Password managers

From Earlham CS Department

A while ago we discussed password managers at a meeting. I got a sense that most people liked the idea, a few people had some specific issues, and in general people wanted some direction. It's taken me quite a while to return to the subject, but here it is. If you don't read the rest of this, please at least note that I strongly encourage them and that we're considering requiring them for all our sysadmins next semester.

Password manager basics:

  1. In your password manager application of choice, create an account with a very strong password or (preferably) passphrase.
  2. Store all your other passwords in that account.
  3. Start replacing bad passwords with strong passwords that you don't need to remember.

A password manager can autofill in your browser using a browser extension, and you can copy and paste into applications on mobile devices. There are a million details, but that's the principle.

Some specific options for password manager applications (there are many others):

  • KeePass: most popular open-source password manager; versions exist for all OS families
  • LastPass: the most popular password manager, and the one I personally use; it is cross-platform, syncs between devices, and is easy to learn. You can subscribe for sharing tools, but the basic functions are free
  • 1Password: a subscription-only service; people who use it seem to like it a lot. See a local alum's writeup from 2013: https://chrishardie.com/2013/01/1password-password-management-review/
  • others are free to send along recommendations

If you want to read more:

These will be mandatory.