How do you keep track of your passwords? In your head because you only use a handful for everything? In a document on your PC, Mac, or Linux desktop, on sticky notes, or maybe in the famous Password Keeper notebook that is featured in this Micro Focus video – where my favorite IT hero Sam talks about solving single sign-on problems.
It turns out that Kikkerland and Galison took a page (pun intended) from our video and actually released a pocket-sized password keeper notebook. In theory this should be a good idea, given that the number one way to prevent password compromise is to use different passwords for your email, social, and banking accounts. However, unless your password keeper book is kept in a vault and handled with care every time it is used, it is just as subject to theft as those sticky notes on your keyboard. And that brings me to the human factor.
Why the Human Factor is Bad for Passwords
We as humans have the tendency to:
- Misplace things:
Do you know exactly where your keys, wallet, and phone are right now? A recent British study concluded that the average person loses up to 9 things a day and spends at least 15 minutes looking for them.
- Take measured and what seem like practical risks without weighing the consequences:
Ever take your phone out in public to show someone pictures? When you entered your password, did you think anyone could see it? Have you ever left your phone on the table at a restaurant while visiting the bathroom? While arriving for a birthday party, a friend of mine recently gave her keys to what she thought was a valet and the next time she saw her car was three months later, stripped; and of course the presents were gone! People have a lot of trust in each other and take measured risks with their things all the time and they don’t really think deeply about the consequences of handing their keys over to an assumed valet.
- Bend the rules to create efficiency even if the rules are there to protect them:
Ever jump a turnstile, duck under the ribbons at a security checkpoint, or use someone else’s credentials rather than your own to quickly access data? Have you ever broken policy by paying a commercial vendor with a credit card instead of a Purchase Order to start a project faster? Humans have a need for speed and instant gratification that wins out over security and over policies which, at that moment, seem to exist only to get in the way. The downside is that they don’t realize the risks they are taking with their own lives or the lives of others.
The human factor is why using the paper password keeper is high risk. Can you guarantee that it won’t be accidentally left on a table or desk, that it will never be taken out and shown in public, or that it won’t be handed to others so they can log on without proper authorization?
What about it opening the door to policy violations and compliance violations, or, even worse, to malicious hackers who will gladly take advantage of your passwords? The next thing you know, your credit cards are being used in Moldova, your PC is running ransomware, and someone is posing as you while they try to steal intellectual and physical property. There is no limit to what a hacker can do once they have “Fullz,” hacker slang for a complete set of your personal data, including social security numbers, account numbers, birthdates, and credit card numbers.
How to Securely Store Your Personal Passwords
While there is no single best way to keep and use passwords, there are safer ways. Here are my three top tips for individuals:
- If it is an option, use multi-factor authentication instead of simple passwords; especially for banking.
- Use a common account like Google that has multi-factor authentication to access your other accounts. But be very careful to protect access to that account.
- Use commercially available software to store and vault your passwords, such as Password Safe, LastPass, Dashlane, or the open source Bitwarden.
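To show what the third tip actually buys you over a paper notebook, here is an added example (not code from any of the products named above) of the core mechanism every password vault relies on: the master password never touches disk, it is stretched with a salted key-derivation function into separate encryption and integrity keys, and a wrong master password or a tampered file is rejected before anything is decrypted. The iteration count, the HMAC-in-counter-mode stand-in cipher (used only because the Python standard library ships no AES; a real vault uses AES-GCM or XChaCha20-Poly1305 from a vetted library) and the sample entries are all assumptions constructed for this illustration.

```python
import hashlib
import hmac
import json
import os

PBKDF2_ITERATIONS = 600_000   # assumed value; raise it as hardware gets faster
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the master password with a random salt, then split the result into
    an encryption key and an independent MAC key (key separation)."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS)
    enc_key = hmac.new(km, b"vault-encryption", "sha256").digest()
    mac_key = hmac.new(km, b"vault-integrity", "sha256").digest()
    return enc_key, mac_key


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (assumption, see lead-in): XOR the data with
    HMAC-SHA256(key, nonce || counter) blocks. Encryption and decryption are the same."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(8, "big"), "sha256").digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal_vault(master_password: str, entries: dict) -> bytes:
    """Serialise the entries, encrypt them under the master password, and append a
    MAC over salt, nonce and ciphertext (encrypt-then-MAC)."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(master_password, salt)
    ciphertext = _keystream_xor(enc_key, nonce, json.dumps(entries).encode())
    body = salt + nonce + ciphertext
    tag = hmac.new(mac_key, body, "sha256").digest()
    return body + tag


def open_vault(master_password: str, blob: bytes) -> dict:
    """Verify the MAC first; only the right master password on an unmodified file
    gets as far as decryption."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("vault file truncated")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt = body[:SALT_LEN]
    nonce = body[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = body[SALT_LEN + NONCE_LEN:]
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, body, "sha256").digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("wrong master password or vault file has been modified")
    return json.loads(_keystream_xor(enc_key, nonce, ciphertext))


if __name__ == "__main__":
    # Constructed sample entries, not real credentials.
    blob = seal_vault("correct horse battery staple", {"bank": "pw-1", "email": "pw-2"})
    print(len(blob), "bytes on disk; plaintext recoverable only with the master password")
    print(open_vault("correct horse battery staple", blob))
```

The point of the design, compared with the notebook: the file on disk is useless without the master password, a guess costs 600,000 hash iterations, and a typo in the master password fails cleanly at the MAC check rather than producing garbage.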
Securely Storing Business Passwords
Organizations which manage multiple users who have access to multiple applications should strongly consider implementing Micro Focus solutions which offer strong password protection and management such as:
SecureLogin and Access Manager – With just one password (or multi-factor authentication with an add-on module) your users can be securely authenticated for access to sensitive accounts and applications across multiple operating systems, the cloud, and even your mainframe. For industries where multiple users share terminals, fast-user switching ensures the previous user is completely logged out before the next user logs in.
Privileged Account Management – Privileged Account Manager features a check-out, check-in Enterprise Credential Vault, which encrypts and stores passwords for your systems, applications, and databases for multiple users. The software provides an intuitive interface for privileged users to check-out and return passwords, and supports both policy-based and workflow-based password retrieval.
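The check-out/check-in pattern described above is easier to reason about with a small model in front of you. The following is an added example and not Privileged Account Manager code: it models a vault that enforces a policy table (which roles may check out which credential, and for how long), refuses a credential that another user currently holds, keeps an audit trail of every decision, and rotates a secret when it is returned or when its lease expires so the value a user saw stops working afterwards. The role names, the policy table, the lease lengths and the rotate-on-return behaviour are assumptions constructed for the illustration.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed policy table (assumption): roles allowed per credential and the
# lease length after which the vault may reclaim and rotate the secret.
POLICY = {
    "prod-db-root": {"roles": {"dba"}, "ttl_minutes": 30},
    "backup-svc": {"roles": {"dba", "ops"}, "ttl_minutes": 60},
}


@dataclass
class Lease:
    user: str
    expires: datetime


@dataclass
class CredentialVault:
    store: dict                 # credential name -> current secret (encrypted at rest in a real vault)
    roles: dict                 # user -> set of roles
    leases: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _log(self, event: str, user: str, cred: str, now: datetime) -> None:
        self.audit.append(f"{now.isoformat()} {event} user={user} cred={cred}")

    def _rotate(self, cred: str) -> None:
        # Assumed design choice: replace the secret once a lease ends, so a copy
        # written down during the lease is worthless afterwards.
        self.store[cred] = secrets.token_urlsafe(24)

    def check_out(self, user: str, cred: str, now: Optional[datetime] = None) -> str:
        now = now or datetime.now(timezone.utc)
        rule = POLICY.get(cred)
        if rule is None or not (self.roles.get(user, set()) & rule["roles"]):
            self._log("DENY", user, cred, now)
            raise PermissionError(f"{user} may not check out {cred}")
        lease = self.leases.get(cred)
        if lease is not None:
            if lease.expires > now and lease.user != user:
                self._log("BUSY", user, cred, now)
                raise RuntimeError(f"{cred} is checked out by {lease.user}")
            if lease.expires <= now:
                # Previous holder never checked in: reclaim and rotate before reuse.
                self._log("EXPIRED_ROTATE", lease.user, cred, now)
                self._rotate(cred)
        self.leases[cred] = Lease(user, now + timedelta(minutes=rule["ttl_minutes"]))
        self._log("CHECKOUT", user, cred, now)
        return self.store[cred]

    def check_in(self, user: str, cred: str, now: Optional[datetime] = None) -> None:
        now = now or datetime.now(timezone.utc)
        lease = self.leases.get(cred)
        if lease is None or lease.user != user:
            self._log("BAD_CHECKIN", user, cred, now)
            raise RuntimeError(f"{user} does not hold {cred}")
        del self.leases[cred]
        self._rotate(cred)
        self._log("CHECKIN_ROTATE", user, cred, now)


if __name__ == "__main__":
    # Constructed users and secrets, not real credentials.
    vault = CredentialVault(
        store={"prod-db-root": "initial-root-pw", "backup-svc": "initial-backup-pw"},
        roles={"alice": {"dba"}, "bob": {"ops"}},
    )
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    vault.check_out("alice", "prod-db-root", t0)
    vault.check_in("alice", "prod-db-root", t0 + timedelta(minutes=10))
    print("\n".join(vault.audit))
```

Two behaviours are worth noticing when you run it: a denied request is logged just like a granted one, which is what an auditor will ask for, and an expired lease is not silently handed to the next requester but rotated first, because the previous holder may still know the old value.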
Educate Your Employees on Password Safety
You can take immediate action to educate your organization on the risks of writing passwords down: ask whether anyone has a paper password keeper, and implement stronger and safer password management hygiene. Thinking about shredding your password keeper but not sure where to go for help? Request a call and a CyberRes password management expert will get right back to you.