Under Lock and Passphrase: Protecting and storing your passwords with a password manager

By Leila Sharma
When it comes to passwords for your various online accounts and services, a best practice is to use a unique password for each. After all, if passwords are shared between accounts and one is compromised, it creates a security risk for other accounts with the same password. It can also be very difficult to remember increasing numbers of strong passwords, many of which are required to contain special characters and capitalized letters. How can one adhere to the best practice of using unique strong passwords for every account and still be able to recall them all?

The solution is to use a password manager or vault. These applications function as digital safes and securely store login credentials, including your username, password, and other sensitive information. A password manager encrypts the content in a list and protects it with a master password you create (though many password managers can also generate passwords for you if you chose) meaning you only need to remember one password to access your many other passwords.

How does a password manager work?

Non-browser-based password managers store your passwords in the cloud on a remote server maintained by the company that developed the software, or in an encrypted vault on your local system or your smartphone, or in some combination of both of these methods. Once the password manager has been set up, when you visit a website, rather than typing in account information, go to your password manager and unlock it with the master password. It will then automatically fill in all of the necessary login information for the website you’re visiting and into which you need to log in. If you’re already logged into your password manager, it will automatically fill out this information for you when you visit a website.

Are browser-based password managers recommended?

No, many browsers, including Google Chrome, Firefox, and others, have integrated password managers. However, use of these password managers is not recommended. Some of these integrated password managers will store your passwords in unencrypted form, making them more vulnerable to hacking attempts unless you encrypt your entire hard drive. Firefox’s password manager does enable you to encrypt passwords and protect them with a master password, but it lacks certain features common in non-browser based managers, such as the ability to generate passwords for you or provide syncing with iOS devices.

What security features should I look for when choosing a password manager?

Please keep the following in mind when evaluating possible password management solutions:

  • Research password managers and choose a well-known and trusted solution. Do not use an unknown/untested solution, as cyber-criminals are known to release tools such as password managers in the hope that users will adopt them, thus opening themselves up to malware and other hacking attempts. Password managers which you may want to research and evaluate for individual/personal use include:
  • Please note that group or enterprise (vs. individual) password management may have additional associated requirements.
  • Confirm that the password manager is compatible with all systems and devices you use and that updates will synchronize across all devices/systems.
  • Choose a solution that you find easy to use.

Creating a master password

A “master password” is like the key you use to lock a safe or vault. In this case, the safe is your password manager, and its contents are all the other passwords you need to use for your various accounts. NYU IT recommends using a “passphrase” for your master password. Passphrases are different from passwords in that they contain several words, though they follow the same basic guideline for creating strong passwords. Be sure you select a passphrase you can remember and that you do not use for any other account. If you are concerned about not remembering this master password, you may want to consider writing the master password on paper and placing it in a safety deposit box or other similarly secure location. For recommendations, please see “Password Best Practices” below. Furthermore, if you choose a password manager that supports multi-factor authentication (MFA), NYU IT recommends that you use it with your master password. For more information on MFA, see the NYU IT website.

Password Best Practices

  • Longer passwords (12+ characters) are stronger passwords.
  • If systems permit, good passwords are ideally comprised of lowercase letters, uppercase letters, numbers, and special characters.
  • See the knowledge article regarding NYU NetID password requirements & tips.
  • Passphrases should be at least six words long and should not be common or well known phrases which can be guessed. A key difference between passwords and passphrases, is that passphrases can contain spaces. Use of upper/lowercase, numbers & special characters will further strengthen your passphrase.
    • Example of a weak passphrase: twinkletwinklelittlestar (known phrase, too short, no use of uppercase, numbers, special characters or spaces).
    • Example of a strong passphrase: Anna 2016 is going to summer camp in Vermont!
  • Use a unique password for each account.
  • Change your passwords every 90 days, and do not reuse passwords.
  • Do not disclose a password when/if asked to do so via email, phone or any other communication. Please be reminded that NYU will never ask your for your for login credentials.
  • Change a password as soon as possible if you believe it may have been compromised or if you have used a publicly-shared device (kiosk, Internet cafe computer); there is a risk that your password can be captured via “keystroke logging” on public devices.
  • For information on securing a compromised or suspended NYU Google Apps account, see the NYU IT ServiceLink knowledge base.
  • Never “allow” your browser to remember your passwords.
  • Never leave your computer unlocked when you step away from your desk, nor write your password(s) on paper near your desk or computer.
  • Enable a guest account if you opt to share your computer.

Cognitive Passwords (Security Challenge Questions)

Cognitive passwords a/k/a security challenge questions, which are now extremely common, are user-supplied answers to questions. The answers to these questions do not need to be truthful, but you need to be able to remember or access (via a password manager) the answers you’ve supplied. A “rule of thumb” is that if others know or can easily discover the answers to your cognitive questions, the answers you supply should not be truthful.

Resources

For additional information, please see: