A password manager: is it for me?
Yes, I think so.
Login data are constantly being stolen, discovered or leaked from different websites. Several cases make the news every week, and there are many more that do not get that much attention.
To decrease the risk of your login data being abused, it is a must to use a different password on every website and application.
How can you remember all these passwords?
The most obvious solution for that is to use a password manager. This allows you to use a different password every time without having to remember them all. That way you will be less tempted to choose a simple(r) password. You can even get your password manager to generate a strong password and immediately save it for the website it is for. You don’t even need to see the passwords!
With a password manager you only have to remember one password, but you have the advantages of different passwords per site or app(lication). The downside, however, is that when someone gets access to your password manager, they get access to all your accounts. Therefore, it is strongly advised to choose a password manager that is itself protected with 2FA and that can also use 2FA in the places where you want to log on. You can read a previous blog on choosing a 2FA tool here.
In general, you can choose between the following kinds of password manager: local, local supplemented with cloud synchronisation, web based on your own infrastructure, web based on a dedicated VM, or cloud based. These varieties all have their advantages and their disadvantages. I will list the most important ones below.
Local password manager
In the case of a local password manager, you have full control over who has access, but you have to make your own backups, updates, etcetera. When you combine a local password manager with a synchronisation to a cloud storage service, you have a ‘backup’, but the access is less secure.
Web based password manager
Web based password managers have an advantage that is a disadvantage at the same time: you have access to your password manager from every location. Adjust your settings accordingly, so that it can only be accessed from a limited number of IP addresses. When you have a web based solution on your own infrastructure, you know who has access, but you still have to take care of your backups. If you don’t have your own infrastructure, you can also choose to use a dedicated VM or server, at BIT for example. In all cases, do make sure that the encryption of the files and within the database is in order. Another option is a web based password manager service (cloud based), which often works through an app. With this variety you do not need to make your own backups, updates, etcetera; the service provider does this for you. A disadvantage is that you do not know who can access your data and where it is stored. Such services are also a more attractive target for people with malicious intent, because there are many passwords to retrieve from one place.
Which password manager did BIT choose and why?
First of all, you are the only one who can decide which ‘variety’ is best suited to your needs. I do always discourage people from saving passwords in a plain text file, a Word file or an Excel file. Such files get out there and can be read by anyone who happens to find them. Your choice of password manager should always be based on where the passwords are saved. Make a list of requirements that your password manager needs to meet and then start looking for one. There are several (often, unfortunately, incomplete or commercially oriented) overviews on the internet that compare password managers. Try a few password managers, but do not enter all of your passwords during the testing phase, because it is not unthinkable that you will find out it does not work for you or your colleagues. Not all password managers have an import and export function, so switching password managers can be a lot of work.
Your list of requirements for a password manager can be composed based on the following items:
- Is the service secured with multi/two-factor authentication?
- Is there an import and export function?
- Can you share passwords with others?
- Can you generate strong passwords?
- Can you directly place passwords in a paste buffer?
- Is integration in browsers possible?
- Is it possible to use passwords on mobile devices?
- Is it available on any possible operating system?
- Is it a free or a paid service?
- Is the source code public?
- Do you want to host or outsource?
- Are logs public and what is in them?
- How are the backups set up?
- Where is my data stored?
- Who can access my data?
- Which encryption is in place?
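Two of these requirements (strong password generation and an export function) can be checked against the article's main point, one password per site. The added example below is not part of the original post or of any product; it generates passwords with a CSPRNG and audits a constructed CSV export (the column layout is an assumption) for passwords reused across sites or with too little entropy.

```python
import csv
import io
import math
import secrets
import string
from collections import defaultdict

# Constructed sample of a password-manager export; the "site,username,password"
# layout is an assumption for this example, not any specific product's format.
SAMPLE_EXPORT = """site,username,password
example-shop.test,kristian,Winter2021!
example-mail.test,kristian,Winter2021!
example-bank.test,kristian,c7Q!x9#Lp2vR$mT0
example-forum.test,kristian,hunter2
"""

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Generate a password from a CSPRNG, as a password manager would."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Upper-bound entropy estimate: assume every character was drawn uniformly
    from the union of the character classes the password actually uses."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def audit_export(csv_text: str, min_bits: float = 80.0) -> dict:
    """Flag passwords shared between sites and passwords below min_bits of entropy."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row["site"])
    reused = {pw: sites for pw, sites in by_password.items() if len(sites) > 1}
    weak = [row["site"] for row in rows if entropy_bits(row["password"]) < min_bits]
    return {"entries": len(rows), "reused": reused, "weak": weak}
```

Running `audit_export(SAMPLE_EXPORT)` reports the one password shared by two sites and the three entries that fall below 80 bits, which is exactly the situation the article advises moving away from.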
So, if you are still using the same password on different sites and app(lication)s, you have to make your move now and start using a password manager. That will decrease the risk of your login data being abused.
Want to know more about password managers?
Do you want to know more about using a password manager? Then contact us. We are happy to advise you.
By: Kristian de Bruijn