A while ago we discussed password managers at a meeting. I got a sense that most people liked the idea, a few people had some specific issues, and in general people wanted some direction. It’s taken me quite a while to return to the subject, but here it is. If you don’t read the rest of this, please at least note that I strongly encourage them and that we’re considering requiring them for all our sysadmins next semester.
Password manager basics:
- On your password manager application of choice, create an account with a very strong password or (preferably) pass phrase.
- Store all your other passwords in that account.
- Start replacing bad passwords with strong passwords that you don’t need to remember.
It can autofill in your browser using a browser extension, and you can copy-paste to applications on mobile devices. There are a million details, but that’s the principle.
Some specific options for password manager applications (there are many others):
- KeePass: most popular open-source password manager; versions exist for all OS families
- LastPass: the most popular password manager, and the one I personally use - cross-platform, syncs between devices, easy to learn, you can subscribe for sharing tools but the basic functions are free
- 1Password: a subscription-only service, people who use it seem to like it a lot; see a local alum’s writeup from 2013: https://chrishardie.com/2013/01/1password-password-management-review/
- others are free to send along recommendations
If you want to read more:
- Here’s a rundown on password managers and their importance. From a security standpoint, which we as sysadmins care the most about, a password manager lets us avoid most instances of weak passwords, duplication, etc. From the perspective of a user, I enjoy not having to manage my own passwords (I only remember 5 or so, out of over a hundred, and I don’t have to make up long strings of characters or rules to make them).
- Here’s a comment by the author of the piece acknowledging and addressing the problem that password managers create a single point of failure. TL;DR: most every security measure has tradeoffs, you can address some of them with two-factor authentication (another important subject!), and no piece of technology will solve ALL security problems.
- I picked the Verge article essentially at random - you can search the Internet for similar pieces from your choice of tech sources, security blogs, etc.
These will be mandatory.