The trade-off of convenience versus security will help answer the question, but password management best practices should reign supreme.
As you browse the internet through Chrome, Safari, Firefox, or other browser of your choice, you are often faced with an enticing option: Would you like the browser to save your password? If you say yes, research shows you are taking a risk. These browser-based password managers make life more convenient, but they may offer a false sense of security. For the most part, it is not at all clear how secure any of them really is.
This is the world of password management. Whether it is for work or personal use across retail websites, news subscriptions or social media, chances are that you use several different passwords. Some of these passwords may even give you access to sensitive accounts and critical systems at your workplace. However, some people make the top security mistake on the internet—reusing passwords.
There is an even greater chance that those passwords are relatively simple and easy to guess by attackers. If you are using the same password repeatedly, when attacker cracks your password for one system, they can compromise all other accounts which are secured by that same password. For people who use multiple, hard to guess passwords, but save time and brainpower by saving the credentials in your browser’s built-in password manager, the simplicity makes this a compelling option. However, it may not be the best way to protect the data you care about most.
Despite the convenience, there is a major downside to saving credentials in a browser. Since so many people use integrated password managers, they are a natural target for credential theft attacks. According to research by a content delivery network (CDN) services provider, Singapore ranks 15th on the company’s global list of the top source countries (where the traffic is coming from and not necessarily where the attacker is located) for credential stuffing.
Cyber attackers count on us choosing convenience over security making the credentials saved in a browser an easy target. Credential theft attacks can be fully executed from a single user’s workstation by leveraging passwords for social media accounts and other credentials stored on the device. What should you be using to better protect your online passwords and secure your digital life?
Best practices for password security
This type of separately-sold utility allows you to save, generate and update all passwords in one encrypted location protected by a single, strong password or passphrase. These tools are increasingly popular among consumers and businesses, but as with most tools and technologies, they do not completely eliminate security risks.
Regardless, here are a few best practices to help safeguard a dedicated password manager.
- Be on the lookout for phishing attempts. The Cyber Security Agency Singapore (CSA) revealed in its latest Cyber Landscape report that it observed 16,100 phishing URLs with a Singapore link in 2018, up from 2,500 in 2016. It is important to stay vigilant and never click on links or open attachments from people you do not know or ones that seem out of character.
- Always use multi-factor authentication (MFA). Ensure that multiple types of authentication methods, not just a password, are required to unlock an account. This is important not only for your dedicated password manager, but for other online services such as bank accounts, email and social media accounts.
- Choose a strong master password. It is the key to unlocking every single online password stored in the repository.
- Use different passwords for every online account. It is hard to remember long and strong passwords. Even so, do not reuse passwords on multiple sites or accounts. If you do, and one account is hacked, the others can easily be compromised. Password managers can also act as password generators and create a unique password for you.
- Create a tip sheet. A tip sheet offers clues as to what your password might be. Never write your password down anywhere anyone else could see it, and never keep a list of passwords that could be accessible to anyone.
- Create your own code. Replacing a few letters with numbers, misspelling words or using acronyms and abbreviations are cool code tricks you can use to make your password more unique and harder to crack. Remember, your password is secret, so no one will be checking your spelling.
- Choose random words. Another trick is to create a short phrase out of several random words. Using the entire word but still replacing a few letters with special characters helps increase its security capabilities. Choose something silly or memorable, like an inside joke or favorite food, animal or color.
- Try a dedicated password manager. Although having all of your passwords in one place might not be the best idea, there are a lot of options for password managers that allow users to safely keep their passwords in a list. Some even allow you to change passwords with a single click from the app.
Password managers only manage the passwords of a single person, which is great when only one person needs protecting. However, businesses comprised many people, and with many different needs when it comes to system access. For such scenarios, it is more important to secure passwords through an enterprise-level solution such as privilege access management (PAM), which is a cybersecurity strategy for controlling, monitoring, securing and auditing everyone and everything in an IT environment.
Password managers are a big step up from trying to memorize all of your passwords or letting your browser (or a Post-it note) remember them for you. These solutions can save time, increase security and free up mental clutter. Beyond that, if you are trying to handle access on the scale of a business, consider privileged access management.