Tech consultants and journalists have their own conflicting opinions about the best way to manage access in a world full of security risks.
Too short, too complex, too frequently used, too many to remember: There are any number of problems with passwords. Stanford University now uses digital keys instead of log-in/passwords for students, staff, and professors to access university networks. IT teams are considering password-less solutions to reduce the burden of managing access and identity.
SEE: Identity theft protection policy (TechRepublic Premium)
Individuals can use password managers to strike a balance between security and convenience. However, these services have their own security risks. Here are a look at the pros and the cons of password managers based on the experience and analysis of four tech journalists.
Advantages of password managers
Rob Pegoraro, a tech journalist, tried LastPass first and then switched to 1Password which offers a free service for journalists. He also uses iCloud Keychain for some accounts and , for some low-value logins, the one Google builds into Chrome and Android. He sees an end-to-end encrypted service as the perfect alternative to remembering dozens of complex passwords.
“A password manager will be a more reliable and secure store than your own head or your browser’s autofill–once you set and memorize a complex password for it and enable its two-step verification,” he said. “That last line of defense can’t be via text message, a channel vulnerable to SIM-swapping accounts; every password manager worth its salt should offer this via USB security keys, which can’t get faked by phishing attacks.”
SEE: The Best Password Managers for 2020 (CNET)
Pegoraro did add a significant caveat to this endorsement of password managers: He doesn’t keep the passwords for his most important accounts in a password manager.
David Strom, president of an IT consulting firm, has been using LastPass for several years to store hundreds of logins.
“I switch among using a Mac, a Windows laptop, and my iPhone—and I have access to my password collection from all three devices.
Strom said the benefits of the service outweigh the associated security risks.
“As I have a strong master vault password, protected by MFA, I am reasonably confident that I am secure, certainly more secure than reusing passwords across sites,” he said.
Password managers also can help with volunteer tech support.
“As a primary source of tech support for my relatives, I’ve also realized that the secure-notes feature in a password manager is a great place to store the most important passwords of family members in case they forget them or need help with their accounts,” Pegoraro said.
Pegoraro wants Apple to add biometric authentication to a desktop Mac so he doesn’t have to type out the master password every time to unlock 1Password.
“It’s stupid that this Mac-first service is more pleasant to use on my Windows laptop,” he said.
Disadvantages of password managers
After trying several password managers and writing about breaches, tech journalist Sean Michael Kerner takes a low-tech approach to managing his passwords: Paper.
“I have absolutely zero confidence in any password manager, and inevitably there is a risk,” he said. “Paper is low-tech, but it works.”
Kerner uses a YubiKey for multi-factor authentication.
SEE: Social engineering: A cheat sheet for business professionals (free PDF) (TechRepublic)
Tom Henderson, founder of ExtremeLabs Inc., does not use a password manager because he sees the companies as prime targets for hacks.
“Relying on them becomes habitual, and they offer a security blanket that’s dangerous,” Henderson said.
Henderson uses four YubiKeys to augment passwords, adding that he knows the owner and founder of the company.
“The convenience factor can be excellent, but having the same key for all possible or reasonable devices can be inconvenient,” he said.
Tips for managing passwords
In addition to using multi-factor authentication, Henderson suggests keeping passwords and security certificates in a text file with an easy-to-remember name, such as good_recipes.txt or school_dates.txt. Users should update passwords frequently and delete old versions of that file.
“Take a copy on a flash drive and take it off premises so that when the worst happens, you’ll at least have your passwords with you,” he said.
Several writers suggested keeping an eye on HaveiBeenPwned once a month to see if an active password has been exposed.
Strom said that he’d like LastPass to integrate with the site to prevent users from using compromised passwords, a feature offered by 1Password.