Adam Morris, Founder and Managing Director, Avagio
In this guest blog, Adam Morris, Founder and Managing Director of Avagio, who has over 20 years’ experience in the IT industry, tells BASDA why a password manager should be a fundamental part of your cyber security processes.
Why I Use a Password Manager for My Business
I have used a password manager (it happens to be LastPass Pro (owned by LogMeIn) – but there are several other good ones) for about 3 years now. And if you took it away from me, my digital life would end. I rely on it probably 50 times a day, every day. I use it on my desktop at work, my PC at home, my iPad, my iPhone. It is not an exaggeration to say LastPass has become an integral part of my life.
But is this good or bad?
I’m not sure if it’s good or bad that I now rely on this single piece of software to run my life, but to some extent whether it’s good or bad is irrelevant – it’s a necessity. There is no discussion. I have to have a password manager.
So what led to this change?
There are a number of reasons.
Firstly, I was getting more and more frustrated with the time I was spending attempting to log in to online services (and at last count I have about 150 that I use). You know the pattern – you put the wrong password in, or was it the login name? I would end up asking for an email to be sent to give me a temporary password (sometimes of course this would get trapped in my spam filter and I would then need to remember the password to that) and then work out what password I could use that would meet the site’s restrictive criteria: x characters, y numbers etc. etc. I would come up with a great password that I know I can remember, only to be told it’s been used before and I can’t use it! Ahhh. So I come up with something else, and the next time I use the site I can’t remember it, and the whole circus repeats.
Secondly, I needed to start eating my own dog food. We have been spending more and more time advising and educating our IT support clients around cyber security best practices and breach detection over the last 10 years or so. This of course has been driven by the massive changes that the cyber security space is going through – namely that it is so much easier now for anyone to start to distribute and monetise cybercrime. A cyber criminal no longer needs to write malware code or hire a team of geeks from dark web forums to set up his server farm and expensive comms links. He can simply purchase all these services ready to go and pay a commission to someone else. This is called Cybercrime as a Service and it’s a really successful business model.
One of the key forms of protection is ensuring you have an appropriate password policy for you and your staff. And this is where it gets difficult. We know that a longer password is more secure than a shorter one, that a more complex password with odd characters and numbers is more secure, and that a truly random sequence of characters is better than meaningful words. Thus J1ClDT4d6VK2 is about 10,000 times stronger than MynameisAdam. But can I remember J1ClDT4d6VK2? I can’t! And by the way, I need a unique password for each of the 150 services I use, and I need to change them at varying levels of frequency.
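This is the job a password manager's generator does for you. The following is an added example, not code from the post or from LastPass: it draws a random password that satisfies a "so many characters, so many digits" policy using a cryptographic random source, and reports the strength of a uniformly random password as bits of entropy (length × log2 of the alphabet size). The policy names, defaults and service names are this example's own.

```python
import math
import secrets
import string

# Constructed default alphabet: upper, lower and digits (62 symbols), which is
# what the post's example J1ClDT4d6VK2 is drawn from.
ALPHABET = string.ascii_letters + string.digits


def meets_policy(password: str, min_digits: int = 1, min_upper: int = 1, min_lower: int = 1) -> bool:
    """Check the composition rules a site typically imposes."""
    return (sum(c.isdigit() for c in password) >= min_digits
            and sum(c.isupper() for c in password) >= min_upper
            and sum(c.islower() for c in password) >= min_lower)


def generate_password(length: int = 12, min_digits: int = 1, min_upper: int = 1,
                      min_lower: int = 1, alphabet: str = ALPHABET) -> str:
    """Return a random password from `alphabet` that satisfies the policy.

    `secrets` is a CSPRNG; `random` is not and must not be used here. Candidates
    missing a required class are rejected and redrawn rather than having characters
    forced into fixed positions, so every accepted password is uniformly drawn
    from the set of policy-compliant strings.
    """
    if min_digits + min_upper + min_lower > length:
        raise ValueError("policy requires more character classes than the length allows")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, min_digits, min_upper, min_lower):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def guesses_to_exhaust(length: int, alphabet_size: int) -> int:
    """Size of the search space an attacker must cover in the worst case."""
    return alphabet_size ** length


if __name__ == "__main__":
    # One unique password per service (constructed service names).
    for service in ("bank", "webmail", "crm"):
        pw = generate_password()
        print(f"{service:8} {pw}  ({entropy_bits(len(pw), len(ALPHABET)):.1f} bits)")
```

Because the password is never something you have to recall, the only limit on its length is what the site accepts; raising `length` adds about 5.95 bits per character for this alphabet.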
The other reason I now rely on a password manager is that these tools have become a mature product that works (mostly) and that those lovely Apple people have integrated fingerprint authentication into their devices. Now I can log in to an online service on my iPad without needing to remember my ID, password or even my password manager master password. I simply click on the integration link in the browser and select LastPass, touch my finger on the pad, and this inserts the credentials for me and I am logged in. I don’t actually know most of my online service passwords now.
How Feasible Are Password Managers For Business?
Of course it’s not perfect. Sometimes the software can be a bit clunky. It doesn’t integrate with many native apps (so I still have to log in to LastPass first to copy my password) and it does not have integration for Microsoft Active Directory. But it does mean that, a bit like Homer Simpson, in order to remember a password I don’t have to lose another piece of information from my brain.
How Do I Ensure My Password Manager Is Safe?
“What happens when the password manager gets hacked” I hear you say. “Isn’t this risk worse because all your eggs are in one basket?” We get asked this question every time we hold one of our Cyber Security Education Seminars. It’s a great question.
Firstly, you MUST ensure you use a solution that supports Two Factor Authentication. This means that any access to your password vault can only be made by entering a code generated by a supported Two Factor service (such as Google Authenticator) on a device you have (such as a mobile phone), in addition to the master password. Although this does add an extra step (where you don’t have fingerprint recognition), it’s still far more efficient and secure than trying to remember non-complex passwords.
Secondly, you should change your master password on a regular basis. Now you just have one password to remember – I think even I can manage that.
Thirdly – LastPass never has access to your master password. The master password is run through 5,000 rounds of PBKDF2-SHA256, a password strengthening algorithm, to create the key with which all the user data (including usernames and passwords) is encrypted. On that key they perform another round of hashing to generate the master password authentication hash. That is what is sent to the LastPass server so that they can perform an authentication check as the user is logging in. They then take that value, add a salt (a random string per user), do another 100,000 rounds of hashing, and compare the result to what is in their database. In layman’s terms: cracking their algorithms is extremely difficult, even for the strongest of computers.
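The first and third points above describe two mechanisms: a client-side key derivation so that only an authentication hash, never the master password or vault key, reaches the server, and a time-based one-time code as the second factor. The following is an added example written for this post, not LastPass's code: it implements the derivation chain with the round counts the post quotes (5,000 client-side, 100,000 server-side with a per-user salt) and an RFC 6238 TOTP check of the kind Google Authenticator performs. Using the username as the client-side salt, the `VaultServer` class and the demo credentials are this example's assumptions; the 20-byte secret is the RFC 6238 test vector.

```python
import hashlib
import hmac
import os
import struct

# Round counts are those the post quotes; everything else here is this example's own.
CLIENT_ROUNDS = 5_000
SERVER_ROUNDS = 100_000
RFC_SECRET = b"12345678901234567890"  # RFC 6238 appendix B test secret (SHA-1)


def derive_vault_key(master_password: str, username: str) -> bytes:
    """Client side: PBKDF2-SHA256 over the master password. The result is the key
    that encrypts the vault and it never leaves the device. Salting with the
    username is an assumption of this example."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.lower().encode(), CLIENT_ROUNDS, dklen=32)


def auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """One further hashing round over the vault key. This is the only value sent to
    the server, so the server learns neither the password nor the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def client_login_value(master_password: str, username: str) -> bytes:
    """What the client actually transmits at login."""
    return auth_hash(derive_vault_key(master_password, username), master_password)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP as generated by authenticator apps: HMAC-SHA1 over the
    time-step counter, dynamic truncation, last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class VaultServer:
    """Stores, per user: a random salt, the 100,000-round strengthening of the
    received auth hash, and the shared TOTP secret. Never the master password."""

    def __init__(self):
        self.records = {}

    def register(self, username: str, received_auth_hash: bytes, totp_secret: bytes) -> None:
        salt = os.urandom(16)  # the "random string per user"
        stored = hashlib.pbkdf2_hmac("sha256", received_auth_hash, salt, SERVER_ROUNDS)
        self.records[username] = (salt, stored, totp_secret)

    def login(self, username: str, received_auth_hash: bytes, code: str, now: int) -> bool:
        if username not in self.records:
            return False
        salt, stored, totp_secret = self.records[username]
        candidate = hashlib.pbkdf2_hmac("sha256", received_auth_hash, salt, SERVER_ROUNDS)
        if not hmac.compare_digest(candidate, stored):
            return False
        # Second factor: accept the current 30-second step and one either side
        # to tolerate clock skew between phone and server.
        for drift in (-30, 0, 30):
            if hmac.compare_digest(totp(totp_secret, now + drift), code):
                return True
        return False


if __name__ == "__main__":
    user, pw, now = "adam@example.com", "correct horse battery", 59  # constructed
    server = VaultServer()
    server.register(user, client_login_value(pw, user), RFC_SECRET)
    print("right password, right code:", server.login(user, client_login_value(pw, user), totp(RFC_SECRET, now), now))
    print("right password, wrong code:", server.login(user, client_login_value(pw, user), "000000", now))
    print("wrong password, right code:", server.login(user, client_login_value("guess", user), totp(RFC_SECRET, now), now))
```

A database copied from such a server contains only salted, heavily iterated hashes of a value that is itself a hash of a 5,000-round derivation; each guess against one user therefore costs an attacker over 105,000 PBKDF2 rounds, and a leak of the table reveals neither vault keys nor the data they protect.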
So that is why I use a password manager.
If you would like to learn more about Avagio’s IT support or cyber security solutions please visit our website at http://avagio.co.uk/ or give us a call.
Are you a business software application developer? There are so many benefits to joining BASDA. Find out more about how BASDA can help your business – Benefits of joining BASDA. Or you can give us a call on 01494 868030 to find out more.