Getting started with password managers

Password managers are software applications that store and enter passwords for you. They combine high security with convenience.

Benefits of using a password manager

A password manager takes the effort out of remembering unique, secure passwords. It creates a suitable password, stores it, and enters it for you as required.

  • You only have to remember one very strong password to unlock a range of services.
  • Passwords are encrypted and securely stored.
  • Login details can be shared easily among devices.
  • Other sensitive data can be securely stored for convenient use online (for example, credit card details).

It is recommended that all school staff use a password manager

It is highly recommended that all school staff use a password manager. School staff manage passwords that access sensitive data about their students and school communities. These include passwords to the Student Management System (SMS), school email, shared files and school intranet. As most teachers use the same laptop for school and home, the line between what is private and what is work can be blurred. School passwords might be reused for private purposes and vice versa. If someone on the internet used your login, could they access any school systems using the same email and password?

Effective passwords

Edward Snowden explains password security in this short interview. He suggests using long passwords made up of a random phrase to overcome brute force attacks.

Brute force cracking

A brute force attack is where huge numbers of passwords are tried in rapid succession hoping one of them will succeed. As computers have increased in power, they have become faster at brute force cracking passwords. Modern computers can be set up to test thousands of passwords per second. 

A secure password is long and random

The only way to beat brute force attacks is to use a long, random password. A password like “vI6pDM*gLg#!kxPOrV” would take a computer several hundred years to guess via the brute force method, but it's very hard for people to remember. The password manager takes the effort out of remembering unique, secure passwords. Your password manager creates a suitable password, stores it, and enters it for you as required.

Vast databases of leaked passwords are available online, and have been analysed to determine how people choose passwords. That's why the only secure password is a long and random one.

Choosing a password manager

There are a number of options. Your choice depends on the features you need and the different devices you use.

To help with your decision, start by looking at:

Many password managers are free or have a demo mode to allow you to try them out. You will need to install the software on each device you wish to use it on.

Built in password managers

  • Apple macOS – Keychain
  • Microsoft Windows – Credentials Manager

In combination with cloud storage and their own browsers, Keychain and Credentials Manager offer to create and store secure passwords when they detect you are creating a login. Passwords are stored securely in the cloud and are available on their respective phones and tablets too. This system works well for your Apple or Microsoft equipment and software.

  • Note: Passwords in the Keychain are only available on Safari.

In the case of built-in password managers such as Keychain, the computer user’s login password unlocks them. These login passwords should also conform to the long and complicated ideal.

Using your browser to store passwords

Modern web browsers have a function that is superficially similar to a password manager. There are issues with relying on your browser for this:

  • most web browsers don’t secure their password storage – they will normally auto-fill or display passwords without requiring you to identify yourself
  • browsers often store passwords in ways that are easy to decrypt
  • if you use different browsers, the passwords aren’t communicated between them
  • passwords aren’t shared between other devices like phones and tablets.

Using your password manager

1. Lock the password manager with a long, complicated password

Create a long, complicated password to lock your password manager. It needs to be long and complicated because you only need this one single password to unlock everything else.

Create a memorable, safe password

To create a memorable password that would resist a brute force attack, combine a string of four or five uncommon, unrelated words, for example "doorbell conclude kudos boxing". With a little creativity, you can generate a mental picture to help you remember it. Leave the spaces between the words, as this makes the password easier to remember and to type.

If your password:

  • is fewer than 9 characters, then it has probably already been guessed via brute force
  • uses a common word and replaces some of the letters with numbers, then it is easily and almost instantly guessable using a dictionary attack.
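
The brute force and word-based password advice above can be checked with a short calculation. The following Python sketch is an added example, not part of the original page: it picks words with a cryptographically secure random source and compares how much guessing different choices demand. The function names, the 16-word sample list, the 7776-word list size (a common size for dice-based word lists) and the guessing rate are assumptions made for this example.

```python
import math
import secrets

# Constructed sample list, for illustration only. A real generator needs a
# list of thousands of words so that every word adds enough entropy.
SAMPLE_WORDS = [
    "doorbell", "conclude", "kudos", "boxing", "lantern", "pebble",
    "orbit", "mustard", "velvet", "harbour", "quartz", "thimble",
    "gravel", "canyon", "whistle", "juniper",
]


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` symbols, each picked uniformly from `choices` options."""
    if choices < 2 or length < 1:
        raise ValueError("need at least 2 choices and 1 symbol")
    return length * math.log2(choices)


def years_to_search(bits: float, guesses_per_second: float) -> float:
    """Average brute force time in years: half the space is searched on average."""
    seconds = (2 ** bits) / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def generate_passphrase(words, count: int = 4) -> str:
    """Join `count` words chosen with the operating system's secure random source."""
    if len(set(words)) != len(words):
        raise ValueError("duplicate words lower the real entropy of the list")
    return " ".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    rate = 1e9  # assumed guessing rate, chosen for this example only
    cases = {
        "8 random lowercase letters": entropy_bits(26, 8),
        "4 words from this 16-word sample": entropy_bits(len(SAMPLE_WORDS), 4),
        "4 words from a 7776-word list": entropy_bits(7776, 4),
        "5 words from a 7776-word list": entropy_bits(7776, 5),
    }
    for label, bits in cases.items():
        print(f"{label}: {bits:.1f} bits, ~{years_to_search(bits, rate):.2g} years")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
```

The strength of a word-based password comes from the size of the list and from letting the computer choose: four words from the small sample list are far weaker than four words from a list of thousands, and words you pick yourself are weaker still.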

2. Load your passwords into the password manager

Loading your existing passwords into your new password manager can be a bit of a chore, as you have to create a new record for each site. It is strongly recommended that, as you do this, you change your password on each site to one generated by the password manager. It’s a one-time process and worth going through the pain.

Once set up, every time you sign up at a new site the password manager will offer to create a secure login for you. The required effort at this point is minimal.

3. Use the password manager to enter passwords for you

Each password manager works slightly differently, but they all have the same basic functions. As you visit a site:

  1. click a button on your browser or on your computer’s dock or tray to unlock your password manager
  2. the password manager enters the username and password for that site into the correct fields for you.

They are generally very good at detecting which fields need to be filled in.

You set how aggressively your password manager locks itself again. Allowing it to remain unlocked until you quit your browser or are inactive for a set time should be safe enough.

Sometimes password managers won’t increase security

Password managers are very effective at protecting you from an attack from the internet by making it easy to use long, unique passwords. There are some things they don’t protect you from.

Storing your old, insecure passwords

The password manager is only going to be effective if you make the effort to set all your passwords to secure ones. A password manager will store and supply an insecure password you have created for a site, but this won’t lead to better security. Many password managers will flag passwords that are too short, or simple to guess.

Attacks that don’t come from the internet

Schools are unusual from a security standpoint because of the danger of people physically seeing you enter your password. Students have time and opportunity to steal staff passwords, and have done so. Techniques such as groups of students watching you type and remembering a few characters each, or using keyloggers, have been used in New Zealand to gain unauthorised access to school systems. Some schools even have simple password allocation schemes, meaning once you know one password, you can guess that of any user who hasn’t changed theirs.

Security techniques

  • be mindful of who else is present when you enter your password
  • use different passwords for everything
  • ensure your computer locks the screen – security is severely compromised when someone has physical access to a logged-in computer
  • keep passwords secret – it’s never a good idea to divulge passwords to students, no matter how trustworthy
  • technicians and network administrators shouldn’t need to know your passwords – change your password to something easy when you hand your machine in for service or repairs, and change it back when they have finished
  • use two-factor authentication – Google Suite allows for easy two-factor authentication using your mobile, as does Office 365.

Biometric systems such as fingerprint scanners are common on phones, tablets, and laptops. You may be able to set up your fingerprint to work in place of the master password for your password manager, so you can unlock it without having to type.

Resources

Recommendations for managing passwords – Connected Learning Advisory resources

XKCD password strength – the comic strip that started a lot of conversations about secure passwords

Have I been pwned? – see if your passwords have been compromised

Passwords (7:40) – ABC consumer affairs show segment on password managers

How to choose a password (11:32) – Dr Mike Pound, University of Nottingham
