Intelligence

Bite-Sized Cyber Essentials: Password Practices and Best Password Managers

This article is part of our Bite-Sized Cyber Essentials Guide, which is designed to help anyone understand the essential information they need to incrementally level up privacy and security - at work and at home.

Password Practices and Best Password Managers

If we were to think in terms of pure brute force password cracking, a typical password chart looks like the following. The information in each box represents the estimated amount of time it would take to hack each password through a brute force attempt.

Image credit: https://www.thecyberidiots.com/post/why-i-m-worried-about-the-lastpass-breach

Unfortunately, there are smarter and more efficient ways to crack passwords. In reality, the password chart should probably look like this.

Reality of brute force password cracking
Image credit: https://www.thecyberidiots.com/post/why-i-m-worried-about-the-lastpass-breach

While it may seem like there is nothing that can be done, this is not the case! There are smart and effective ways to create (and manage) passwords that reduce the likelihood of a personal account becoming compromised.

things to avoid Things to consider
Things to Avoid
  • Default / weak passwords
  • Repetition & variation
  • Writing passwords down (Paper / Excel / iNotes)
  • Saving passwords directly to your browser
  • Single factor authentication
Things to Consider
  • Lengthy / complex / unique / customized passwords
    • ‘February-1983-is-my-fav-month’ is more secure
      (and easier to remember) than ‘ge6eVD5rVgQ*’
  • Secure password repository
    • Enable geofenced access
      (only certain locations can access the repository)
    • Maintain an offline backup
  • Multi factor authentication

Selecting the Best Password Manager

Having more secure passwords is a great start, but even the best passwords are still at risk if they are all stored in a spreadsheet or notes app.

In addition to having safer and more secure password practices, it is important to understand how password managers work.

Remember: Just because a password manager suffers a security incident [1] does not mean your passwords, and everything stored there, are compromised!!

Using a safe and secure password manager that follows proper and mature security practices is still much safer than storing notes inside a browser directly, in notes, or a spreadsheet.

The following is a representative list of the best password managers and is not meant as a recommendation or a comprehensive list. We’ve included it here to help our readers understand what types of features we recommend that you look for when evaluating the best password manager for you. Pricing is current as of research date on 12 Oct 2022 - users should check for updated pricing.

PRICE PLANENCRYPTED VAULTCOMPLIANCE

TRANSPARENCY

ADDITIONAL FEATURES

KEEPASS

Entirely freeAES-256-bit encryption

Database files are encrypted
OSI certifiedOpen sourceSupports offline use

BITWARDEN

Personal: Free

Premium: ~$1/mo

Families: ~ $3.33/mo

+ Business pricing options
AES-256-bit encryption

End-to-end encryption
GDPR
CCPA
HIPPA
EU-US Privacy Shield
SOC2 & SOC3
Bug bounty programSupports offline use

Cross platform

KEEPER

Personal: $2.92/mo

Families: $6.25/mo

Students: 50% off

Medical & Military: 30% off

+ Business pricing options
AES-256-bit encryption

Local encrypted key
GDPR
CCPA
HIPPA
EU-US Privacy Shield
ISO27001
SOC2
Additional certifications & compliance here
Penetration testing

Incident response report

Bug bounty program
Cross platform

Dark web monitoring

1PASSWORD

Personal: $2.99/mo

Families: $4.99/mo

+ Business pricing options
AES-256-bit encryption

Local encrypted key
SOC2Penetration testing

Incident response report

Bug bounty program
Clipboard management

Cross platform

Dark web monitoring

When it comes to password managers, use multifactor authentication (MFA) on the master password as well!

--

[1] Often the term “data breach” is used whenever a there is a security incident. It is important to distinguish that a breach refers to when a certain amount of personally identifiable information is accessed or mishandled whereas a security incident refers to a violation or imminent threat of violation of security policies, acceptable use policies, or standard security practices. https://www.linkedin.com/posts/dan-desko_was-lastpass-actually-breached-or-did-they-activity-6970780468052983808-rpe8

Sign up to get Cyber Intelligence Weekly in your inbox.