becomes a burden then your staff may find ways around it and bring more exposure to systems.
  • Secrets protection and rotation
    • You can do this manually, or find a manager that can auto-rotate your AWS secrets etc., which can remove the risk of downtime. You can also automate the rotation more frequently, which reduces the chances of exposure.
  • Secure file storage
    • Even if this is just a small amount of storage, when it's built in to the password manager you can share key files required for encryption, like a public key or even a temporary private key for small tasks, across geographical restrictions.
  • Auditing capability
    • You should be able to audit who accesses passwords/secrets; this will enable you to see who accessed key information during an investigation.
  • Role-based access (with immediate revocation options)
    • Limit who has access to the passwords based on their role; keep the exposure limited to those who really need access to it.
  • Cloud and on-prem versions available
    • This will be useful if you want to make sure you don't have to shut down operations due to the internet dropping out, or to stop your workers being hamstrung by working from home or abroad.
  • Compliance reports
    • This can help your security teams identify issues with weak or old passwords, ensuring you can stay ahead of potential issues.


These options are some of the basics I would be looking for during a business deployment, however this is not the end of the options available. Ideally I would be looking for additional features that provide secure options such as:

  • Secure chat
  • Secure connection manager
  • Privileged access manager
  • Training modules for staff
  • Free licenses for family accounts


These can be very useful for secure communication, access and ensuring your staff are secure in their non-work lives.


Keeper Security is a great option for these reasons. I have deployed it at multiple organisations and it is always well received, as it raises the security level of the business with minimal impact on the organisation's daily business. It is also pretty cost effective compared to some of the competitors, and as partners of KeeperSecurity we are able to offer special rates that you cannot get by going directly to the company. If this is of interest then please get in touch!


Summary:

So what this means is you should be aware of how you are doing things, avoid common mistakes with passwords and try to evolve with the times (passphrases).


Your risk factors depend on your lives/business, if you would like some advice then please feel free to message us.


Keep an eye out for a future article on encryption of messages, a special entry on secure communications.
