Passwords – Unloved but Unavoidable

Passwords – unloved but unavoidable

There’s a huge debate to be had around passwords. It’s one of those topics that generates endless rolling of the eyes, no matter who you are.

The average person dislikes having to remember them all or keep thinking up new ones when a system nags them to change the one they’ve been using for months/years/decades (delete as appropriate, etc).

Passwords – we all love to hate them, but we can’t hide from them!

Systems administrators get a different type of pain from passwords, usually around discovering that people are still using their pet’s name or their child’s birthday, but more often than not having to repetitively fix the fact that they’ve managed to lose or forget the magic word and need their access resetting. Daily.

No doubt someone will come up with something better before very much longer (please!) but many have tried and we’re still not there.

Whatever your feelings on the subject, there’s still no getting away from the fact that passwords are part of life. The best thing to do is try to remove as much of the friction as possible while we have to live with them.

First and foremost a password should be strong, and to be strong it should be as far as possible from being guessable by either a human or a millions-of-combinations-per-second number crunching computer. Definitely no less than 10/12 characters, but very preferably quite a few more. In fact, you’re probably better off with an obscure phrase.

It’s also worth noting, for Windows users (which is still most people), that passwords are more secure if they are 7, 14, 21 or 28 characters in length (happy to tell you why if you’d like to know…).

Of course once you’ve come up with this sturdy key to your most private information, it would be nice not to have to then come up with a whole new hard-to-memorise version for the next online service that comes along.

That’s where a good password manager comes into play. There are a number on the market and they will suit varying needs differently but, in essence, they are a way to lock away all of your login details behind just one secure password. That way you can make that one string of letters, numbers and other characters as unguessable as possible but only have the one instance of it to remember.

A good password manager will then allow you to generate strong, random passwords for all of the online sign-ups you need to do without you needing to remember (or even know them). Password managers usually have a browser extension and mobile app that lets you recover your passwords as you need them, taking much of the friction out of the process. Just don’t forget that one master password..! In fact, we use a service that has a password and a passphrase.

Strong Password, Strong Encryption

That’s a useful strategy for anyone, as long as you ensure the password manager you choose has a good reputation and has proper encryption and other security measures in place.

For a business though it can be a lifesaver to invest in such a setup. Too often, especially with smaller firms, one person is made responsible for a variety of tasks which each require their own login. No matter how conscientious that person in setting up secure passwords and keeping them safe, if they suddenly can’t or don’t turn up for work one day how much damage could that do to you?

It’s not as easy as calling the service provider and asking for a new login. Even if they are willing to play ball, you have to prove who you are and why you should be allowed in. That could take days or even weeks – and that’s just for a social media account! Can you survive that long without access to your online accounting software, for instance?

A password manager that’s ultimately overseen by key senior personnel can make a big difference. A good solution will even allow the senior person to delegate the ability to use logins to other staff without giving away the power to change (or sometimes even see) the actual password.

That’s good for the centralised services that the business might rely on, but there’s still the need for most employees to have a username and password of their own, even if only for email – and that’s still a weak link that is open to human fallibility.

There are ways to limit the risks through policies and practices, such as enforcing routine password changes or requiring two-factor authentication (where a smartphone app gives you a unique number to confirm your identity or the system sends a code by text message to your phone). These are very worthwhile, though they can take some managing from a human point of view; staff have to be trained to use them and they can be resistant to anything that takes more time.

Ultimately, we’re stuck, for the time being at least, with passwords and the weaknesses they represent. The best defence is to have robust policies around their use and good strategies to manage any actual or suspected breach and to do so quickly.

If you have to make yourself unpopular by insisting the sticky notes with login credentials written down are taken off office monitors, that’s better than the security risk it represents. The office manager who jealously guards the fact they’re the only one with the Twitter login needs to be re-educated.

Passwords, currently at least, are the keys to the kingdom. You need to be sure that you have them under control. If you’re not sure how, that’s what Bespoke Computing is here for.