Password managers

What is a password manager?

Password managers are software applications that store and enter passwords for you. They combine high security with convenience.

Password security for schools is a challenging issue. There needs to be a suitable balance between:

  • security – protection of information
  • usability – ready access to this information.

Poor password practices are a common cause of information being accessed by the wrong people enabling possible harm to individuals or the school as a whole. This is why password management requires careful consideration.

Benefits of using a password manager

[Image: padlock and computer. Image by TheDigitalWay from Pixabay]

A password manager takes the effort out of remembering unique, secure passwords. It creates a suitable password, stores it, and enters it for you as required.

  • You only have to remember one very strong password to unlock a range of services.
  • Passwords are encrypted and securely stored.
  • Login details can be shared easily among devices.
  • Other sensitive data can be securely stored for convenient use online (for example, credit card details).

It is recommended that all school staff use a password manager

It is highly recommended that all school staff use a password manager. School staff manage passwords that access sensitive data about their students and school communities. These include passwords to the Student Management System (SMS), school email, shared files and school intranet. As most teachers use the same laptop for school and home, the line between what is private and what is work can be blurred. School passwords might be reused for private purposes and vice versa. If someone on the internet used your login, could they access any school systems using the same email and password?

Effective passwords

Password security and passphrases are explained in this short interview.

Brute force cracking

A brute force attack is where huge numbers of passwords are tried in rapid succession hoping one of them will succeed. As computers have increased in power, they have become faster at brute force cracking passwords. Modern computers can be set up to test thousands of passwords per second.

A secure password is long and random

The only way to beat brute force attacks is to use a long, random password. A password like “vI6pDM*gLg#!kxPOrV” would take a computer several hundred years to guess via the brute force method, but it's very hard for people to remember. The password manager takes the effort out of remembering unique, secure passwords. Your password manager creates a suitable password, stores it, and enters it for you as required.

Vast databases of leaked passwords are available online and have been analysed to determine how people choose passwords. That's why the only secure password is a long and random one. However, second best to a long and random password is a long yet simple password.

Two-factor authentication

Two-factor authentication requires a combination of two factors to enable authentication: something a person knows (usually a password) and something a person has (a fingerprint, app on their phone or special code sent by text message or printed and securely stored).

Services that offer it also use heuristics (time since last login, location, device, and browser) to decide whether a login attempt looks suspicious.

Two-factor authentication is available for an increasing number of services used in schools including G Suite and Office 365.

Enabling two-factor authentication for staff will significantly increase the security of their use of G Suite or Office 365. Two-factor authentication has very little to no impact on usability. We recommend that it is enforced for staff, but is voluntary for students because staff are likely to own a cellphone while students may not. We suggest that if possible it is introduced to staff in a planned, gradual, managed, supportive way rather than suddenly switched on!

Choosing a password manager

There are a number of options. Your choice depends on the features you need and the different devices you use.

To help with your decision, start by looking at:

Many password managers are free or have a demo mode to allow you to try them out. You will need to install the software on each device you wish to use it on.

[Image: password login screen. Image by Gerd Altmann from Pixabay]

Built-in password managers

  • Apple macOS – Keychain
  • Microsoft Windows – Credentials Manager

In combination with cloud storage and their own browsers, Keychain and Credentials Manager offer to create and store secure passwords when they detect you are creating a login. Passwords are stored securely in the cloud and are available on their respective phones and tablets too. This system works well for your Apple or Microsoft equipment and software.

  • Note: Passwords in the Keychain are only available on Safari.

In the case of built-in password managers such as Keychain, the computer user’s login password unlocks them. These login passwords should also conform to the long and complicated ideal.

Using your browser to store passwords

Modern web browsers have a function that is superficially similar to a password manager. There are issues with relying on your browser for this:

  • most web browsers don’t secure their password storage – they will normally auto-fill or display passwords without requiring you to identify yourself
  • browsers potentially store passwords in ways that are easier to decrypt than those stored in a password manager
  • passwords aren’t necessarily shared between different browsers and applications, although they are able to be shared with the same browser on another device.

Using your password manager

1. Lock the password manager with a long, complicated password


Create a long, complicated password to lock your password manager. It needs to be long and complicated because you only need this one single password to unlock everything else.
If your password:

  • is less than 9 characters, then it has probably already been guessed via brute force
  • uses a word or name and replaces some of the letters with numbers, or adds some numbers to the end, then it is easily and almost instantly guessable using a dictionary attack.

Create a memorable, safe password

To create a memorable password that would resist brute force and dictionary attacks, combine a string of three or four uncommon, unrelated words, for example, "doorbell conclude kudos boxing". With a little creativity, you can generate a mental picture to help you remember it. Leave spaces between the words as it makes it easier to remember and to type.
Complexity comes from choosing unusual words, rather than using capital letters, punctuation and numbers. You can still put a capital letter, number, or symbol in to increase the complexity. Choose one randomly and put it somewhere random – “doorbell conc=lude kudos boxing”.
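To put numbers on the brute-force discussion above and on the word-based approach in this section, here is an added worked example (written for this page; it is not TKI's code). It assumes the 95 printable ASCII characters for a random password like the 18-character one quoted earlier, and a word list of 7776 entries (the size of the EFF long word list) for a passphrase; the small word list in the code is a constructed stand-in, and the guess rate is a parameter because the page's "thousands per second" describes a desktop trying logins, while offline cracking of leaked hashes runs far faster. The generator uses `secrets`, which is the right source of randomness for this job.

```python
import math
import secrets

# Constructed stand-in for a real word list; entropy figures below use the
# assumed real list size (7776 words), not the length of this sample.
SAMPLE_WORDS = ["doorbell", "conclude", "kudos", "boxing",
                "lantern", "pebble", "walrus", "quartz"]
ASSUMED_LIST_SIZE = 7776        # assumption: EFF-sized word list
PRINTABLE_ASCII = 95            # letters, digits, punctuation, space
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits_charset(length: int, charset_size: int) -> float:
    """Bits of entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(charset_size)


def entropy_bits_wordlist(num_words: int, list_size: int) -> float:
    """Bits of entropy of `num_words` words chosen uniformly from a list."""
    return num_words * math.log2(list_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate of a given entropy at a given rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(words, count: int = 4, separator: str = " ") -> str:
    """Pick `count` words with a cryptographic RNG; spaces keep it easy to type."""
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    random18 = entropy_bits_charset(18, PRINTABLE_ASCII)   # e.g. vI6pDM*gLg#!kxPOrV
    words4 = entropy_bits_wordlist(4, ASSUMED_LIST_SIZE)  # e.g. doorbell conclude kudos boxing
    lower8 = entropy_bits_charset(8, 26)                  # an 8-letter lowercase password
    for label, bits in [("18 random printable chars", random18),
                        ("4 words from 7776", words4),
                        ("8 lowercase letters", lower8)]:
        print(f"{label}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, 1_000):.2e} years at 1e3 guesses/s, "
              f"{years_to_exhaust(bits, 1e9):.2e} years at 1e9 guesses/s")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

The output makes the page's point concrete: the four-word phrase has far less entropy than the 18-character random string but still sits comfortably beyond a feasible search, while the 8-letter password falls in hours at offline cracking rates, which is why the short-password and dictionary-attack bullets above matter.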

2. Load your passwords into the password manager


Loading your existing passwords into your new password manager can be a bit of a chore, as you have to create a new record for each site. A strong recommendation is to change your passwords on each site as you do this into ones generated by the password manager. It’s a one-time process and worth going through the pain.
Once set up, every time you sign up at a new site the password manager will offer to create a secure login for you. The required effort at this point is minimal.

3. Use the password manager to enter passwords for you


Each password manager works slightly differently, but they all have the same basic functions. As you visit a site:

  1. click a button on your browser or on your computer’s dock or tray to unlock your password manager
  2. the password manager enters the username and password for that site into the correct fields for you.

They are generally very good at detecting which fields need to be filled in.

You set how aggressively your password manager locks itself again. Allowing it to remain unlocked until you quit your browser or are inactive for a set time should be safe enough.

Situations when password managers won’t increase security

Password managers are very effective at protecting you from an attack from the internet by making it easy to use long, unique passwords. There are some things they don’t protect you from.

Storing your old, insecure passwords

The password manager is only effective if you set all your passwords to secure ones. A password manager will store and supply an insecure password you have created for a site, but this won’t lead to better security. Many password managers will flag passwords that are too short, or simple to guess.
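The flagging that many password managers do can be reproduced on a small scale. The following is an added example for this page (not the code of any particular password manager): it audits a constructed vault for the three problems the page names, namely passwords that are too short (using the page's 9-character threshold), passwords reused across sites, and dictionary words disguised with number-for-letter substitutions or trailing digits. The vault entries and the tiny word list are constructed for illustration and are not real credentials.

```python
import re
from collections import Counter

# Constructed example vault of (site, password) pairs; not real credentials.
SAMPLE_VAULT = [
    ("sms.school.example", "Summer2019!"),
    ("mail.school.example", "Summer2019!"),
    ("intranet.school.example", "p@ssw0rd"),
    ("library.example", "vI6pDM*gLg#!kxPOrV"),
    ("photos.example", "doorbell conclude kudos boxing"),
]

# Constructed tiny stand-in for a cracking dictionary of common base words.
COMMON_WORDS = {"password", "summer", "winter", "school", "welcome", "letmein"}

# Substitutions a dictionary attack undoes before comparing against the list.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 9  # the page's "less than 9 characters" threshold


def normalise(password: str) -> str:
    """Reduce a password to the base word an attacker would guess it from:
    lowercase, drop trailing digits/symbols, undo leet-speak substitutions."""
    lowered = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return stripped.translate(LEET_MAP)


def audit_vault(vault):
    """Return {site: [findings]}; an empty list means nothing was flagged."""
    counts = Counter(pw for _, pw in vault)
    findings = {}
    for site, pw in vault:
        issues = []
        if len(pw) < MIN_LENGTH:
            issues.append("too short")
        if counts[pw] > 1:
            issues.append("reused on another site")
        if normalise(pw) in COMMON_WORDS:
            issues.append("dictionary word with substitutions")
        findings[site] = issues
    return findings


if __name__ == "__main__":
    for site, issues in audit_vault(SAMPLE_VAULT).items():
        print(f"{site}: {', '.join(issues) if issues else 'ok'}")
```

The two entries that survive the audit are exactly the kinds the page recommends: a generated random string and a multi-word passphrase. Replacing the flagged ones with generated passwords, one site at a time, is the loading step described in "Using your password manager".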

Attacks that don’t come from the internet

Schools are unusual from a security standpoint because of the danger of people physically seeing you enter your password. Students have time and opportunity to steal staff passwords, and have done so. Techniques such as groups of students watching you type and remembering a few characters each, or using keyloggers, have been used in New Zealand to gain unauthorised access to school systems. Some schools even have simple password allocation schemes, meaning once you know one password, you can guess that of any user who hasn’t changed theirs.

Security techniques

  • be mindful of who else is present when you enter your password
  • use different passwords for everything
  • ensure your computer locks the screen – security is severely compromised when someone has physical access to a logged-in computer
  • keep passwords secret – it’s never a good idea to divulge passwords to students, no matter how trustworthy.
  • technicians and network administrators shouldn’t need to know your passwords – change your password to something easy when you hand your machine in for service or repairs, and change it back when they have finished
  • use two-factor authentication – G Suite allows for easy two-factor authentication using your mobile, as does Office 365.

Biometric systems such as fingerprint scanners are common on phones, tablets, and laptops. You may be able to set up your fingerprint to work in place of the master password for your password manager, so you can unlock it without having to type.

Good password practices

Good practice includes:

  • never sharing your personal password, even with a technician
  • technicians not recording passwords as they are given out
  • never writing down passwords that can be used to access sensitive data
  • always enforcing passwords to be changed at first log-in.

Passwords can be stored in Keychain on a Mac, and some web browsers save passwords. These are only as secure as the password that is required to access them, so this password must be very secure (for example, long and unique).

Resources

XKCD Password strength
The comic strip that started a lot of conversations about secure passwords.

Have I been pwned?
Check if you have an account that has been compromised in a data breach.

Passwords
In this video, the ABC consumer affairs show has a 7-minute segment on password managers.

How to choose a password
In this 11-minute video, Dr Mike Pound, University of Nottingham explains how to create a strong password.

Keeping your school network safe
CERT NZ’s guide to keeping your school network safe

Two Factor Authentication
Netsafe’s blog post explains what two-factor authentication is, why you need it, and provides links to how to set it up for a range of applications.

Password complexity rules more annoying, less effective than lengthy ones
A blog post discussing password complexity.

How secure is my password?
Test how secure your passwords are using this tool.

Password security – Why secure passwords need length over complexity
This blog post compares password types and explains why long passwords are preferable to complex passwords.
