Password risks and how to treat them
By Tom, on 15 February 2017
We are all drowning in password advice and I’m loath to add my name to the seemingly endless list of “security people berating bad password practice”, but if you try to apply an information risk management viewpoint to a lot of areas where we store private information, both in our work and private lives, it is still all too often the case that a username and a password are the only elements controlling access to vast tracts of our lives.
Or, in other words, if I’m going to discuss practical information risk advice, then I need to discuss passwords. I’ll keep it brief I promise.
P@55w0rd is ok right..?
There is plenty of good advice available on how to write a strong password. Instead, I’m going to talk about how to remember all those long, complex passwords. If you can make it easy to manage all these different accounts then you can remove the motivation to use weak, or duplicate passwords.
Password managers are tools that allow you to do just this. A password manager allows you to create a single strong password, and use that to encrypt a vault containing the logins to all your remaining accounts. What this means is that you can create a highly complex password for each site, but without the added overhead of having to remember these complicated strings.
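To make that concrete, here is an added example (not code from the original post, and not any real password manager's implementation) of the two pieces a manager rests on: stretching one master password into a vault key with a slow key-derivation function, and generating a unique random password per site so the vault never contains a reused one. The vault contents, salt and master password are constructed sample values; a real manager would encrypt the vault with the derived key, which this sketch stops short of.

```python
import hashlib
import hmac
import math
import secrets
import string

# Character set for generated site passwords: letters, digits, punctuation (94 symbols)
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20):
    """Uniformly random site password drawn from the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password, salt):
    """Stretch the single master password into a 32-byte vault key with scrypt.
    Only the salt is stored; the key exists in memory while the vault is open.
    Parameters are kept modest for the example; production use tunes them higher."""
    return hashlib.scrypt(master_password.encode(), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def key_check(master_password, salt):
    """Value stored alongside the vault so a wrong master password is detected."""
    return hashlib.sha256(derive_vault_key(master_password, salt)).digest()


def unlock(master_password, salt, stored_check):
    """Constant-time comparison: does this master password reproduce the stored check?"""
    return hmac.compare_digest(key_check(master_password, salt), stored_check)


def reused_passwords(vault):
    """Audit a {site: password} vault for the duplication risk the post describes."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


# Constructed sample vault: two sites share a password, one has a generated one
SAMPLE_VAULT = {"mail.example": "Summer2017!", "shop.example": "Summer2017!",
                "bank.example": generate_password(20)}
```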
Let’s apply that to an example risk
“There is a risk that my information may be accessed by unauthorised actors as a result of my password being guessed, or duplicated from another site that has been hacked”
You can calculate risk as a function of a threat (unauthorised access) due to a vulnerability (password being compromised) resulting in an impact (the consequences of the unauthorised access).
We can reduce the risk by controlling any one of these factors. Practically speaking, we can’t reduce the chances that someone may try to hack an account. Similarly, we can’t do much to reduce the value that other people ascribe to our information. What we can do, however, is reduce the chance that they will be successful. By using a password manager (and creating strong, unique passwords) we have reduced the likelihood that someone will compromise our password. Reducing the likelihood has reduced the risk.
Of the many tools available, ISG have reviewed the two below and can recommend them as offering reasonable assurance:
- LastPass https://lastpass.com/
- Password Safe https://pwsafe.org/