A Look at Password Management Applications

Written on Jan 29, 2018


Password

By Anne Jenkins, CPA, CGMA

With daily reports of cyber security breaches, keeping a password secret is an increasingly difficult challenge. Although most people know that password security is important, they create weak passwords and reuse them on various websites.  Hopefully, you’re not using one of the top 10 worst passwords such as password, princess, football, dragon, Star Wars or combining your favorite words with a family member’s birthdate.  Most current computer systems require the creation of complex passwords that correspond to certain guidelines (e.g., using a certain number of capital letters, lowercase letters, numbers, special symbols). 

Many systems also require changing passwords frequently.  While both requirements are good protocol, they can lead to poor password management, causing many people to write down their passwords and create them by using common words and then replacing the letters with numbers or characters (e.g., changing “password” to pa55w*rd).  Research shows this method to be ineffective; a computer can crack this type of password in only a matter of days.  Another security concern is the reuse of passwords.  Using the same one on multiple websites is very tenuous.  If one website gets hacked, then your other accounts sharing that password can be put at risk.  These factors make the process of creating and tracking passwords frustrating, time consuming and sometimes overwhelming.  One option that can ease these troubles is to use a password manager.

 A password manager application is the gatekeeper for all of your passwords and login information.  It will generate long, random, secure passwords and help you log in automatically to the websites you use.  Your password database is encrypted with a single master password.  (One password to rule them all!)  Once created, you only have one password to remember. Another benefit is that the login and auto-populating features of a password manager are very efficient, with some estimating the time savings to be more than 50 hours per year.  

There are many choices when it comes to password management software.  Most web browsers (e.g., Chrome, Firefox, Internet Explorer) offer integrated password managers.  However, these should be approached cautiously.  Many of these don’t use encryption, and some won’t generate random passwords or are unable to sync across different devices and platforms.  A better option is a dedicated password management application.  Most applications offer a free product with basic encrypted password storage for individual use.  Free options generally provide a password generator, auto-fill capabilities, secure notes and one-to-one sharing of passwords.  Premium options for individuals and businesses are usually available for a minimum monthly fee, starting around $2 to $4 per month.  Premium versions usually offer options for syncing across multiple devices, emergency access, priority tech support and password sharing features among multiple users.

While the use of a password manager has many advantages, and most experts agree that using one is significantly safer than current alternatives, it is important to be aware of the risks.  Similar to credit card companies, hackers will target password management applications because they hold large quantities of personal data.  While no software can offer absolute security, it is important to review how the password manager service handled security incidents in the past.  Did they quickly respond to the incident and apply software fixes timely?  Did they communicate the issue promptly to their users?  The other important consideration of using a password manager is realizing that a large part of security falls to the individual user to keep their physical computer and its software safe by updating software timely, and avoiding malicious websites, emails and phishing scams. 

Because the master password is the main lock of securing your password vault, it is imperative that users take the time to apply the best practices in creating the master password and memorizing it.  Another safety consideration is to choose an application that allows the option of two-factor authentication for accessing your password manager.  By requiring the use of a master password and a secondary factor (security question, cell phone, token response or biometric), a password manager can be made even safer.  An important point to keep in mind is that with or without a password manager, there is always the possibility that your computer could be compromised, but chances are that your security will be improved if you have employed a password manager. Below are short summaries of a few systems you might want to consider.

LastPass—This cloud-based password manager works on multiple platforms, such as Android and iOS, and has desktop apps that are compatible with all browsers and operating systems.  Syncing your desktop and other devices requires an upgrade to the premium product.  Like many password managers, it will auto-populate your passwords on websites, as well as the personal information you use to fill out forms.  The built-in password generator can create long, randomized passwords.  For your master password, it offers a variety of two-factor authentication options that secures your password vault.  Your passwords are stored on the LastPass servers in an encrypted form.

KeePassX—For those who may have security concerns about cloud-based options or secret back doors, KeePassX is an open-source password manager.  It provides transparency by disclosing its source code, which independent researchers can audit.  KeePassX is not as user friendly as some applications.  It’s compatible on multiple platforms but syncing your passwords across multiple devices must be done manually.  Users need to upload their encrypted password file into their own online storage (i.e., Dropbox or Google Drive).  If you’re technically inclined, KeePassX allows users to customize the application with plug-ins you write yourself.

Dashlane—This application gives you the choice of storing your passwords locally on your computer or in the cloud where they are AES encrypted.  Dashlane has a password generator, security monitoring services, and unlimited password and data storage on a single device.  Plus it works on multiple platforms, although syncing to multiple devices requires an upgrade to the premium product.  Dashlane has a security analysis dashboard that ranks your current password security and targets passwords that need improving.  For security purposes, the Dashlane app does not store master passwords or password hints.

These three applications are just a few of the many password manager options available.  Apple users might also want to consider an application called 1Password, although it doesn’t work well on other platforms.  If you’re interested in securing your passwords through biometrics, Sticky Password is an application that offers this feature.  As with any software choice, take the time to do your research, consult your IT professional, and choose the application that works best for your situation and meets your security requirements.

Cyber security threats increase daily.  Protecting and securing your data and information systems is a constant endeavor.  A critical component of most security systems is the use of unique and complicated passwords.  As password creation becomes more challenging and complex, using a password management tool can help make your life simpler and your technology more secure.

Anne Jenkins is vice president and chief financial officer of Embassy Properties, Inc. in Kansas City. Anne chairs MOCPA’s Information Management and Technology Assurance Committee.  ajenkins@mrpinckc.com

Leave a comment